CMMC Affirmation Trap: FCA Exposure for Defense Contractors and Acquirers
Defense contractors that must meet Cybersecurity Maturity Model Certification (CMMC) requirements under government contracts will face False Claims Act (FCA) liability risks going forward. The CMMC program went live on November 10, 2025, and the annual certification requirement creates recurring FCA exposure that many defense contractors may have overlooked. The U.S. Department of Justice (DOJ) settled seven cybersecurity fraud cases in 2025 alone, including the first enforcement action against a subcontractor and a case holding a business liable for violations committed by a federal contractor it acquired, where the violations predated the acquisition. This Holland & Knight blog post raises these considerations for defense contractors and prospective acquirers.
The Affirmation Requirement Is a Legal Certification
Under 32 C.F.R. 170.22, an "affirming official" (a senior company executive) must submit an annual affirmation in the Supplier Performance Risk System (SPRS) attesting that the organization "has implemented and will maintain implementation of all applicable CMMC security requirements." This affirmation is required upon achieving CMMC status, annually thereafter, and at Plan of Action and Milestones (POA&M) closeout.
Here is the big catch: no current affirmation, no contract. The Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7021 makes a "current" affirmation a prerequisite for contract award and option exercise. For CMMC Level 1 compliance, only final status is permitted; no conditional status is allowed. For CMMC Level 2 and Level 3, contractors may hold conditional status for up to 180 days while closing out a POA&M, but a current affirmation from an affirming official is still required.
This is not an administrative checkbox; it is a recurring certification submitted to the federal government as a condition of contract eligibility. Under the FCA, certifications that are false when made, or made with reckless disregard for their truth, can trigger treble damages and per-claim penalties.
The DOJ's Civil Cyber-Fraud Initiative
In October 2021, Deputy Attorney General Lisa O. Monaco announced the Civil Cyber-Fraud Initiative, signaling that the DOJ would use the FCA as a primary enforcement tool against government contractors and grantees who fail to meet cybersecurity obligations. The initiative targets three categories of conduct: knowing failures to comply with cybersecurity standards, knowing misrepresentations of security practices and knowing failures to report cyber incidents.
The enforcement theory is straightforward. When a contractor certifies compliance with DFARS 252.204-7012 or CMMC requirements as a condition of payment or contract eligibility, and that certification is false, the contractor has submitted a false claim or made a false statement material to a false claim under 31 U.S.C. Section 3729.
In 2025, the DOJ settled seven cybersecurity-related FCA cases, sending an unmistakable signal about enforcement priorities.
The 2025 Settlement Wave
In February 2025, the DOJ announced an $11.25 million settlement with a managed care provider that administered health benefits for military servicemembers. The government alleged the company falsely certified compliance with cybersecurity requirements in connection with a TRICARE contract between 2015 and 2018.
In April 2025, a defense contractor agreed to pay $4.6 million to resolve allegations that it submitted a false SPRS score. According to the settlement, the contractor reported a positive cybersecurity assessment score when its actual score was negative 142. It did not correct the score until three months after receiving a DOJ subpoena.
July 2025 brought two separate settlements. One, for $8.4 million, involved a defense contractor acquisition where the acquiring company was explicitly named as "successor in liability" for the target's preacquisition cybersecurity failures. The underlying conduct – a failure to maintain a system security plan for an internal development system – occurred between 2015 and 2021, years before the deal closed. Another July settlement for $1.75 million held both a contractor and its private equity owner liable for DFARS cybersecurity violations, including alleged improper sharing of sensitive defense information with an unauthorized foreign software company.
In September 2025, a major university research institution agreed to pay $875,000 to resolve allegations that it submitted a false SPRS score and failed to install anti-malware tools on systems in a research lab handling Controlled Unclassified Information (CUI).
In December 2025, the DOJ announced its first settlement targeting the defense supply chain when a precision machining subcontractor in Illinois agreed to pay approximately $421,000 to resolve allegations that it failed to provide adequate cybersecurity protections for technical drawings supplied to prime contractors. The case originated as a qui tam action filed by a former quality control manager.
The "Knowing" Standard Is Lower Than Many Think
The FCA does not require specific intent to defraud. Under 31 U.S.C. Section 3729(b)(1), "knowingly" means actual knowledge of the information, deliberate ignorance of the truth or falsity of the information, or reckless disregard of the truth or falsity of the information.
