No Result
View All Result
SUBSCRIBE | NO FEES, NO PAYWALLS
MANAGE MY SUBSCRIPTION
NEWSLETTER
Corporate Compliance Insights
  • About
    • About CCI
    • Writing for CCI
    • NEW: CCI Press – Book Publishing
    • Advertise With Us
  • Explore Topics
    • See All Articles
    • Compliance
    • Ethics
    • Risk
    • Artificial Intelligence (AI)
    • FCPA
    • Governance
    • Fraud
    • Internal Audit
    • HR Compliance
    • Cybersecurity
    • Data Privacy
    • Financial Services
    • Well-Being at Work
    • Leadership and Career
    • Opinion
  • Vendor News
  • Downloads
    • Download Whitepapers & Reports
    • Download eBooks
  • Research
  • Books
    • CCI Press
    • New: Bribery Beyond Borders: The Story of the Foreign Corrupt Practices Act by Severin Wirz
    • CCI Press & Compliance Bookshelf
    • The Seven Elements Book Club
  • Podcasts
  • Webinars
  • Videos
  • Subscribe
Jump to a Section
  • At the Office
    • Ethics
    • HR Compliance
    • Leadership & Career
    • Well-Being at Work
  • Compliance & Risk
    • Compliance
    • FCPA
    • Fraud
    • Risk
  • Finserv & Audit
    • Financial Services
    • Internal Audit
  • Governance
    • ESG
    • Getting Governance Right
  • Infosec
    • Cybersecurity
    • Data Privacy
  • Opinion
    • Adam Balfour
    • Jim DeLoach
    • Mary Shirley
    • Yan Tougas
No Result
View All Result
Corporate Compliance Insights
Home Cybersecurity

CMMC Cybersecurity Rules Are Rolling Into Defense Contracts

An inaccurate self-certification can expose defense contractors to False Claims Act liability, including treble damages and whistleblower suits

by Ambika Biggs
July 6, 2026
in Cybersecurity
pentagon building and potomac

US defense contractors are now encountering CMMC cybersecurity requirements in their contracts. Ambika Biggs of Hirschler reviews the program’s structure, the levels at which contractors may self-certify and where inaccurate certifications have drawn False Claims Act scrutiny from the Justice Department.

A US government focus on cybersecurity is not new. DFARS 252.204-7012, which is included in defense contracts involving controlled unclassified information (CUI), became effective in 2016. However, after a defense department inspector general report in 2019 found that defense contractors were not consistently implementing security requirements to protect CUI, the defense department developed the cybersecurity maturity model certification (CMMC) program to assess implementation of cybersecurity requirements by defense contractors and subcontractors. 

A final rule was published in November 2020 and became effective in 2024; the department began incorporating CMMC program requirements in contracts in November 2025, and phased-in implementation is proceeding as scheduled through 2028.

CMMC program and implementation

The CMMC program has three levels:

Level 1: Basic safeguarding of FCI

  • Mandates basic safeguarding requirements and procedures to protect contractor information systems that process, store or transmit federal contract information (FCI), which is information that’s not intended for public release and is provided by or generated for the government.
  • Requires an annual self-assessment of compliance with the 15 security requirements in FAR 52.204-21.
  • Requires submission of an annual affirmation of compliance into the supplier performance risk system (SPRS).

Level 2: Broad protection of CUI

  • Addresses protection of controlled unclassified information, which is information that requires safeguarding or dissemination controls.
  • Requires compliance with the security requirements in National Institute of Standards and Technology (NIST) special publication 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations,” as required by DFARS 252.204-7012.
  • Requires either a self-assessment or an independent assessment by an authorized CMMC third-party assessment organization (C3PAO) every three years, as stated in the solicitation.
  • Requires an annual affirmation of compliance with the 110 security requirements in NIST publication.

 Level 3: Higher-level protection of CUI against advanced persistent threats

  • Must achieve CMMC status of final Level 2.
  • Requires an assessment every three years by the Defense Contract Management Agency’s Defense Industrial Base Cybersecurity Assessment Center.
  • Requires an annual affirmation verifying compliance with the 24 identified requirements from NIST SP 800-172.

