The Defense Compliance Report · CMMC 2.0 & the Defense Industrial Base

Primary-sourced · Updated June 2026

CMMC Non-Compliance Penalties: What Actually Happens If You’re Not Ready

The Defense Compliance Report Editorial Team · Independent CMMC and DIB compliance research
Editorial research — not formally reviewed by a CMMC Subject Matter Advisor. Verify scope and applicability with a Registered Practitioner before acting.

Primary sources: 32 CFR Part 170 · DFARS 204.7502–204.7503 and 252.204-7012/-7019/-7020/-7021/-7025 · NIST SP 800-171 Rev. 2 and NIST SP 800-171A · 28 CFR 85.5 and the False Claims Act (31 U.S.C. 3729) · 18 U.S.C. 1001 · DOJ Civil Cyber-Fraud Initiative settlements through June 18, 2026.

If a defense contract requires CMMC and you can’t prove you have it, the government doesn’t mail you a fine. It does something quieter and, for most companies, worse: it stops doing business with you.

That’s the part most articles about CMMC non-compliance penalties get wrong. They picture a fine schedule that doesn’t exist. The real penalties come from two completely separate directions — and the more dangerous one isn’t triggered by being behind on your controls. It’s triggered by saying you’re compliant when you’re not.

Bottom line up front

CMMC non-compliance penalties fall into two buckets. The first is lost eligibility: under DFARS 204.7503, a contracting officer must check SPRS and shall not award you a contract, exercise an option, or extend your period of performance without the CMMC status your contract requires. The second is legal liability: if you knowingly misrepresent your cybersecurity compliance, you can face the False Claims Act — treble (3×) damages plus a civil penalty of $14,308 to $28,619 per claim — and, potentially, criminal exposure under 18 U.S.C. 1001. Which bucket lands on you depends on one question: are you simply not certified yet, or have you already claimed a status you can’t back up?

Two days before we last updated this page, the Justice Department handed us the cleanest example we’ve ever seen of that second bucket — a contractor that posted a perfect score it didn’t have. We’ll get to it. First, the map.

| | Bucket 1 — Lost eligibility | Bucket 2 — Legal liability |
|---|---|---|
| What triggers it | Not holding the CMMC status your contract requires | Knowingly misrepresenting your compliance — a false SPRS score, a false affirmation, billing while knowingly non-compliant |
| Who acts | The contracting officer, and your prime | The Department of Justice (civil, and potentially criminal); the contracting officer (contract remedies) |
| What happens | No award; no option exercise; no extension; removal from a prime’s supply chain | Treble damages + $14,308–$28,619 per claim; possible criminal exposure under 18 U.S.C. 1001; contract remedies; possible suspension or debarment |
| Primary source | DFARS 204.7503(b)–(c); 32 CFR 170.3 | False Claims Act (31 U.S.C. 3729); 28 CFR 85.5; 18 U.S.C. 1001; FAR Subpart 9.4 |
| Is there a “DoD fine”? | No — it’s an eligibility gate, not a citation | No DoD fine — the money flows through DOJ, not a penalty notice from the Pentagon |
| The relief valve | Achieve required status before award; Levels 2 and 3 can take a Conditional status with a 180-day window to finish | Accuracy and documented good faith; voluntary self-disclosure has earned real cooperation credit |

First, the honest part: there is no CMMC “fine schedule”

There is no published list that says “fail this CMMC control, pay this dollar amount.” We’ve read the rules, and that schedule doesn’t exist. Anyone handing you a precise “CMMC fine” number is guessing — because the real financial exposure depends on facts that only your contract, your claims, and (if it ever gets that far) a court can settle. That’s the truth, and we’d rather tell you than sell you a scary number.

Here’s why that matters, and why it’s good news for you. CMMC non-compliance is not a parking ticket with a fixed price. The consequence depends on the clause in your contract, the level it requires, your assessment type, the accuracy of your SPRS record, what information you handle, what stage your contract is at, and — this is the hinge — what your company knew when it made a representation to the government. Get the framing right and most of the panic drains out, because you stop bracing for a fine that isn’t coming and start triaging the risk that actually applies to you.

