Can You Get Sued for False CMMC Certification?
Educational research, not legal or compliance advice. Confirm scope and applicability with a CMMC Registered Practitioner (RP/RPO) or a qualified federal-contracts attorney.
The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. We are not affiliated with the Cyber AB, the Department of Defense, DCMA DIBCAC, NIST, or any U.S. government agency.
Yes — you can get sued for false CMMC certification. Knowingly misrepresenting your CMMC (Cybersecurity Maturity Model Certification) status, your NIST SP 800-171 self-assessment score, or your annual compliance affirmation can expose your company — and potentially the executive who signs — to the federal False Claims Act (FCA), the government’s main anti-fraud statute (31 U.S.C. § 3729). The penalty is steep: triple the government’s damages plus a per-claim fine that currently runs $14,308 to $28,619, stacked per invoice.
By 2025 this stopped being theoretical. In the fiscal year ending September 2025, the U.S. Department of Justice (DOJ) recovered more than $52 million across nine cybersecurity False Claims Act settlements, and civil cyber-fraud recoveries have more than tripled in each of the last two years. Most of those cases were built not on CMMC certificates — which are only now being required in contracts — but on the same NIST SP 800-171 controls, SPRS scores, and DFARS cybersecurity clauses that now sit underneath CMMC Level 2. They’re not a footnote. They’re a preview.
Here is the part most contractors get backward, and it is the whole game: liability does not turn on whether you have a security gap. It turns on whether you made a claim you could not support. That distinction is also the way out. Below is exactly when a compliance gap becomes a lawsuit, who can bring it, what it costs, and the one move that protects you going forward.
Find your situation
| Your situation | The short answer |
|---|---|
| You misread a control, then caught and corrected it | Lower risk than an intentional or ignored misstatement — but document the correction, and get advice if the claim already reached a contract file or an invoice. |
| You posted an inflated SPRS or Level 2 self-assessment score | Higher risk, especially if that score was tied to award eligibility, payment, or a prime/sub relationship. This is the exact fact pattern in the biggest recent cases. |
| You signed (or are about to sign) an annual affirmation without current evidence | High-risk zone. The affirmation is a recurring legal certification under 32 CFR § 170.22, and an unsupported one can become a fresh false statement each year. |
| You market the company as “CMMC certified” but only self-assessed | Misleading if it blurs Level 2 (Self) with Level 2 (C3PAO). Fix the language before you fix anything else. |
| A subcontractor handed you a CMMC claim you can’t verify | Treat it as supplier risk, contract risk, and potential FCA risk at the same time. Verify before you allow CUI to flow. |
| You already suspect a past claim was wrong | Stop repeating it, preserve the records, and talk to qualified federal-contracts counsel before you correct, disclose, or accuse anyone. |
What we verified for this page. We read the CMMC Program Rule at 32 CFR Part 170 (effective December 16, 2024) and the rule that put CMMC into defense contracts at DFARS 252.204-7021 (effective November 10, 2025) in the Federal Register; the False Claims Act itself at 31 U.S.C. §§ 3729–3730; the DOJ press releases and, where available, the signed settlement agreements in the cases below; and DOJ’s fiscal year 2025 False Claims Act statistics. Dated figures we cite have a source and a date so you can re-check them.
The right CMMC provider isn’t the same for every contractor — the category you need (a C3PAO, an RPO, an MSSP, a GRC platform, or a CUI enclave) depends on your required CMMC level, whether you handle FCI or CUI, your assessment type, your cloud and IT environment, and your contract timeline. The contract clause sets your level, not a checklist. Because a general answer can’t resolve those for you, use The Defense Compliance Report’s Find My CMMC Path tool to map your situation to the right provider category before you request quotes — do not submit CUI, drawings, or sensitive contract details.
Educational provider-category triage only. We may receive compensation for qualified introductions or partner referrals when disclosed; compensation does not control our analysis or recommendations.
Can you actually get sued for false CMMC certification?
Yes. A false CMMC certification, SPRS score, or annual affirmation can create False Claims Act liability when it is knowingly false, material to a government payment or contract decision, and tied to a claim for federal money. DOJ recovered more than $52 million across nine cybersecurity False Claims Act settlements in the fiscal year ending September 2025, and civil cyber-fraud recoveries have more than tripled in each of the last two years. This is a documented enforcement pattern, not a theoretical risk.
The government can bring the case itself, or a private individual — a “relator,” almost always an insider — can file it on the government’s behalf under the FCA’s whistleblower provisions. Either way, the theory is the one DOJ has used for cybersecurity since it launched its Civil Cyber-Fraud Initiative in October 2021: when a contractor represents that it meets cybersecurity requirements as a condition of getting paid or winning an award, and that representation is false, the contractor has submitted a false claim.
The head of the DOJ unit that runs this enforcement has been blunt about what these cases are and are not. Speaking at an industry conference in January 2026, Deputy Assistant Attorney General Brenna Jenny — the DOJ’s top False Claims Act official — drew the distinction that matters most here: cyber-fraud cases, she said, are “not about data breaches” but are instead “premised on misrepresentations.” Read that twice, because it is the most reassuring sentence on this page. You can have zero breaches and still be exposed if you certified something you couldn’t support. And you can have a real gap and no exposure if you reported it accurately.