This matters for CMMC affirmations. A contractor that signs an annual affirmation without verifying the accuracy of its compliance status or that ignores known gaps may be accused of acting with "reckless disregard" sufficient to establish FCA liability. The April 2025 settlement involving a negative 142 SPRS score is illustrative: The contractor allegedly knew or should have known the score was wrong yet left it uncorrected for years.
The qui tam provisions add another layer of risk. Whistleblowers who report FCA violations are entitled to between 15 percent and 25 percent of any recovery. The December 2025 supply chain settlement originated from a qui tam complaint filed by a former employee. Information technology (IT) staff, compliance officers and security personnel are well positioned to identify gaps between certifications and reality.
Implications for Corporate Mergers and Acquisitions (M&A) Transactions
For acquirers of defense contractors, the July 2025 successor liability settlement changes the calculus. The acquiring company in that case inherited FCA exposure for cybersecurity deficiencies that predated the acquisition by years. As a result, CMMC and DFARS compliance is no longer just about operational considerations or short-term risk exposure; it presents long-term risks that can haunt an acquirer post-closing.
Buyers evaluating targets with U.S. Department of War (DOW) contracts, subcontracts or other touchpoints with CUI should treat CMMC compliance as a core diligence workstream. This includes targets that may not self-identify as defense contractors but nonetheless fall within defense supply chains, such as commercial technology providers, component manufacturers and software vendors.
Key diligence considerations include:
- SPRS Verification. Prime contractors do not have automated access to subcontractor SPRS data. Request screenshots of the target's SPRS assessment, affirmation records and any POA&M documentation directly from the target.
- Certification Accuracy. Review the target's history of DFARS compliance representations in government contracts. If the target has been self-attesting to National Institute of Standards and Technology (NIST) SP 800-171 compliance under DFARS 252.204-7012, verify that the underlying controls were actually implemented. A negative gap assessment can be a material issue.
- CUI Scoping. Understand which information systems the target has designated as in-scope for CMMC. Acquisition targets may narrowly define their CUI environment to minimize compliance burdens, but scoping decisions that are too aggressive may create FCA exposure if the government later disagrees.
- Incident History. Request disclosure of any cybersecurity incidents, near-misses or internal audit findings. Under DFARS 252.204-7012, contractors must report cyber incidents to the DOW/DOD within 72 hours. A pattern of unreported or underreported incidents is a material concern.
- Deal Protection. Consider representations and warranties specifically covering CMMC status, SPRS scores, prior certifications and the absence of known FCA exposure. Indemnification and insurance coverage should factor in successor liability for preclosing cybersecurity deficiencies.
What Defense Contractors Should Do Now
CMMC Phase 1 is live, so contractors bidding on covered solicitations must have a current CMMC status and affirmation on file. For those who have already submitted affirmations, or will soon, here are practical steps to consider in managing FCA risk:
- Treat Affirmations as Legal Certifications. The affirming official should understand that they are personally attesting to compliance under penalty of law. This is not a task to delegate to IT without verification.
- Conduct an Internal Gap Assessment Before Affirming. An organization that has not recently validated its implementation of NIST SP 800-171 controls for Level 2 or the additional Level 3 requirements should timely do so before the next affirmation is due.
- Document Remediation Efforts. If gaps exist, document them in a POA&M and track progress. The DOJ has credited self-disclosure and good faith remediation efforts in past settlements. The July 2025 settlement involving a private equity-backed contractor specifically noted that the contractor received credit for self-disclosure.
- Monitor for Changes. The affirmation requires attesting that compliance has been maintained since the last assessment, so it is advisable to establish processes for identifying and tracking material changes such as personnel departures, system migrations or new subcontractors that could affect compliance.
- Be Very Mindful of Whistleblower Risks. Employees who observe gaps between certifications and reality may file qui tam complaints, particularly where they become disgruntled or get enticed by the potential for a significant payout. The best mitigation is to ensure there are no gaps to report and be transparent with the government when potential issues are identified.
Conclusion
The CMMC affirmation requirement is now a recurring legal certification with real enforcement teeth. The DOJ's 2025 settlement activity, including the first supply chain enforcement and the successor liability case, demonstrates that the Civil Cyber-Fraud Initiative is not theoretical or a waning risk. Defense contractors and their acquirers should treat CMMC compliance as a legal and enterprise risk management priority, not just an IT project.