The Core Mechanism

The False Claims Act (31 U.S.C. § 3729) makes it illegal to knowingly submit a false or fraudulent claim to the federal government. With CMMC, the trigger is self-attestation: when your company certifies its cybersecurity compliance status in order to win or maintain a DoD contract, that certification becomes a legal claim. If it’s inaccurate, you’ve potentially committed fraud against the government.

“Knowingly” under the FCA is defined broadly: it covers actual knowledge, but also deliberate ignorance and reckless disregard of the truth. That last one is the trap for SMBs: you don’t have to intentionally lie to be liable. Checking a box without rigorously verifying your controls is enough.

The Financial Stakes

The penalties are severe and compounding:

  • Treble damages: the government can recover 3x the value of the contract(s) in question
  • Civil penalties of $14,308 – $28,619 per false claim, as of the DOJ’s July 2025 adjustment
  • Each contract, each renewal, and each annual affirmation can be treated as a separate claim

For an SMB with multiple DoD contracts, the exposure can easily reach into the millions from what started as sloppy self-assessment paperwork.

The DOJ Is Actively Enforcing This

The DOJ’s Civil Cyber-Fraud Initiative, launched in 2021, has accelerated sharply. In FY2025 alone, the DOJ recovered over $52 million across nine cybersecurity-related FCA settlements. Notable cases:

A Research Corporation — Submitted a false SPRS score based on a fictitious system environment that didn’t reflect their actual infrastructure. That score was a condition of contract award. They settled.

A Major University — Paid $1.25 million for failing to comply with cybersecurity requirements across 15 DoD and NASA contracts.

Defense subcontractor (December 2025) — A precision machining supplier settled after knowingly failing to provide adequate cybersecurity for technical drawings of defense parts. This is the first major enforcement action directly targeting a subcontractor, which is a significant signal for the broader supply chain.

TRICARE managed care provider — Paid $11.25 million for falsely certifying cybersecurity compliance from 2015–2018. Old violations, new consequences.

The “Affirmation Trap” Unique to CMMC

Under 32 CFR §170.22, contractors must maintain current CMMC status throughout contract performance and re-attest at least annually. This creates recurring FCA exposure: not just at contract award, but every single year.

If your SPRS self-assessment score and your actual control implementations diverge significantly from what a C3PAO later finds during a third-party audit (required starting Phase 2, November 2026), that discrepancy itself becomes evidence of a false claim. Essentially, your self-assessment is your sworn statement, and the C3PAO audit is the polygraph.

Supply Chain Liability — A Specific SMB Risk

Prime contractors are increasingly flowing CMMC requirements down to subcontractors. If a prime knowingly awards work to a non-compliant sub and misrepresents supply chain compliance, the prime faces FCA liability. This means primes are scrutinizing subs much more carefully. Being non-compliant doesn’t just affect your own contracts; it can make you unacceptable to primes regardless of your direct DoD relationship.

There’s also an acquisition liability precedent now: a company was held liable for FCA violations committed by a contractor it acquired, even when the violations predated the acquisition. For SMBs involved in M&A activity, this is a significant due diligence issue.

The Practical Takeaway for SMBs

The combination of annual re-attestation, C3PAO third-party audits coming in November 2026, and aggressive DOJ enforcement means the stakes of sloppy self-assessment have never been higher. The window to get compliant before your self-attestation becomes legally exposed is closing fast.

If you want to have a conversation around this and any other CMMC-related topics, connect with our team.