And the enforcement has accelerated, not slowed. DOJ’s June 2026 settlement announcement referenced both a new Task Force to Eliminate Fraud and a National Fraud Enforcement Division — procurement and cybersecurity fraud sit squarely inside that mandate. The curve is pointing up.
Has this actually happened to real companies?
Yes — repeatedly, and the cases share a fingerprint. In nearly every recent defense cyber-FCA settlement, a contractor represented a level of NIST SP 800-171 compliance it did not have, often through an inflated self-assessment score in SPRS (the Supplier Performance Risk System), and a current or former insider flagged the gap. Settlements in 2024–2026 have ranged from roughly $421,000 to more than $11 million. Below is what we pulled directly from the DOJ’s own releases.
The single most useful detail across these cases is the gap between the score the contractor claimed and the score that turned out to be real. That gap is the engine of the lawsuit.
| Defendant | Date | Amount | Brought by | What was alleged | Claimed vs. actual | Source |
|---|---|---|---|---|---|---|
| LOGZONE, Inc. (Huntsville, AL) | Jun 2026 | $507,144 | Government, via a DCMA assessment (no relator named) | Knowingly billed two Navy contracts (2021–2025) while not implementing required NIST SP 800-171 controls | Self-reported a perfect 110 in SPRS (Oct 2021); DCMA later scored it −170 — a 280-point gap | DOJ |
| Georgia Tech Research Corp. | Sep 2025 | $875,000 | Qui tam — two former members of Georgia Tech’s cybersecurity team (Craig & Koza); $201,250 relator share | No SSP for the lab until ~Feb 2020; no antivirus/anti-malware until Dec 2021; a false campus-wide score | Submitted a summary score of 98 based on a “fictitious” or “virtual” environment that didn’t exist as a covered system | DOJ |
| MORSECORP, Inc. (Cambridge, MA) | Mar 2025 | $4.6M | Qui tam — relator Kevin Berich; $851,000 share | Incomplete NIST SP 800-171 implementation; no consolidated SSP; non-FedRAMP-equivalent email; inflated score left uncorrected | Posted SPRS score 104; a third-party gap analysis found the real score was ≈−142 | DOJ |
| Health Net Federal Services / Centene | Feb 2025 | $11,253,400 | Government-initiated (no qui tam relator identified) | Falsely certifying cybersecurity compliance on a TRICARE contract (2015–2018); companies denied the allegations | Certified compliance the controls didn’t support | DOJ |
| Raytheon / RTX / Nightwing | May 2025 | $8.4M | Qui tam — a former Raytheon director of engineering; ~$1.5M share | No SSP for an internal development system used for unclassified work across 29 contracts/subcontracts (2015–2021) | Used a noncompliant system to handle covered defense and contract information | DOJ |
| Illumina, Inc. | Jul 2025 | $9.8M | Qui tam | Sold federal agencies genomic-sequencing systems with cybersecurity vulnerabilities; misrepresented adherence to NIST and ISO standards | Product security below what was represented | DOJ |
| Aero Turbine, Inc. + Gallant Capital Partners (CA) | Jul 2025 | $1.75M | Voluntary self-disclosure by the contractor and its private-equity owner | Failed to implement controls over access to technical data; PE-firm employee allegedly involved; DOJ credited self-disclosure and cooperation | Controls not implemented as required under DFARS 252.204-7012 | DOJ |
| Swiss Automation, Inc. (IL) | Dec 2025 | $421,234 | Qui tam — Jaime Gomez, a former quality-control manager; $65,291 share | Subcontractor cyber-FCA action; inadequate security for technical drawings of parts supplied to DoD prime contractors | Drawings not safeguarded as required under DFARS 252.204-7012 | DOJ |
| Pennsylvania State University | Oct 2024 | $1.25M | Qui tam | Failure to meet cybersecurity requirements on DoD/NASA contracts, including cloud and implementation gaps | Controls below requirement | DOJ |
Every entry above is a settlement, and a settlement is not a finding of liability — each company resolved allegations without an admission. Not all are CMMC-certificate cases; CMMC certification was not yet required when most of this conduct occurred. They are cyber-FCA cases built on the same NIST SP 800-171 and DFARS obligations that now sit underneath CMMC Level 2 — which is exactly why they’re a preview, not a footnote.
Three of them are worth sitting with.
LOGZONE (June 2026) is the cleanest illustration of the risk, and the freshest. According to the DOJ and court documents, LOGZONE submitted a perfect self-assessment score of 110 in SPRS in October 2021. In February 2024, DCMA ran its own assessment and scored the company −170 — 280 points below what it had claimed — and the government alleged LOGZONE kept billing the Navy through March 2025 anyway, receiving roughly $682,000. The pattern is the one that shows up in every high-exposure case: an inflated number posted, evidence of the real gap available internally, continued billing. See the full breakdown on the DOJ press release.