What we can give you is the part nobody else has assembled in one place: the exact consequence by trigger, the primary source behind it, what it means in practice, and the first safe move. That’s the rest of this page.

Which CMMC non-compliance penalties actually apply to you? (Start here)

The fastest way to calm a CMMC scare is to figure out which bucket you’re in, because a stale affirmation, a missing certificate, an expired conditional status, an inflated SPRS score, and a knowingly false claim are different problems with different next steps. Find your row below before you do anything else — and before you call a single vendor.

| Your situation | Which bucket | What’s likely | Primary source |
|---|---|---|---|
| Behind on controls, no required status yet, contract requires one | Eligibility | Non-responsive proposal; no award or option | DFARS 204.7503; 32 CFR 170.3 |
| Conditional Level 2/3 status is past its 180-day closeout window | Eligibility first; representation risk if later statements are unsupported | Status expires; a renewed or later affirmation that still claims support can create legal risk | DFARS 204.7502; 32 CFR 170.21–170.22 |
| You posted an inflated or unsupported SPRS score | Representation risk | Possible False Claims Act exposure if the score was knowingly false and material to award, payment, or an option decision | DFARS 252.204-7019/-7020; 31 U.S.C. 3729 |
| You signed or re-signed an affirmation you can’t support with evidence | Legal / representation risk | Possible FCA “reckless disregard” exposure; possible 18 U.S.C. 1001 exposure if the statement was knowingly and willfully false | 32 CFR 170.22; 18 U.S.C. 1001 |
| Subcontractor can’t show the required status to a prime | Eligibility | Cut from the supply chain; lost subcontract | DFARS 252.204-7021; 32 CFR 170.23 |
| Prime that shared FCI/CUI with a non-compliant sub | Both | Your own eligibility and liability risk | DFARS 252.204-7012; 252.204-7021 |

Notice the pattern. Almost everything in the “eligibility” rows is fixable on your own timeline. The rows that cross into “legal” all share one ingredient — a representation that doesn’t match reality, made knowingly. Being behind is not, by itself, a False Claims Act case. Saying you’re not behind when you are is where the real exposure begins. That distinction runs through this entire page.

The right next step also isn’t the same for every contractor. The category you need — a C3PAO (Certified Third-Party Assessment Organization), an RPO (Registered Provider Organization), an MSSP (Managed Security Service Provider), a GRC platform, or a CUI enclave — depends on your required CMMC level, whether you handle FCI (Federal Contract Information) or CUI (Controlled Unclassified Information), your assessment type, your cloud and IT environment, and your contract timeline.


Bucket 1: How CMMC non-compliance costs you contracts

The most common CMMC penalty isn’t a fine — it’s disqualification. When a solicitation requires a CMMC level, DFARS 204.7503(b) directs the contracting officer to check SPRS and not award a contract, task order, or delivery order to an offeror that lacks a current CMMC status at the required level, or higher, for each system that will handle FCI or CUI. It’s an eligibility gate, not a citation: you either have the status posted in SPRS or you don’t, and if you don’t, the rule directs the officer not to award.

We pulled the regulatory text from Acquisition.gov so we could quote it precisely rather than paraphrase a vendor’s summary. The clause does three things that should reshape how you think about “penalties”:

It blocks awards. Under DFARS 204.7503(b), the contracting officer “shall check SPRS and not award” without your current status posted at the required level for each CMMC unique identifier. No status, no award.

It blocks renewals. This is the one incumbents miss. DFARS 204.7503(c) says the contracting officer “shall check SPRS and not exercise an option or extend the period of performance” unless your current status is posted at the required level. A contract you already hold can stall at the option date if your status lapsed during performance.

It flows downhill. If your prime’s contract carries CMMC requirements and you handle FCI or CUI, the requirement flows down to you (DFARS 252.204-7021; 32 CFR 170.23). Primes don’t wait for the government to act. To protect their own eligibility, they cut suppliers who can’t show the required status — and in a consolidating supply base, “we’re working on it” loses to “we’re done.”

