If your company handles Controlled Unclassified Information (CUI) under a DoD contract, you’re required to self-assess your compliance with NIST SP 800-171 and submit a score to the Supplier Performance Risk System (SPRS). That score is a certification to the federal government. If it doesn’t match what’s actually running on your network, and you keep billing the government while it’s on file, you have False Claims Act exposure — a risk that hit $51.8 million in cybersecurity-related settlements last year alone, up 233% from the year before. That’s true regardless of where CMMC’s timeline happens to stand this year.

The False Claims Act isn’t new to defense contracting, either. Congress wrote it in 1863 after Civil War suppliers billed the Union Army for horses, rations, and rifles that didn’t hold up. The mechanism hasn’t changed since: tell the federal government you delivered something you didn’t, get paid for it, and you’ve committed fraud.

How the False Claims Act applies to CMMC and DFARS compliance

Every contractor and subcontractor handling CUI carries DFARS clause 252.204-7012 in its contract, requiring the 110 controls in NIST SP 800-171 and a documented System Security Plan (SSP). Contractors have submitted self-assessment scores to SPRS since late 2020. CMMC just adds a certification layer on top of that obligation.

In October 2021, DOJ launched the Civil Cyber-Fraud Initiative to pursue contractors and grant recipients who knowingly misrepresent their cybersecurity compliance, deliver deficient security products or services, or fail to report known incidents. The FCA gives DOJ two paths into a case: it can sue directly, or a whistleblower (often a current or former employee) can file a qui tam suit and collect a share of whatever the government recovers. Treble damages and per-claim penalties apply either way.

The enforcement data: recoveries are climbing fast

Cybersecurity-related FCA settlements have grown every year since the Initiative launched. DOJ recovered a record $6.8 billion across all False Claims Act matters in fiscal year 2025, the highest total in the law’s history. Within that, cybersecurity-specific settlements hit $51.8 million, up 233% from the year before.

Here are some cases that map directly onto the defense industrial base:

LOGZONE Inc. — $507,144 (June 2026). This Huntsville, Alabama contractor settled after failing to implement required NIST SP 800-171 controls on two Navy contracts from 2021 to 2025. A Defense Contract Management Agency (DCMA) assessment put its actual score at -170, near the bottom of the -203-to-110 range. That’s a long way from whatever it had told the Navy.

Georgia Tech Research Corporation — $875,000 (September 2025 settlement, following a 2024 DOJ complaint). Georgia Tech’s Astrolavos Lab ran DoD cyber-defense research for years with no anti-virus tools installed and no SSP. When it came time to report a score, GTRC submitted a campus-wide 98 out of 110 that DOJ said was based on a “fictitious” environment with no relationship to any system actually processing covered defense information. The two whistleblowers, both former members of Georgia Tech’s own cybersecurity team, split $201,250 of the recovery.

Aero Turbine and Gallant Capital Partners — $1.75 million (July 2025). A reminder that acquiring a defense contractor means acquiring its compliance history, not just its backlog.

Raytheon Company and Nightwing Intelligence Solutions — $8.4 million (May 2025). DOJ alleged Raytheon ran roughly thirty DoD contracts and subcontracts on a network that didn’t meet DFARS 252.204-7008, DFARS 252.204-7012, or FAR 52.204-21. Nightwing, which later acquired the business, was held liable as Raytheon’s successor for conduct that predated the deal.

Health Net Federal Services and Centene Corporation — $11.25 million (February 2025). HNFS falsely certified compliance with at least seven security controls in its TRICARE contract with the Defense Health Agency for three straight years, ignoring its own auditors’ warnings the whole time.

Aerojet Rocketdyne — $9 million (July 2022). One of the Initiative’s first cases. DOJ alleged the aerospace and defense contractor misrepresented its cybersecurity compliance to DoD and NASA for years while continuing to bid on and win contracts.

Since the Initiative started, DOJ has settled fifteen cybersecurity-related FCA cases. More than half came in fiscal year 2025.

The common thread: your score is the evidence

None of these cases started with a data breach. They started with a self-assessment score that didn’t hold up. DOJ didn’t need to prove anyone’s system got hacked. It needed to show the self-assessment score was false and the company kept billing the government while it sat on file. 

What defense contractors should do now

  • Provide an accurate & realistic self-assessment score. An inflated SPRS score is the single piece of evidence DOJ has used in every case above.
  • Close your SSP gap now. Georgia Tech’s exposure turned partly on the fact that no SSP existed for years. That’s a paperwork fix, and it’s cheap relative to a settlement.
  • Validate your score through a third-party. A mock C3PAO assessment or third-party review is the kind of due diligence DOJ credits when deciding how hard to come down on a contractor.
  • Remember DIBCAC and DCMA don’t need a certification deadline to show up. Both agencies assess on their own schedule, and both have triggered settlements on this list.

Where PreVeil Helps

PreVeil is encrypted email and file sharing for CUI, trusted by more than 3,000 organizations to meet DFARS, NIST 800-171, and CMMC requirements, and costs up to 75% less than GCC High.

That makes PreVeil the fastest and most affordable path to an accurate 110 score. It’s been further validated by 100+ perfect 110/110 scores on DIBCAC and C3PAO assessments. 

Book a free 15-minute compliance consultation or see how PreVeil simplifies self-assessment.

Frequently asked questions

What is the False Claims Act?

A federal law, 31 U.S.C. §§ 3729-3733, that makes it illegal to knowingly submit a false claim for payment to the U.S. government. Penalties include triple the government’s damages plus a per-claim fine tied to inflation. For defense contractors, a “claim” includes an invoice submitted while relying on a cybersecurity compliance certification you know is false.

When was the False Claims Act enacted?

1863, during the Civil War, in response to suppliers selling the Union Army defective equipment and billing as if it worked. It was significantly strengthened in 1986 to expand whistleblower incentives, and DOJ extended it into cybersecurity enforcement in 2021 through the Civil Cyber-Fraud Initiative.

Is the False Claims Act civil or criminal?

It’s a civil statute. The same conduct can also support a separate criminal fraud referral, but every cybersecurity settlement listed above was resolved civilly, without an admission of criminal liability.

Who does the False Claims Act protect, and are whistleblowers covered?

It protects the government, and by extension taxpayers, from fraudulent billing, and it protects the whistleblowers who report it. Employees who file qui tam suits are entitled to a share of the recovery, typically 15 to 30 percent, and are protected from retaliation for reporting. The whistleblowers in the Georgia Tech case were former members of the school’s own cybersecurity team.

What does the False Claims Act prohibit for defense contractors specifically?

Knowingly submitting a false SPRS score, knowingly billing DoD while your System Security Plan or NIST SP 800-171 controls don’t match what you’ve certified, and knowingly failing to report a cyber incident you were contractually required to disclose.

How do I report a False Claims Act violation?

Through a qui tam attorney, who can help file a sealed complaint on the government’s behalf, or directly through DOJ’s Fraud Section. Most cybersecurity FCA cases, including several above, started this way.

Does CMMC certification status change False Claims Act exposure?

No. FCA liability attaches to the claim for payment, not to whether a third-party certifier has signed off. Every settlement on this list was built on the existing DFARS 7012 and self-assessment framework, independent of CMMC’s rollout status.