Georgia Tech (September 2025) is the “fictitious environment” case. The government alleged the university submitted a summary score of 98 in December 2020 that supposedly applied campus-wide — except there was no campus-wide system, and the score was built on a virtual environment that didn’t process real covered information. The relators were two members of its own cybersecurity team, and they collected $201,250. But Georgia Tech also fought hard, arguing the research didn’t involve CUI, that it never expressly certified compliance on its invoices, and that DoD didn’t treat the score as material because it kept paying after learning of the issues. The case settled at mediation for a relatively modest $875,000 with no determination of liability. The disputed falsity and materiality questions are exactly why these cases are fact-specific rather than automatic — for either side.
MORSECORP (March 2025) was, in the words of the whistleblower’s own counsel, the first major defense-contractor FCA settlement built on failing to implement required cybersecurity controls. The number to remember is 104 versus −142 — the score MORSE posted versus the score a third-party assessment actually calculated. The relator, Kevin Berich, was the company’s own head of security according to case filings, and he received an $851,000 share.
Why this matters now.
CMMC requirements began entering defense solicitations on November 10, 2025, when the DFARS acquisition rule (DFARS 252.204-7021) took effect and Phase 1 of the rollout began. Phase 1 runs November 10, 2025 through November 9, 2026. Phase 2 begins November 10, 2026, when Level 2 third-party (C3PAO) certification starts becoming a condition of award for most contracts involving CUI (per 32 CFR § 170.3). Translation: the gap between what you’ve represented and what you can prove is about to get inspected far more often — by primes, contracting officers, and assessors — not less.
What law lets the government — or a whistleblower — sue you?
The vehicle is the False Claims Act (FCA), 31 U.S.C. § 3729 — the federal government’s primary fraud statute. It imposes liability on anyone who knowingly submits a false claim for payment, or a false record material to one. The penalty is treble (three times) the government’s damages plus a per-claim civil penalty of $14,308 to $28,619, adjusted yearly for inflation. That penalty stacks per claim, which is why FCA exposure routinely dwarfs the size of the underlying compliance gap.
There are two ways a certification becomes “false” under the Act. An express false certification is the obvious one: you signed or posted something untrue — an inflated SPRS score, an annual affirmation you couldn’t support. An implied false certification is subtler and, for contractors, scarier: you submitted invoices for payment while knowingly out of compliance with a requirement that was a condition of payment. The Supreme Court confirmed the implied-certification theory in Universal Health Services, Inc. v. United States ex rel. Escobar, 579 U.S. 176 (2016), and set the test that the misrepresentation must be material — defined in the statute as having “a natural tendency to influence, or be capable of influencing,” the government’s decision to pay (§ 3729(b)(4)). In practice, that means you don’t have to sign a document titled “I certify CMMC compliance” to be exposed. Billing while knowingly noncompliant can be enough.
Why does CMMC raise the temperature? Because it converts cybersecurity from “we’re working on it” to “we attest we have implemented this,” and the acquisition rule makes your CMMC status a condition of award. Under DFARS 252.204-7025, an offeror is not eligible for award without a current CMMC status at the required level and a current affirmation posted in SPRS for each system that will handle FCI or CUI. When a requirement is a condition of eligibility, a false statement about it is much easier for the government to call “material.”
| Exposure | Authority | What it covers |
|---|---|---|
| Civil false claims | 31 U.S.C. § 3729 | Treble damages + per-claim penalties for knowing false claims/records |
| Whistleblower (qui tam) civil action | 31 U.S.C. § 3730 | A private relator sues on the government’s behalf and shares in recovery |
| Criminal false claims | 18 U.S.C. § 287 | Knowingly false/fictitious/fraudulent claims; up to 5 years |
| Criminal false statements | 18 U.S.C. § 1001 | Knowingly and willfully false material statements; up to 5 years |
| Documented CMMC-adjacent pattern | DOJ cyber-FCA settlements (above) | Civil resolutions — money, cooperation credit, no admissions |
Can you go to jail, or is this only civil?
The False Claims Act is civil — the penalty is money, not prison — and every CMMC-adjacent cyber-fraud case to date has resolved as a civil settlement. The same underlying conduct can carry separate criminal exposure under statutes like 18 U.S.C. § 287 (false claims) and 18 U.S.C. § 1001 (false statements), each carrying up to five years, and DOJ can pursue civil and criminal tracks in parallel — but criminal prosecution is reserved for the most egregious, clearly intentional conduct. For the overwhelming majority of contractors worried about an optimistic SPRS score, the realistic exposure is civil FCA liability, not handcuffs.
We want to be precise rather than alarmist, because the “can I go to jail” fear sends people into the two worst reactions: panic-deleting records, or freezing and doing nothing. Both make things worse. The criminal statutes exist, and a deliberately fabricated certification tied to fraud could in theory draw a criminal referral. But the documented pattern — MORSECORP, Georgia Tech, Raytheon, LOGZONE — is civil, and DOJ has repeatedly said it credits self-disclosure, cooperation, and remediation. That last point is your opening, and we’ll come back to it.
What actually counts as a “false” CMMC certification — and do they have to prove you meant to lie?
No — the government does not have to prove you intended to defraud anyone. The False Claims Act defines “knowing” to include actual knowledge, deliberate ignorance, or reckless disregard of the truth, and it expressly requires no proof of specific intent to defraud (31 U.S.C. § 3729(b)(1)). In plain terms: signing an affirmation or posting an SPRS score without verifying it’s accurate — or leaving a score standing after you’ve been told it’s wrong — can meet the legal standard. This is the single most misunderstood point in CMMC, and it’s why “we didn’t mean to” is not the shield people think it is.
