The Enforcement Landscape Has Changed

For years, defense contractors assessed their own cybersecurity compliance with minimal oversight. Organizations submitted self-assessed NIST SP 800-171 scores to the Supplier Performance Risk System (SPRS), checked the required boxes, and moved forward with contract performance. Auditors rarely appeared. The practical consequence of overstating a security posture was, for most organizations, nonexistent.

That era has ended. The Department of Justice launched its Civil Cyber-Fraud Initiative in October 2021, explicitly targeting government contractors who misrepresent their cybersecurity practices. The Initiative focuses on three categories of conduct: knowingly providing deficient cybersecurity products or services, knowingly misrepresenting cybersecurity practices or protocols, and knowingly violating obligations to monitor and report cybersecurity incidents and breaches.

The enforcement results that followed were not incremental. They were exponential.

$6.8 billion in total False Claims Act recoveries in FY2025, the highest single-year amount in the history of the statute.

$52 million in cybersecurity-related settlements across nine separate cases in FY2025. Cybersecurity fraud recoveries have more than tripled in each of the past two years.

1,297 new qui tam (whistleblower) lawsuits filed in FY2025, with more than $5.3 billion recovered from whistleblower-initiated matters.

5 of 9 cybersecurity enforcement cases in FY2025 were initiated by whistleblowers.

The trajectory is not subtle, and it is not slowing. For CEOs and senior executives of defense contractors, understanding this enforcement framework is essential context for every investment decision and every attestation they will sign.

What the False Claims Act Actually Requires

The False Claims Act dates to the Civil War era, originally enacted to combat suppliers who sold defective goods to the Union Army. In its modern form, it prohibits knowingly submitting false claims for payment to the federal government. As of the Department of Justice's July 2025 adjustment, civil penalties range from $14,308 to $28,619 per false claim, in addition to treble damages. Those figures are per claim. A single contract with multiple invoices can generate dozens or hundreds of individual violations.

The critical word in that framework is "knowingly." The False Claims Act does not require proof that an executive specifically intended to defraud the government; the statute says so expressly. It defines "knowingly" as acting with actual knowledge of the falsity, in deliberate ignorance of the truth or falsity, or in reckless disregard of it. Simple negligence is not enough, but the "should have known" shorthand used throughout this article describes the practical reach of that definition: an executive who avoids learning the facts, or who certifies without any reasonable basis for the certification, meets the standard.

Applied to CMMC, the implications are direct. When an organization submits a bid for a DoD contract, it makes representations about its security posture. When it attests to its CMMC level, it certifies that specific controls are in place. When it accepts contract payments while failing to maintain required security measures, it submits claims based on false premises. Each of those actions is a potential False Claims Act violation if the underlying representations are inaccurate and the organization knew or should have known they were inaccurate.

The Cases That Define the Risk

The enforcement actions that have followed the Civil Cyber-Fraud Initiative illustrate both the breadth of the government's reach and the specificity of its expectations. The government does not distinguish between large and small contractors, between technology companies and machine shops, between universities and defense manufacturers.

Case | Year | Settlement | Key Issue
Aerojet Rocketdyne | 2022 | $9.0M | Misrepresented cybersecurity compliance in federal contracts. Initiated by whistleblower.
MORSECORP | Mar 2025 | $4.6M | Submitted SPRS score of 104; actual assessed score was negative 142. Failed to use FedRAMP-compliant cloud services. Qui tam action.
Major Defense Contractor | May 2025 | $8.4M | Failed to implement NIST SP 800-171, including failure to develop a system security plan. Whistleblower initiated.
Georgia Tech Research Corp. | Sept 2025 | $875K | Failed to adhere to proper standards in processing and storing CUI related to DoD contracts.
Swiss Automation | Dec 2025 | $421K | Illinois precision machining company failed to provide adequate cybersecurity for CUI technical drawings. Initiated by former employee.

The MORSECORP case is particularly instructive. The gap between the self-reported SPRS score and the actual assessed score was 246 points. That is not a rounding error or a matter of interpretation. It represents a fundamental disconnect between what the organization reported to the government and what actually existed. The case demonstrates that the government is willing to pursue contractors specifically for SPRS score inaccuracy, and that whistleblowers are positioned to identify these gaps.

The Swiss Automation case carries a different lesson. A precision machining company, not a technology firm or a defense prime, settled for $421,234 based on cybersecurity failures related to technical drawings it received from other contractors. The case was initiated by a former employee. For small and mid-sized manufacturers who assume their size or specialization makes them unlikely targets, that case eliminates the assumption.

