Government contracts attorneys advising Defense Industrial Base clients face a regulatory and legal terrain that has shifted materially in the last several years. The Cybersecurity Maturity Model Certification framework, the Department of Justice Civil Cyber-Fraud Initiative, and the broader application of the False Claims Act to cybersecurity representations have produced an environment where the technical and the legal questions cannot be cleanly separated. A contractor's compliance posture under NIST 800-171 has become a legal exposure question. A practitioner's documentation work product has become potential evidence. The lawyer's diligence depends on technical inputs the lawyer is not equipped to develop alone.
This page describes how the practice supports counsel in this work. The firm operates as a credentialed practitioner advisor with experience in the technical implementation of CMMC and adjacent frameworks, the documentation and evidentiary practices that satisfy third-party assessment standards, and the procedural and substantive intersections between cybersecurity compliance and government contracts litigation. The work serves attorneys directly when retained as a consulting expert, supports clients at counsel's direction when retained through the firm, and contributes substantive analysis when matters move toward litigation or pre-litigation diligence.
The Regulatory and Legal Landscape
The relevant framework for an attorney advising a DIB client now spans several overlapping regimes. Each carries its own obligations, its own enforcement mechanism, and its own evidentiary characteristics. The combination produces a posture where representations made under one regime can become exposure under another.
| Regime | Substance | Enforcement |
|---|---|---|
| DFARS 252.204-7012 | NIST 800-171 implementation and incident reporting for CUI | Contract administration, with derivative FCA exposure |
| DFARS 252.204-7019 and 7020 | SPRS self-assessment scoring and government access for assessment | Contract eligibility and FCA exposure on submitted scores |
| DFARS 252.204-7021 | CMMC certification at the level applicable to the contract | Contract eligibility, conditioned on third-party assessment |
| 32 CFR Part 170 | The CMMC program rule and assessment process | The Cyber AB ecosystem and Cyber AB-authorized C3PAOs |
| False Claims Act | Liability for false certifications material to government payment | Civil action by DOJ or qui tam relator, treble damages plus penalties |
The integrating element is documentation. Each regime depends on representations the contractor makes about its own compliance posture, the controls it has implemented, the gaps it has identified, and the remediation it has scheduled. The representations exist in System Security Plans, Plans of Action and Milestones, SPRS submissions, contractor responses to government inquiries, and the contractor's internal records of how compliance work was actually performed. This documentation is the primary evidentiary record an attorney works from, both in advising the client and in defending the client when a regulatory or whistleblower action arises.
The False Claims Act in the Cybersecurity Context
The Department of Justice Civil Cyber-Fraud Initiative formalized in October 2021 the use of the False Claims Act as the primary federal enforcement mechanism for cybersecurity misrepresentations under government contracts. The initiative produced a series of settlements that establish the patterns counsel now works against.
The 2022 Aerojet Rocketdyne settlement, at $9 million, established that misrepresentations about cybersecurity controls under defense contracts trigger FCA liability whether or not the misrepresentations were made in bad faith. Constructive knowledge is sufficient. The 2025 MORSE Corp settlement, at $4.6 million, applied the same principle specifically to NIST 800-171 compliance representations. Multiple sealed qui tam actions remain pending across the DIB. The settled cases share several features that bear directly on counsel's diligence.
The first feature is that the certification pathway, not the underlying technical control, is the legal pivot. A contractor with a partially implemented control set who accurately represents that posture faces no FCA exposure on those representations. A contractor with the same control set who represents complete implementation does. The legal question is not whether the controls are perfect. It is whether the representations are accurate.
The second feature is that the qui tam whistleblower provisions create discovery channels outside the contractor's control. A current or former employee with knowledge of a compliance gap can file under seal and recover a relator share of any eventual settlement. The relator share has been substantial in the cybersecurity cases that have settled, which produces sustained incentive for inside disclosure. Counsel advising contractors on cybersecurity exposure should account for this discovery channel as a baseline assumption rather than an edge case.
The third feature is that the documentary record produced during ordinary compliance work is the evidence the FCA action will eventually examine. The System Security Plan that satisfied the procurement gate becomes the document the relator's counsel cross-references against the contractor's actual implementation. The POA&M that documented planned remediation becomes the document the DOJ examines for whether the remediation occurred. Documentation developed for one purpose (the procurement gate) is read in a different forum (the FCA discovery process), where its weaknesses become exposure rather than mere process gaps.
The detailed treatment of FCA exposure is addressed in the firm's analysis at CMMC and the False Claims Act, and the SSP and POA&M evidentiary integrity question is addressed in the white paper on artifact integrity.