Let’s make the standard concrete with three ways a contractor crosses it:
- Actual knowledge. You knew the posted score was higher than your real implementation and submitted it anyway. (MORSECORP’s score sat at 104 while the company allegedly knew the real figure was far lower.)
- Deliberate ignorance. You suspected the score was inflated and made a point of not checking before you signed.
- Reckless disregard. You signed an annual affirmation with no verification process behind it at all — no evidence review, no idea whether the controls were actually implemented.
That last one catches a lot of well-meaning executives. Reckless disregard is more than ordinary negligence, but a gross failure of oversight can meet it. Signing because someone in IT said “we’re good” — without seeing the evidence — is the reckless-disregard zone. For a deeper look at the affirming-official exposure, see our page on CMMC affirming official personal liability.
But here is the other half, and it’s the reassuring half: an accurate score is not a false claim, even if it’s a low one. The Act punishes the misrepresentation, not the gap. A contractor who honestly posts a 62, documents a real plan of action to close the gaps, and updates the record as it improves has not made a false claim — it has done exactly what the system asks. We’ll say this more than once because contractors keep getting it backward: a low, accurate score is far safer than a high, false one.
Where your CMMC claim legally “lives”
“False CMMC certification” is bigger than a fake certificate. It’s any cybersecurity representation the government can treat as a claim. Here’s every place yours lives, what governs it, what tips it from “incomplete” into “false,” and the case that proves the point.
| Where the representation is made | Governing authority | What makes it false (vs. merely incomplete) | Shown by |
|---|---|---|---|
| Your NIST SP 800-171 self-assessment score in SPRS | DFARS 252.204-7019 / -7020 | A posted score higher than your real, evidence-backed implementation — or one you’ve been told is wrong and left standing | LOGZONE (110 → −170); MORSECORP (104 → −142) |
| Your annual affirmation of continuing compliance | 32 CFR § 170.22; DFARS 252.204-7021 | Affirming “continuing compliance” when you know (or recklessly disregard) that your posture no longer matches it — a fresh risk each year | Recurring-certification risk flagged across FCA practice |
| Your “adequate security” representation | DFARS 252.204-7012 | Representing NIST SP 800-171 implementation or FedRAMP-equivalent cloud you don’t actually have | MORSECORP; Penn State |
| Proposal and award representations (CMMC status as eligibility) | DFARS 252.204-7025 | Misstating status to win an award you weren’t eligible for | Materiality theory in Escobar |
| Every invoice on a covered contract | 31 U.S.C. § 3729; Escobar | Billing while knowingly noncompliant with a payment condition — silence that makes the bill misleading | Escobar (2016); Raytheon (29 contracts) |
| A subcontractor’s status claim you rely on | 32 CFR § 170.23 (flowdown) | Passing along, or relying on, an unsupported supplier attestation while CUI flows to them | Swiss Automation |
The word “certified” is the trap
A lot of avoidable exposure comes from sloppy language, not bad faith. “Certified” means something specific under CMMC, and using it loosely is its own risk. Here’s how to keep your claims true.
| Risky phrase | Safer phrasing — if it’s true |
|---|---|
| “We are CMMC certified.” | “We currently hold Final Level 2 (C3PAO) status for [system/scope] as of [date].” |
| “We passed CMMC.” | “We completed a Level 2 (Self) assessment and posted the result in SPRS on [date].” |
| “We’re Level 2.” | “The contract requires [Level 2 Self / Level 2 C3PAO]; our current status is [exact status].” |
| “Our MSP handles CMMC.” | “Our SSP maps which controls are handled by us, our MSP, and our cloud provider, with evidence and clear responsibility boundaries.” |
| “All 110 controls are done.” | “All applicable assessment objectives are supported by final evidence as of [date].” |
Note the distinction in that first row: Level 2 (Self) is an assessment you perform on yourself; Level 2 (C3PAO) is performed by an accredited Certified Third-Party Assessment Organization (C3PAO). Calling a self-assessment a “certification” blurs the two — and it’s exactly the kind of statement a relator or contracting officer notices. (We break the two apart in detail in CMMC self-assessment vs. C3PAO assessment.)
The four-question test: when does a wrong CMMC statement become a lawsuit?
A wrong cybersecurity statement becomes a False Claims Act problem when four things line up: the statement was false or unsupported; it was made knowingly, with deliberate ignorance, or with reckless disregard; it was material to a contract or payment decision; and it was connected to a claim for government money. Miss any one element and the FCA case weakens — which is also where contractors’ real defenses live. Run any worrying statement through this screen before you panic, and before you “fix” anything.
| Element | The question to ask |
|---|---|
| Falsity | Was the statement actually false, misleading, incomplete, or unsupported by final evidence? |
| Knowledge | Did someone know it was false, deliberately avoid checking, or act with reckless disregard? |
| Materiality | Could it have influenced award, payment, an option exercise, subcontract approval, or continued performance? |
| Claim connection | Was it tied to a claim for payment, an invoice, a proposal, or a false record material to payment? |
Georgia Tech is the live example of how a defendant fights on these elements — arguing no CUI was involved (attacking falsity and materiality), no express certification on invoices (attacking the claim connection), and continued government payment after notice (attacking materiality). It worked well enough that the case resolved for a relatively modest sum. The point isn’t that you should plan to litigate. It’s that “we had a gap” and “we have FCA liability” are not the same sentence, and the space between them is where qualified counsel earns their fee.