The 180-day relief valve (Levels 2 and 3 only)

You are not automatically locked out the moment you’re imperfect. For CMMC Levels 2 and 3 only, DFARS 204.7502 (mirroring 32 CFR 170.21) permits an award with a Conditional CMMC status for up to 180 days from the conditional date, while you close remaining items on a Plan of Action and Milestones (POA&M). Two cautions: Level 1 cannot use a POA&M at all, and the rule sets a minimum assessment score plus a list of higher-weight requirements that cannot be deferred — so “we’ll POA&M it” is not a universal escape hatch. Treat the 180 days as a hard clock with proof attached to every closed item.

When the eligibility risk turns on for you

CMMC is phasing into contracts on a published schedule. The 48 CFR CMMC Acquisition Rule took effect November 10, 2025, and the program rolls out over four phases under 32 CFR 170.3(e). DoD built real discretion into the early phases, so read this as the outer envelope of what a contract can require:

| Phase | Begins | What a contract can require |
|---|---|---|
| Phase 1 | Nov 10, 2025 | Level 1 (Self) or Level 2 (Self) as a condition of award. DoD may, at its discretion, require Level 2 (C3PAO) instead, and may attach a Level 1/2 self-assessment to an option exercise. |
| Phase 2 | Nov 10, 2026 | Adds Level 2 (C3PAO) certification as a condition of award. DoD may delay the C3PAO requirement to an option period and may begin including Level 3 (DIBCAC). |
| Phase 3 | Nov 10, 2027 | Level 2 (C3PAO) for award and to exercise options on contracts awarded after the rule’s effective date; Level 3 (DIBCAC) at award (DoD may delay Level 3 to an option period). |
| Phase 4 | Nov 10, 2028 | Full implementation across all applicable contracts, including option periods on contracts awarded before Phase 4. |

Source: 32 CFR 170.3(e). See also: CMMC implementation phases explained.

The takeaway: even if your current solicitations are quiet, the clause is coming. The pool of authorized C3PAOs is small relative to the number of companies that will eventually need one, and scheduling is expected to tighten as the Phase 2 deadline approaches. That’s a real calendar pressure, not a marketing countdown.

Quick award-risk check before you bid

  • Does the solicitation include CMMC language (DFARS 252.204-7021 / -7025)?
  • Which level does it require — Level 1, Level 2 self, Level 2 C3PAO, or Level 3?
  • Which of your systems process, store, or transmit FCI or CUI under this contract?
  • Is your affirmation current, not just your assessment?
  • Does your posted scope actually match the contract’s scope?

Bucket 2: How the False Claims Act turns non-compliance into money owed

The False Claims Act (31 U.S.C. 3729) is where cybersecurity non-compliance can become a financial penalty — and it does not require a data breach. Liability attaches when a contractor knowingly submits or causes a false claim, or makes a false statement material to one. The price tag is steep: treble (3×) the government’s damages, plus a civil penalty of $14,308 to $28,619 for every false claim. “Knowingly” is broader than most executives assume — it includes reckless disregard and deliberate ignorance, so “we didn’t look too closely” is not a defense.

We verified the penalty figures against the Department of Justice’s codified table at 28 CFR 85.5. The band — $14,308 minimum to $28,619 maximum per claim — has been in effect for penalties assessed since July 3, 2025 and remains current in 2026, on top of treble damages. Because penalties apply per claim, and a single contract can generate dozens of invoices and affirmations, totals climb into the millions fast.

No breach required. DOJ’s Civil Cyber-Fraud Initiative targets three things: knowingly providing deficient cybersecurity products or services, knowingly misrepresenting cybersecurity practices or protocols, and knowingly violating obligations to monitor or report. None of those requires that information was actually stolen. In the Georgia Tech settlement, for example, the government alleged no data breach at all. You can be fully un-breached and still exposed.

Your own employees can file. The FCA’s qui tam provision (31 U.S.C. 3730) lets a private citizen — usually a current or former insider — sue on the government’s behalf and collect a share of the recovery: generally 15–25% when the government intervenes, and up to 30% when it doesn’t. In the cybersecurity cases, the whistleblowers have been engineers, security leads, and compliance officers. The person who knows your real posture is often the person with the strongest incentive to report it.

