CMMC Compliance Risks for Defense Contractors and Acquirers

Key Takeaways:

  • Defense contractors subject to Cybersecurity Maturity Model Certification (CMMC) compliance are at risk of False Claims Act (FCA) liability.
  • The CMMC affirmation requirement is a recurring legal certification that must be submitted annually, and false certifications can trigger treble damages and per-claim penalties.
  • The Department of Justice (DOJ) has settled several cybersecurity-related FCA cases in 2025, including cases involving defense contractors and subcontractors.
  • The "knowing" standard for FCA liability is lower than many think, and contractors can be held liable for reckless disregard of the truth or falsity of information.
  • CMMC compliance is a key consideration for corporate mergers and acquisitions (M&A) transactions, and buyers should conduct thorough diligence on targets’ CMMC compliance.

Introduction to CMMC and FCA Liability
The Cybersecurity Maturity Model Certification (CMMC) program went live on November 10, 2025, and defense contractors subject to CMMC compliance under government contracts will be subject to False Claims Act (FCA) liability risks going forward. The annual certification requirement creates recurring FCA exposure that many defense contractors may have overlooked. The U.S. Department of Justice (DOJ) settled seven cybersecurity fraud cases in 2025 alone, including the first enforcement action against a subcontractor and a case holding a business liable for violations committed by a federal contractor it acquired, where those violations predated the acquisition.

The Affirmation Requirement
Under 32 C.F.R. 170.22, an "affirming official" (a senior company executive) must submit an annual affirmation in the Supplier Performance Risk System (SPRS) attesting that the organization "has implemented and will maintain implementation of all applicable CMMC security requirements." This affirmation is required upon achieving CMMC status, annually thereafter, and at Plan of Action and Milestones (POA&M) closeout. The Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7021 makes a "current" affirmation a prerequisite for contract award and option exercise. For CMMC Level 1 compliance, only final status is permitted; no conditional status is allowed. For CMMC Level 2 and Level 3, contractors may hold conditional status for up to 180 days while closing out a POA&M, but a current affirmation from an affirming official is still required.

The DOJ’s Civil Cyber-Fraud Initiative
In October 2021, Deputy Attorney General Lisa O. Monaco announced the Civil Cyber-Fraud Initiative, signaling that the DOJ would use the FCA as a primary enforcement tool against government contractors and grantees who fail to meet cybersecurity obligations. The initiative targets three categories of conduct: knowing failures to comply with cybersecurity standards, knowing misrepresentations of security practices, and knowing failures to report cyber incidents. The enforcement theory is straightforward: when a contractor certifies compliance with DFARS 252.204-7012 or CMMC requirements as a condition of payment or contract eligibility, and that certification is false, the contractor has submitted a false claim or made a false statement material to a false claim under 31 U.S.C. Section 3729.

2025 Settlement Wave
In 2025, the DOJ settled seven cybersecurity-related FCA cases, sending an unmistakable signal about enforcement priorities. These cases included a managed care provider that administered health benefits for military servicemembers, a defense contractor that submitted a false SPRS score, and a defense contractor acquisition where the acquiring company was explicitly named as "successor in liability" for the target’s preacquisition cybersecurity failures. Another case held a contractor and its private equity owner liable for DFARS cybersecurity violations, including alleged improper sharing of sensitive defense information with an unauthorized foreign software company.

The "Knowing" Standard
The FCA does not require specific intent to defraud. Under 31 U.S.C. Section 3729(b)(1), "knowingly" means actual knowledge of the information, deliberate ignorance of the truth or falsity of the information, or reckless disregard of the truth or falsity of the information. This matters for CMMC affirmations: a contractor that signs an annual affirmation without verifying the accuracy of its compliance status, or that ignores known gaps, may be accused of acting with "reckless disregard" sufficient to establish FCA liability.

Implications for Corporate Mergers and Acquisitions (M&A) Transactions
For acquirers of defense contractors, the July 2025 successor liability settlement changes the calculus. The acquiring company in that case inherited FCA exposure for cybersecurity deficiencies that predated the acquisition by years. As a result, CMMC and DFARS compliance is no longer just about operational considerations or short-term risk exposure; it presents long-term risks that can haunt an acquirer post-closing. Buyers evaluating targets with U.S. Department of War (DOW) contracts, subcontracts, or other touchpoints with Controlled Unclassified Information (CUI) should treat CMMC compliance as a core diligence workstream.

What Defense Contractors Should Do Now
CMMC Phase 1 is live, so contractors bidding on covered solicitations must have a current CMMC status and affirmation on file. For those who have already submitted affirmations, or will soon, here are practical steps to consider in managing FCA risk: treat affirmations as legal certifications, conduct an internal gap assessment before affirming, document remediation efforts, monitor for changes, and be mindful of whistleblower risks. Employees who observe gaps between certifications and reality may file qui tam complaints, particularly where they become disgruntled or get enticed by the potential for a significant payout.

Conclusion
The CMMC affirmation requirement is now a recurring legal certification with real enforcement teeth. The DOJ’s 2025 settlement activity, including the first supply chain enforcement and the successor liability case, demonstrates that the Civil Cyber-Fraud Initiative is not theoretical or a waning risk. Defense contractors and their acquirers should treat CMMC compliance as a legal and enterprise risk management priority, not just an IT project. By understanding the risks and taking proactive steps to manage them, defense contractors can minimize their exposure to FCA liability and ensure compliance with CMMC requirements.