“No specific intent required” does not mean “every mistake is fraud.” It means the government doesn’t have to prove you set out to cheat anyone — but it still has to prove you acted knowingly, that the statement mattered, and that money was on the line. An honest, documented, corrected mistake is a very different animal from an inflated score you left standing for a year.
Does the risk change by CMMC level and assessment type?
Yes. Level 1 and Level 2 (Self) rely on self-assessment, which puts the weight on your own evidence and your signer’s discipline. Level 2 (C3PAO) and Level 3 add an outside or government assessor — but false statements about scope, current status, annual affirmation, POA&M closeout, or post-assessment drift can still create FCA exposure. The contract clause sets your required level and assessment type — not your preference, and not a checklist. A clean assessment is a snapshot, not a permanent shield.
A quick grounding in the levels, all from 32 CFR Part 170: Level 1 covers FCI and maps to the 15 basic safeguarding requirements in FAR 52.204-21, with an annual self-assessment and affirmation and no POA&M allowed. Level 2 covers CUI and maps to the 110 security requirements of NIST SP 800-171 Revision 2, organized into 14 control families — by self-assessment for some contracts, or by a C3PAO certification assessment for others. Level 3 adds a subset of enhanced requirements from NIST SP 800-172 and is assessed by the government’s DCMA DIBCAC. One important accuracy note: for CMMC purposes, Level 2 currently maps to NIST SP 800-171 Revision 2, even though NIST has since superseded Rev. 2 — do not represent Rev. 3 as the controlling CMMC requirement unless and until DoD amends the rule.
| Level / status | Most likely false-claim issue | What to verify before you represent it |
|---|---|---|
| Level 1 (Self) | Claiming all 15 requirements are met when evidence doesn’t support it | FCI scope, the annual self-assessment, the affirmation record |
| Level 2 (Self) | An inflated 110-control / SPRS score | SSP, objective-by-objective evidence, the score basis, the CMMC UID |
| Conditional Level 2 | POA&M items not closed, but status represented as final/current | The 180-day closeout window, POA&M eligibility, the closeout assessment |
| Final Level 2 (C3PAO) | Overstated scope, or an expired annual affirmation | The certificate, the assessed scope, the CMMC UID, the affirmation date |
| Level 3 (DIBCAC) | Misstating Level 3 readiness or scope | The Level 2 baseline, the selected 800-172 requirements, DIBCAC status |
The recurring trap at the C3PAO and DIBCAC levels: contractors treat the certificate as permanent. It isn’t. Your status has a defined scope and date, your annual affirmation still has to be true every year, and controls drift. “We passed our assessment” is true on the assessment date. Whether it’s still true today is a separate question, and the one a relator will ask. See our CMMC annual affirmation legal liability guide for the full picture on what the signer is actually committing to.
Who can be on the hook — the company, the executive who signs, a subcontractor, an acquirer?
Potentially all of them, but the role determines the exposure. The company faces FCA and contract liability for false cybersecurity claims. A senior executive can carry signer and governance risk as the Affirming Official. Subcontractors create flowdown and supplier risk. And in 2025, DOJ extended liability to an acquirer and a private-equity owner — so cyber-fraud exposure can travel through an M&A deal. This is not just an IT-department problem.
The whistleblower (qui tam). The FCA’s qui tam provision (31 U.S.C. § 3730) lets a private individual file suit on the government’s behalf, under seal, and share in the recovery — 15% to 25% if the government intervenes, and up to 30% if it declines and the relator proceeds alone. Fiscal year 2025 set a record with 1,297 qui tam suits filed. And in these cyber cases, the relator is rarely an outsider. It was the head of security (MORSECORP, $851,000 share). It was two members of the cybersecurity team (Georgia Tech, who split $201,250). It was a director of engineering (Raytheon, ~$1.5 million). It was a quality-control manager at a small subcontractor (Swiss Automation, $65,291). The people best positioned to notice the gap between what was certified and what’s real are the people who built the evidence — and the statute pays them to come forward. The durable defense isn’t secrecy. It’s having no gap to report.
The executive who signs. Under 32 CFR § 170.22, a senior company official — the “Affirming Official” — is the senior-level representative responsible for ensuring the organization’s compliance with CMMC requirements and authorized to affirm continuing compliance in SPRS after assessment and annually thereafter. That signature is a legal certification, and the signer is responsible for its accuracy. Signing without seeing the evidence is the reckless-disregard zone, and it’s a question for the C-suite and counsel, not a formality to delegate. (Our CMMC annual affirmation guide covers who signs and what the signer needs.)
The subcontractor and the prime.CMMC requirements flow down through the supply chain when a subcontractor processes, stores, or transmits FCI or CUI (32 CFR § 170.23). The December 2025 settlement with Swiss Automation — a supply-chain cyber-FCA action brought by a former quality-control manager over inadequate protection of technical drawings — shows suppliers are squarely in scope. For primes, the lesson is the inverse: collecting a screenshot and moving on isn’t due diligence. You need consistent evidence standards for suppliers who touch CUI.