Counsel belongs before a vendor. If your exposure is in this bucket, the first call is a qualified federal-contracts attorney, not a remediation quote. We say more about sequencing below.

Is an SPRS score the same as CMMC status?

No — and conflating them is how good companies stumble into bucket two. An SPRS score reflects your NIST SP 800-171 DoD self-assessment under DFARS 252.204-7019/-7020. CMMC status is the separate verification layer required under DFARS 252.204-7021/-7025 when a solicitation calls for it. The affirmation is a third thing: a senior official’s signed attestation in SPRS that the organization meets its requirements. You can have a posted score, a CMMC status, and an affirmation that don’t all line up — and the gap between them is exactly what enforcement looks for.

In plain terms: the score is a number you self-report; the status is what DoD verifies (by self-assessment or by a C3PAO); the affirmation is a person putting their name behind both. Keep them distinct, because the penalties attach differently. A missing status is an eligibility problem. An inflated score paired with continued billing is a representation problem — the LOGZONE and MORSECORP cases below turn on exactly that.

The affirmation trap: your personal — and criminal — exposure

Under 32 CFR 170.22, a senior official your company designates as the Affirming Official must attest in SPRS that the organization has implemented and will maintain all applicable CMMC requirements — at certification, every year after, and at POA&M closeout. The affirmation language warns that misrepresenting that status may result in criminal prosecution under 18 U.S.C. 1001, civil liability under the False Claims Act, and contract remedies. Each annual affirmation is a fresh, individually signed legal certification. This is the part of CMMC that reaches past the company and touches a person.

We read 32 CFR 170.22 in the eCFR and verified the affirmation warning text from publicly posted CMMC affirmation materials. The government’s own warning is blunt:

“Misrepresentation of this CMMC compliance status to the Government may result in criminal prosecution, including actions under section 1001, Title 18 of the United States Code, civil liability under the False Claims Act, and contract remedies as determined appropriate by the contracting officer.”

Three exposure paths, named in one screen, signed by one person. The Affirming Official is typically a C-level executive or director. Delegating the click to someone who hasn’t been briefed on the real posture doesn’t reduce the exposure; it just adds an unbriefed signature. And because the affirmation is annual, the exposure renews every cycle, whether or not your posture actually held.

What does 18 U.S.C. 1001 mean in practice? It’s the federal false-statements statute: a knowingly and willfully false statement to the government can carry fines and imprisonment of up to five years. Nobody at your company should sign or re-sign an affirmation they can’t personally support with evidence.

If a representation may already be wrong, slow down before you make another one.

Preserve the record first. If a claim, invoice, SPRS score, or affirmation may be inaccurate, talk to qualified federal-contracts counsel before you correct, re-file, or re-attest — the order of operations matters here. Once the legal question is triaged, use the Find My CMMC Path tool to identify the remediation category you likely need. No CUI in the form.


Has anyone actually been penalized? (Yes — and here’s the proof)

Yes. Since the Justice Department launched its Civil Cyber-Fraud Initiative in October 2021, it has resolved a steady run of cybersecurity False Claims Act matters against defense contractors, universities, and their owners. The nine defense and federal cybersecurity settlements below total more than $47 million — and across DOJ’s entire False Claims Act docket, FY2025 recoveries exceeded $6.8 billion. The newest cyber case, settled June 18, 2026, is the clearest illustration yet of how a false score becomes a federal penalty.


The case that proves the thesis: LOGZONE (June 2026)

In October 2021, Huntsville, Alabama defense contractor LOGZONE Inc. posted a perfect self-assessment score of 110 in SPRS for its NIST SP 800-171 implementation on two Navy contracts. When the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) reviewed the company’s actual implementation, it scored −170 — near the bottom of the methodology’s range of −203 to 110. The government alleged LOGZONE kept invoicing the Navy from 2021 through March 2025 despite the gap. On June 18, 2026, LOGZONE agreed to pay $507,144 to resolve its False Claims Act liability. (The settlement resolves allegations only; there was no determination or admission of liability.)