Engagement Models for Counsel
The practice supports counsel through several engagement models, each with different procedural and evidentiary characteristics. The model selected depends on the posture of the matter, the relationship between the attorney and the client, and the privilege considerations that apply.
| Model | Engagement | Primary Use |
|---|---|---|
| Retained by counsel as consulting expert | Engagement letter with the law firm, work directed by counsel | Pre-litigation diligence, internal investigation, regulatory response |
| Retained by counsel as testifying expert | Engagement letter with the law firm, expert disclosure required | Litigation matters reaching expert disclosure stage |
| Retained by client at counsel's direction | Engagement letter with the contractor, scope coordinated with counsel | Operational readiness work integrated with legal advisory |
| Retained by client directly | Engagement letter with the contractor, counsel kept informed | Standard readiness consulting where legal exposure is the backdrop rather than the foreground |
The consulting expert model under direction of counsel produces work product that may be protected under the attorney work product doctrine when the engagement is properly structured. The privilege analysis depends on the jurisdiction and the specific facts, and counsel makes that determination. The practice cooperates with counsel's preferred privilege structure and documents the engagement accordingly. The practice does not provide legal advice on the privilege question and defers to counsel on the structuring.
The testifying expert model proceeds under the standard expert disclosure rules in the relevant jurisdiction. The practice has the substantive credentials to qualify as a testifying expert in matters involving CMMC, NIST 800-171, DFARS cybersecurity obligations, and the related technical-legal questions. Testifying expert engagement is offered selectively and depends on the alignment of the matter with the practice's competence.
Scope of Substantive Competence
The practice's substantive competence covers several areas relevant to counsel advising DIB clients. Each area corresponds to questions counsel encounters in regulatory advisory, internal investigation, or litigation work.
The first area is the technical-regulatory framework itself: CMMC, NIST 800-171 Revision 2, the CMMC Assessment Process, the Level 2 Scoping Guide, the relationship between FCI and CUI, and the operational implementation of the 110 Level 2 controls. The practice can produce analysis on any of these topics in a form usable for counsel's advisory or evidentiary purposes.
The second area is documentation evaluation: System Security Plans, Plans of Action and Milestones, Shared Responsibility Matrices, supplier flowdown attestations, and the broader evidentiary record contractors maintain. The practice can evaluate whether documentation is complete, accurate, internally consistent, and aligned with the contractor's actual operational practice. This work is frequently the foundation of the FCA exposure analysis counsel produces.
The third area is the operational technology environment. Defense aerospace manufacturers, machine shops, and other contractors with CNC controllers, coordinate measuring machines, and similar production equipment in scope present compliance questions that conventional IT-focused advisors are not equipped to address. The practice has direct experience in these environments and can advise on the scoping, implementation, and assessment questions specific to operational technology under CMMC.
The fourth area is the supply chain dimension. Prime contractor flowdown obligations, subcontractor self-attestation gaps, and the verification framework documented in The Supply Chain Compliance Office are increasingly the substance of disputes between Primes and their suppliers. Counsel representing either side benefits from a practitioner who understands both perspectives without commercial allegiance to either.
The CMMC Ecosystem Boundary
The practice operates as a CyberAB Registered Practitioner Advanced. Under the CMMC ecosystem rules, the credential authorizes consulting and implementation work but explicitly does not authorize the performance of formal CMMC assessments. The assessments are reserved for CMMC Third Party Assessment Organizations. The practice observes this boundary as a matter of professional discipline and does not perform certification assessment work.
For counsel, the ecosystem boundary has practical implications. The practice can advise on what the assessment process will examine, what evidence assessors expect to see, and how the contractor's documentation should be structured for the assessment. The practice cannot certify the contractor or substitute for the C3PAO assessment that the contract requires. Counsel relying on the practice's analysis as part of legal diligence should understand that the analysis is consulting work product, not assessment certification.
The ABA Connection
David W. Koran is an Associate Member of the American Bar Association Section of Public Contract Law. The membership reflects the practice's focus on the intersection between technical compliance and the legal terrain government contracts attorneys operate in. Section programming, publications, and committee work in the cybersecurity area address many of the questions this page covers, and the practice contributes to and learns from that body of professional discourse.
For counsel evaluating the practice as a referral resource for clients or as a consulting expert in their own matters, the ABA Section associate membership is one credibility signal among several. The CyberAB credential, the published white papers on technical-legal topics, the book authorship on the CMMC decision framework, and the operational engagement history with DIB contractors collectively establish the practice's standing in this work.
A Path to Engagement
Counsel considering engagement of the practice for a specific matter or evaluating the practice as a referral resource for a client is welcome to begin with a substantive conversation. The conversation is conducted under appropriate confidentiality and is not contingent on engagement. The purpose is to determine whether the practice's competence aligns with the matter's needs and whether engagement makes sense for both sides. If alignment exists, the engagement structure follows from the considerations described above. If alignment does not exist, the conversation produces a clean determination at minimal cost to either party.
Engagement decisions are not made on the strength of marketing material. They are made on the substance of the practitioner's competence, the fit with the matter, and the working relationship between the practitioner and the attorney. This page is intended to support the first step in that evaluation. The conversation completes it.