The Department of War implemented a phased approach to give contractors time to prepare for third-party certification, which can be a costly and time-consuming process as companies assess and correct any gaps in security requirements then undergo the third-party assessment. CMMC assessments are being implemented in four phases over three years:

  • Phase 1: November 2025, solicitations will require Level 1 or Level 2 self-assessment, where applicable
  • Phase 2: November 2026, solicitations will require Level 2 certification, where applicable
  • Phase 3: November 2027, solicitations will require Level 3 certification, where applicable
  • Phase 4: November 2028, all solicitations will include applicable CMMC level requires as a condition of award of the contract
pentagon aerial view
Cybersecurity

CMMC Phase One Reality Check: Documentation Alone Won’t Pass Muster

by Marci Womack
January 29, 2026

With Phase Two enforcement approaching in November 2026, early preparation matters in a market where assessment capacity has become limited

Read moreDetails

Misrepresentation can lead to False Claims Act liability

At this time, contractors are able to self-certify their compliance with Level 1 and Level 2 cybersecurity requirements. While this may seem like an easier process than undergoing a third-party assessment, self-certification poses risks of misrepresentation of their self-assessed scores for compliance.

In 2021, the DOJ launched its civil cyber-fraud initiative to enforce government contracting and grant cybersecurity requirements. Under the initiative, the Department of Justice pursues contractors and individuals who provide deficient cybersecurity products or services; mispresent their cybersecurity practices or protocols; or do not meet their obligations to monitor and report cybersecurity incidents and breaches. The DOJ uses the False Claims Act (FCA) to enforce the government’s cybersecurity objectives for government contractors.

Under the FCA, companies and individuals can be held liable for knowingly making a false claim to the government. This can include falsely certifying that a company has certain cybersecurity requirements in place in order to induce the government to award it a contract, or certifying compliance with cybersecurity requirements in connection with a claim for payment under a government contract. Under the implied-certification theory, a contractor implicitly certifies that it has complied with all material contractual provisions when it submits a claim for payment. 

The government can investigate false claims and bring lawsuits under the False Claims Act, and via qui tam actions, individuals can bring False Claims Act lawsuits against contractors and, if successful, be awarded between 15% to 30% of the damages, depending on how much the individual contributes to the lawsuit and whether the government intervenes in the litigation. These individuals, known as relators, are highly incentivized to bring these cases and often are whistleblowers or disgruntled employees.

The consequences for false certification are steep. A contractor can be liable for up to three times the amount of the government’s damages. Additionally, a contractor could have to pay penalties from between about $14,300 and $28,600 for each violation, which is for each false invoice.

Several companies already have settled False Claims Act violation allegations with the government as a result of lax cybersecurity. A few of the settlements are noted below:

  • Health Net Federal Services and its parent, Centene Corp., agreed to pay $11.2 million in February 2025 to settle claims that Health Net falsely certified compliance with cybersecurity requirements in a contract to administer the TRICARE health benefits program for military members and their families. The government alleged that Health Net ignored reports from third-party auditors and its internal audit department about cybersecurity risks on its networks, and falsely attested that it was in compliance with cybersecurity standards, among other issues.
  • Raytheon Co., RTX Corp., Nightwing Group and Nightwing Intelligence Solutions agreed to pay $8.4 million in May 2025 to resolve allegations that Raytheon failed to comply with cybersecurity requirements in Department of Defense contracts or subcontracts. A whistleblower initiated the lawsuit and alleged that Raytheon did not implement required cybersecurity controls on an internal system that was used to perform unclassified work; did not develop and implement a required system security plan; and did not ensure that the system complied with DFARS 252.204-7012 and FAR 52.204-21.
  • Aerojet Rocketdyne paid $9 million in July 2022 to settle a qui tam lawsuit by a former employer who alleged that the company misrepresented its compliance with cybersecurity requirements and did not disclose the full extent of its noncompliance with DFARS and NASA cybersecurity regulations. 

Tips for navigating cybersecurity requirements

The DOJ has indicated that it intends to continue focusing on cybersecurity enforcement through the use of the False Claims Act. Contractors need to ensure that they are complying with all applicable cybersecurity requirements and that they flow the requirements down to their subcontractors to reduce vulnerabilities in the supply chain. Contractors should take the following steps to ensure compliance with cybersecurity regulations:

  • Review contracts to understand the cybersecurity requirements.
  • Assess compliance with cybersecurity requirements and accurately report scores in SPRS.
  • Prepare for third-party assessment.
  • Create procedures to ensure ongoing compliance with cybersecurity regulations.
  • Implement a process to flow-down cybersecurity requirements to applicable subcontractors and suppliers.
  • Report cybersecurity incidents promptly and in accordance with contractual requirements.
  • Take seriously and investigate any allegations of noncompliance with cybersecurity requirements.
  • Have a policy in place that prohibits retaliation against whistleblowers.
  • If a violation or noncompliance is discovered, make a mandatory disclosure to the government.