Read that scoreboard again: claimed 110, actually −170. LOGZONE wasn’t penalized for being behind on controls — plenty of companies are behind. It was penalized for the distance between what it said and what was true, and for continuing to bill against it. That is bucket two in a single fact pattern.

And it isn’t a one-off: MORSECORP (March 2025)

A year earlier, DOJ settled with Massachusetts defense contractor MORSECORP on nearly identical facts. MORSE posted a score of 104 in SPRS. In July 2022, a third-party consultant told the company its real score was −142. MORSE didn’t correct the SPRS record until June 2023 — three months after the United States served it with a subpoena. MORSE paid $4.6 million and admitted responsibility for using unsecured third-party email, failing to implement NIST SP 800-171 controls, lacking a consolidated system security plan, and failing to correct its score until after the subpoena. The whistleblower — MORSE’s own head of security — received $851,000.

Two cases, same shape: a high posted score, a deeply negative real score, and continued government billing in between. If you take one thing from this page, take that pattern.

The broader enforcement ledger

Every amount below links to the DOJ announcement. CMMC certificates were not yet contractually required during most of this conduct; these cases resolved the underlying NIST SP 800-171 and DFARS obligations that CMMC now verifies.

| Settlement | Announced | Amount | Core allegation (abridged) |
|---|---|---|---|
| Aerojet Rocketdyne | Jul 2022 | $9,000,000 | Misrepresented compliance with DoD/NASA cybersecurity requirements |
| Pennsylvania State University | Oct 2024 | $1,250,000 | Failed NIST SP 800-171 controls; misrepresented SPRS scores (whistleblower share $250,000) |
| Health Net Federal Services / Centene | Feb 2025 | $11,250,000 | Falsely certified compliance on a DoD TRICARE contract; scanning, access-control, and patching failures |
| MORSECORP Inc. | Mar 2025 | $4,600,000 | Posted 104; actual score −142; didn’t correct until after a subpoena (whistleblower share $851,000) |
| Raytheon / RTX / Nightwing | May 2025 | $8,400,000 | Non-compliance across 29 DoD contracts (whistleblower share $1,512,000) |
| Aero Turbine / Gallant Capital | Jul 2025 | $1,750,000 | NIST SP 800-171 failures + unauthorized foreign access; self-disclosed |
| Illumina Inc. | Jul 2025 | $9,800,000 | Sold federal agencies software with cybersecurity vulnerabilities |
| Georgia Tech Research Corp. | Sep 2025 | $875,000 | No system security plan; no anti-virus on a DoD/DARPA research lab (whistleblower share ~$201,250) |
| LOGZONE Inc. | Jun 2026 | $507,144 | Posted 110; actual DIBCAC score −170; kept invoicing |

These are settlements, not verdicts; several explicitly resolve allegations with no admission of liability (MORSE is an exception — it admitted responsibility). The dollar figures are often a fraction of contract value, not a multiple of it. What the record proves is narrow but important: cybersecurity representations are enforced, they’re enforced without a breach, and they’re increasingly surfaced by insiders.

The counter-move that actually helps: self-disclosure

When Aero Turbine and its private-equity owner Gallant Capital discovered their problems — NIST SP 800-171 gaps and improper foreign access to sensitive defense data — they made multiple written self-disclosures, cooperated, and remediated. DOJ explicitly credited that cooperation in the $1.75 million resolution. As the Assistant Attorney General put it, contractors “can mitigate the consequences by making timely self-disclosures, cooperating with investigations, and taking prompt remedial measures.” Translation: hiding it makes it worse; surfacing it — with counsel — can make it materially better.

What happens if you fail a CMMC assessment?

Failing a CMMC assessment usually creates an eligibility problem, not an automatic False Claims Act problem. You either don’t receive a status, or — for Levels 2 and 3 — you may receive a Conditional status with 180 days to close your POA&M (DFARS 204.7502). The legal risk rises only when the result is misrepresented, ignored in a later affirmation, or contradicted by claims, invoices, or SPRS records. A failed assessment, handled honestly, is a project plan. A failed assessment, papered over, is the start of a bucket-two problem.