The acquirer and the investor.The Aero Turbine settlement in July 2025 named not just the contractor but its private-equity owner, Gallant Capital Partners, after the government alleged a PE-firm employee was directly involved in the cybersecurity failures. Translation: cyber-fraud exposure is now a live diligence item in defense-sector M&A, and an investor that gets into the weeds of a portfolio company’s compliance can be pulled in.
You think a past claim may be wrong. What do you do now?
Do not panic, do not delete or rewrite records, do not repeat the claim, and do not rush out a public “correction” without legal guidance. Preserve the evidence, identify exactly where the statement was made and whether it touched a contract or payment, bring in qualified federal-contracts counsel if a past claim may be material, then use technical specialists to verify scope and remediate. The single biggest mistake here is a well-intentioned, lawyer-free “fix” that creates a worse record than the original problem.
Your first hours, in order:
- Preserve the relevant records. SSP, POA&M, scoring worksheet, system boundary, CMMC UID, affirmation history, the SPRS submission itself. Do not alter anything.
- Stop repeating the questionable claim. No new invoices, proposals, or supplier attestations that lean on it.
- Identify the exact claim — SPRS score, CMMC status, annual affirmation, proposal language, invoice support, supplier attestation, or marketing copy.
- Identify where it was made and who relied on it — DoD, a contracting officer, a prime, an auditor, a C3PAO, an internal approver.
- Trace the contract/payment link. Was the statement tied to award eligibility, an invoice, or an option?
- Bring in qualified federal-contracts counsel if the claim may already be material. The disclosure decision is a legal judgment — and a real one, because the FCA reduces damages to as low as two times (instead of three) for violations a contractor reports within 30 days of discovery, with full cooperation, where no investigation or action has already begun (§ 3729(a)).
- Then assign technical remediation — re-score against reality, build a genuine POA&M, and document the good-faith effort.
Straight talk, because you deserve it.
We are an independent trade publication on CMMC 2.0 and DIB compliance — not a law firm. No provider we match you with can make a false claim you’ve already filed disappear. If you’ve submitted a materially false score or affirmation, the only person who can advise you on disclosure and legal strategy is a qualified federal-contracts attorney. What we can do — and what actually stops the next false claim — is help you get an accurate gap assessment and a real remediation path so your next SPRS score and your next affirmation are true. That’s the part you control, and it’s the part that ends the exposure going forward.
When Aero Turbine and its owner voluntarily disclosed their cybersecurity failures and cooperated — submitting written disclosures and working with the government — DOJ credited that cooperation in the resolution. DOJ has been explicit, repeatedly, that it rewards early disclosure, cooperation, and remediation. The contractors who get crushed are the ones who wait for a whistleblower or an audit. The ones who get a path are the ones who move first.
How do you correct a wrong SPRS score or CMMC affirmation without making it worse?
Carefully, and in the right order. If the prior score or affirmation may have been material to an award or payment, talk to qualified federal-contracts counsel before you touch the record — the correction and any disclosure are legal decisions. Once you have that guidance, the technical fix is straightforward: re-assess against your real implementation, post the accurate score (even if it’s lower), and document the basis. SPRS scores are meant to be updated as your posture changes; the danger isn’t updating the record, it’s updating it carelessly or quietly papering over a claim that already mattered.
A safe correction sequence:
- Pause and get legal input if the old claim was material. Counsel decides whether and how to disclose; you don’t have to make that call alone.
- Pin down what you’re correcting. The exact record (SPRS score, CMMC UID, affirmation), the scope it covered, and the date it was posted.
- Re-score against reality. Have your actual control implementation validated objective-by-objective, and bring the SPRS score to the truth. An accurate low score is far safer than an inflated one. (Our walkthrough of what happens if you lie on your SPRS score covers the score mechanics in depth.)
- Build and start executing a real POA&M, and make sure your next affirmation reflects current status — not aspiration.
- Document the whole thing — the gap assessment, the decision, the rationale, the dates. A documented good-faith correction is the opposite of a cover-up, and it’s the record you want if anyone ever asks.
What you should not do: silently overwrite the old score with no documentation, backdate anything, or keep billing on the old representation while you “sort it out.” Those instincts feel protective. They aren’t.
How do you keep your next SPRS score and affirmation from becoming the next false claim?
Build an evidence-backed signoff package before any SPRS submission, annual affirmation, proposal statement, or supplier representation — and make every claim specific, dated, and scoped. Under 32 CFR § 170.24, a requirement counts as MET only when all of its assessment objectives are satisfied by evidence in final form; drafts and “in progress” don’t count. The safest claim is narrow and true. The dangerous one is the broad “we’re compliant” that nobody can defend objective-by-objective.
