The Defense Compliance Report: CMMC 2.0 & the Defense Industrial Base

DOJ Civil Cyber Fraud Defense Contractor: FCA Exposure, the Public Settlement Matrix, and What to Verify First

The Defense Compliance Report Editorial Team, independent CMMC and DIB compliance research
Last reviewed: June 2026

Educational research, not legal advice. The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. We are not affiliated with the U.S. Department of Justice, the Department of Defense, DCMA DIBCAC, NIST, SPRS, the Cyber AB, or any U.S. government agency.


For a defense contractor, “DOJ civil cyber fraud” used to be a phrase you could file under “someday.” That window is closed.

Bottom line up front: The DOJ Civil Cyber-Fraud Initiative is the Justice Department’s use of the False Claims Act (31 U.S.C. §§ 3729–3733) to pursue government contractors that knowingly misrepresent their cybersecurity — most often by posting an inflated NIST SP 800-171 score in SPRS (the Supplier Performance Risk System, where defense contractors post their cybersecurity self-assessment scores), claiming a compliance posture their System Security Plan can’t support, or billing under contracts while failing to implement required controls. Two conditions change your next move, and you need both:

  • If you’ve already received a subpoena, a civil investigative demand, or notice of a qui tam (whistleblower) lawsuit — or you already know that a statement your company made was false — your next call is a federal-contracts / False Claims Act attorney. Not a vendor. Not a tool. Not us. We’ll repeat that on this page, because on this topic the honest answer matters more than the click.
  • If you’re trying to get ahead of this before your next CMMC affirmation, the safest first move is not chasing a perfect score. It’s freezing unsupported claims and reconciling what you told the government against what you can actually prove.

Here’s the part most contractors miss: in these cases, the government almost never has to prove you got hacked. It has to prove you said something — in a score, a certification, an affirmation, or an invoice — that didn’t match reality. Below, we map the public DOJ cyber-fraud settlements we verified for this matrix, the exact evidence each one turned on, and the specific artifacts you should reconcile now.

The Defense Compliance Report is the independent trade publication and decision resource for CMMC and Defense Industrial Base compliance — explaining the CMMC Final Rule with primary-source citation on every claim and mapping a contractor’s level, CUI scope, assessment type, and timeline to the right provider category, so DIB contractors choose the right CMMC path before they spend six figures.

If this just happened to you, verify this first

Most people landing on this page were pushed here by a specific event. Find your trigger, confirm the one thing that matters most, and you’ll already be ahead of the panic.

| If this just happened | Verify this first | Why it matters | Likely next step |
|---|---|---|---|
| A new solicitation includes CMMC/DFARS cybersecurity language | The required clause, required CMMC level, your current CMMC status, your CMMC UID, and your FCI/CUI scope | Under the DFARS CMMC rule (effective Nov. 10, 2025), contracting officers check SPRS for your CMMC status before award and at option exercise when required | RPO/readiness advisor if you’re not evidence-ready; a C3PAO only if you’re assessment-ready |
| A prime contractor asks you to “prove” your compliance | What you can share without exposing CUI; your current score and status date; your scope | Your proof can become part of the prime’s contract file — and a future enforcement fact | RPO or GRC platform; subcontractor proof packet guide |
| You suspect your SPRS score is wrong | The score math, the SSP boundary it’s tied to, your POA&M, and whether evidence exists for each control | DFARS 252.204-7019/-7020 tie your NIST SP 800-171 score to SPRS and to award decisions | Counsel if a past statement may be material; RPO/GRC to rebuild evidence |
| Your cloud, email, or file-sharing setup is unclear | Whether it’s equivalent to the FedRAMP Moderate baseline, your 72-hour incident-reporting duties, and where CUI actually flows | DFARS 252.204-7012 carries NIST SP 800-171 and cloud-provider requirements for covered defense information | CUI enclave, GCC High / Government cloud, MSP/MSSP |
| An executive is asked to affirm CMMC status in SPRS | The real control status, the status date, the scope, and whether anything drifted since the last assessment | The affirmation is a senior official’s electronic certification with criminal, civil, and contract consequences attached | Counsel for legal risk; vCISO/RPO for the process |
| An employee, auditor, or assessor says your claims don’t match reality | Preserve the records and stop making new unsupported statements | The False Claims Act’s “knowing” standard includes reckless disregard — not just intent to lie | Federal-contracts / FCA counsel first |

The right CMMC provider isn’t the same for every contractor

The category you need (a C3PAO, an RPO, an MSSP, a GRC platform, or a CUI enclave) depends on your required CMMC level, whether you handle FCI or CUI, your assessment type, your cloud and IT environment, and your contract timeline. The contract clause sets your level, not a checklist. Use Find My CMMC Path to map your situation to the right category — not a named provider. No CUI required.

One thing we’ll be straight about before we go further

A readiness provider cannot make a past false statement true, and The Defense Compliance Report is not a law firm. If a prior certification, invoice, SPRS score, or CMMC affirmation may be legally material, talk to qualified federal-contracts / False Claims Act counsel before you edit records, contact the government, or change the story. There’s no soft way to say it: MORSECORP eventually posted a perfect 110 in SPRS — but it had earlier reported a 104 when a third-party assessment scored it at −142, and the correction didn’t come until after a federal subpoena. That’s the hard part. The hopeful part — and the reason this page exists — is that a documented, good-faith compliance record is the strongest position you can build. The point isn’t to panic about the past. It’s to make your next representation defensible.


What does DOJ civil cyber fraud mean for a defense contractor in 2026?

The DOJ Civil Cyber-Fraud Initiative (CCFI) is a Department of Justice enforcement program, announced October 6, 2021, that uses the False Claims Act to hold government contractors and grant recipients accountable for knowingly (1) providing deficient cybersecurity products or services, (2) misrepresenting their cybersecurity practices or protocols, or (3) failing to monitor and report cybersecurity incidents. For a defense contractor, the risk almost always starts when a cybersecurity representation — a score, a certification, an affirmation, or an invoice — can’t be reconciled with evidence.

It is not slowing down. On January 16, 2026, the DOJ announced that False Claims Act recoveries exceeded $6.8 billion in fiscal year 2025 — the largest single-year total in the statute’s history — including more than $52 million across nine cybersecurity-fraud settlements, with the department noting that cyber-fraud settlements have more than tripled in each of the past two years.

The three things DOJ is actually looking for

Categories from the DOJ Civil Cyber-Fraud Initiative announcement, October 6, 2021:

  1. Knowingly providing deficient cybersecurity products or services — selling the government something that doesn’t do what you said it does.
  2. Knowingly misrepresenting your cybersecurity practices or protocols — the SPRS-score and certification cases live here.
  3. Knowingly violating obligations to monitor and report cybersecurity incidents — including blowing the 72-hour reporting clock in DFARS 252.204-7012.

Why this is different from a normal CMMC gap

A normal readiness gap says: “We’re not fully implemented yet, here’s our plan.” A DOJ/FCA problem says: “We may have told the government — or a prime, or a payment system — something that doesn’t match reality.” The first is an engineering and budgeting problem. The second is a legal one. Confusing the two is how contractors make their situation worse.

The chain is short: contract clause → cybersecurity requirement → score/affirmation/certification → claim, payment, award, or option → FCA exposure if the statement was knowingly false and material. Every link in that chain is a place to verify before you sign.


Do you need a data breach to be sued? No — and that surprises almost everyone

No. The Civil Cyber-Fraud Initiative is built on misrepresentation, not on whether you were hacked. Deputy Assistant Attorney General Brenna Jenny said in January 2026 that these cases are “not about data breaches” — they’re built on misrepresentations. A contractor that posts an inflated SPRS score, claims a compliance posture its SSP can’t support, or bills on a DFARS 252.204-7012 contract while non-compliant can face FCA exposure with no breach.

The legal hook is the implied certification theory, affirmed by the Supreme Court in Universal Health Services v. United States (2016): when you submit a claim for payment while knowingly hiding a material violation of a contract requirement, that submission itself can be a false claim. You don’t have to send the government a letter saying “we’re compliant.” Sending the invoice can be enough.

| Case | What the public DOJ theory turned on | Was a public data breach the stated theory? |
|---|---|---|
| MORSECORP (2025) | An inflated SPRS score, a missing consolidated SSP, and a non-compliant email host | No — misrepresentation and missing controls |
| Aerojet Rocketdyne (2022) | Misrepresenting cybersecurity compliance in contract certifications | No — misrepresentation |
| Raytheon / RTX / Nightwing (2025) | Failing to implement required controls on an internal development system | No — control-implementation failure |
| Georgia Tech Research Corporation (2025) | Failing to meet contract cybersecurity requirements; SPRS/scope questions | No — control and scope failure |
| Comprehensive Health Services (2022) | Not consistently storing records on a secure system; data exposed on an internal drive | Sensitive-data exposure alleged, not a public breach |

Keep one line clear: the CCFI is civil enforcement under the False Claims Act. The same underlying conduct can separately trigger criminal exposure (for example under 18 U.S.C. § 1001, false statements), but that’s a different track. The distinction changes what your counsel does next.


When does a cybersecurity gap become a False Claims Act problem?

A cybersecurity gap, by itself, is not automatically a False Claims Act violation. The risk rises when the requirement is contractual and material, the company knowingly makes or uses a false statement, and that statement is tied to payment, award, or another government decision. Critically, the False Claims Act defines “knowingly” to include actual knowledge, deliberate ignorance, and reckless disregard — with no proof of intent to defraud required (31 U.S.C. § 3729(b)).

You do not need a villain. You need a company that signed something it had the ability to check and chose not to.

The five-part exposure formula

Contract requirement + a representation + knowledge (including reckless disregard) + materiality + a claim or payment = FCA exposure

Miss any one and the picture changes. That’s not a loophole — it’s a map of where to focus your verification.

What it costs when those five line up

Under 31 U.S.C. § 3729, a defendant owes treble (three times) the government’s damages, plus a civil penalty for each false claim. For 2026, that per-claim penalty runs $14,308 to $28,619 (the range the DOJ set in its July 3, 2025 adjustment, codified at 28 CFR § 85.5). The range holds at 2025 levels for 2026 because the fall 2025 government shutdown disrupted the CPI data the government normally uses for the annual inflation adjustment.

Sit with the phrase “per claim,” because it’s where contractors underestimate the math. The penalty applies to each false claim — each false invoice, each false affirmation — before you even add treble damages:

| Number of false claims | Civil penalty range (before damages) |
|---|---|
| 1 claim | $14,308 – $28,619 |
| 10 claims | $143,080 – $286,190 |
| 100 claims | $1,430,800 – $2,861,900 |
| 1,000 claims | $14,308,000 – $28,619,000 |

Civil penalty range only. Treble damages, litigation costs, settlement posture, cooperation credit, and case-specific factors are separate and can move the final number substantially in either direction.

There is one narrow off-ramp worth knowing. The statute allows a court to assess double damages instead of treble if the contractor self-discloses the violation to the government within 30 days of learning of it, fully cooperates, and does so before any action and before it knew of an investigation (31 U.S.C. § 3729(a)(2)). Whether, when, and how to use that off-ramp is a legal decision — not a DIY move — but it’s the structural reason DOJ keeps crediting self-disclosure in these settlements.

And the people who report you are usually insiders. The False Claims Act’s qui tam provision lets a private “relator” sue on the government’s behalf and collect 15% to 30% of the recovery. In MORSECORP, a company insider received $851,000. In Aerojet Rocketdyne, a former cybersecurity director received $2.61 million. The person best positioned to notice the gap between your SPRS score and your reality already works for you.

Not every gap is fraud — and an honest low score beats a fake high one

A documented, accurately scoped gap — with a real System Security Plan (SSP) and a real Plan of Action and Milestones (POA&M) — is not the same as an unsupported “we’re fully compliant” claim. The contractors in trouble didn’t have gaps. They had mismatches. An honest score of 72 tied to evidence is almost always more defensible than a 110 that collapses the moment someone asks for proof.


What should you verify first after reading about DOJ cyber fraud?

Start with a fact freeze, not a score change. Preserve the current record, identify your clauses, map your FCI/CUI scope, compare every external statement against your evidence, and separate legal-risk decisions from remediation decisions before you make any new representation to the government.

The instinct to log in and “fix” the score immediately is the wrong one. If a prior statement was material, changing the record without counsel can make a defensible situation worse.

Your 48-hour triage checklist

  1. Pull the contract, solicitation, option, or subcontract language — the actual documents, not your memory of them.
  2. Identify which clauses apply: DFARS 252.204-7012 (safeguarding + 72-hour reporting), -7019 (SPRS score posting), -7020 (DIBCAC higher-level assessments), -7021 (CMMC requirement), and any CMMC language. For the safeguarding clause specifically, see our DFARS 252.204-7012 explainer.
  3. Determine what data you actually handle: FCI, CUI, covered defense information, technical drawings, export-controlled data, or operationally critical support.
  4. Snapshot the non-sensitive metadata: your SPRS status, score date, CAGE code, CMMC UID, affirmation date, and status date.
  5. Pull the underlying evidence: SSP, POA&M, score worksheet, cloud-provider documentation, your incident-reporting procedure, and your subcontractor flow-down file.
  6. Inventory every external representation: proposals, certifications, invoices, supplier portals, prime questionnaires, and emails. This is where claims and reality diverge.
  7. If any prior external statement may be false or material, stop — and involve qualified counsel before you change records or contact the government.

What not to do

  • Don’t submit a rushed 110. You’ll trade a fixable gap for a fresh false claim.
  • Don’t rewrite history without preserving the original record.
  • Don’t upload CUI into vendor portals, GRC tools, or matching forms that aren’t authorized for it.
  • Don’t ask a C3PAO to remediate your gaps and then assess you on the same engagement. Independence rules exist for a reason, and blurring remediation and assessment can compromise the assessment you’re paying for.

Can a wrong SPRS score or NIST 800-171 self-assessment create DOJ cyber-fraud risk?

Yes — if the score or related statement is knowingly inaccurate and material to a government contract, award, option, or payment. DFARS 252.204-7019 and -7020 tie your NIST SP 800-171 assessment information to SPRS, and the 2025–2026 settlement wave shows that scores, SSPs, cloud controls, and control-implementation evidence become enforcement facts. The recurring villain isn’t a low score. It’s a score that can’t be reconciled to evidence.

For the deep dive on this specific exposure point, see our companion analysis: what happens if you lie on your SPRS score. For penalty figures, see our penalty for inaccurate SPRS score guide.

Your SPRS score reflects a NIST SP 800-171 self-assessment (or a higher-level DoD assessment) on a scale that runs from −203 to 110. It’s tied to a CAGE code, a score date, an assessment scope, and an expected completion date for any open items. The number is shorthand for a much larger evidence story — and that’s the problem when the number and the story don’t match.

Reconcile every SPRS element to evidence

| SPRS element | What it must be tied to | Red flag | Safer correction path |
|---|---|---|---|
| The score | Assessment worksheet + objective evidence per control | A 110 (or near-110) with no SSP or no control evidence | Re-score from evidence; preserve the old score; involve counsel if anyone relied on it externally |
| Assessment scope | The actual covered contractor information system | A score that covers a “virtual,” planned, or wrong environment | Re-scope to the real environment before resubmitting |
| POA&M dates | Real milestones with named owners | Dates chosen to satisfy a customer but not backed by work | Rebuild the POA&M with accountable, evidence-backed dates |
| SSP name/version/date | The current system boundary | No SSP, or an SSP that doesn’t match the environment | Build or update the SSP before any new representation |
| Cloud environment | CSP terms, FedRAMP/equivalency support, incident duties | A commercial tenant used for CUI with no supporting evidence | Move to a CUI enclave / Government cloud, or document an approved alternative |

Here’s what makes SPRS different from an internal worksheet: once your score is used for award eligibility or contractor verification, it becomes a record other people can compare against your evidence — a prime, a contracting officer, an assessor, or a whistleblower. The MORSECORP case turned on exactly this gap: a posted score of 104, an actual score of −142 (about 22% of controls implemented), and a correction that didn’t come until after a federal subpoena (DOJ, March 26, 2025). The score wasn’t just wrong. It was wrong, in writing, in a system the government reads.
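The reconciliation the table above describes can be done mechanically before anyone re-posts a number. The Python below is an added example written for this page; it is not code from The Defense Compliance Report, DoD, or SPRS. It follows the scoring scheme in the public DoD Assessment Methodology for NIST SP 800-171 (start at 110, deduct each unimplemented requirement's weight of 5, 3, or 1, giving a floor of −203 across all 110 requirements) and does not model the methodology's partial credit for two requirements. The ten-control worksheet, its per-control weights, the evidence references, and the `Control`/`reconcile` names are all constructed for illustration; a real run passes every requirement from your own worksheet.

```python
"""Reconcile a posted SPRS score against a control worksheet and its evidence.

Added example; not code from The Defense Compliance Report, DoD, or SPRS.
Scoring mirrors the DoD Assessment Methodology for NIST SP 800-171: start at
110 and deduct each unimplemented requirement's weight (5, 3, or 1), which
gives a floor of -203 across all 110 requirements. The methodology's partial
credit for two requirements is not modelled. The control subset, weights, and
evidence references below are constructed sample data.
"""
from dataclasses import dataclass

MAX_SCORE = 110
MIN_SCORE = -203


@dataclass(frozen=True)
class Control:
    id: str
    weight: int                 # 5, 3, or 1 under the DoD Assessment Methodology
    claimed_implemented: bool   # what the worksheet behind the posted score says
    evidence: tuple = ()        # artifact references an assessor could inspect


def score(controls, implemented):
    """110 minus the weight of every control that `implemented` rejects.

    Pass all 110 requirements for a real score; a subset only illustrates."""
    return MAX_SCORE - sum(c.weight for c in controls if not implemented(c))


def reconcile(controls, posted_score, ssp_on_file):
    """Compare the posted score with the worksheet and with the evidence.

    Findings follow the three mismatches the page's table warns about:
    posted vs. worksheet, worksheet vs. evidence, and a near-110 score
    with no SSP behind it."""
    worksheet = score(controls, lambda c: c.claimed_implemented)
    evidenced = score(controls, lambda c: c.claimed_implemented and bool(c.evidence))
    unsupported = [c.id for c in controls if c.claimed_implemented and not c.evidence]
    backed = sum(1 for c in controls if c.claimed_implemented and c.evidence)

    findings = []
    if not MIN_SCORE <= posted_score <= MAX_SCORE:
        findings.append(f"posted score {posted_score} is outside the SPRS range")
    if posted_score != worksheet:
        findings.append(f"posted score {posted_score} does not match the worksheet score {worksheet}")
    if unsupported:
        findings.append(f"{len(unsupported)} claimed control(s) have no evidence: {', '.join(unsupported)}")
    if posted_score >= 100 and not ssp_on_file:
        findings.append("score at or near 110 with no SSP on file")

    return {
        "posted": posted_score,
        "worksheet_score": worksheet,
        "evidenced_score": evidenced,
        "unsupported": unsupported,
        "evidence_backed_pct": round(100 * backed / len(controls)),
        "findings": findings,
    }


# Constructed sample worksheet (10 of the 110 requirements); not a real contractor's data.
SAMPLE_CONTROLS = (
    Control("3.1.1", 5, True, ("AD-policy-export-2026-03",)),
    Control("3.1.2", 5, True, ("RBAC-matrix-v4",)),
    Control("3.1.3", 1, True),                      # claimed, nothing to show
    Control("3.1.20", 1, False),
    Control("3.3.1", 5, True, ("SIEM-retention-config",)),
    Control("3.3.2", 3, True),                      # claimed, nothing to show
    Control("3.5.3", 5, True),                      # MFA claimed, no enrollment report
    Control("3.8.3", 5, False),
    Control("3.13.11", 5, True),                    # FIPS crypto claimed, no module listing
    Control("3.14.2", 5, True, ("EDR-deployment-report",)),
)


if __name__ == "__main__":
    # A 110 posted over this worksheet, with no SSP on file, trips all three checks.
    report = reconcile(SAMPLE_CONTROLS, posted_score=110, ssp_on_file=False)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run as-is, the sample worksheet supports a score of 104 on its own claims but only 90 once evidence is required, with four claimed controls that nothing backs; a posted 110 with no SSP therefore produces three findings. The point of the `evidenced_score` line is the page's own: the number to defend is the one each artifact can support, not the one the worksheet asserts.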


How do CMMC affirmations under DFARS 252.204-7021 raise the stakes?

CMMC makes your cybersecurity representations more repeatable — and far easier to compare against evidence — because contractors must maintain a current CMMC status when required and provide affirmations to keep it. A senior official must affirm, in SPRS, that the organization meets the applicable requirements. That turns a one-time score into a recurring certification, and recurring certifications are recurring exposure.

What an affirmation actually is

Under 32 CFR § 170.22 (the CMMC Program rule, effective December 16, 2024), a senior company official — the affirming official — must submit an affirmation in SPRS attesting that the organization has implemented, and will maintain, the applicable CMMC security requirements for the systems in scope. It’s required when you achieve CMMC status, annually after that, and at POA&M closeout.

The SPRS affirmation warns that misrepresenting your CMMC compliance status may result in criminal prosecution under 18 U.S.C. § 1001, civil liability under the False Claims Act, and contract remedies. You are signing a legal certification, not clicking a box. That’s why a question keeps surfacing in DIB forums: “Did you submit the affirmation in SPRS, or just the score?” They’re not the same act, and the affirmation is the one with your name on it.

Why “I trusted my IT team” won’t protect you

Because the False Claims Act’s “knowing” standard includes reckless disregard and deliberate ignorance, an executive who signs an affirmation without reviewing the basis can be exposed even with no intent to deceive. Willful blindness is not a shield. If you had the ability to know and chose not to look, the law can treat that the same as actual knowledge. The affirming official is a senior leader putting their name — and, on the wrong facts, their personal exposure — behind the company’s compliance story.

What the affirming official should confirm before signing

  • The required CMMC level and the assessment type (self-assessment vs. C3PAO)
  • The scope and the CMMC UID
  • The FCI/CUI data flow
  • The SSP version and date
  • POA&M status, and whether POA&Ms are even permitted for your controls
  • Any control drift since the last assessment
  • Any cloud or external-service-provider changes
  • Whether subcontractors now touch FCI or CUI
  • The incident-reporting process
  • Whether any unresolved issue needs counsel before you sign

The timing pressure is real, and it’s scheduled

The DFARS CMMC acquisition rule took effect November 10, 2025, starting Phase 1, which runs through November 9, 2026 and focuses primarily on Level 1 and Level 2 self-assessments. Phase 2 begins November 10, 2026, introducing Level 2 certification (third-party assessment) requirements where applicable. The affirmation obligation is in front of contractors right now, and the certification phase is on the calendar.


What have DOJ cyber-fraud cases actually alleged against defense contractors?

There’s no single pattern — but there is a single theme: a mismatch between what the contractor said and what it could prove. Across the public settlements, the recurring facts are inaccurate scores, missing or weak SSPs, POA&M problems, cloud and FedRAMP issues, weak access control, subcontractor handling, and failures to implement required NIST SP 800-171 controls.

The DCR Public Cyber-FCA Settlement Matrix

Original DCR analysis. Inclusion rule: a matter is listed when the DOJ or a U.S. Attorney’s Office publicly described it as cybersecurity-related False Claims Act / Civil Cyber-Fraud Initiative enforcement. Rows summarize public DOJ materials; allegations are not findings of liability unless the source says otherwise.

| Case (year) | Who they are | What DOJ alleged | Key artifact implicated | Amount / signal | Verify first |
|---|---|---|---|---|---|
| Comprehensive Health Services (2022) | Government medical services contractor | Failed to consistently store records on a secure system; data exposed on an internal drive | Secure-storage representation; access controls | $930,000 — first CCFI settlement | Where sensitive data actually lives vs. where policy says it lives |
| Aerojet Rocketdyne (2022) | Defense/aerospace contractor | Misrepresented cybersecurity compliance on DoD and NASA contracts | Compliance certifications; gap-analysis statements | $9M — relator $2.61M; first qui tam cyber win | Whether proposal and certification statements match implementation |
| Jelly Bean Communications (2023) | Government web contractor | Failed to provide secure hosting / patching for a Florida Medicaid site | Hosted-system security; patching | $293,771 — cyber-services pattern | If you sell cyber/IT services, that the service matches what you operate |
| Verizon Business Network Services (2023) | Managed service provider | Didn’t fully satisfy required controls on a GSA service | Control implementation; managed-service duties | $4,091,317 — self-disclosure/cooperation credited | Whether your self-disclosure and remediation are documented |
| Penn State (2024) | Research institution / contractor | Control failures, weak POA&Ms, misrepresented implementation dates, cloud issues | POA&M dates; cloud compliance; NIST evidence | $1.25M — former CIO relator | POA&M dates, cloud environment, and who approved them |
| Health Net Federal Services / Centene (2025) | Federal healthcare contractor | Falsely certified cybersecurity compliance on a TRICARE contract | Certification; servicemember-data protection | $11M+ — highest amount in this matrix | Cyber certifications tied to protected government data |
| MORSECORP (2025) | Defense contractor (Army, Air Force) | Posted SPRS 104 vs. actual −142; no consolidated SSP; non-FedRAMP email; delayed correction | SPRS score; SSP; cloud/email; NIST controls | $4.6M — relator $851K; first SPRS-update-failure case | The score, SSP, and cloud evidence before any SPRS/CMMC submission |
| Raytheon / RTX / Nightwing (2025) | Major defense contractor + successor | Cyber non-compliance across ~29 DoD contracts on an internal development system | Contract cyber compliance; acquisition diligence | $8.4M — successor named “successor in liability” | Acquired-company cyber obligations before and after close |
| Illumina (2025) | Medical-device / genomics company | Sold federal agencies systems with cybersecurity vulnerabilities (company denied) | Product cybersecurity | $9.8M — settlement ≠ admission | If you sell products, that security claims match the product |
| Aero Turbine / Gallant Capital (2025) | Defense contractor + private-equity owner | NIST failures; unauthorized access by a foreign software company; self-disclosure credited | NIST controls; foreign access; CUI flow | $1.75M — cooperation credit | Who can access sensitive data — including outsourced support |
| Georgia Tech Research Corporation (2025) | Research contractor (Air Force, DARPA) | Failed to meet cyber requirements; scrutiny on SPRS/system scope | SPRS score; SSP; assessed environment | $875,000 — litigated qui tam | That the environment scored in SPRS is the one doing the work |
| Swiss Automation (2025) | Precision machining subcontractor | Inadequate cybersecurity for technical drawings of machined parts | Flow-down; drawing protection; NIST 800-171 | $421,234 — qui tam relator | CUI/drawing handling and flow-down proof — subs are not invisible |
| LOGZONE (2026) | Defense contractor (Navy) | Failed to implement NIST SP 800-171; a DCMA assessment scored the company at −170 | SPRS score; DCMA assessment; NIST evidence | $507,144 | That every score reconciles to evidence — a low true score beats a fake high one |

What the landmark cases actually teach

  • MORSECORP is the case every contractor should read. An inflated SPRS score plus a slow correction cost $4.6 million and handed an insider $851,000 — and it’s the first settlement built on failing to promptly update a known-bad score. The lesson isn’t “don’t lie.” It’s “the moment you learn your score is wrong, the clock starts.”
  • Aerojet Rocketdyne proves a whistleblower can win alone. The DOJ declined to intervene; the relator took it to trial and settled on the second day for $9 million, collecting $2.61 million. You cannot count on the government “passing” on a case.
  • Raytheon / Nightwing is the M&A landmine. An acquirer was named “successor in liability” for the target’s pre-acquisition cyber failures. CMMC status, SPRS scores, and prior affirmations now belong in diligence, reps and warranties, and indemnification.
  • Swiss Automation and LOGZONE are the small-supplier wake-up call. A machine shop paid $421,234; a Navy supplier paid $507,144 after a DCMA assessment scored it at −170. Nobody is too small, and a low accurate score would have been the safer position.

The four recurring patterns

  1. Representation mismatch — what you said vs. what you could prove.
  2. SPRS/assessment mismatch — the score or scope doesn’t match the real system.
  3. Cloud/data-flow mismatch — CUI or sensitive data sitting in the wrong environment.
  4. Supplier/subcontractor mismatch — primes and subs relying on unsupported claims.

Every settlement summary above uses “alleged” or “resolved allegations” on purpose. Most FCA settlements state that the claims are allegations with no determination of liability (Illumina expressly denied the allegations). MORSECORP is the notable exception — it admitted specific facts.


Which CMMC, SPRS, and DFARS artifacts are most likely to create a mismatch?

The highest-risk artifacts are the ones an outsider can compare against reality: your SPRS score, SSP, POA&M, CMMC affirmation, cloud-provider evidence, subcontractor proof, incident-reporting records, and CUI scope. Every one of them should be dated, scoped, backed by evidence, and consistent with your contract language.

The FCA Exposure Artifact Map

| Artifact | What goes wrong | Why FCA risk arises | First verification step |
|---|---|---|---|
| SPRS score | Inflated, or based on the wrong environment | Used for award and contract decisions | Recalculate from real evidence and real scope |
| SSP (System Security Plan) | Missing, outdated, or wrong boundary | It’s the backbone of NIST 800-171 evidence | Match it to actual assets, users, CUI flow, and cloud |
| POA&M | Dates or closure status overstated | Shows whether gaps were known | Compare milestones to tickets, configs, and invoices |
| CMMC affirmation | Signed despite drift or missing evidence | Each annual affirmation is a fresh representation | Confirm scope, controls, status date, and change history |
| Cloud/FedRAMP evidence | Commercial cloud used for CUI with no support | DFARS 7012 requires cloud equivalent to the FedRAMP Moderate baseline for CDI | Verify tenant, terms, equivalency package, incident duties |
| Incident reporting | No 72-hour process | DFARS 7012 requires rapidly reporting covered incidents to DoD within 72 hours of discovery | Verify your DIBNet process, escalation, and media preservation |
| Subcontractor proof | Supplier claims compliance without evidence | Flow-down and reliance can affect prime risk | Build a non-CUI supplier proof packet |
| CUI scope | Everything — or nothing — is “in scope” | Scope drives level, cost, and evidence | Map where CUI is created, received, stored, processed, transmitted |

Regulation-stated vs. what you must operationally verify

| The regulation says | Where to read it | What you must operationally verify |
|---|---|---|
| Level 2 uses the 110 NIST SP 800-171 Rev. 2 requirements, in 14 families | 32 CFR Part 170 | A current SSP, a score worksheet, and objective evidence for each control |
| Rapidly report covered cyber incidents to DoD within 72 hours | DFARS 252.204-7012 | A working DIBNet process, the medium-assurance certificate, an escalation path, and media preservation |
| Assessment information (score, scope, completion date) flows to SPRS | DFARS 252.204-7019 / -7020 | Your CAGE, score date, assessment scope, expected completion date, and summary score all match reality |
| A senior official must affirm implementation in SPRS | 32 CFR § 170.22 | An affirmation memo, the in-scope boundary, a drift review, and POA&M closeout status |

Does CMMC Level 2 or NIST SP 800-171 Rev. 2 make this more urgent?

For contractors handling CUI, Level 2 is the main risk zone, because CMMC Level 2 maps to the 110 security requirements in NIST SP 800-171 Revision 2, organized into 14 control families, and can be self-assessed or C3PAO-assessed depending on the solicitation. The legal risk isn’t CMMC itself — it’s the mismatch between the cybersecurity claims your contract requires and the evidence behind them.

FCI-only vs. CUI changes everything

Level 1 is for Federal Contract Information (FCI) and maps to the 15 basic safeguarding requirements in FAR 52.204-21; it’s an annual self-assessment. Level 2 is for Controlled Unclassified Information (CUI) and maps to the 110 NIST SP 800-171 Rev. 2 requirements. Level 3 adds a selected subset of NIST SP 800-172 enhanced requirements, is assessed by DCMA DIBCAC, and requires final Level 2 (C3PAO) status as a prerequisite. The contract clause and your CUI handling set the level — not a checklist, and not a vendor’s sales pitch.

Self-assessment vs. C3PAO — same controls, different consequences

A Level 2 self-assessment and a Level 2 C3PAO assessment use the same 110 requirements. What differs is who assesses, where the results flow, and what status you produce — and, for our purposes, how exposed an inaccurate self-attestation is when an independent assessor later validates the environment. As C3PAO and government assessments scale up, there will be two datasets to compare: what you self-reported, and what an independent party found. The MORSECORP and LOGZONE cases are previews of what that comparison looks like. For details, see our CMMC self-assessment vs. C3PAO guide.

One version warning, because it matters

CMMC currently incorporates NIST SP 800-171 Revision 2 in the 32 CFR Part 170 rule text. NIST has since published Revision 3 and marked Revision 2 as superseded for its own purposes, but the CMMC rule still points to Rev. 2. Don’t let anyone tell you Revision 3 controls CMMC today; it doesn’t, unless and until DoD amends the rule. We re-verify this against the eCFR every quarter, and we’ll update this page the moment it changes.


What should a prime do about subcontractor cyber-fraud risk?

A prime should not rely on a subcontractor’s “we’re good” email — especially when that sub will process, store, or transmit FCI or CUI. The cleaner path is to map the CUI flow, require appropriate flow-down terms, collect a controlled non-CUI proof packet, and escalate any unsupported or contradictory representation before you issue the work. The Raytheon and Swiss Automation cases show the supply chain is squarely in scope.

The subcontractor proof packet (no CUI)

Ask each sub that touches FCI or CUI for:

  • Required CMMC level and the governing clause
  • CAGE code and CMMC UID, if applicable
  • SPRS/CMMC status screenshot or printout, where appropriate
  • SSP name, version, and date — not the SSP itself if it’s sensitive
  • A short scope statement
  • POA&M status, where allowed and relevant
  • The affirmation date and the affirming official’s name
  • A statement confirming no CUI is included in the packet

For a full guide to requesting and managing subcontractor proof, see what to do when a prime asks for your SPRS score and SSP.

What to do when a sub claims “110/110” but has no SSP

Sub situation | Risk | Prime action
Sub handles only FCI | Level 1 may apply if the clause requires it | Verify the clause and basic proof
Sub handles CUI | Level 2 likely relevant | Verify score, status, and scope before granting CUI access
Sub claims 110/110 but has no SSP | Unsupported representation | Pause reliance; request correction and evidence
Sub refuses to provide proof | Contract and supply-chain risk | Escalate to contracts/legal/program leadership
Sub uses commercial cloud for CUI | CUI exposure | Require cloud evidence or restrict the CUI flow

What if you already submitted a questionable score, invoice, or affirmation?

Do not quietly clean up the record and pretend the old statement never existed. Preserve everything, stop making new unsupported statements, involve qualified counsel if a prior statement may be material, and build a documented remediation trail that aligns your future claims with evidence. The difference between a defensible position and a worse one is often what you do in the first 48 hours.

Your situation | First move | Next move
Internal gap only, no external statement | Preserve the findings | RPO/MSP/MSSP/GRC remediation
An external statement may be inaccurate | Preserve records | Federal-contracts/FCA counsel before any correction
Government inquiry or subpoena | Do not improvise | Counsel immediately
Whistleblower or internal complaint | Preserve records; no retaliation | Counsel + a controlled internal review
Score wrong because scope changed | Preserve the old basis | Re-scope and document the correction path
Cloud isn't suitable for CUI | Stop moving new CUI | CUI enclave / Government cloud plan; counsel if prior claims are affected

DOJ has credited self-disclosure, cooperation, and remediation in several cyber-fraud settlements — Verizon and Aero Turbine among them — and the statute’s double-damages off-ramp exists for exactly this. But whether, when, and how to self-disclose is a legal decision with real strategic consequences. This is not the place to freelance. If the broader contractual and administrative consequences are what’s worrying you, our CMMC non-compliance penalties breakdown covers the parts of this picture that sit outside the False Claims Act.


Which provider category do you actually need?

If legal exposure may already exist, start with qualified federal-contracts / False Claims Act counsel — full stop. If the problem is operational readiness, match the category to the gap: an RPO/RP for scope and readiness, an MSP/MSSP for implementation, a GRC platform for evidence workflow, a CUI enclave or Government cloud for data containment, a vCISO for governance, and a C3PAO only when you’re assessment-ready.

Your situation | Best-fit category | Not the right first stop | Why
A prior score/certification may be false | Federal-contracts / FCA counsel | A C3PAO or MSP alone | Legal-exposure decisions come first
You need to know your scope and level | RP/RPO / readiness advisor | A C3PAO as remediator | Assessment independence matters
You need to implement controls | CMMC-focused MSP/MSSP | A lawyer alone | Controls need hands-on implementation
You need an evidence workflow | GRC platform + advisor | Spreadsheet chaos | Evidence needs owners, dates, and artifacts
You need to shrink CUI exposure | CUI enclave / secure collaboration / Gov cloud | A full enterprise rebuild by default | An enclave can cut scope and cost
You need an affirmation process | vCISO / governance advisor | A tool-only solution | Affirmations need management control
You're ready for a formal Level 2 assessment | Authorized C3PAO | A readiness vendor pretending to certify | A C3PAO assesses; it doesn't remediate then grade its own work

The conflict-of-interest guardrail

One rule protects the integrity of your assessment: 32 CFR Part 170 bars a C3PAO from conducting a Level 2 certification assessment for an organization it served as a consultant — to prepare that organization for a CMMC assessment — within the prior three years. In plain terms: the same firm generally can’t both prepare you and then assess you. Keep readiness help and formal assessment appropriately separate. And remember — software alone does not satisfy CMMC. A GRC platform organizes evidence; it doesn’t implement controls or pass an assessment for you. For more on this, see Can You Get Sued for False CMMC Certification?


How to build a defensible CMMC/FCA evidence file before your next bid or affirmation

A defensible file doesn’t prove perfection. It proves that every claim is scoped, dated, sourced, and tied to operating evidence. Build it around your contract clauses, FCI/CUI flow, score calculation, SSP, POA&M, cloud evidence, subcontractor proof, incident reporting, and affirmation approvals.

The evidence file checklist

  • Contract clause inventory
  • FCI/CUI determination, in writing
  • A CUI data-flow map (created, received, stored, processed, transmitted, shared)
  • System boundary and asset inventory
  • SSP — current version and date
  • NIST SP 800-171 score worksheet
  • Control evidence index (one row per control, with the artifact)
  • POA&M with owners, dates, and status
  • Cloud / FedRAMP or equivalency package
  • Incident-reporting procedure (with the 72-hour path)
  • Subcontractor flow-down proof
  • Affirming-official memo documenting the review behind the signature
  • A record of every change since the last score or affirmation
  • Counsel-reviewed correction or self-disclosure records, if applicable

The formatting rule: every artifact gets an owner, a date, a system boundary, a control mapping, a source, and a CUI flag. Don’t store CUI inside general GRC tools or vendor portals unless that environment is authorized for it. A documented history of genuine compliance effort is the record you want in hand before any future inquiry.
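The reconciliation this section and the subcontractor table above describe is mechanical enough to script. The following is an added example written for this page, not code from the publication or any agency: it scores a constructed worksheet the way the DoD assessment methodology does (start at 110, deduct each unmet requirement's weight, allow partial credit where the methodology does), compares that to the score posted in SPRS, flags controls marked implemented with no artifact behind them, flags artifacts missing the owner/date/boundary/control/source/CUI metadata, flags CUI-flagged artifacts sitting in an unauthorized store, and triages a subcontractor proof packet against the prime's decision table. Every sample row, the per-requirement weights, the field names, and the list of authorized CUI stores are constructed assumptions; real weights come from the methodology annex, not from this file.

```python
"""Reconcile what was told to the government against what the evidence file can prove.

Added example for this page; not code from the page or any agency. All sample rows,
field names, weights and store names are constructed assumptions.
"""

# Metadata every artifact in the evidence file must carry (the formatting rule above).
REQUIRED_FIELDS = ("owner", "date", "boundary", "control", "source", "cui")
# Assumed: the only environments cleared to hold CUI-flagged artifacts.
AUTHORIZED_CUI_STORES = {"cui-enclave", "gov-cloud"}

# Constructed score worksheet. The DoD Assessment Methodology starts at 110 and deducts
# each unmet requirement's weight, with partial credit for a few requirements; the
# weights and statuses below are assumed for this sample, not taken from the annex.
WORKSHEET = {
    "3.1.1":   {"weight": 5, "status": "implemented"},
    "3.1.2":   {"weight": 5, "status": "implemented"},
    "3.5.3":   {"weight": 5, "status": "partial", "partial_deduction": 3},
    "3.13.11": {"weight": 5, "status": "partial", "partial_deduction": 3},
    "3.14.1":  {"weight": 5, "status": "not_implemented"},
    "3.3.5":   {"weight": 1, "status": "not_implemented"},
}

# Constructed evidence index: one row per artifact, each mapped to a control.
EVIDENCE = [
    {"id": "A-001", "owner": "it-ops", "date": "2026-03-02", "boundary": "cui-enclave",
     "control": "3.1.1", "source": "AD group export", "cui": False, "store": "grc-platform"},
    {"id": "A-002", "owner": "it-ops", "date": "2026-03-02", "boundary": "cui-enclave",
     "control": "3.5.3", "source": "MFA policy v4", "cui": False, "store": "grc-platform"},
    {"id": "A-003", "owner": "", "date": "2026-01-15", "boundary": "cui-enclave",
     "control": "3.13.11", "source": "", "cui": False, "store": "grc-platform"},
    {"id": "A-004", "owner": "eng", "date": "2026-02-20", "boundary": "cui-enclave",
     "control": "3.14.1", "source": "scan report", "cui": True, "store": "vendor-portal"},
]

# Constructed subcontractor proof packet (no CUI inside), as the prime would receive it.
SUB_PACKET = {
    "sub": "Example Machining LLC", "handles_cui": True, "claimed_score": 110,
    "ssp_ref": None, "sprs_status": "Level 2 self-assessment posted",
    "affirming_official": "J. Doe", "affirmation_date": "2026-01-10",
    "contains_cui": False, "refused_proof": False,
}


def worksheet_score(worksheet):
    """Score the worksheet: 110 minus the deduction for every requirement not fully met."""
    score = 110
    for row in worksheet.values():
        if row["status"] == "not_implemented":
            score -= row["weight"]
        elif row["status"] == "partial":
            score -= row.get("partial_deduction", row["weight"])
    return score


def reconcile(reported_score, worksheet, evidence):
    """Return findings wherever the reported posture is not backed by the evidence file."""
    findings = []
    computed = worksheet_score(worksheet)
    if computed != reported_score:
        findings.append(f"SCORE: SPRS shows {reported_score}, worksheet supports {computed}")
    covered = {a["control"] for a in evidence if a.get("control")}
    for req, row in worksheet.items():
        if row["status"] != "not_implemented" and req not in covered:
            findings.append(f"UNSUPPORTED: {req} marked {row['status']} with no evidence artifact")
    for a in evidence:
        missing = [f for f in REQUIRED_FIELDS if a.get(f) in (None, "")]
        if missing:
            findings.append(f"METADATA: {a['id']} missing {', '.join(missing)}")
        if a.get("cui") and a.get("store") not in AUTHORIZED_CUI_STORES:
            findings.append(f"CUI-PLACEMENT: {a['id']} is CUI-flagged but stored in {a['store']}")
    return findings


def check_sub_packet(packet):
    """Triage a subcontractor proof packet along the lines of the prime's decision table."""
    findings = []
    if packet.get("contains_cui"):
        findings.append("REJECT: packet contains CUI; do not accept it over this channel")
    if packet.get("refused_proof"):
        findings.append("ESCALATE: sub refuses proof; contracts/legal/program leadership")
    if packet.get("claimed_score") is not None and not packet.get("ssp_ref"):
        findings.append("PAUSE: score claimed with no SSP reference; unsupported representation")
    if packet.get("handles_cui") and not packet.get("sprs_status"):
        findings.append("VERIFY: CUI handling without SPRS/CMMC status; verify before granting access")
    if not packet.get("affirming_official") or not packet.get("affirmation_date"):
        findings.append("VERIFY: affirmation date or affirming official missing")
    return findings


if __name__ == "__main__":
    for line in reconcile(110, WORKSHEET, EVIDENCE) + check_sub_packet(SUB_PACKET):
        print(line)
```

Run as-is, the sample produces four findings for the contractor's own file (a posted 110 against a worksheet that supports 98, an "implemented" control with nothing behind it, an artifact with no owner or source, and a CUI-flagged scan report sitting in a vendor portal) and one for the sub (a score claimed with no SSP reference). The point of keeping the score computation and the evidence check in the same pass is that the finding you care about is the gap between the two, which is exactly what the settlements turn on.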


What we actually verified for this page

We verified:

  • The DOJ Civil Cyber-Fraud Initiative’s launch (October 6, 2021) and its three enforcement categories, against the DOJ announcement.
  • The False Claims Act mechanics — treble damages, the “knowing” standard, qui tam, and the double-damages off-ramp — against 31 U.S.C. §§ 3729–3733 and DOJ’s Civil Division materials.
  • The 2026 civil penalty range ($14,308–$28,619), against 28 CFR § 85.5 and the DOJ’s July 3, 2025 adjustment, and the carry-forward of 2025 levels into 2026 against federal inflation-adjustment notices.
  • DOJ’s FY2025 statistics ($6.8B total; $52M across nine cyber settlements; record qui tam filings), against DOJ’s January 2026 announcement and fact sheet.
  • The CMMC Program rule (32 CFR Part 170, effective December 16, 2024), the affirmation obligation (32 CFR § 170.22), and the Level 1/2/3 structure, against the eCFR and the official CMMC materials.
  • The DFARS CMMC acquisition rule (effective November 10, 2025) and Phase 1/Phase 2 timing, against the Federal Register and the official CMMC page.
  • DFARS 252.204-7012/-7019/-7020/-7021 text, against Acquisition.gov.
  • Each settlement in the matrix, against the relevant DOJ Office of Public Affairs or U.S. Attorney’s Office press release.
  • The C3PAO conflict-of-interest and three-year consulting restrictions, against 32 CFR Part 170.

We did not verify:

Any named provider’s claims, availability, or compensation relationships; or any individual contractor’s specific legal exposure. For that, you need counsel and your own facts.

Disclosure: The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. We may receive compensation for qualified introductions, sponsorships, or partner referrals when disclosed. Compensation does not control our regulatory analysis, provider-category recommendations, or Cyber AB status verification. This is educational research, not legal, contractual, or compliance advice; confirm scope and applicability with a CMMC Registered Practitioner (RP/RPO) or a qualified federal-contracts attorney. The contract clause and your CUI handling set your level, not a checklist. See our editorial standards and corrections policy.


Frequently asked questions

What is DOJ civil cyber fraud?

DOJ civil cyber fraud refers to cybersecurity-related fraud the Justice Department pursues with civil tools — primarily the False Claims Act — under its Civil Cyber-Fraud Initiative, launched October 6, 2021. It targets contractors and grant recipients who knowingly misrepresent their cybersecurity, provide deficient cybersecurity products or services, or fail to monitor and report incidents.

Does every NIST SP 800-171 gap create False Claims Act liability?

No. A gap is not automatically fraud. Liability risk rises when a contractor knowingly makes or uses a false, material cybersecurity statement tied to government payment, award, or a contract obligation — and “knowingly” includes reckless disregard, not just intent to deceive.

Do you need a data breach to be sued under the Civil Cyber-Fraud Initiative?

No. These cases are premised on misrepresentation, not on whether you were hacked. An inflated SPRS score or billing while non-compliant can create liability even if no data was ever lost.

How much are False Claims Act penalties in 2026?

Treble (three times) the government’s damages, plus a per-claim civil penalty of $14,308 to $28,619 for 2026 — the range DOJ set in July 2025 and carried into 2026. Penalties apply per false claim, which is how exposure compounds.

Can an SPRS score below 110 still be acceptable?

Yes — depending on the contract and timing. The danger is not a score below 110; it’s an inaccurate or unsupported score. An honest score tied to evidence is generally more defensible than a perfect score that can’t be substantiated.

Is a CMMC self-assessment the same as a C3PAO assessment?

No. A Level 2 self-assessment and a Level 2 C3PAO assessment use the same 110 NIST SP 800-171 Rev. 2 requirements, but they differ in who assesses, where the results flow, and what status is produced. See our CMMC self-assessment vs. C3PAO guide.

Does CMMC Level 2 use NIST SP 800-171 Rev. 2 or Rev. 3?

The current CMMC rule text (32 CFR Part 170) incorporates Revision 2. NIST has published Revision 3 for its own purposes, but don’t treat it as controlling for CMMC unless and until DoD amends the rule.

Can a false CMMC affirmation create DOJ risk?

Potentially — if it’s knowingly false and material to a government decision or payment. The annual affirmation is a signed certification in SPRS under 32 CFR § 170.22, and each one is a fresh representation. Consult counsel for your specific exposure.

Should I update SPRS if I find an error?

You should keep records accurate, but if a prior score may have been material to a contract or payment, involve counsel before you change the record or communicate externally. The MORSECORP case turned in part on the timing of a correction.

Can a subcontractor's cybersecurity statement create risk for a prime?

It can create operational and contract risk, particularly if the prime knowingly relies on an unsupported representation for work involving FCI or CUI. Verify, don’t assume.

Can a C3PAO help me remediate before assessing me?

Be careful. 32 CFR Part 170 bars a C3PAO from assessing an organization it consulted to prepare for a CMMC assessment within the prior three years; readiness/remediation and formal assessment should not be blurred on the same engagement.

Do I need an attorney, an RPO, an MSP/MSSP, a GRC platform, a CUI enclave, or a C3PAO?

If there may be past legal exposure, start with counsel. If the problem is readiness, scope, implementation, evidence workflow, or cloud architecture, match the provider category to the gap. The CMMC Path Framework maps your situation to the right category.

What should I never submit through a matching form?

Never submit CUI, technical drawings, export-controlled technical data, source code, proprietary technical files, or sensitive contract details.

Is this legal advice?

No. This is educational research from an independent trade publication on CMMC 2.0 and DIB compliance. For your specific exposure, consult a qualified federal-contracts / False Claims Act attorney.


Need help deciding what type of CMMC provider you need?

Tell us your level, scope, and timeline, and we’ll match you with source-checked CMMC provider options.

Do not submit CUI, drawings, export-controlled technical data, or sensitive contract details.
And if you’re responding to a DOJ subpoena, a civil investigative demand, or a qui tam complaint, contact a False Claims Act / government-contracts attorney first — that’s the right move, and we’ll say so every time.

Find My CMMC Path →

Your situation changes the answer


The right provider category — a C3PAO, an RPO, an MSSP, a GRC platform, or a CUI enclave — depends on your required CMMC level, FCI vs CUI handling, assessment type, IT/cloud environment, and contract timeline. Use The Defense Compliance Report's Find My CMMC Path tool to map your situation to the right provider category before you request quotes. Educational triage only: free · 2-minute assessment · no obligation · do not submit CUI, drawings, or sensitive contract details.
