The False Claims Act Risk for Defense Contractors
The False Claims Act Risk Every Defense Contractor Must Understand
You signed the contract. You submitted your SPRS score. You assumed you were covered.
What many defense contractors don’t realize: that SPRS submission is a legal representation to the federal government. If your score doesn’t reflect reality, you have created False Claims Act exposure: treble damages, a civil penalty for each false claim, and, in serious cases, criminal prosecution under the separate criminal false-claims and false-statements statutes (18 U.S.C. §§ 287 and 1001).
CMMC has made this risk impossible to ignore.
What the False Claims Act Actually Is
The False Claims Act (31 U.S.C. §§ 3729–3733) imposes liability on anyone who knowingly presents, or causes to be presented, a false or fraudulent claim for payment to the federal government, or who makes a false record or statement that is material to such a claim. Originally passed during the Civil War to address defense contractor fraud, it has been significantly strengthened over the decades, most notably by the 1986 amendments that expanded whistleblower rights.
Applied to CMMC: if you certify cybersecurity compliance to the DoD — through SPRS scores, annual affirmations, or contract representations — and that certification is materially false or overstated, you are exposed.
Consequences under the FCA include:
- Treble damages — the government can recover three times its actual losses
- Civil penalties per false claim — a statutory minimum and maximum, adjusted annually for inflation by the DoJ; as of 2025 they are roughly $14,000 and $28,000 per claim, and every invoice submitted under a contract tainted by a false certification can count as a separate claim
- Qui tam provisions — a whistleblower (“relator”) can file a lawsuit on the government’s behalf and collect 15–25% of any recovery if the government intervenes, or 25–30% if it does not
This isn’t theoretical. In October 2021, the Department of Justice launched the Civil Cyber-Fraud Initiative specifically to use the False Claims Act against contractors who misrepresent their cybersecurity posture in federal contracts.
How CMMC Creates FCA Exposure
Here’s the chain that connects your daily operations to federal liability:
1. DFARS 252.204-7012 — The clause has been in DoD contracts since 2016, and December 31, 2017 was the deadline for implementing NIST SP 800-171. Any DoD contractor handling Covered Defense Information (a category of CUI) must implement all 110 requirements in NIST SP 800-171. This has been a contractual obligation for nearly a decade. Most contractors have not fully complied.
2. SPRS self-reporting — Under DFARS 252.204-7019 and -7020, contractors self-report their NIST SP 800-171 Basic Assessment score (maximum 110; each unimplemented requirement deducts 1, 3, or 5 points, so the score can go negative) to the Supplier Performance Risk System (SPRS). That score is visible to contracting officers when you bid. Many contractors submitted scores significantly higher than their actual posture warranted.
3. Annual affirmations under DFARS 252.204-7021 — Starting November 10, 2025, every covered contractor must have a designated “affirming official” submit annual compliance affirmations in SPRS. That signature is a formal legal representation to the federal government.
4. CMMC self-assessment (Level 2, Phase 1) — During the current phase, Level 2 allows self-assessment rather than third-party audit. That makes the accuracy of self-certification your direct legal responsibility.
Each annual affirmation is a separate false statement under the FCA, and every invoice submitted in reliance on it is potentially a separate false claim. Three consecutive years of inaccurate affirmations means three distinct liability events, each carrying its own penalties.
For more on how DFARS clauses interact, see our DFARS Clauses Decoded guide.
What “Knowingly” False Actually Means
The FCA does not require proof of specific intent to defraud. The statute itself (31 U.S.C. § 3729(b)(1)) defines “knowingly” to cover any of three states of mind:
- Actual knowledge — you knew the representation was false
- Deliberate ignorance — you intentionally avoided confirming whether it was true
- Reckless disregard — you had reason to suspect but didn’t verify
A CEO who signs a contract affirmation without ever asking their IT team whether NIST SP 800-171 controls are actually implemented may qualify under “deliberate ignorance” or “reckless disregard.” Claiming you didn’t know is not a legal shield if a reasonable executive in your position should have verified.
The Whistleblower Risk Is Real
The qui tam provisions of the FCA make this a practical threat — not just a theoretical one. Former employees, disgruntled vendors, or competitors who know your compliance posture is misrepresented can file a sealed complaint. If the case succeeds, they receive a portion of the recovery.
Who knows your security gaps? Your IT staff. Former MSP vendors. Compliance consultants you didn’t hire. Anyone who’s seen the inside of your network.
You cannot control who becomes a whistleblower. You can control whether there’s a gap to expose.
