False Claims Act CMMC Risk: When a Wrong SPRS Score or Affirmation Becomes Fraud Liability

This is educational research, not legal, contractual, or compliance advice. Whether any particular statement creates liability is a legal question. Confirm your exposure with a qualified federal-contracts or False Claims Act attorney, and confirm your CMMC scope and provider category with a CMMC Registered Practitioner (RP) or RPO. We are not affiliated with the Cyber AB, the Department of Defense, DCMA DIBCAC, NIST, or any U.S. government agency. Do not submit CUI, drawings, export-controlled technical data, or sensitive contract details through any form on this site.

False Claims Act CMMC risk is the risk that a knowingly false or unsupported cybersecurity statement tied to a federal contract — a wrong SPRS score, an overstated NIST SP 800-171 self-assessment, or a CMMC affirmation you can’t back up — becomes a federal fraud case carrying triple the government’s damages plus a civil penalty of $14,308 to $28,619 per false claim under the False Claims Act (31 U.S.C. § 3729).

In October 2021, a small Navy logistics contractor in Huntsville, Alabama posted a perfect cybersecurity self-assessment score — a 110 — into the Pentagon’s Supplier Performance Risk System (SPRS). In February 2024, the Defense Department’s own assessors scored the same company a negative 170. On June 18, 2026, that company, LOGZONE Inc., agreed to pay $507,144 to settle False Claims Act allegations tied to two Navy contracts. The gap between what you attested and what you can actually prove is the whole story.

The law turns on what you knew when you signed, not on whether you’re perfect. Below, we map exactly which statements are dangerous, what evidence makes each one defensible, what DOJ has actually done — with the receipts — and what to do before you sign, bid, correct, or flow requirements down to a subcontractor.

False Claims Act CMMC risk in one screen

Before the detail, here’s the verdict for the five statements most likely to put a contractor in the crosshairs.

The rest of this page is the work behind that table — and the steps that turn each red row green.

What “False Claims Act CMMC risk” actually means

32 CFR Part 170 (effective December 16, 2024) sets the cybersecurity requirements. The False Claims Act is a separate, much older fraud statute the government uses when a contractor knowingly misrepresents compliance with those requirements to win or keep federal business. The risk isn’t inherent in having a gap — it’s in attesting you don’t have one when you do.

What “knowingly” really means (and the myth to ignore)

The False Claims Act defines “knowingly” as one of three mental states at the time of the claim: actual knowledge that the statement is false, deliberate ignorance of whether it’s true, or reckless disregard of its truth (31 U.S.C. § 3729(b)). The statute also says no proof of specific intent to defraud is required.So both things are true: you don’t need to be a cartoon villain scheming to deceive. But a good-faith mistake you never investigated — after an employee flagged it — can still meet “deliberate ignorance.”

That distinction is the single most important idea on this page, because it tells you precisely where the risk lives and how to defend against it.

How the legal elements line up against the CMMC statements you actually make

Why the DOJ is leaning into this

In October 2021, DOJ launched its Civil Cyber-Fraud Initiative, explicitly to use the False Claims Act against contractors and grant recipients who knowingly misrepresent their cybersecurity, knowingly provide deficient security, or knowingly violate obligations to monitor and report incidents (U.S. DOJ). In fiscal year 2025, the DOJ recovered more than $6.8 billion through the False Claims Act, including a record 1,297 new qui tam suits filed by whistleblowers (DOJ FY2025 announcement). This isn’t a wave that’s about to break — it’s the new baseline.

The CMMC False Claims Act Risk Map

Methodology: built from primary sources reviewed June 19, 2026 — 31 U.S.C. § 3729, DOJ Civil Cyber-Fraud materials, 32 CFR Part 170, DFARS 252.204-7012/-7019/-7020/-7021/-7025, and DoD CMMC guidance. Educational research, not legal advice.

Can a false SPRS score lead to False Claims Act liability?

