If you've sat through a CMMC vendor demo in the last 18 months, you've heard the line: “Sign that SPRS affirmation wrong and you're going to federal prison under the False Claims Act.” It's usually delivered five minutes before the price reveal.
Here's the honest version. FCA exposure on CMMC is real. It is also frequently overstated to sell consulting services. The difference between “real” and “the FBI is coming” is worth knowing — both so you don't panic, and so you take the actual risk seriously where it lives.
What the False Claims Act actually is
The False Claims Act (31 U.S.C. §§ 3729–3733) is a Civil War-era statute that lets the federal government (and private whistleblowers, called relators) recover damages from anyone who knowingly submits a false claim for payment to the government. It is the federal government's most-used civil anti-fraud tool. In FY2024, DOJ recovered over $2.9 billion in FCA settlements and judgments.
Penalties: treble (3x) damages plus a per-claim civil penalty (around $14,000–$28,000 per false claim, indexed for inflation). Whistleblowers get 15–30% of the recovery. The statute does not require an intent to defraud — “reckless disregard” for the truth is enough.
The Civil Cyber-Fraud Initiative
On October 6, 2021, Deputy Attorney General Lisa Monaco launched the Civil Cyber-Fraud Initiative (CCFI) — a coordinated DOJ effort to use the FCA against contractors that:
- Knowingly provide deficient cybersecurity products or services.
- Misrepresent their cybersecurity practices or protocols.
- Violate obligations to monitor and report cyber incidents and breaches.
The CCFI is the policy frame that connects CMMC affirmations to FCA liability. Once a CMMC affirmation is a material condition of a federal contract — which it became when DFARS 252.204-7021 took effect on November 10, 2025 — a knowingly false affirmation fits squarely inside the CCFI's stated targets.
The cybersecurity FCA cases that exist
As of mid-2026, no CMMC-specific affirmation has gone to settlement — the 48 CFR rule is too new. But the line of cybersecurity FCA cases under CCFI is exactly the precedent you should read as a Level 1 contractor.
United States ex rel. Markus v. Aerojet Rocketdyne (2022, $9M)
Aerojet's former senior director of cyber-security sued under the FCA, alleging that Aerojet won DoD contracts after representing compliance with NIST SP 800-171 and DFARS 252.204-7012 that it did not actually have. The case survived summary judgment (a major signal that this theory works) and Aerojet settled for $9 million in 2022.
Penn State University (2024, $1.25M)
DOJ settled with The Pennsylvania State University for $1.25M over allegations that Penn State falsely represented compliance with DoD contract cybersecurity requirements (including NIST SP 800-171) between 2018 and 2023. The settlement was driven in significant part by internal documentation showing the university knew of the gaps.
What both cases have in common
- The representations were made on contracts already in force.
- Internal records (emails, audit reports) showed the contractor knew the controls weren't in place.
- The defendants were not small businesses — they were sophisticated organizations with cyber teams.
- Whistleblowers brought the cases. (Aerojet's was the former CISO.)
“Where contractors fail to follow required cybersecurity standards, the Department of Justice will not hesitate to use the False Claims Act to ensure the integrity of federal contracts and grants.” — DOJ Civil Cyber-Fraud Initiative announcement, Oct 6 2021
The three elements DOJ has to prove
An FCA case under CCFI for a bad CMMC affirmation requires DOJ (or a whistleblower) to prove all three of these:
- Falsity. The affirmation said one thing; the facts said another. (You affirmed all 15 Level 1 requirements were MET when in fact at least one was not implemented.)
- Materiality. The false statement was material to a government payment decision. After DFARS -7021, a CMMC affirmation is generally material because it is an express condition of award and performance.
- Scienter (knowledge). You knew the affirmation was false, or you acted in deliberate ignorance, or you acted in reckless disregard for the truth. Honest mistakes — even bad ones — generally fail this element.
The third element is what protects honest contractors. If you ran a real self-assessment, wrote down what you found, and the senior official signed off after reading it, you have a strong defense to scienter. If your CFO signed a SPRS affirmation while the founders were arguing in Slack about whether MFA was actually on, you don't.
What this means at CMMC Level 1
Level 1 is self-assessed. There is no C3PAO. The system is built on the premise that the senior official affirmation is honest. The FCA is the backstop that makes that premise enforceable.
Translated to operational risk for a 10-person sub:
- The per-claim penalty structure of FCA means a single false affirmation can become large, but settlements scale with the contract value and the deceit. Small business + small contract + honest mistake = the case almost certainly never gets filed.