The practical sequence after a miss: confirm whether you qualify for Conditional status, build a POA&M with proof attached to each item, and make sure your SPRS record and any affirmation reflect reality — not the score you wish you had. Do not re-attest to a status you didn’t achieve. That single discipline keeps a bad assessment from becoming a legal one. See also: what to do after a CMMC gap assessment.

CMMC penalties by level: what changes at Level 1, 2, and 3

The consequence of non-compliance scales with the level your contract requires and the assessment type that goes with it. Level 1 covers FCI and is self-assessed annually; Level 2 covers CUI and uses the 110 NIST SP 800-171 Rev. 2 requirements (self-assessed or C3PAO-assessed, depending on the contract); Level 3 adds 24 enhanced requirements selected from NIST SP 800-172 — 134 in total — and is assessed by DIBCAC. Don’t build your plan around NIST SP 800-171 Rev. 3: under the current CMMC Final Rule, Level 2 maps to Rev. 2.

| Required level | Standard / source | Assessment type | Main non-compliance consequence | Don’t confuse it with |
|---|---|---|---|---|
| Level 1 | 15 safeguarding requirements (FAR 52.204-21) | Annual self-assessment + annual affirmation | Missing status/affirmation blocks award where required; no POA&M allowed | Level 1 is for FCI only — not a CUI environment |
| Level 2 (Self) | 110 requirements, NIST SP 800-171 Rev. 2 | Triennial self-assessment + annual affirmation | A wrong score or affirmation can block award and create FCA risk | Same controls as Level 2 C3PAO — different validation path |
| Level 2 (C3PAO) | 110 requirements, NIST SP 800-171 Rev. 2 | C3PAO assessment + annual affirmation | No current certificate blocks award/options where required | Your readiness help and your assessor should be separate |
| Level 3 | Level 2 + 24 selected NIST SP 800-172 requirements (134 total) | DIBCAC assessment | Higher scrutiny; no Level 3 status blocks eligible work | Level 3 is for the most sensitive CUI — not “Level 2 plus” |

Two specifics that are easy to get wrong: the 110 Level 2 requirements sit across 14 control families and are assessed using the objectives in NIST SP 800-171A (320 of them) — so “we did most of it” is not the same as “we pass.” And the DoD assessment scoring methodology runs from −203 to 110, which is how a company can sincerely believe it’s close while sitting deep in the negatives. See also: CMMC Level 2 requirements explained and the NIST 800-171 checklist.

Is CMMC non-compliance the same as DFARS 252.204-7012 non-compliance?

No. DFARS 252.204-7012 created the underlying duties — safeguard covered defense information and report cyber incidents within 72 hours — years before CMMC existed. CMMC (32 CFR Part 170, implemented by DFARS 252.204-7021) adds a verification and status layer on top. You can carry DFARS 7012 obligations today even if a specific CMMC status requirement hasn’t appeared in your contract yet. “CMMC isn’t in my contract” does not mean “no cyber obligation.”

| Clause / provision | What it requires | What gets posted to SPRS | When it bites |
|---|---|---|---|
| DFARS 252.204-7012 | Safeguard covered defense information; report cyber incidents within 72 hours; flow down | Incident reports to DoD | The bedrock duty — applies whether or not CMMC is in the contract |
| DFARS 252.204-7019 / -7020 | Perform the NIST SP 800-171 DoD assessment; post the score; allow a DoD-led assessment | Your NIST SP 800-171 self-assessment score | A wrong score here is what created the LOGZONE and MORSE cases |
| DFARS 252.204-7021 | Hold and maintain the required CMMC status; submit the annual affirmation | Your CMMC status and affirmation | Blocks award/option without current status (via DFARS 204.7503) |
| DFARS 252.204-7025 | Solicitation provision making CMMC status a condition of award eligibility | Status checked at evaluation | At the proposal gate |

Most of the DOJ settlements above pre-date the CMMC clause and turned on 7012, 7019, 7020, FAR 52.204-21, and SPRS accuracy. That’s the point: the obligations were always there. CMMC just makes them checkable at the contract gate.