Before your Affirming Official signs anything, the package on the desk should include:
- the required level and the contract clause that sets it;
- your FCI/CUI scope statement, a system boundary diagram, and an asset inventory;
- the SSP (a 32 CFR § 170.22 affirmation rests on it) and the POA&M with its eligibility and closeout dates;
- a control-owner matrix and an evidence index mapped to each NIST SP 800-171A assessment objective;
- the responsibility matrix for any MSP, MSSP, or cloud provider, with FedRAMP or equivalency evidence where it applies (DFARS 252.204-7012);
- the CMMC UID and current SPRS status (DFARS 252.204-7019/-7020); and
- a dated signoff memo.
If any of those is missing, you are not ready to sign — you are about to make a representation you can’t support.
The “final, not draft” standard is the one people trip on. A policy that exists in a Google Doc nobody approved is not implemented. A control that’s “scheduled for next quarter” is not MET. If your real, evidence-backed score is lower than what’s posted, lower the posting. We’ll say it a third time because it’s the whole lesson of this page: a lower, accurate score beats a higher, false one — every time.
Which provider category actually helps with each kind of risk?
The right help depends on the problem. A federal-contracts attorney handles legal exposure and disclosure. An RP/RPO helps with scoping and readiness. An MSP/MSSP implements and operates controls. A GRC platform manages evidence. A CUI enclave can shrink your scope. A C3PAO performs the formal certification assessment — and must stay separate from the team that remediated you. Hiring the wrong category first is how contractors burn six figures and end up no safer.
| Your problem | The category that fits | What they help with | What they’re not for |
|---|---|---|---|
| A possible false claim already submitted | Federal-contracts counsel | Disclosure strategy, privilege, contract posture | Technical implementation on its own |
| Scope or CUI boundary is unclear | RP/RPO or virtual CISO | FCI/CUI scoping, the SSP, a gap plan | Guaranteeing a certification outcome |
| Controls aren’t implemented | MSP/MSSP / CMMC implementer | Remediation, monitoring, evidence collection | The formal C3PAO assessment |
| Evidence is scattered | GRC / evidence platform | Control mapping, artifacts, owners, audit trail | Replacing actual implementation |
| CUI is spread everywhere | CUI enclave / secure collaboration | Scope reduction, controlled CUI workflows | Pretending scope simply disappears |
| You’re genuinely assessment-ready | C3PAO | The Level 2 certification assessment | Remediating the same environment it will assess |
That last row is not a nicety — it’s a conflict-of-interest rule. Under 32 CFR Part 170 (§ 170.9) and the Cyber AB’s Code of Professional Conduct, a C3PAO cannot provide consulting, advisory, or implementation services to an organization it will then assess. If a firm helps you prepare or remediate, you must use a different C3PAO for the certification assessment. No C3PAO can guarantee certification, either. And you can only confirm a firm is actually authorized on the official Cyber AB Marketplace. So don’t let anyone sell you a single engagement that “fixes you and then certifies you.”
How worried should you actually be? An honest risk read
Your exposure scales with two things: how far your real security posture diverges from what you certified, and whether you knew (or should have known). An inflated score left standing, controls that exist only on paper, a signed affirmation with no verification behind it, a disgruntled insider, or an M&A event push you toward the high end. An accurate score, a documented POA&M you’re actually executing, and a briefed Affirming Official pull you toward the low end. The statute targets the misrepresentation, not the gap — which is precisely why the fix is forward-looking and within your control.
| Higher risk | Lower risk |
|---|---|
| SPRS score posted high, real implementation low | Score posted to match the evidence, even if it’s low |
| Controls documented but not actually operating | Controls implemented, with evidence in final form |
| Affirmation signed with no verification process | Affirming Official briefed on actual status before signing |
| Known gap, no POA&M, no correction | Real POA&M, executed, with documented decisions |
| Departing or disgruntled insider with visibility | A culture where gaps get raised and fixed internally |
| Pending acquisition with no cyber diligence | Cyber posture verified before the deal |
The basis for this read: the FCA’s knowledge and materiality standards (31 U.S.C. § 3729(b)); the annual affirmation requirement (32 CFR § 170.22); the “final evidence” scoring standard (32 CFR § 170.24); and the documented DOJ cyber-FCA settlements above.
If you see your company on the left, that’s not a verdict — it’s a to-do list. The companies in the settlements above weren’t doomed by having gaps. They were exposed by representing they didn’t. For the full penalty picture, see our guide to CMMC non-compliance penalties and penalties for an inaccurate SPRS score.
What we verified for this page
This page was built from primary and authoritative sources, not summarized from other articles. We read the governing rules and the statute directly, pulled every case fact from DOJ’s own releases (and the signed MORSECORP settlement agreement), and dated each figure that can change.