The Supplier Performance Risk System (SPRS) is where DoD contractors post the summary score from a NIST SP 800-171 self-assessment. A perfect implementation of all 110 requirements scores 110; the scoring methodology subtracts points for unmet controls and can run deep into negative territory. The score is not a marketing number. Since 2020, posting it has been a condition of doing certain DoD work — which is exactly what makes a false one dangerous.

Two recent settlements show how literally DOJ takes the gap between a posted score and reality:

• LOGZONE self-posted a 110 in October 2021. When DCMA’s assessment center (DIBCAC) reviewed the work in February 2024, the real score was −170. The company settled for $507,144 in June 2026, with no admission of liability (U.S. DOJ).
• Georgia Tech Research Corporation allegedly submitted a summary score of 98 in December 2020 said to apply campus-wide — but the government alleged it was based on a “fictitious” environment that didn’t match any actual system handling covered defense information. GTRC settled for $875,000 on September 30, 2025 (U.S. DOJ).

Red flags that your SPRS score may not be defensible

• No current System Security Plan (SSP)
• No defined CUI system boundary
• No scoped asset inventory
• No evidence for controls you’ve marked as “inherited” from a provider
• No POA&M dates, or dates that have quietly expired
• One score covering several environments that were never segmented
• A score a consultant built that leadership never reviewed
• A score never updated after a major IT, cloud, or MSP change

What to do before you post, update, or rely on a score

1. Confirm the contract clause and your CUI/FCI scope.
2. Confirm the system boundary the score applies to.
3. Recalculate the score from your actual SSP and evidence — not from memory.
4. Document the gaps and your POA&M status honestly.
5. Have leadership review it before it goes into SPRS or into a proposal.

The goal isn’t a perfect score. It’s a true one, with the evidence to show why you believed it when you posted it. See also: SPRS score — what it is and how to post one.

Which clauses actually create the risk?

Notice what’s missing from every row above: a breach. You do not need to be hacked for this risk to attach. DOJ’s theory is contractual — you promised a level of security (and, increasingly, attestedto it) as a condition of getting paid, and the promise wasn’t true. Several of the settlements later in this guide involved no breach at all.

Why the CMMC annual affirmation raises the stakes

Three reasons this matters:

A company can have polished policies, an impressive SSP, and a clean assessment history — and still create risk if the executive affirmation no longer matches the live, scoped environment. Scope drifts. An MSP migrates a mailbox. CUI quietly lands in a tool nobody assessed.

The good news: that’s fixable before anyone signs. The defense isn’t a prettier binder. It’s a dated affirmation evidence packet showing that scope, controls, inherited services, POA&M status, and operational changes were reviewed at the time the statement was made. That packet is also your best evidence of good faith if anyone ever asks what you knew — which, as the Supreme Court made clear in 2023, is the question that decides these cases.

What it can cost: treble damages, per-claim penalties, and whistleblowers

The whistleblower engine

Most False Claims Act activity is driven by whistleblowers, not government audits. The law’s qui tam provision lets a private “relator” — usually an employee or former employee — sue on the government’s behalf and share in the recovery (31 U.S.C. § 3730(b)). In the fiscal year ending September 2025, whistleblowers filed a record 1,297 new qui tam suits. The awards are real money: in the 2025 MORSE Corp settlement, the relator — the company’s own Head of Security — received $851,000; in the Raytheon/Nightwing settlement, a former director of engineering received roughly $1.5 million.

The person who can put your company in the government’s crosshairs may not be a hacker. It’s the security lead who told you the score was wrong and watched nothing happen.

The settlements: who’s been hit, for how much, and why

Sources: U.S. DOJ Office of Public Affairs and U.S. Attorney press releases for each matter. Amounts are settlement figures; defendants generally did not admit liability.