The Supply Chain Dimension
If you’re a prime contractor, your FCA exposure extends to your subcontractors. Under DFARS 252.204-7021, primes must verify subcontractor compliance before awarding any work involving FCI or CUI. Certifying that your supply chain is compliant when it isn’t creates the same exposure as certifying your own posture.
This is why primes are dropping non-compliant subs now — they’re managing their own liability, not being bureaucratic. For more detail, see CMMC for Subcontractors.
Five Steps to Reduce Your Exposure
Step 1: Get an honest gap assessment. Before your next affirmation, determine your actual NIST 800-171 score — not what you think it is, what it demonstrably is, with documented evidence. Use our CMMC cost page to understand what remediation typically costs by organization size.
Step 2: Correct your SPRS score proactively. If your current score is inflated, correcting it before you’re investigated is viewed far more favorably by the DoJ than being caught. Engage legal counsel before making changes — there is a process.
Step 3: Document remediation with a POA&M. A Plan of Action and Milestones acknowledging gaps and charting a closure path demonstrates good faith. The CMMC program rule (32 CFR Part 170), which DFARS 252.204-7021 incorporates, explicitly allows a conditional Level 2 status for contractors who score at least 88 of 110, leave only lower-weighted requirements open, and close every POA&M item within 180 days. This is the legally contemplated path for contractors with gaps.
Step 4: Move before Phase 2. The CMMC timeline is compressed. Phase 2 (November 10, 2026) requires third-party C3PAO certification for most Level 2 contracts. If you’re not audit-ready, you can’t bid. The time to remediate is now, not after you’ve lost a contract.
Step 5: Understand the FCA risk exists today. Phase 1 relies on self-assessment — which means the False Claims Act is the primary enforcement mechanism for non-compliance right now, before any C3PAO audit requirement kicks in. The exposure is not future tense.
Frequently Asked Questions
Q: Can I face FCA liability for cybersecurity gaps I genuinely didn’t know about?
Yes, under the “deliberate ignorance” and “reckless disregard” standards. If a reasonable executive in your position should have verified compliance — and you signed affirmations without doing so — courts have found that sufficient for FCA liability. Genuine ignorance is harder to assert the larger and more sophisticated your organization is.
Q: We submitted an honest SPRS score of 67. Are we at risk?
No. A lower-than-perfect score submitted honestly — with documented evidence and an active remediation plan — is not FCA exposure. The risk is submitting an inflated score or affirming compliance you don’t actually have. Honest assessments with POA&Ms are explicitly contemplated by the DFARS framework. One caveat: a 67 is well below the 88 needed for conditional CMMC Level 2 status, so while it is an honest DFARS 252.204-7012 posture, it will not satisfy a contract that carries the 252.204-7021 Level 2 requirement until you remediate.
Q: What’s the difference between FCA exposure now versus after Phase 2?
Phase 1 relies on self-attestation, making the FCA the primary enforcement mechanism today. After Phase 2 (November 2026), C3PAO assessments add independent verification — but FCA exposure doesn’t disappear. The two mechanisms are additive. A failed C3PAO audit followed by DoJ investigation is a worse outcome than proactive remediation now.
Q: Does my subcontractor’s compliance problem become my problem?
Yes. Primes who certify supply chain compliance without verifying it share in the exposure. Award a subcontract involving CUI to a non-compliant sub, and represent to the government that your supply chain meets the clause, and you’ve created your own FCA event.
Q: What happens if I find a compliance gap mid-contract?
Report it. Proactive disclosure to the contracting officer and DoD is consistently treated more favorably than discovered non-compliance. Your legal counsel should guide the process, but early disclosure is almost always the right call.
The Bottom Line
CMMC created a formal compliance framework. The False Claims Act is its enforcement mechanism.
Every annual affirmation your organization submits is a legal representation to the federal government. If it’s false — knowingly, through deliberate ignorance, or through reckless disregard — the civil exposure is real and attaches to the company and potentially to the signing executive, and the same facts can support criminal charges under the separate false-claims and false-statements statutes.
The practical answer is straightforward: know your actual compliance posture before you sign anything.
Take our free CMMC readiness assessment to understand where you stand before your next affirmation deadline.
Sources: DFARS Final Rule (90 Fed. Reg. 43,560, Sept. 10, 2025) | DoJ Civil Cyber-Fraud Initiative | NIST SP 800-171 Rev 2 | 31 U.S.C. § 3729 (False Claims Act) | DFARS 252.204-7021