| What we verified | Source | Last verified |
|---|---|---|
| CMMC program, levels, assessments, affirmations, POA&M, flowdown | 32 CFR Part 170 (Federal Register) | |
| CMMC Level 2 maps to NIST SP 800-171 Rev. 2 (110 controls, 14 families) | 32 CFR Part 170 + NIST CSRC | |
| CMMC contract eligibility, current status, affirmation; Phase 1/Phase 2 timing | DFARS 252.204-7021 / -7025 (eff. Nov 10, 2025); 32 CFR § 170.3 | |
| FCA liability, knowledge standard, materiality | 31 U.S.C. § 3729 | |
| Qui tam structure and relator share | 31 U.S.C. § 3730; DOJ FCA Primer | |
| Per-claim penalty range ($14,308–$28,619) | DOJ inflation adjustment / 28 CFR § 85.5 | |
| FY2025 cyber-FCA totals ($52M / nine settlements) | DOJ FY2025 FCA statistics | |
| LOGZONE, Georgia Tech, MORSECORP, Raytheon, Aero Turbine, Illumina, Swiss Automation, Health Net, Penn State | DOJ press releases | |
| C3PAO conflict-of-interest / authorization rules | 32 CFR § 170.9; Cyber AB Code of Professional Conduct & Marketplace | |
We did not independently audit any company’s systems, and we are not a law firm. This is educational research, not legal, contractual, or compliance advice. Confirm scope and applicability with a CMMC Registered Practitioner (RP/RPO) or a qualified federal-contracts attorney. See our editorial standards and corrections policy.
Frequently asked questions
Can you get sued for false CMMC certification?
Yes. Knowingly misrepresenting your CMMC status, SPRS score, or annual affirmation can create False Claims Act liability (31 U.S.C. § 3729) — a civil action carrying treble damages plus per-claim penalties. DOJ recovered $52 million across nine cybersecurity False Claims Act settlements in the fiscal year ending September 2025.
Do I have to have intended to lie to be liable?
No. The False Claims Act’s “knowing” standard includes actual knowledge, deliberate ignorance, and reckless disregard, and it requires no proof of specific intent to defraud (31 U.S.C. § 3729(b)(1)). Signing or posting a certification without verifying its accuracy can meet the standard.
What's the penalty for a false CMMC self-assessment or SPRS score?
Treble (three times) the government’s damages plus a per-claim civil penalty of $14,308 to $28,619, adjusted annually for inflation. For scale: MORSECORP settled for $4.6 million, and Health Net Federal Services and its parent settled for $11,253,400.
Can a whistleblower sue me for false CMMC certification?
Yes. Under the qui tam provision (31 U.S.C. § 3730), a private individual can file under seal on the government’s behalf and collect 15%–25% if the government intervenes, or up to 30% if it doesn’t. In the cyber cases to date, the relator has usually been an insider — a security lead, a cybersecurity-team member, an engineer, or a quality-control manager.
Is a false SPRS score really a False Claims Act risk?
Yes, when it’s knowingly inflated and tied to award or payment — it’s the most common trigger in the cases to date. DFARS 252.204-7019 requires offerors to confirm a current NIST SP 800-171 score is posted in SPRS, and DOJ has built settlements around inflated or fictitious scores, including LOGZONE (a claimed 110 against an actual −170) and Georgia Tech (a score of 98 on a “virtual” environment).
Can the executive who signs the affirmation be personally liable?
The Affirming Official under 32 CFR § 170.22 is the senior official responsible for the accuracy of the annual affirmation, and the “should have known” standard means signing without a verification process is a real risk. Whether any individual faces personal liability is a fact-specific legal question for counsel. See our full analysis of CMMC affirming official personal liability.
Can you go to jail for false CMMC certification?
The False Claims Act is civil — the penalty is money. The same conduct can carry criminal exposure under 18 U.S.C. § 287 or § 1001, but every CMMC-adjacent cyber-fraud matter to date has resolved as a civil settlement, and criminal prosecution is reserved for the most clearly intentional conduct.
Can a subcontractor create False Claims Act risk for a prime?
A subcontractor’s false cybersecurity claim can create supplier, contract, flowdown, and potential FCA risk. CMMC requirements flow down based on FCI/CUI handling (32 CFR § 170.23). Verify a supplier’s claim with evidence before you allow CUI to flow, and note the December 2025 Swiss Automation settlement shows subcontractors are squarely in scope.
If we passed a C3PAO assessment, are we safe from false-claim risk?
A C3PAO assessment establishes a status for a defined scope and date — it does not make every later statement true. Misstating scope, letting an annual affirmation lapse, or representing “current” compliance after the environment has drifted can still create exposure.
We already posted a score we're not sure about — what should we do?
Stop repeating it, preserve the records, and talk to qualified federal-contracts counsel before correcting or disclosing — especially if the score was tied to award or payment. The FCA can reduce damages to as low as two times (instead of three) for violations voluntarily disclosed within 30 days with full cooperation, where no investigation has begun (§ 3729(a)).
Does an acquirer inherit this risk?
Yes. A July 2025 settlement named both a defense contractor and its private-equity owner over cybersecurity failures, making cyber-fraud exposure a real diligence item in defense-sector M&A.
Is this page legal advice?
No. It’s educational research from The Defense Compliance Report, an independent trade publication on CMMC 2.0 and DIB compliance. Confirm legal exposure with a qualified federal-contracts attorney, and confirm CMMC scope and applicability with a CMMC Registered Practitioner (RP/RPO). The contract clause and your CUI handling set your level — not a checklist.
Disclosure: The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. We may receive compensation for qualified introductions, sponsorships, or partner referrals when disclosed. Compensation does not control our regulatory analysis, provider-category recommendations, or Cyber AB status verification. This is educational research, not legal, contractual, or compliance advice; the contract clause and CUI handling set your level, not a checklist. Do not submit CUI, drawings, export-controlled data, contract numbers, or sensitive contract details through any form on this site.