What these cases prove — and what they don’t

They do not prove that every CMMC mistake is fraud. They do show a repeatable pattern worth memorizing:

• The score didn’t match the work. LOGZONE’s 110-versus-(−170) and MORSE’s −142 are the clearest examples on record.
• A known gap went unfixed. Georgia Tech allegedly submitted a score built on a fictitious environment. Penn State allegedly misrepresented the timeline to fix gaps and never worked the plan. Health Net allegedly ignored its own auditors’ warnings.
• It’s not just the primes. LOGZONE is a small logistics shop. Georgia Tech is a university research arm. The risk reaches the whole supply chain.
• The deal can pass the liability to the buyer. In the Raytheon and Health Net matters, an acquirer was on the hook for conduct tied to a business it bought — a warning for anyone buying or selling a DIB company.

Who’s actually at risk? (a self-check)

If more than one “raises your risk” cell describes you, two moves come next — and the order matters: talk to counsel (especially if a prior statement may be inaccurate), then get an honest, independent read on where your evidence actually stands so your next score and affirmation are true.

Primes versus subcontractors

Flow-down means subcontractors now make their own affirmations and carry their own exposure. Under 32 CFR § 170.23, the subcontractor minimum tracks the prime’s obligation: if a subcontractor will process, store, or transmit CUI, Level 2 (Self) is the floor; if the prime’s contract requires Level 2 C3PAO, the subcontractor minimum is Level 2 C3PAO; and if the prime carries a Level 3 obligation, the subcontractor minimum is Level 2 C3PAO. A sub that tells a prime “we’re compliant” without the evidence to back it has just created two problems — its own, and the prime’s reliance on it. See also: My prime is asking for my SPRS score and SSP — what do I send?

Can individuals be personally liable? And does “I thought we were compliant” protect me?

Yes, a person can be in the frame. The Affirming Official is, by definition, a named senior individual (32 CFR § 170.4), and DOJ has named individuals in cybersecurity False Claims Act matters — for example, the 2023 Jelly Bean Communications Design settlementnamed both the company and its co-owner and manager. That’s not a reason to refuse to sign — someone has to. It’s a reason to make sure the signature is backed by evidence.

And the “honest belief” defense is narrower than it sounds. In United States ex rel. Schutte v. SuperValu Inc. (598 U.S. 739, decided June 1, 2023), a unanimous Supreme Court held that the False Claims Act’s “knowing” standard hinges on what the defendant actually believed when the claim was submitted— not on whether some hypothetical reasonable person could have read an ambiguous rule a different way. The three states of “knowing” — actual knowledge, deliberate ignorance, and reckless disregard — all look at your real, contemporaneous state of mind.

The practical takeaway is empowering: document your good-faith basis at the moment you attest. A dated record showing what you reviewed, what your scope was, and why you believed the statement was true is exactly the kind of contemporaneous evidence that supports an honest-belief position. Build it before you sign, not after a Civil Investigative Demand arrives.

How should primes and subcontractors reduce flow-down False Claims Act risk?

The subcontractor’s problem. You feel forced to answer a yes/no question that doesn’t have a yes/no answer. Don’t. Answer precisely instead:

• “We handle FCI only and are preparing a Level 1 self-assessment.”
• “We handle CUI and have a current Basic NIST SP 800-171 assessment score posted in SPRS.”
• “We’re pursuing Level 2 C3PAO because the solicitation requires it.”
• “We can’t accept CUI until the agreed environment is ready.”

The supplier evidence packet — request the minimum that proves the point:

The guardrail under all of it: don’t collect CUI, drawings, or full SSPs you don’t actually need. Over-collecting sensitive material creates its own handling and exposure problems.

What to verify before anyone signs a CMMC affirmation or proposal

Hand this to whoever is about to sign. If a line can’t be answered with evidence, that’s your signal to pause. Copy it, drop it into your pre-affirmation checklist, and keep the completed version on file — it doubles as your good-faith record.

