The Defense Compliance Report: CMMC 2.0 & the Defense Industrial Base

DoD Cybersecurity Whistleblower / CMMC Qui Tam Risk: What Defense Contractors Should Verify Before They Certify

The Defense Compliance Report Editorial Team (independent CMMC and DIB compliance research)
Last reviewed: June 2026

Educational research, not legal, contractual, or compliance advice. Confirm scope and applicability with a CMMC Registered Practitioner (RP/RPO) or a qualified federal-contracts attorney.

The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. We are not affiliated with the Cyber AB, the Department of Defense, DCMA DIBCAC, NIST, the Department of Justice, or any U.S. government agency.


On June 18, 2026, a Huntsville logistics contractor named LOGZONE agreed to pay $507,144 to the United States. The Justice Department’s announcement describes no breach — nobody is alleged to have stolen anything. The problem was a number: in October 2021 the company reported a perfect self-assessment score of 110 in the Pentagon’s supplier system, and in 2024 a government assessment scored the same environment at negative 170, 280 points lower. That gap is the case.

Here’s the bottom line. “DoD cybersecurity whistleblower / CMMC qui tam” risk is real, it is active, and it is almost never about being hacked. It’s about a cybersecurity statement — an SPRS score, a CMMC affirmation, a System Security Plan, a proposal certification, a subcontractor attestation — that you cannot back up with evidence. The False Claims Act lets the government, and private whistleblowers acting on its behalf, pursue contractors who knowingly make false statements tied to government payments or contract eligibility (31 U.S.C. § 3729). In fiscal year 2025, DOJ reported roughly $52 million across approximately nine cybersecurity False Claims Act settlements, and the trend is accelerating.

If something just happened — an employee raised a concern, a prime demanded proof, an executive is about to click “affirm,” or you found a score that doesn’t add up — the next section tells you exactly where to start. We’ll be honest about what this page can and can’t do for you, walk through the DOJ cases that define the risk, and map your situation to the next correct step. No fear-mongering. Just the primary sources and a clear path.


Which situation are you in? Start here.

Different triggers need different first moves. Find yours, then read the section it points to.

If this just happened | Your first move | Do not do this
An employee, consultant, or ex-employee raised a cybersecurity/CMMC concern | Preserve the records and bring in qualified counsel before you respond | Don’t retaliate, delete tickets, or treat it as ordinary HR noise — see “Someone raised a concern” below
An executive is about to affirm CMMC status in SPRS | Verify scope, score, SSP, POA&M, and the evidence behind each control first | Don’t click “affirm” because “we’re working on it” — see “Is your SPRS score defensible?”
A prime asked you to certify CMMC or NIST 800-171 posture | Map the clause, the data, the system, and the required level before you answer | Don’t send CUI, drawings, or contract details through email or a form
You found an inflated SPRS score | Freeze the evidence trail, then get legal and compliance triage | Don’t quietly overwrite the record — see “What if you already posted a bad score?”
You’re an employee who saw something and wonder if you can report it | Understand the qui tam process and your protections, then talk to a qualified False Claims Act attorney | Don’t assume a web page (this one included) can tell you whether you have a case — jump to your options as a whistleblower
A C3PAO assessment is scheduled but gaps remain | Confirm readiness and POA&M eligibility | Don’t ask the assessor to fix the environment they’re going to assess

This page is built mostly for the defense contractor side — the owner, CISO, IT director, FSO, contracts officer, or compliance lead asking “could one of our statements be used against us, and what do we fix first?” If you’re an employee weighing whether to report your employer, we serve you too — honestly, and without a sales pitch — in a dedicated section below.


What we actually verified for this guide

Who: The Defense Compliance Report Editorial Team.

How: We verified the cited False Claims Act sections against the official U.S. Code; confirmed the 2025 per-claim penalty figures against the Justice Department’s inflation-adjustment rule in the Federal Register; pulled the FY2025 recovery totals from DOJ’s published False Claims Act statistics; read the LOGZONE, MORSECORP, Aerojet Rocketdyne, and Georgia Tech DOJ press releases and, where publicly available, the court and settlement documents; cross-walked 32 CFR Part 170 and DFARS 252.204-7019, -7020, -7021, and -7025 for the contractual-representation chain; and confirmed SPRS field definitions against DISA’s published SPRS documentation.

Limitations: This is educational research, not legal, contractual, or compliance advice. Confirm scope and applicability with a CMMC Registered Practitioner (RP/RPO) or a qualified federal-contracts attorney. The contract clause and your CUI handling set your CMMC level — not a checklist. Do not submit CUI, drawings, or sensitive contract details through any public form.


Can a DoD cybersecurity whistleblower bring a CMMC qui tam case?

Yes. A cybersecurity insider can bring a “qui tam” case — a whistleblower lawsuit under the False Claims Act, where a private person (a “relator”) sues on the government’s behalf and shares in any recovery (31 U.S.C. § 3730). But “CMMC qui tam” is shorthand, not a separate bounty program. The exposure comes from knowingly false or unsupported cybersecurity statements tied to government payment, award eligibility, or contract performance.

Qui tam is older than the Pentagon. The phrase is Latin, the statute dates to the Civil War, and the mechanics are simple: an individual with knowledge of fraud against the United States files a complaint under seal in federal court, hands the government a written disclosure of their evidence, and the Department of Justice decides whether to take over the case. If the government joins (“intervenes”), the relator collects 15% to 25% of the recovery. If the government declines, the relator can proceed alone and collect 25% to 30%.

What changed is the subject matter. In October 2021, the Department of Justice launched its Civil Cyber-Fraud Initiative, announcing it would use the False Claims Act against contractors and grant recipients that knowingly provide deficient cybersecurity, knowingly misrepresent their security practices, or knowingly fail to report incidents (DOJ). DOJ has made clear that this initiative is not going away — and in January 2026, Deputy Assistant Attorney General Brenna Jenny stated at an industry conference that these cases are “not about data breaches” but are instead “premised on misrepresentations.”

The numbers show the trend is accelerating. In fiscal year 2025, DOJ’s False Claims Act statistics reported a record $6.8 billion in total recoveries and an all-time-high 1,297 new qui tam suits; cyber-fraud cases accounted for roughly $52 million across about nine settlements, and DOJ reported that cyber-fraud recoveries have more than tripled in each of the last two years (DOJ FY2025 statistics).

What this page can’t do — and why that makes it useful. This page cannot tell you whether your company has False Claims Act liability, whether a particular employee has a viable case, or whether you’re legally required to disclose something. Those are questions for a qualified federal-contracts attorney. What we can do is help you see which of your cybersecurity statements is most exposed, what evidence sits behind it, and which kind of help you actually need next — counsel, readiness, remediation, scope reduction, or assessment — so you don’t spend six figures aimed at the wrong problem.


Is CMMC noncompliance itself a False Claims Act violation?

Not automatically. The False Claims Act targets knowingly false claims, records, or statements that are material to government payment — not honest imperfection. Noncompliance becomes dangerous when it’s paired with a proposal, invoice, SPRS score, CMMC affirmation, SSP, or attestation that doesn’t match reality, and the evidence shows the company knew or recklessly disregarded the gap (31 U.S.C. § 3729).

There are three very different situations, and only two of them are real problems:

  • Imperfect compliance, honestly documented. You have open gaps, they’re in your Plan of Action and Milestones (POA&M), your score reflects reality, and you’re working the plan. This is a compliance problem. It is normal. It is not fraud.
  • An unsupported official statement. You told the government — through a score, an affirmation, a certification, or a claim for payment — that you met requirements you couldn’t back up at the time you said it. This is where False Claims Act risk lives.
  • A known gap plus continued false statements. You knew the statement was wrong and kept making it. This is the highest-risk posture, and it’s where the largest settlements come from.

The engine behind all of this is the word “knowingly.” Under 31 U.S.C. § 3729(b), it means actual knowledge, deliberate ignorance, or reckless disregard for the truth. You do not need to intend to defraud anyone. “We were optimistic” is not a defense if the evidence shows you should have known better. And there does not need to be a breach.

So the question to ask about every external cybersecurity statement your company makes isn’t “are we perfect?” It’s: does this statement claim more than our evidence can prove today?

Why this matters specifically for CMMC

CMMC makes the control set identifiable, which makes the comparison easy for anyone — a prime, a C3PAO, the Defense Contract Management Agency, or a whistleblower. CMMC Level 1 covers Federal Contract Information (FCI) and requires the 15 basic safeguards in FAR 52.204-21, checked by an annual self-assessment. CMMC Level 2 covers Controlled Unclassified Information (CUI) and requires the 110 security requirements in NIST SP 800-171 Revision 2, organized into 14 control families, via self-assessment or C3PAO certification depending on the contract. CMMC Level 3 adds requirements from NIST SP 800-172 and is assessed by DCMA DIBCAC. The rule is at 32 CFR Part 170. One precision note: for CMMC purposes, Level 2 maps to NIST SP 800-171 Revision 2 — not Revision 3, which NIST has published in its own publication line but DoD has not adopted for CMMC.


What changed when CMMC became contractual?

The CMMC Program Rule took effect under 32 CFR Part 170 on December 16, 2024, and the DFARS rule that puts CMMC into contracts took effect November 10, 2025. Together they turned certain cybersecurity statements into conditions of contract award, visible to contracting officers through SPRS. Some of your security claims are no longer vague readiness talk — they’re award-eligibility facts.

This is the structural shift that took cyber-FCA risk from “theoretical” to “operational.” The chain below shows exactly how an internal security claim becomes a government-relied-upon representation.

The CMMC Contractual Representation Chain

Source | The statement it creates | Where it appears | Who checks it | Why it matters for FCA risk
32 CFR Part 170 | The level, assessment type, conditional/final status, and the annual affirmation duty | The program rule | Cyber AB ecosystem, C3PAOs, DIBCAC | Defines what “compliant” means, so a false claim of compliance is measurable
DFARS 252.204-7012 | “We safeguard covered defense info, use FedRAMP-Moderate-equivalent cloud, and report incidents within 72 hours” | Contract clause | DoD; DIBCAC on assessment | A non-equivalent cloud or unreported incident is a documented gap (MORSECORP, Penn State)
DFARS 252.204-7019 / -7020 | “Our NIST SP 800-171 self-assessment score is current and posted” | Solicitation + contract | DoD checks SPRS; DIBCAC can reassess | The score is a dated, government-relied-upon number (LOGZONE: 110 → −170)
DFARS 252.204-7021 | “We hold and maintain the required CMMC status; our affirming official affirms continuous compliance annually” | Contract clause | Contracting officer checks SPRS | The affirmation is a recurring representation tied to performance
DFARS 252.204-7025 | “We’re eligible for award: current status + current affirmation in SPRS for each system” | Solicitation provision | Contracting officer (cannot award without it) | Ties the representation directly to getting paid — the FCA’s core trigger
SPRS | The number and status everyone above relies on | The system of record | DoD, primes (via verification), DIBCAC | It’s the visible artifact a whistleblower or assessor compares against reality

A few of those clauses deserve a plain-English note. DFARS 252.204-7021 requires contractors to achieve and maintain the required CMMC status, submit and update CMMC UIDs in SPRS, file annual affirmations of continuous compliance, and close out POA&Ms. DFARS 252.204-7025 provides that an offeror is not eligible for award unless it has a current CMMC status and a current affirmation in SPRS for each applicable system. DFARS 204.7503 directs contracting officers to check SPRS and not award, exercise an option, or extend performance without a current status posted at the required level.

Status currency — the precise rule.

A Final Level 1 (Self) status is current for one year. Final Level 2 (Self), Final Level 2 (C3PAO), and Final Level 3 (DIBCAC) statuses are current for three years — but the affirmation of continuous compliance must be renewed annually in every case. A Conditional Level 2 or Level 3 status must be closed out within 180 days. If the required current status or affirmation is missing, DFARS 252.204-7025 makes the offeror ineligible for award. See our full guide to CMMC annual affirmations and affirming official personal liability.
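The currency rule above is the kind of thing a contracts or compliance lead ends up checking by hand before every affirmation. The following is an added worked example written for this article (it is not code from the publication, DoD, DISA, or SPRS) that encodes exactly the periods stated in the text: one year for a Final Level 1 (Self) status, three years for Final Level 2 (Self), Final Level 2 (C3PAO), and Final Level 3 (DIBCAC), an annual affirmation renewal in every case, and a 180-day closeout window for a Conditional Level 2 or Level 3 status. The status-name strings, the record fields, and the conventions that “one year” means the same calendar date the following year and that a period ending on the check date is still current that day are all assumptions made for the example, not rule text.

```python
"""Status-currency check for a CMMC/SPRS record.

Added example for The Defense Compliance Report article; not code from the
publication, DoD, DISA, or SPRS. It implements only the currency periods the
article states (1 year / 3 years / annual affirmation / 180-day conditional
closeout). Status names, field names, and calendar conventions are assumptions.
"""

from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Validity of a Final status, in years, as stated in the article.
STATUS_VALIDITY_YEARS = {
    "Final Level 1 (Self)": 1,
    "Final Level 2 (Self)": 3,
    "Final Level 2 (C3PAO)": 3,
    "Final Level 3 (DIBCAC)": 3,
}
CONDITIONAL_STATUSES = {"Conditional Level 2", "Conditional Level 3"}
CONDITIONAL_CLOSEOUT_DAYS = 180  # POA&M closeout window for a conditional status
AFFIRMATION_RENEWAL_YEARS = 1    # affirmation renewed annually in every case


def add_years(d: date, years: int) -> date:
    """Same calendar date `years` later; 29 Feb rolls to 28 Feb (assumed convention)."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


@dataclass
class SprsRecord:
    status: str                         # a key of STATUS_VALIDITY_YEARS or CONDITIONAL_STATUSES
    status_date: date                   # date the status was posted
    affirmation_date: Optional[date]    # last affirmation of continuous compliance; None if never
    poam_closed: bool = False           # conditional only: allowed POA&M items closed out?


def check_currency(rec: SprsRecord, as_of: date) -> Tuple[bool, List[str]]:
    """Return (current, findings). `current` is True only when nothing in the
    record would block award eligibility on `as_of` under the article's rules;
    `findings` lists every reason it would."""
    findings: List[str] = []

    if rec.status in CONDITIONAL_STATUSES:
        deadline = rec.status_date + timedelta(days=CONDITIONAL_CLOSEOUT_DAYS)
        if not rec.poam_closed and as_of > deadline:
            findings.append(f"conditional status expired: POA&M not closed out by {deadline}")
    elif rec.status in STATUS_VALIDITY_YEARS:
        expires = add_years(rec.status_date, STATUS_VALIDITY_YEARS[rec.status])
        if as_of > expires:
            findings.append(f"status expired on {expires}; a new assessment is needed")
    else:
        findings.append(f"unrecognised status type: {rec.status!r}")

    if rec.affirmation_date is None:
        findings.append("no affirmation of continuous compliance on record")
    else:
        renew_by = add_years(rec.affirmation_date, AFFIRMATION_RENEWAL_YEARS)
        if as_of > renew_by:
            findings.append(f"annual affirmation lapsed on {renew_by}")

    return (not findings, findings)


if __name__ == "__main__":
    # Constructed sample record: a Level 2 C3PAO status still within its three
    # years, but the annual affirmation was never renewed.
    rec = SprsRecord("Final Level 2 (C3PAO)", date(2025, 3, 1), date(2025, 3, 1))
    current, findings = check_currency(rec, date(2026, 6, 1))
    print("current" if current else "NOT current", findings)
```

Run it against your own SPRS export before the affirming official signs; the point of separating the status clock from the affirmation clock is that a three-year status can look comfortably valid while the one-year affirmation has already lapsed, which is the case the sample record above shows.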

One timing fact to keep in front of leadership: Phase 1 runs November 10, 2025 through November 9, 2026, focused largely on Level 1 and Level 2 self-assessment requirements and affirmations in solicitations. Phase 2 enforcement begins November 10, 2026, when third-party (C3PAO) certification requirements expand for contractors handling CUI (Federal Register, DFARS final rule). The clock is real, and it’s in the rule.


Which cybersecurity claims create the most CMMC qui tam risk?

The highest-risk claims are the ones someone can compare against your records: SPRS scores, CMMC affirmations, SSP scope, POA&M status, cloud and external-provider responsibilities, incident-reporting obligations, subcontractor attestations, and proposal certifications. Risk climbs when internal evidence shows the statement was unsupported when it was made.

The DCR CMMC Qui Tam Risk Map

Trigger | Statement that could be challenged | Primary source / visibility | DOJ case pattern | Evidence to preserve first | Next provider category
Executive about to affirm CMMC status in SPRS | “We meet, and will maintain, the required CMMC security requirements for this scope.” | DFARS 252.204-7025 ties award eligibility to current status + affirmation; DFARS 204.7503 directs COs to check SPRS before award | MORSECORP: a near-perfect SPRS score a later assessment contradicted | Current SPRS record, assessment date, score, scope, SSP version/date, POA&M, evidence index, signer identity, internal warnings | Counsel if false-statement risk exists; RP/RPO + GRC if evidence is incomplete
Inflated SPRS score discovered | “Our NIST SP 800-171 score accurately reflects implemented controls.” | SPRS stores the score, date, scope, CAGE codes, SSP name/version/date, POA&M date; range runs −203 to +110 | LOGZONE: self-reported 110, DIBCAC scored −170; MORSECORP: self-reported 104 | Prior score calculation, methodology, consultant reports, control-by-control evidence, remediation timeline | Counsel first; RP/RPO for scoring and evidence; MSSP/vCISO for operational gaps
SSP doesn’t describe the real environment | “Our system boundaries, environment, and implementation are documented.” | CMMC Level 2 maps to NIST SP 800-171 Rev. 2; assessment inputs include SSP name, date, version | MORSECORP: lacked a consolidated written SSP for covered systems during part of the period | SSP versions, diagrams, asset inventories, cloud responsibility matrix, ESP/CSP contracts | RP/RPO for scoping and SSP; GRC platform if evidence is scattered
Cloud, email, or MSP handles CUI/CDI but responsibilities are unclear | “Our third-party environment supports required safeguarding and reporting.” | 32 CFR Part 170 requires external-provider relationships to be documented in SSP and assessed in scope; DFARS 252.204-7012 requires FedRAMP-Moderate-equivalent cloud | MORSECORP: third-party email hosting allegedly didn’t meet FedRAMP-Moderate-equivalent obligations | Customer Responsibility Matrix, shared-responsibility docs, contracts, FedRAMP/equivalency evidence, data-flow diagrams | CUI enclave or GCC High/GovCloud partner; RP/RPO; counsel if prior statements conflict
Prime asks sub to certify CMMC or NIST 800-171 posture | “Our subcontractor cyber posture is adequate for the CUI/FCI we receive.” | DFARS 252.204-7021 flows CMMC requirements down; subs must post self-assessments and affirmations in SPRS | Swiss Automation: a machining supplier’s cyber obligations on drawings supplied to DoD primes | Flow-down language, CUI marking decisions, subcontractor attestations, no-CUI evidence-collection process | Prime/sub compliance workflow; RP/RPO; counsel for disputed claims
Employee, consultant, or former security lead raises a concern | “Management knew, or should have known, the claim was unsupported.” | The FCA lets private parties sue on the government’s behalf; complaints filed under seal (31 U.S.C. § 3730) | Aerojet Rocketdyne: filed by a former cybersecurity director | Complaint text, tickets, emails, meeting notes, assessment evidence, retaliation-sensitive HR records | Qualified federal-contracts/FCA counsel first — do not route this to a vendor
Conditional CMMC status or open POA&M | “Our conditional status and POA&M are valid and will be closed out.” | A conditional Level 2 status requires allowed POA&M items closed within 180 days; failure causes expiration (32 CFR Part 170) | DOJ cyber-FCA cases repeatedly target the gap between the claim and actual safeguards | POA&M, prohibited-item review, closeout plan, evidence owners, schedule, current status date | RP/RPO + MSSP/vCISO; C3PAO only for assessment/closeout when appropriate

The pattern across every row is the same: a requirement existed, a statement was made, the statement mattered to money or eligibility, and the evidence didn’t match.


What DOJ cyber-fraud cases should defense contractors study?

DOJ’s cyber-fraud cases show the risk isn’t limited to big primes, classified work, or actual breaches. The recurring fact pattern is a cybersecurity obligation, a statement tied to government money, and evidence the contractor knew its claim didn’t match its controls. The cases below are the ones to know — several were driven by whistleblowers, and the settlements run from roughly $421,000 to nearly $15 million.

We keep this table current because it’s the clearest possible answer to “is the government really doing this?” Each case links to its DOJ source. Settlements resolve allegations — none of these involve a court determination of liability.

Case | Date | Amount | Whistleblower-driven? | What was allegedly misrepresented
Aerojet Rocketdyne | Jul 2022 | $9,000,000 | Yes — relator share $2.61M (~29%) | Alleged misrepresentations about compliance with cybersecurity requirements in certain federal contracts; settled on day two of trial
Health Net Federal Services / Centene | Feb 2025 | ~$11,200,000 | | Falsely certifying cybersecurity compliance on a DoD TRICARE contract
MORSECORP | Mar 2025 | $4,600,000 | Yes — head of security/FSO | Self-reported SPRS score of 104; email host not FedRAMP-Moderate-equivalent; no consolidated SSP; didn’t implement all 110 NIST 800-171 controls; failed to update SPRS after a lower third-party assessment
Raytheon (RTX) / Nightwing | May 2025 | $8,400,000 | Yes | Noncompliance with cybersecurity requirements on DoD contracts/subcontracts
Hill Associates (Maryland IT) | Jul 2025 | $14,750,000 | | Cybersecurity services billed despite alleged scope/evaluation issues
Illumina | Jul 2025 | $9,800,000 | Yes | That genomic-sequencing systems adhered to cybersecurity standards including NIST/ISO
Aero Turbine / Gallant Capital | Jul 2025 | $1,750,000 | Self-disclosed (cooperation credit) | Inadequate cyber controls; notable for extending liability to the private-equity owner
Georgia Tech Research Corp. | Sep 2025 | $875,000 | Yes — relator share $201,250 (~23%) | A false cybersecurity assessment score, antivirus/anti-malware gaps, and SSP timing on DARPA/Air Force work
Swiss Automation (IL precision machining) | Dec 2025 | $421,234 | | A machining supplier’s NIST 800-171 obligations on drawings supplied to DoD primes
LOGZONE | Jun 2026 | $507,144 | | Self-reported a perfect SPRS score of 110; DIBCAC later scored the environment −170; failed to implement NIST 800-171 controls on two Navy contracts

What these cases have in common

Five threads run through nearly all of them. One: a cybersecurity requirement existed in the contract. Two: a representation was made or implied. Three: that representation mattered to payment, award, or performance. Four: internal or third-party evidence contradicted it. Five: DOJ treated the mismatch as more than a technical compliance issue. Notice what’s not on that list — a breach. The government recovered in these cases on the strength of the misrepresentation alone.

What these cases do not prove

They don’t prove that every CMMC gap is fraud, that every inaccurate score creates liability, or that every whistleblower complaint is valid. They prove that your cybersecurity representations are now enforcement evidence — and that the trigger is often an assessment (DCMA/DIBCAC in LOGZONE) or an insider (a former cybersecurity director in Aerojet, the head of security in MORSECORP), not a hack. For the full penalty picture, see Can You Get Sued for False CMMC Certification? and our guide to CMMC non-compliance penalties.

How much a whistleblower can actually recover

Scenario | Relator’s share | Statute | Real cyber example
Government intervenes (joins the case) | 15%–25% | 31 U.S.C. § 3730(d)(1) | Georgia Tech: $201,250 of $875,000 (~23%)
Government declines, relator prevails | 25%–30% | 31 U.S.C. § 3730(d)(2) | Aerojet: $2.61M of $9,000,000 (~29%)
Case based mainly on public information | Capped at 10% | 31 U.S.C. § 3730(d)(1) |
Relator planned or initiated the fraud | Court may reduce | 31 U.S.C. § 3730(d)(3) |

How do damages get large enough to make a 20% share meaningful? The False Claims Act authorizes treble (3×) damages plus a civil penalty of $14,308 to $28,619 per claim for penalties assessed after July 3, 2025 (Federal Register; 31 U.S.C. § 3729). When one contract generates many invoices, the per-claim penalties stack fast.


What should you do if an employee or subcontractor raises a CMMC whistleblower concern?

Treat it as a legal and compliance triage event, not an IT disagreement. Preserve the records, stop making new unsupported statements, do not retaliate, separate fact-finding from remediation, and involve qualified counsel before you decide whether to correct, disclose, or communicate externally. The False Claims Act protects employees, contractors, and agents from retaliation for lawful efforts to stop a violation (31 U.S.C. § 3730(h)).

The first 24 hours matter more than most leaders realize, because the way you respond can either contain the problem or hand a future relator a retaliation claim on top of the underlying one. Retaliation exposure under § 3730(h) is separate from the cybersecurity issue, and its remedies include reinstatement, two times back pay, interest, and special damages plus attorneys’ fees. You can get the cyber question right and still lose badly by mishandling the person who raised it.

The first-24-hours checklist

Action | Why it matters
Preserve tickets, emails, evidence folders, SSPs, POA&Ms, score worksheets | Avoid making the evidence trail look worse than the facts
Stop new unsupported SPRS, proposal, or affirmation statements | Don’t compound the problem while you investigate
Identify the affected contracts and clauses | The clause is what connects the cyber statement to a payment or award decision
Map who knew what, and when | Knowledge and reckless disregard are central to FCA risk
Involve counsel before interviews or disclosures | Qui tam filings can be sealed; communications can matter later
Do not retaliate, in any form | § 3730(h) exposure is independent of the underlying issue

What not to say internally

Certain sentences create discoverable panic and blame, and they show up in complaints. Strike them from your vocabulary the moment a concern is raised.

  • “Delete that.”
  • “We can fix it after award.”
  • “Everyone does this.”
  • “Just sign it.”
  • “Don’t put that in writing.”

What to document instead

  • “We are preserving the record.”
  • “We are pausing unsupported external statements.”
  • “We are verifying scope, score, SSP, and POA&M.”
  • “Legal and compliance are reviewing before any correction or disclosure.”

How do you check whether a SPRS score or CMMC affirmation is supportable?

A supportable SPRS score or CMMC affirmation needs more than a spreadsheet number and executive confidence. It should trace to assessment scope, SSP version and date, CAGE codes, control-by-control evidence, POA&M status, and any external-provider responsibility documentation. SPRS itself stores the assessment score, date, scope, CAGE codes, SSP name/version/date, and POA&M date.

Before an affirming official signs, the company should be able to put the following in front of them. If a line is missing, the statement may be claiming more than the evidence proves — and that’s the gap DOJ looks for. For a full deep dive on what the signer is actually committing to, see our guide to CMMC annual affirmation legal liability.

The evidence packet before anyone affirms or certifies

Evidence item | What it proves | Primary source / reason | Internal owner
Contract clause + required level | Whether CMMC status / DFARS cyber requirements apply | DFARS 252.204-7021 / -7025 | Contracts
FCI vs CUI determination | Which level and control set apply | 32 CFR Part 170; FAR 52.204-21 | Contracts / Security
Assessment scope, CAGE codes, system boundary | What was actually assessed | 32 CFR Part 170 | Security / IT
CMMC UID(s) | The system-level identity tied to your status | DFARS 252.204-7021 | Security
SPRS assessment date + score | The number you represented, and when | SPRS; DFARS 7019/7020 | Security
SSP name, version, date | That your environment is documented | NIST SP 800-171 Rev. 2 | Security
Control-by-control evidence index | That controls are implemented, not planned | NIST SP 800-171 Rev. 2 | Security / IT
POA&M + eligibility | Known gaps and a real closeout plan | 32 CFR 170.21 | Security
ESP/CSP responsibility matrix | Who is responsible for what in the cloud | DFARS 252.204-7012; 32 CFR Part 170 | IT / Vendor mgmt
Incident response + 72-hour reporting | You can meet reporting obligations | DFARS 252.204-7012(c) | Security
Subcontractor flow-down evidence | Subs meet their required level | DFARS 252.204-7021 | Contracts
Affirming official signoff memo | Who relied on what before affirming | 32 CFR 170.22 | Executive

How do DFARS 252.204-7019 and -7020 turn a self-assessment score into evidence?

DFARS 252.204-7019 and -7020 are the score-posting backbone for NIST SP 800-171 self-assessments — they pre-date CMMC and already require the score to live in SPRS. 7019 conditions award eligibility on having a current NIST SP 800-171 assessment posted in SPRS; 7020 requires you to keep it current, give DoD access for higher-level assessments, and confirm your subcontractors have results posted too.

This is why a self-assessment score is never just an internal worksheet. Once it’s in SPRS, it’s a dated representation the government relies on — and one DIBCAC can come back and re-score. The LOGZONE matter is the live demonstration: the Navy contracts required the company to implement NIST SP 800-171 controls and report its assessment score through SPRS, the company posted a 110, and a later DIBCAC assessment put the real number at −170. The score range itself, −203 to +110, is now part of a DOJ press release. For more on how scores are used as evidence, see our walkthrough of what happens if you lie on your SPRS score and penalties for an inaccurate SPRS score.


Which provider category helps: lawyer, RPO, MSSP, GRC platform, CUI enclave, or C3PAO?

If there’s a whistleblower complaint, a subpoena, a possible false statement, a retaliation concern, or a disclosure question, start with qualified counsel. If the problem is evidence, scope, SSP, POA&M, controls, or environment design, the next category is usually an RP/RPO, an MSSP or vCISO, a GRC platform, or a CUI enclave provider — not a C3PAO. The assessor is rarely your first remediation call.

Quick definitions: a C3PAO (Certified Third-Party Assessment Organization) performs the formal Level 2 certification assessment; an RP/RPO (Registered Practitioner / Registered Provider Organization) provides readiness and advisory help; an MSSP and a vCISO run operational security; a GRC platform manages evidence and control mapping; and a CUI enclave is a controlled, scope-reducing environment for sensitive data.

Situation | First category to consider | Why
Internal whistleblower complaint, subpoena, or suspected false statement | Qualified federal-contracts / FCA counsel | Legal risk, privilege, disclosure, retaliation, and sealed-case issues come first
Unsupported SPRS score, unclear SSP, weak POA&M | RP/RPO readiness provider | Scoping, evidence, SSP, POA&M, and control interpretation
Real control gaps — monitoring, endpoint, cloud, security operations | MSSP / vCISO / managed compliance | Operational remediation and continuous control support
Evidence scattered across spreadsheets, tickets, and docs | GRC platform (a supporting layer, not the whole solution) | Evidence workflow, control mapping, owner tracking, audit trail
CUI sprawled across too many systems | CUI enclave / secure-collaboration provider | Scope reduction and a controlled environment
Assessment-ready and needs certification | C3PAO | Formal assessment — not readiness remediation for the same engagement

When is a C3PAO the wrong first call?

A C3PAO is the right call when you’re ready for a formal assessment or need assessment-path clarity — not when you need the same organization to remediate the environment it will then assess. CMMC ecosystem conflict rules require avoiding actual or perceived conflicts of interest: an ecosystem member generally may not participate in a Level 2 certification assessment if it served as a consultant preparing that organization for a CMMC assessment within the previous three years (32 CFR Part 170). Keep readiness help and formal assessment cleanly separated. Verify current Cyber AB ecosystem conflict rules before engaging any provider.


What if you already submitted an inflated score or unsupported affirmation?

Don’t quietly overwrite the record and hope it disappears. Preserve the facts, involve counsel, identify the affected contracts and statements, evaluate your correction or disclosure options, and remediate against the current requirements. DOJ has credited timely self-disclosure, cooperation, and prompt remediation — the Aero Turbine/Gallant settlement is the example.

There’s a wrong way and a safer way, and the difference can be the difference between cooperation credit and a much larger number.

The wrong way: edit records without preserving prior versions; blame one employee before reviewing the evidence; keep submitting proposals on the same unsupported claim; tell staff not to write things down.

The safer sequence: preserve → legal/privilege triage → contract and clause mapping → evidence review → a correction or disclosure decision with counsel → a remediation plan → controls on future statements.

The statute itself rewards candor. Under 31 U.S.C. § 3729(a)(2), a defendant who furnishes the government all known information about a violation within 30 days of discovering it, fully cooperates, and acts before any action commences may have damages reduced from treble to double. Whether and how to disclose is a legal decision — but the law is built to make honesty cheaper than concealment.


What does this mean for small manufacturers, machine shops, SBIR firms, and subcontractors?

Small size doesn’t remove cyber-FCA risk when contract clauses, CUI, FCI, or DoD supply-chain obligations apply. DOJ’s cyber-fraud settlements already include suppliers and subcontractor-related facts — the Swiss Automation machining case and MORSECORP’s SPRS-score case among them.

For small DIB suppliers, the danger usually isn’t bad intent — it’s evidence maturity. You’re trying to win or keep work, and the paper trail behind your claims is thin. That’s a fixable problem, and fixing it early is far cheaper than litigating it later.

Small DIB cyber-FCA risk by business type

| Business type | Likely data trigger | Common unsupported claim | No-CUI evidence to gather first | First provider category |
|---|---|---|---|---|
| Machine shop / precision manufacturer | CUI drawings and specs from a prime | “We safeguard the drawings per the flow-down” | Flow-down language, CUI markings, where the files actually live | RP/RPO + CUI enclave |
| SBIR/STTR firm | CUI in research data and agency systems | “Our environment meets NIST 800-171” | System inventory, SSP, data-flow map | RP/RPO |
| Software / SaaS supplier | Product handles or stores government data | “Our product meets the required standards” | Standard-mapping evidence, vulnerability history, SBOM | Product-security counsel + secure-dev/GRC |
| Engineering / A&E firm | CUI in designs and deliverables | “Our SPRS score reflects our controls” | Score calculation, SSP, control evidence | RP/RPO + MSSP/vCISO |
| Staffing / services subcontractor | FCI/CUI on contractor systems used for the task | “Our subs are compliant” (a yes/no attestation) | Attestations, CAGE/UID, a no-CUI evidence-request process | Prime/sub workflow + RP/RPO |
| Small prime | A direct contract clause plus flow-down to subs | “We and our subs meet the required level” | Your own status, plus a real subcontractor-verification process | RP/RPO + MSSP; C3PAO when assessment-ready |

The realistic path is the same across all of them: determine whether you handle FCI only, CUI, or both; identify the required level from the contract clause (not a vendor’s checklist); build the SSP and the evidence before you make claims; consider a limited-scope CUI enclave if your environment is sprawling; and never let sales or business development answer a compliance questionnaire on their own.

Companion guides that go deeper: CMMC for small business, CMMC for subcontractors, CMMC for machine shops, CMMC Level 2 cost, CMMC self-assessment vs C3PAO, and the CMMC annual affirmation guide.


If you’re the one who saw something: your options as a whistleblower

If you’re an insider who believes your employer is misrepresenting its cybersecurity compliance to the government, the False Claims Act may let you file a qui tam case and share in any recovery — but the process is technical, the protections matter, and your first call should be a qualified False Claims Act (qui tam) attorney. This publication is not a law firm, we don’t give legal advice, and we will not route you to a vendor.

We built most of this page for contractors, but the search that brought some of you here is different, and you deserve a straight answer too.

How the process works. You (or your attorney) file a complaint under seal in federal court and serve it only on the government, along with a written disclosure of substantially all your material evidence (31 U.S.C. § 3730(b)). The Department of Justice gets at least 60 days, routinely extended, to investigate and decide whether to intervene. The case stays secret from your employer until the court unseals it. If the government joins, it takes the lead and you remain a party. If it declines, you can proceed on your own.

What you can recover. A successful relator receives 15%–25% if the government intervenes and 25%–30% if it declines and you prevail (31 U.S.C. § 3730(d)), plus your attorneys’ fees and costs from the defendant. In cyber cases, real awards have ranged from about $201,250 (Georgia Tech) to $2.61 million (Aerojet). Aerojet’s relator was a former cybersecurity director whose complaint described being terminated after he refused to sign off on the company’s compliance and raised his concerns internally — the kind of fact pattern that also triggers anti-retaliation protection.

The protection you have. The False Claims Act protects employees, contractors, and agents from being fired, demoted, harassed, or otherwise retaliated against for lawful efforts to stop a violation (31 U.S.C. § 3730(h)) — and that protection covers good-faith efforts even before a suit is filed. Remedies include reinstatement, double back pay, interest, special damages, and fees.

The honest part most relator-recruitment pages skip. Most qui tam cases are hard, and many never produce a dollar for the relator; the government joins only a minority of them, cases routinely sit under seal for years, and two doctrines can extinguish a claim before it’s heard — the first-to-file bar (only the first relator to file on a set of facts may proceed, 31 U.S.C. § 3730(b)(5)) and the public-disclosure bar (you generally can’t sue on facts already public, unless you’re an “original source,” 31 U.S.C. § 3730(e)(4)). There’s also a statute of limitations: the later of six years after the violation or three years after the government knew the facts, capped at ten years (31 U.S.C. § 3731(b)). None of this is meant to discourage you — it’s meant to set your expectations honestly, which is exactly what the marketing pages won’t.

What to bring to a False Claims Act attorney. Organize what you legitimately have access to — and do not take anything you aren’t authorized to take. Helpful materials include documentation of what was represented to the government versus the real posture, who knew, when they knew, and the timeline. Then ask the attorney about contingency-fee terms, their experience with Civil Cyber-Fraud cases specifically, the seal process, and your own retaliation exposure.

| Situation | If you’re the contractor | If you’re the employee who saw it | Who to contact first |
|---|---|---|---|
| A cybersecurity claim looks unsupported | Preserve records; pause new statements; map affected contracts | Don’t take materials you aren’t authorized to take; organize what you legitimately have | Contractor → federal-contracts counsel; employee → qui tam counsel |
| Retaliation is a risk | Do not discipline the person who raised it | Document what happens to you after you raise it | Counsel (both sides) |
| A disclosure decision is on the table | Decide correction/disclosure with counsel | Understand the seal and first-to-file rules before acting publicly | Counsel (both sides) |

The Defense Compliance Report is an independent trade publication and is not a law firm. Nothing here is legal advice, and we do not recommend or refer whistleblower attorneys. If you’re weighing a report, consult a qualified False Claims Act / qui tam attorney about your specific situation. This is the one part of this page with no provider form and no pitch — by design.


The honest limits of this page

This is a decision resource, not legal, contractual, or compliance advice. It can’t tell a whistleblower whether to file, tell a contractor whether it has liability, or replace a qualified attorney, RP/RPO, or C3PAO where those roles are required. Its job is to help you identify the next category of help before you make the problem worse.

Call counsel first if: an employee or former employee alleges fraud; you receive a subpoena, Civil Investigative Demand, or an inquiry from DOJ, DIBCAC, DCMA, an Inspector General, or a prime; you suspect a false SPRS score or affirmation; there’s a retaliation concern; you face a disclosure or correction decision; or you’re in an acquisition or due-diligence situation where successor liability is in play.

A provider-category path is appropriate when: you know the issue isn’t a legal dispute yet, and you need to build evidence, remediate controls, reduce CUI scope, or prepare for a future assessment.

The mindset we’d urge on any leader reading this: don’t panic, and don’t paper over it. The contractors who handle this well are the ones who get honest about the gap early, preserve the record, and route each piece of the problem to the right kind of help.


Frequently asked questions

Is “CMMC qui tam” a real thing?

Yes, but it’s shorthand. The legal pathway is the False Claims Act’s qui tam provisions (31 U.S.C. § 3730), not a separate CMMC bounty program. A CMMC-related qui tam theory generally involves an allegedly false cybersecurity statement tied to government payment, award eligibility, or contract obligations.

Can an inaccurate SPRS score create False Claims Act risk?

It can, depending on the facts. The LOGZONE settlement (June 2026) involved a self-reported score of 110 that DIBCAC later assessed at −170, and MORSECORP (March 2025) involved a self-reported 104 the company allegedly failed to update after a lower third-party assessment. Both resolved cyber-fraud allegations under the False Claims Act.

Does DOJ need a data breach to bring a cybersecurity False Claims Act case?

No. The Civil Cyber-Fraud Initiative is not limited to breaches; it targets knowingly deficient cybersecurity, misrepresented cybersecurity practices, and violated monitoring or reporting obligations. Liability turns on knowingly — including with reckless disregard — making a false or unsupported statement material to payment or eligibility (31 U.S.C. § 3729(b)).

Does CMMC Level 2 use NIST SP 800-171 Rev. 2 or Rev. 3?

For CMMC as codified in 32 CFR Part 170, Level 2 security requirements are identical to NIST SP 800-171 Revision 2 — the 110 requirements across 14 control families. Do not treat Revision 3 as controlling for CMMC Level 2 unless DoD amends the rule.

How long is a CMMC status “current”?

A Final Level 1 (Self) status is current for one year; Final Level 2 (Self), Final Level 2 (C3PAO), and Final Level 3 (DIBCAC) statuses are current for three years; the affirmation of continuous compliance must be renewed annually in every case; and a Conditional Level 2 or Level 3 status must be closed out within 180 days (DFARS 252.204-7021). See our annual affirmation guide for the full renewal workflow.

Can subcontractors face cybersecurity false-claims risk?

Yes. The Swiss Automation case involved a machining supplier’s cybersecurity obligations on drawings supplied to DoD primes, and DFARS 252.204-7021 flows CMMC requirements down to subcontractors, who must post self-assessments and affirmations in SPRS. See our guide to primes asking subcontractors for SPRS scores.

Should we call a C3PAO if we're worried about a whistleblower complaint?

Usually not first. If there’s a complaint, a suspected false statement, a subpoena, a retaliation issue, or a disclosure question, qualified counsel is the first call. A C3PAO performs formal assessments — it is not legal triage, and it shouldn’t remediate the same environment it will assess.

What's the safest thing to do before signing a CMMC affirmation?

Verify the evidence packet: scope, SSP, CAGE codes, SPRS status, control evidence, POA&M, external-provider responsibilities, and any environment changes since the assessment. DFARS 252.204-7025 ties award eligibility to current CMMC status and a current affirmation in SPRS where the provision applies. See our guide to affirming official personal liability.

Can an employee be retaliated against for raising False Claims Act concerns?

The law prohibits it. Employees, contractors, and agents who are discharged, demoted, suspended, threatened, harassed, or otherwise discriminated against for lawful efforts to stop a violation are entitled to relief, including reinstatement, double back pay, and special damages (31 U.S.C. § 3730(h)).

What if our company was honestly trying to comply?

Good faith matters, but it doesn’t erase the need to correct unsupported statements. The practical line is between documented, good-faith remediation (a compliance issue) and continuing to make statements that exceed your evidence (a legal one).

Can we use Find My CMMC Path for a whistleblower issue?

Use it only for no-CUI provider-category triage on the contractor side. Do not submit CUI, drawings, sensitive contract details, incident details, privileged communications, or the names of whistleblowers. If the issue involves possible legal exposure, counsel comes first.


What to do next

Pick the path that matches your problem. If there’s legal, whistleblower, or false-statement risk, your first call is qualified counsel. If your issue is evidence, scope, or control gaps, readiness and remediation help comes next. If you’re genuinely assessment-ready, a C3PAO assessment is the step.


The right provider category — a C3PAO, an RPO, an MSSP, a GRC platform, or a CUI enclave — depends on your required CMMC level, FCI vs CUI handling, assessment type, IT/cloud environment, and contract timeline. Use The Defense Compliance Report's Find My CMMC Path tool to map your situation to the right provider category before you request quotes. Educational triage only: free · 2-minute assessment · no obligation · do not submit CUI, drawings, or sensitive contract details.


Disclosure: The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. We may receive compensation for qualified introductions, sponsorships, or partner referrals when disclosed. Compensation does not control our regulatory analysis, provider-category recommendations, or Cyber AB status verification. This article is educational research, not legal, contractual, or compliance advice; confirm scope and applicability with a CMMC Registered Practitioner (RP/RPO) or a qualified federal-contracts attorney, and — if you’re considering a whistleblower action — with a qualified False Claims Act attorney. The contract clause and your CUI handling set your CMMC level, not a checklist. See our editorial standards and corrections policy.