These are key actions that must be taken to ensure compliance with the CMMC program and related cybersecurity regulations. Given the government’s focus in this area, and frequent cyberattacks aimed at gaining access to FCI and CUI, contractors must stay vigilant in maintaining their cybersecurity programs. 

Tags: Contract ManagementCyber RiskFalse Claims Act (FCA)
Previous Post

Quantifind Announces $200M Growth Round

Next Post

A Helpful Guide to Corporate Governance at US Broker-Dealers

Ambika Biggs

Ambika Biggs

Ambika Biggs is a government contracts attorney at Hirschler Fleischer. Her practice focuses on representing government contractors and counseling them on the complex regulations governing federal procurement.

Related Posts

data abstract pixelated

Most DIB Firms Fear AI-Powered Cyber Attack

by Staff and Wire Reports
July 1, 2026

Plus: More than half of enterprises would sacrifice data security for efficiency

global risk concept satellite image

How Do You Counter a Threat Actor Who Just Wants to Fight?

by Avani Desai
June 29, 2026

The changing nature of geopolitical risk brings a new world of cyber exposure

hourglass time running out

New DEI Rule Puts Federal Contractors on the Compliance Clock

by Andrew Turnbull
June 26, 2026

Aside from potential legal trouble, new obligations could spark business and operational friction

NRF Litigation Trends Midyear Pulse

2026 Litigation Trends Survey: Midyear Pulse

by Corporate Compliance Insights
June 17, 2026

Norton Rose Fulbright's 2026 midyear litigation pulse examines how dispute exposure is shifting across sectors as cybersecurity, AI and employment...

Next Post
financial markets concept candlestick chart

A Helpful Guide to Corporate Governance at US Broker-Dealers

No Result
View All Result

Privacy Policy | AI Policy

Founded in 2010, CCI is the web’s premier global independent news source for compliance, ethics, risk and information security. 

Got a news tip? Get in touch. Want a weekly round-up in your inbox? Sign up for free. No subscription fees, no paywalls. 

Follow Us

Browse Topics:

  • CCI Press
  • Compliance
  • Compliance Podcasts
  • Cybersecurity
  • Data Privacy
  • eBooks Published by CCI
  • Ethics
  • FCPA
  • Featured
  • Financial Services
  • Fraud
  • Governance
  • GRC Vendor News
  • HR Compliance
  • Internal Audit
  • Leadership and Career
  • On Demand Webinars
  • Opinion
  • Research
  • Resource Library
  • Risk
  • Uncategorized
  • Videos
  • Webinars
  • Well-Being
  • Whitepapers

© 2026 Corporate Compliance Insights

Welcome to CCI. This site uses cookies. Please click OK to accept. Privacy Policy
Cookie settingsACCEPT
Manage consent

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may affect your browsing experience.
Necessary
Always Enabled
Necessary cookies are absolutely essential for the website to function properly. These cookies ensure basic functionalities and security features of the website, anonymously.
CookieDurationDescription
cookielawinfo-checbox-analytics11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional11 monthsThe cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy11 monthsThe cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
Functional
Functional cookies help to perform certain functionalities like sharing the content of the website on social media platforms, collect feedbacks, and other third-party features.
Performance
Performance cookies are used to understand and analyze the key performance indexes of the website which helps in delivering a better user experience for the visitors.
Analytics
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics the number of visitors, bounce rate, traffic source, etc.
Advertisement
Advertisement cookies are used to provide visitors with relevant ads and marketing campaigns. These cookies track visitors across websites and collect information to provide customized ads.
Others
Other uncategorized cookies are those that are being analyzed and have not been classified into a category as yet.
SAVE & ACCEPT
No Result
View All Result
  • About
    • About CCI
    • Writing for CCI
    • NEW: CCI Press – Book Publishing
    • Advertise With Us
  • Explore Topics
    • See All Articles
    • Compliance
    • Ethics
    • Risk
    • Artificial Intelligence (AI)
    • FCPA
    • Governance
    • Fraud
    • Internal Audit
    • HR Compliance
    • Cybersecurity
    • Data Privacy
    • Financial Services
    • Well-Being at Work
    • Leadership and Career
    • Opinion
  • Vendor News
  • Downloads
    • Download Whitepapers & Reports
    • Download eBooks
  • Research
  • Books
    • CCI Press
    • New: Bribery Beyond Borders: The Story of the Foreign Corrupt Practices Act by Severin Wirz
    • CCI Press & Compliance Bookshelf
    • The Seven Elements Book Club
  • Podcasts
  • Webinars
  • Videos
  • Subscribe

© 2026 Corporate Compliance Insights