Rudram Engineering

The Legal Risk of CMMC Non-Compliance: False Claims Act, DOJ Enforcement, and What It Means for Your Business

Most CMMC conversations focus on certification timelines and contract eligibility. What gets far less attention and arguably carries higher stakes is the legal exposure that comes with inaccurate compliance claims. The Department of Justice has made cybersecurity enforcement a priority, and the numbers are escalating fast.

The DOJ Is Not Waiting for November 2026

In FY2025, the Department of Justice recovered $52 million across nine cybersecurity-related False Claims Act settlements. That formed part of a record-shattering $6.8 billion in total FCA recoveries for the fiscal year. Cybersecurity fraud resolutions have more than tripled in each of the past two years. Since the Civil Cyber-Fraud Initiative launched in October 2021, the DOJ has settled fifteen civil cyber-fraud cases with more than half of those occurring during FY2025 alone.

On January 28, 2026, Deputy Assistant Attorney General Brenna Jenny, the political official overseeing nationwide False Claims Act enforcement, stated at the American Conference Institute’s Advanced Forum on False Claims and Qui Tam Enforcement that cybersecurity enforcement cases are “not about data breaches.” They are “premised on misrepresentations.”

The distinction matters enormously: you do not have to be hacked to be sued. You just have to say you are compliant when you are not.

With CMMC, the government has handed the DOJ an exceptionally clean enforcement mechanism. Your SPRS score, your annual affirmation, your SSP documentation: these are all official representations to the federal government. If they do not accurately reflect your implemented security controls, each one is a potential false claim.

What False Claims Act Liability Looks Like

The False Claims Act carries penalties of up to three times the actual damages plus over $11,000 per false claim. For a defense contractor with multiple contracts, each requiring separate SPRS submissions and annual affirmations, the exposure compounds quickly.

Jenny also noted that whistleblower (qui tam) filings related to cybersecurity saw a substantial increase in FY2025, and the DOJ expects that trend to continue. The FCA rewards whistleblowers with up to thirty percent of any government recovery, creating a powerful incentive for employees with inside knowledge of cybersecurity gaps to come forward.

In December 2025, the DOJ announced a settlement with a subcontractor in the defense supply chain, a precision machining supplier that allegedly failed to provide adequate cybersecurity as required by DFARS 252.204-7012 for technical drawings it supplied to contractors. The case was initiated by a qui tam action filed by a former quality control manager. Organization size does not provide protection.

The Scenarios That Create Exposure

Inflated SPRS scores. If your self-assessment claims a score of 95 but an independent review reveals unimplemented controls, that discrepancy is a misrepresentation. Before CMMC, there was limited verification. Now, C3PAO assessments provide the independent validation that can expose the gap between what you reported and what you actually implemented. Under the current SPRS framework, 3-point and 5-point controls cannot be marked as NOT MET; only 1-point controls (22 out of 110) can be placed on a POA&M. That means you must have at least 88 controls fully implemented before anything gets uploaded.
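As an added illustration (not code from the Rudram Engineering post), the checker below applies the two rules the paragraph states to a proposed SPRS upload: no 3- or 5-point requirement may be marked NOT MET, and the resulting score must be at least 88. The 110-requirement inventory it builds is constructed with placeholder ids and weights, not the real NIST SP 800-171 / DoD Assessment Methodology values.

```python
# Added example, not the post's own code. Validates a self-assessment against the
# SPRS rules the post describes before the score is uploaded.
from dataclasses import dataclass

MAX_SCORE = 110           # perfect score: all 110 requirements implemented
MIN_UPLOAD_SCORE = 88     # floor the post describes for an upload
POAM_ELIGIBLE_WEIGHT = 1  # only 1-point requirements may sit on a POA&M


@dataclass(frozen=True)
class Control:
    control_id: str  # NIST 800-171 requirement id (placeholder form "3.x.N" here)
    weight: int      # 1, 3 or 5 points under the DoD Assessment Methodology
    met: bool        # True only when fully implemented with supporting evidence


def sprs_score(controls):
    """Start at 110 and deduct the weight of every NOT MET requirement."""
    return MAX_SCORE - sum(c.weight for c in controls if not c.met)


def validate_submission(controls):
    """Return (ok, findings). A finding is any reason the upload would
    misrepresent posture: a non-POA&M-eligible requirement marked NOT MET,
    or a score below the 88-point minimum."""
    findings = []
    for c in controls:
        if not c.met and c.weight != POAM_ELIGIBLE_WEIGHT:
            findings.append(
                f"{c.control_id} ({c.weight} pts) is NOT MET but not POA&M-eligible")
    score = sprs_score(controls)
    if score < MIN_UPLOAD_SCORE:
        findings.append(f"score {score} is below the {MIN_UPLOAD_SCORE} minimum")
    return (not findings), findings


def constructed_assessment(not_met_ids):
    """Constructed inventory (ids/weights are placeholders, not the real values):
    22 one-point requirements, as the post counts, then 14 three-point, then
    74 five-point. Every id in not_met_ids is marked NOT MET."""
    controls = []
    for n in range(1, 111):
        weight = 1 if n <= 22 else 3 if n <= 36 else 5
        cid = f"3.x.{n}"
        controls.append(Control(cid, weight, cid not in not_met_ids))
    return controls


if __name__ == "__main__":
    ok, findings = validate_submission(constructed_assessment({"3.x.40"}))
    print(ok, findings)  # a single 5-point gap blocks the upload
```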

Outdated documentation. Your SSP describes controls that were implemented two years ago but have since drifted. Personnel changed. Systems were reconfigured. New applications were added without being assessed. The SSP still claims full compliance. That is a misrepresentation even if no one intended to deceive.

Subcontractor non-compliance. Under DFARS 252.204-7021, prime contractors are required to verify subcontractor certifications and ensure proper flowdown of CMMC requirements. If you affirm that your supply chain is compliant and a subcontractor is not, your affirmation is inaccurate. Prime contractor liability for subcontractor non-compliance is an area the DOJ has shown increasing interest in.

Conditional status that expires. If you receive conditional Level 2 certification with a POA&M and fail to remediate within 180 days, your status expires. Any continued representation of compliance after expiration creates immediate exposure.

Why February 2026 Made This Worse

The February 1, 2026 Revolutionary FAR Overhaul eliminated DFARS 252.204-7019 entirely and renumbered 252.204-7020 to 252.240-7997. All assessment obligations now run through a single clause: DFARS 252.204-7021. This simplification removes any ambiguity about which requirements apply. It also removes any argument that a contractor was confused by overlapping or conflicting obligations.

One clause. One framework. One set of representations to the government. The enforcement case becomes cleaner and easier to prosecute.

How to Protect Your Organization

Accuracy over speed. Do not submit an SPRS score you cannot substantiate with documented evidence. A lower score with a credible POA&M is far safer than an inflated score with no supporting documentation.

Get an independent gap assessment. Your internal team may have blind spots. A qualified Registered Practitioner evaluates your environment against the same criteria a C3PAO will use, identifying discrepancies between your reported posture and your actual posture before an assessor or the DOJ does.

Maintain living documentation. Your SSP, POA&M, and evidence artifacts must reflect current reality, not a snapshot from the day you last updated them. Build recurring evidence collection into your operations, not a quarterly scramble.

Audit your subcontractor compliance. If you are a prime, verify that your subcontractors have current CMMC status in SPRS before award and on an ongoing basis. Document your verification process. If a subcontractor falls out of compliance, document your response.

Take your annual affirmation seriously. This is not a checkbox. It is a signed representation to the federal government that you remain in continuous compliance. Treat it with the same diligence you would any federal filing. Jenny’s remarks make clear that the DOJ views these affirmations as enforceable representations, and whistleblowers are watching.

Know Where You Actually Stand Before an Assessor or the DOJ Does

Rudram Engineering’s Registered Practitioner conducts an independent evaluation of your compliance posture against NIST 800-171, identifying the gaps between your SPRS score and your actual implementation. You get the truth before it becomes a liability.

Schedule Your Free CMMC Compliance Review at rudramengineering.

Rudram Engineering, Inc. | Rockledge, FL | Serving the Defense Industrial Base for 18+ years