When to stop and call counsel: If you come to believe a past SPRS score, affirmation, proposal statement, invoice support, or subcontractor representation may already have been inaccurate or misleading, stop treating it as a routine remediation task and involve qualified federal-contracts/FCA counsel before deciding how to correct, disclose, update, or communicate it.

How to reduce your risk going forward

Seven moves, each one drawn from the patterns in the actual cases:

1. Get an honest gap assessment, then align your SPRS score to it. The LOGZONE and MORSE matters are what happens when the posted number and the real number diverge. A score that matches reality is your single strongest protection. See: CMMC gap assessment services.
2. Keep the score and affirmation current. Re-assess and re-post after any meaningful change in posture — a new tool, a cloud migration, an MSP swap. A stale attestation is a quiet liability.
3. Maintain a real SSP and a worked POA&M. Penn State, Georgia Tech, and Raytheon all involved SSP or plan-of-action failures. Realistic dates, named owners, and actual progress beat an impressive binder every time.
4. Document your good-faith basis at attestation time. This is the SuperValu defense in practice — contemporaneous evidence of what you reviewed and why you believed the statement.
5. Build an internal reporting channel and actually investigate concerns. Most of these cases started with an insider. Treating a cybersecurity complaint as a routine HR matter underestimates the risk.
6. Vet acquisitions and your own ownership for inherited exposure. Successor and investor liability is real (Raytheon, Health Net, Aero Turbine). Put cyber attestations in diligence.
7. If you find a real problem, get counsel and weigh voluntary self-disclosure. DOJ gives cooperation credit for self-disclosure, cooperation, and prompt remediation under the Justice Manual (§ 4-4.112). In the 2023 Verizon matter, settlement put single damages at $2,727,545 and the total at $4,091,317 — roughly a 1.5× multiplier, where DOJ civil-fraud settlements often run closer to 2×.

Which provider category helps which CMMC/FCA risk?

One hard rule we hold to: readiness/remediation help and formal assessment must stay appropriately separated. The Cyber AB’s CMMC Assessment Process (CAP) makes a C3PAO responsible for managing its own impartiality and identifying conflicts of interest before it assesses you. And software alone does not satisfy CMMC. A GRC platform organizes your evidence; it doesn’t implement your controls or assess you. See also: RPO vs. C3PAO — which to hire first · What you can and can’t outsource.

What we verified for this guide

We built this from primary legal, regulatory, and government sources. The editorial conclusion is not that every CMMC mistake creates liability; it’s that CMMC and DFARS statements should be treated as evidence-backed representations before they’re signed, submitted, repeated, or relied on. Last verified: June 19, 2026.

Primary sources verified June 19, 2026:

• The False Claims Act — 31 U.S.C. §§ 3729–3730 (liability, treble damages, “knowingly,” qui tam, relator share)
• DOJ’s Civil Cyber-Fraud Initiative announcement and its FY2025 False Claims Act recovery announcement
• DOJ press releases for LOGZONE, Georgia Tech, Illumina, Aero Turbine, Raytheon/Nightwing, MORSE, Health Net/Centene, Penn State, Verizon, and Aerojet Rocketdyne settlements
• The CMMC Program Rule — 32 CFR Part 170 (including § 170.4 definitions, § 170.22 affirmation, and § 170.23 flow-down)
• DFARS 252.204-7012, -7019, -7020, -7021, and -7025
• NIST SP 800-171 Rev. 2 (the 110 Level 2 requirements across 14 families)
• Supreme Court — Schutte v. SuperValu Inc., 598 U.S. 739 (2023)
• The Cyber AB CMMC Assessment Process (CAP) on C3PAO impartiality and conflicts of interest

False Claims Act CMMC risk: FAQs

Disclosure: The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. We may receive compensation for qualified introductions, sponsorships, or partner referrals when disclosed. Compensation does not control our regulatory analysis, provider-category recommendations, or Cyber AB status verification. More: Editorial Standards · Corrections Policy.