The Criminal Dimension

Civil settlements represent one end of the enforcement spectrum. In December 2025, the Department of Justice unsealed a criminal indictment against a former senior manager at a defense contractor providing cloud computing services to the Department of the Army. The alleged fraud exceeded $29 million. This is not a civil penalty or a negotiated settlement. It is a federal criminal case targeting an individual for conduct related to cybersecurity misrepresentation.

The distinction matters for executive decision-making. Civil cases produce financial penalties. Criminal cases produce personal consequences that no corporate insurance policy or indemnification agreement can mitigate.

Personal Liability and the "Should Have Known" Standard

The enforcement framework does not treat cybersecurity compliance as a purely organizational matter. Federal enforcement increasingly focuses on individual accountability. A CEO who signs an attestation certifying that the organization meets specific cybersecurity requirements assumes personal responsibility for the accuracy of that certification.

The practical consequence is that willful blindness is not a defense. An executive cannot delegate cybersecurity compliance entirely to an IT department, decline to inquire about the organization's actual security posture, and then claim ignorance when the posture turns out to be materially deficient. The False Claims Act's knowledge standard captures precisely this behavior. If the executive had the ability to know and chose not to look, the law treats that choice the same as actual knowledge.

Under 32 CFR 170.22, a senior company official designated as the Affirming Official must submit an affirmation in SPRS attesting that the organization has implemented and will maintain implementation of all applicable CMMC requirements. The affirmation is required when an assessment is completed and annually thereafter for as long as the certification is relied on. That affirmation is a legal certification with recurring exposure. Every annual cycle creates a new attestation, and each attestation is a potential false claim if the underlying compliance posture does not match what is certified.

The Whistleblower Dynamic

The most significant enforcement accelerant in the False Claims Act framework is the qui tam provision, which allows private citizens (relators) to file lawsuits on behalf of the federal government. When a case results in recovery, the whistleblower receives a percentage of the proceeds: 15 to 25 percent when the government intervenes and litigates the case, and 25 to 30 percent when the relator pursues it without government intervention.

In FY2025, whistleblowers in cybersecurity cases received more than $4.5 million in collective awards. The financial incentives for reporting are substantial, and the people most likely to know that an organization's cybersecurity posture does not match its SPRS score are the people who work inside the organization: a system administrator, a compliance officer, a frustrated IT manager, or a former employee who left on difficult terms.

Five of the nine cybersecurity enforcement cases in FY2025 were initiated by whistleblowers. That is not a peripheral factor in the enforcement landscape. It is the primary mechanism through which cases reach the Department of Justice.

What This Means for Executive Decision-Making

The enforcement data leads to several conclusions that are directly relevant to any CEO or general counsel evaluating an organization's CMMC position.

First, CMMC compliance is a legal obligation with personal consequences, not a technical project that can be managed solely within the IT department. The executive who signs the annual attestation bears responsibility for its accuracy, and the "should have known" standard means that insufficient oversight is itself a source of liability.

Second, SPRS score accuracy is a specific enforcement target. The MORSECORP case established that the government will pursue contractors for the gap between self-reported and actual compliance scores. Any organization that has not independently validated its SPRS score against its actual implemented controls is carrying a quantifiable legal risk.

Third, the whistleblower provisions mean that internal cybersecurity gaps are not private matters. Every employee with visibility into the organization's actual security posture is a potential relator with a financial incentive to report discrepancies between what is certified and what is real.

Fourth, the enforcement trajectory is accelerating, not plateauing. Cybersecurity fraud recoveries have more than tripled in each of the past two years. The Civil Cyber-Fraud Initiative is actively expanding its focus, and the December 2025 criminal indictment signals a willingness to pursue individual executives, not just organizational settlements.

Further Reading

The CMMC Decision, Second Edition

Chapter 1 ("The Teeth of Compliance") and Chapter 9 ("Your SPRS Score") address False Claims Act liability, personal executive accountability, whistleblower provisions, and SPRS score accuracy in depth. The full book covers the complete sequence of decisions defense contractor executives face in navigating CMMC.


The Role of Legal Counsel

The enforcement pattern reinforces a consistent recommendation: defense contractor executives should engage legal counsel before making CMMC attestations, not after a problem surfaces. Government contracts attorneys are positioned to evaluate the legal exposure associated with specific compliance gaps, advise on disclosure obligations, and structure the attestation process in a way that protects both the organization and the individual signing the certification.

For attorneys advising defense contractors, the False Claims Act enforcement data provides a concrete framework for quantifying the risk their clients face. The settlements described in this article are not theoretical. They are the current cost of getting it wrong, and the trend line suggests that cost is increasing.