US defense contractors are now encountering CMMC cybersecurity requirements in their contracts. Ambika Biggs of Hirschler reviews the program’s structure, the levels at which contractors may self-certify and where inaccurate certifications have drawn False Claims Act scrutiny from the Justice Department.
A US government focus on cybersecurity is not new. DFARS 252.204-7012, which is included in defense contracts involving controlled unclassified information (CUI), became effective in 2016. However, after a defense department inspector general report in 2019 found that defense contractors were not consistently implementing security requirements to protect CUI, the defense department developed the cybersecurity maturity model certification (CMMC) program to assess implementation of cybersecurity requirements by defense contractors and subcontractors.
A final rule was published in November 2020 and became effective in 2024; the department began incorporating CMMC program requirements in contracts in November 2025, and phased-in implementation is proceeding as scheduled through 2028.
CMMC program and implementation
The CMMC program has three levels:
Level 1: Basic safeguarding of FCI
- Mandates basic safeguarding requirements and procedures to protect contractor information systems that process, store or transmit federal contract information (FCI), which is information that’s not intended for public release and is provided by or generated for the government.
- Requires an annual self-assessment of compliance with the 15 security requirements in FAR 52.204-21.
- Requires submission of an annual affirmation of compliance into the supplier performance risk system (SPRS).
Level 2: Broad protection of CUI
- Addresses protection of controlled unclassified information, which is information that requires safeguarding or dissemination controls.
- Requires compliance with the security requirements in National Institute of Standards and Technology (NIST) special publication 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations,” as required by DFARS 252.204-7012.
- Requires either a self-assessment or an independent assessment by an authorized CMMC third-party assessment organization (C3PAO) every three years, as stated in the solicitation.
- Requires an annual affirmation of compliance with the 110 security requirements in NIST publication.
Level 3: Higher-level protection of CUI against advanced persistent threats
- Must achieve CMMC status of final Level 2.
- Requires an assessment every three years by the Defense Contract Management Agency’s Defense Industrial Base Cybersecurity Assessment Center.
- Requires an annual affirmation verifying compliance with the 24 identified requirements from NIST SP 800-172.
The Department of War implemented a phased approach to give contractors time to prepare for third-party certification, which can be a costly and time-consuming process as companies assess and correct any gaps in security requirements then undergo the third-party assessment. CMMC assessments are being implemented in four phases over three years:
- Phase 1: November 2025, solicitations will require Level 1 or Level 2 self-assessment, where applicable
- Phase 2: November 2026, solicitations will require Level 2 certification, where applicable
- Phase 3: November 2027, solicitations will require Level 3 certification, where applicable
- Phase 4: November 2028, all solicitations will include applicable CMMC level requires as a condition of award of the contract
CMMC Phase One Reality Check: Documentation Alone Won’t Pass Muster
With Phase Two enforcement approaching in November 2026, early preparation matters in a market where assessment capacity has become limited
Read moreDetailsMisrepresentation can lead to False Claims Act liability
At this time, contractors are able to self-certify their compliance with Level 1 and Level 2 cybersecurity requirements. While this may seem like an easier process than undergoing a third-party assessment, self-certification poses risks of misrepresentation of their self-assessed scores for compliance.
In 2021, the DOJ launched its civil cyber-fraud initiative to enforce government contracting and grant cybersecurity requirements. Under the initiative, the Department of Justice pursues contractors and individuals who provide deficient cybersecurity products or services; mispresent their cybersecurity practices or protocols; or do not meet their obligations to monitor and report cybersecurity incidents and breaches. The DOJ uses the False Claims Act (FCA) to enforce the government’s cybersecurity objectives for government contractors.
Under the FCA, companies and individuals can be held liable for knowingly making a false claim to the government. This can include falsely certifying that a company has certain cybersecurity requirements in place in order to induce the government to award it a contract, or certifying compliance with cybersecurity requirements in connection with a claim for payment under a government contract. Under the implied-certification theory, a contractor implicitly certifies that it has complied with all material contractual provisions when it submits a claim for payment.
The government can investigate false claims and bring lawsuits under the False Claims Act, and via qui tam actions, individuals can bring False Claims Act lawsuits against contractors and, if successful, be awarded between 15% to 30% of the damages, depending on how much the individual contributes to the lawsuit and whether the government intervenes in the litigation. These individuals, known as relators, are highly incentivized to bring these cases and often are whistleblowers or disgruntled employees.
The consequences for false certification are steep. A contractor can be liable for up to three times the amount of the government’s damages. Additionally, a contractor could have to pay penalties from between about $14,300 and $28,600 for each violation, which is for each false invoice.
Several companies already have settled False Claims Act violation allegations with the government as a result of lax cybersecurity. A few of the settlements are noted below:
- Health Net Federal Services and its parent, Centene Corp., agreed to pay $11.2 million in February 2025 to settle claims that Health Net falsely certified compliance with cybersecurity requirements in a contract to administer the TRICARE health benefits program for military members and their families. The government alleged that Health Net ignored reports from third-party auditors and its internal audit department about cybersecurity risks on its networks, and falsely attested that it was in compliance with cybersecurity standards, among other issues.
- Raytheon Co., RTX Corp., Nightwing Group and Nightwing Intelligence Solutions agreed to pay $8.4 million in May 2025 to resolve allegations that Raytheon failed to comply with cybersecurity requirements in Department of Defense contracts or subcontracts. A whistleblower initiated the lawsuit and alleged that Raytheon did not implement required cybersecurity controls on an internal system that was used to perform unclassified work; did not develop and implement a required system security plan; and did not ensure that the system complied with DFARS 252.204-7012 and FAR 52.204-21.
- Aerojet Rocketdyne paid $9 million in July 2022 to settle a qui tam lawsuit by a former employer who alleged that the company misrepresented its compliance with cybersecurity requirements and did not disclose the full extent of its noncompliance with DFARS and NASA cybersecurity regulations.
Tips for navigating cybersecurity requirements
The DOJ has indicated that it intends to continue focusing on cybersecurity enforcement through the use of the False Claims Act. Contractors need to ensure that they are complying with all applicable cybersecurity requirements and that they flow the requirements down to their subcontractors to reduce vulnerabilities in the supply chain. Contractors should take the following steps to ensure compliance with cybersecurity regulations:
- Review contracts to understand the cybersecurity requirements.
- Assess compliance with cybersecurity requirements and accurately report scores in SPRS.
- Prepare for third-party assessment.
- Create procedures to ensure ongoing compliance with cybersecurity regulations.
- Implement a process to flow-down cybersecurity requirements to applicable subcontractors and suppliers.
- Report cybersecurity incidents promptly and in accordance with contractual requirements.
- Take seriously and investigate any allegations of noncompliance with cybersecurity requirements.
- Have a policy in place that prohibits retaliation against whistleblowers.
- If a violation or noncompliance is discovered, make a mandatory disclosure to the government.
These are key actions that must be taken to ensure compliance with the CMMC program and related cybersecurity regulations. Given the government’s focus in this area, and frequent cyberattacks aimed at gaining access to FCI and CUI, contractors must stay vigilant in maintaining their cybersecurity programs.


Ambika Biggs is a government contracts attorney at Hirschler Fleischer. Her practice focuses on representing government contractors and counseling them on the complex regulations governing federal procurement. 