- The typical path to liability is a disgruntled employee (current or former cyber/IT lead) filing a qui tam relator action with documentation that the company knew controls weren't in place. Document hygiene — write down what you actually do, not what you wish you did — neutralizes this.
- The Aerojet case is the model: a CISO told leadership in writing that the controls weren't in place; leadership signed the contract anyway. The lesson is not “don't have a CISO” — it's “listen to your CISO.”
Practical guardrails (do these)
- Run a real self-assessment. Don't rubber-stamp a vendor template. Walk all 15 FAR 52.204-21 safeguarding requirements and mark each MET or NOT MET against evidence. Custodia's wizard does this; so does any competent in-house process.
- Don't affirm with anything NOT MET. 32 CFR 170.22 doesn't require perfection on the first try, but the affirmation itself is binary. Remediate first, affirm second.
- The senior official reads the SSP before signing. Document that they did (calendar invite, signed acknowledgment). This is the single highest-leverage scienter defense.
- Don't write damning emails. If a control is partial, the email says “we're remediating before we affirm,” not “ship it, the prime won't check.”
- Refresh annually. The senior official affirms again every 12 months. Each refresh is a fresh chance to catch drift before it becomes a false statement.
Myths to ignore
- “FCA means prison.” FCA is civil. Prison risk comes from a different statute and requires criminal intent.
- “Any imperfection is fraud.” The scienter standard exists for a reason. Honest gaps remediated in good faith are not FCA cases.
- “A C3PAO assessment protects you from FCA.” No — it's evidence of due diligence, but it doesn't immunize you. And it's not even available at Level 1.
- “Only Level 2 affirmations create FCA risk.” Wrong. The 170.22 affirmation applies at all levels, and -7021 ties it to award at all levels.
FAQ
Has anyone actually been sued under the False Claims Act for CMMC violations?
Yes — but not yet for a CMMC self-affirmation specifically, because CMMC contract clauses only became enforceable in November 2025. There is a growing line of cybersecurity-related FCA cases under the DOJ Civil Cyber-Fraud Initiative (launched October 2021): Aerojet Rocketdyne settled for $9 million in 2022 for misrepresenting NIST SP 800-171 compliance; Penn State settled for $1.25 million in 2024. Both involved false representations about the cybersecurity controls they had in place.
What actually triggers FCA liability under CMMC?
Three elements must all be true: (1) you made a false statement (e.g., affirmed in SPRS that you meet all 15 Level 1 safeguarding requirements when you don't), (2) the statement was material to a government payment decision (post-Nov 2025 with -7021 in your contract, it almost always is), and (3) you knew it was false or acted with reckless disregard for its truth. Honest mistakes — even bad ones — generally don't meet the knowledge element.
Can I personally go to jail for a bad SPRS affirmation?
FCA itself is civil — fines, treble damages, but no jail. Criminal liability is a separate question under 18 U.S.C. § 1001 (false statements to the federal government), which can carry up to 5 years imprisonment, but it requires criminal intent (knowing and willful), which is a much higher bar than the FCA's reckless-disregard standard. Both apply to the named senior official who signed the affirmation under 32 CFR 170.22.
Are honest mistakes protected?
Largely yes. The FCA's knowledge element ("knowingly") covers actual knowledge, deliberate ignorance, and reckless disregard. Good-faith reliance on a documented self-assessment, a System Security Plan, and reasonable evidence collection is the legal answer to a reckless-disregard claim. The contractors who get caught are the ones whose internal email or Slack shows they knew controls weren't in place when they signed.
How do I protect myself from FCA exposure?
Document everything. Run an actual self-assessment, write down the result per requirement, collect evidence, get a senior official's signature on the affirmation only after reviewing the results. Don't sign 'we'll get to it later'. If a requirement is genuinely partial, mark it NOT MET and remediate before affirming. The affirmation is binary: don't sign MET on something you know is partial.
Does CMMC Level 1 self-affirmation actually create more risk than the old SPRS score did?
Yes, but the increase is mostly procedural. Before the 48 CFR rule (Nov 2025), submitting a SPRS score was a procurement requirement but not a clean material misrepresentation hook. After DFARS 252.204-7021, the affirmation is an explicit condition of award and continued performance, which is exactly the materiality element FCA cases need. The mitigation is the same as before: don't sign things you can't back up.