Penalties for subcontractors and primes

Subcontractors face the eligibility penalty most directly: if you can’t show the required status for the FCI or CUI you’ll handle, the prime can refuse to flow work to you — and increasingly, they will, to protect their own contract. Primes carry a two-sided risk: they must verify their subs’ status before sharing covered information, and they inherit exposure when they don’t.

What level does a subcontractor actually need? It depends on the data — not on the prime’s level by default. Per 32 CFR 170.23 and DoD’s CMMC guidance:

| If the subcontractor will… | Minimum CMMC status |
|---|---|
| Process, store, or transmit only FCI (not CUI) | Level 1 (Self) |
| Process, store, or transmit CUI | Level 2 (Self), at minimum |
| Process, store, or transmit CUI, and the prime contract requires Level 3 | Level 2 (C3PAO), at minimum — not automatically Level 3, unless the contract requires more |
| Not touch FCI or CUI at all | No CMMC assessment requirement for that subcontract |

For subcontractors, the move is to prepare a clean evidence package — your level, scope, status, and affirmation — that you can share without transmitting CUI. For primes, the move is a verification process that requests proof (status in SPRS, certificate details) rather than relying on a vendor’s verbal “we’re compliant.” Neither side should ever route CUI, drawings, or sensitive contract details into a generic form or questionnaire.

What to do first if you discover you’re not compliant

Don’t start with a vendor quote. Start by establishing the facts, in order: identify the clause, confirm whether you handle FCI or CUI, verify your current status in SPRS, preserve the evidence trail, and decide whether counsel is needed before you change anything. The single most expensive mistake we see is “fixing” the paperwork before understanding the facts — because a hasty correction or a fresh affirmation can convert a quiet eligibility gap into a documented false statement.

  1. Find the clause. Is DFARS 252.204-7021 (and -7025) in the solicitation or contract, and what level does it require?
  2. Confirm the data. FCI, CUI, both, or genuinely unclear? This sets your level — the clause and the data do, not a checklist.
  3. Verify status in SPRS. What does your record actually say today, and does its scope match the contract?
  4. Freeze the evidence. Preserve contracts, SPRS submissions, assessment records, affirmations, SSP versions, POA&Ms, and any internal communications about known gaps — before anyone edits them.
  5. Triage legal exposure. If claims, invoices, scores, or affirmations may already be inaccurate, talk to qualified federal-contracts counsel before correcting or re-attesting.
  6. Route the remediation to the right provider category based on your scope and stage (next section).
  7. Schedule a C3PAO only when you’re assessment-ready — not as step one. See: CMMC Level 2 assessment preparation.


What NOT to do after you find a problem

Do not backdate evidence, “correct up” an SPRS score you can’t support, sign a fresh affirmation to paper over gaps, keep billing while knowingly non-compliant, or send CUI into a vendor form. Each of these can turn a manageable eligibility issue into a False Claims Act or false-statement problem. When in doubt, preserve the record, get the legal question triaged, and separate the legal track from the technical track. This is the cheapest advice on this page, and the most ignored.

Which provider category fits — and why your assessor usually shouldn’t be your fixer

The right first move depends on your risk type, not on whoever calls first. If false-claim exposure is on the table, start with counsel. If the problem is scope, readiness, or implementation, an RPO, MSSP, or managed-compliance provider fits. If it’s evidence and workflow, a GRC platform supports the others. If CUI is sprawled across email and endpoints, a CUI enclave can shrink your scope. A C3PAO comes last — and only when you’re assessment-ready. A core independence principle runs through all of this: the organization that helps you get ready generally should not be the one that formally assesses you.

| Your situation | Start here | Why | What this category can’t do |
|---|---|---|---|
| Possible inaccurate claims, invoices, SPRS score, or affirmation | Federal-contracts attorney | Legal exposure must be triaged before any sales conversation | Can’t make a knowingly false representation “go away” — only the facts and disclosure choices do |
| You don’t know your level, scope, or FCI/CUI boundary | RP/RPO (or the Find My CMMC Path tool) | Scope errors cause wrong provider selection | Can’t issue your CMMC certificate |
| Level 2 applies but controls aren’t implemented | CMMC-focused MSSP / readiness provider | Remediation has to happen before assessment | Can’t also serve as your C3PAO for that assessment |
| Evidence exists but is scattered | GRC platform / documentation workflow | Evidence organization is often the real bottleneck | Software alone doesn’t make you compliant — it organizes the work |
| CUI is spread through email, endpoints, or commercial cloud | CUI enclave / secure collaboration | Scope reduction can lower cost and assessment complexity | Doesn’t cover requirements outside the enclave’s boundary |
| You’re ready for a formal Level 2 certification | Authorized C3PAO | Assessment follows readiness, never the reverse | Can’t guarantee a passing result; can’t give you remediation advice for the same engagement |

If a single vendor offers to both fix and certify the same environment, treat it as a flag, not a convenience. See also: CMMC provider categories.

What we verified for this page

We don’t ask you to take our word for the numbers here. For this update (last reviewed June 20, 2026), here is what we checked and where:

Where something is editorial analysis drawn from the sources above, we’ve labeled it accordingly. See our editorial standards and corrections policy.

Frequently asked questions

Most CMMC penalty questions trace back to one misunderstanding: people expect a single fine. The real answer depends on your clause, level, assessment type, SPRS accuracy, CUI scope, contract stage, and whether a representation was knowingly false. Short, sourced answers below.

Does the DoD fine you for not being CMMC compliant?

No. There is no DoD-issued CMMC fine. Non-compliance costs you eligibility — under DFARS 204.7503, the contracting officer can’t award, exercise an option, or extend without your required status in SPRS — and knowingly misrepresenting compliance can trigger False Claims Act and criminal liability (31 U.S.C. 3729; 18 U.S.C. 1001).

How much are the False Claims Act penalties for CMMC non-compliance?

Treble (3×) the government’s damages plus a civil penalty of $14,308 to $28,619 per claim, current in 2026 (28 CFR 85.5). Because penalties apply per claim, totals can reach the millions.

Can a small business or subcontractor really be penalized?

Yes. Subcontractors lose eligibility and supply-chain position under flow-down (DFARS 252.204-7021; 32 CFR 170.23), and DOJ has settled cyber FCA cases against mid-size firms, a logistics contractor, and universities — not only large primes.

What happens if you fail a CMMC assessment?

You receive no status, a Conditional status if eligible (Levels 2/3, 180 days), or you remediate and reassess. Failing an assessment is not itself a False Claims Act violation — misrepresenting the result would be.

What happens if my conditional status expires?

Conditional status is current for up to 180 days (DFARS 204.7502; 32 CFR 170.21). If you miss the closeout, the status lapses for award and option purposes, and a later or renewed affirmation that still claims support can create legal risk.

Can a wrong SPRS score create False Claims Act risk?

It can, depending on the facts. The risk rises when the score was knowingly false and material to award, payment, or an option decision — which is precisely the LOGZONE and MORSE pattern: a high posted score, a deeply negative real score, and continued billing in between.

Who signs the CMMC affirmation, and what exposure can a false affirmation create?

The Affirming Official — the named senior official who submits the affirmation in SPRS under 32 CFR 170.22 — attests to the company’s compliance. A knowingly and willfully false affirmation may create personal exposure under 18 U.S.C. 1001, along with civil False Claims Act and contract consequences, depending on the facts.

Does CMMC Level 2 use NIST SP 800-171 Rev. 2 or Rev. 3?

Rev. 2. Under the current CMMC Final Rule, Level 2 maps to the 110 requirements in NIST SP 800-171 Rev. 2; DoD would need to amend the rule to adopt a later version.

Should I call a C3PAO if I’m not compliant?

Usually not first. A C3PAO performs the assessment; readiness and remediation should be handled separately to preserve assessment integrity and avoid a conflict of interest under the Cyber AB CMMC Assessment Process.

Should I talk to a lawyer before fixing CMMC issues?

If inaccurate claims, invoices, scores, or affirmations may already exist, yes — consult qualified federal-contracts counsel before making corrections or new representations.

Disclosure: The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. We may receive compensation for qualified introductions, sponsorships, or partner referrals when disclosed. Compensation does not control our regulatory analysis, provider-category recommendations, or Cyber AB status verification.