CMMC went live on November 10, 2025. The annual affirmation now required in SPRS is not a formality — it is a signed legal representation that, if inaccurate, can expose the company and its affirming official to treble damages and per-claim penalties under the False Claims Act. DOJ's Civil Cyber-Fraud Initiative recovered roughly $52 million across nine cybersecurity settlements in FY2025, and every case rested not on a data breach but on a misrepresentation. With Phase 2 — third-party (C3PAO) certification for applicable new contracts — scheduled to begin November 10, 2026, the scope of that exposure is about to grow.
DFARS clause 252.204-7021 makes a current CMMC status a condition of contract award, option exercise, and continued performance. A senior company executive — the "affirming official" — must submit an annual affirmation of continuous compliance in SPRS. Because that affirmation is a certification the government relies on to pay and to keep awarding work, an inaccurate one can be a False Claims Act violation carrying treble damages and per-claim penalties. The annual cadence makes the exposure recurring. If you have read our guides to standing up a cleared government contracting company and the proposed FOCI rule for uncleared contractors, this is the third leg of the same stool: the government is steadily converting industrial-security expectations into hard, enforceable conditions of doing business. CMMC is the cybersecurity leg — and it now comes with a False Claims Act edge.
From Checklist to Certification
For years, defense contractors treated cybersecurity as an IT problem: implement the controls in NIST SP 800-171, post a self-assessed score to SPRS under DFARS 252.204-7012 and -7019, and move on. The score was a number a contractor gave itself. CMMC changes the character of that obligation. It converts a self-graded checklist into a certified status that the government verifies and that a senior official must personally re-attest every year. That shift — from quiet self-assessment to recurring certified representation — is what makes CMMC different from its predecessor, and what gives the annual affirmation its legal weight.
What the Affirmation Actually Is
CMMC rests on two regulatory pillars. The program rule (32 C.F.R. Part 170, effective December 16, 2024) defines the levels, assessments, and obligations. The acquisition rule amending the DFARS (published September 10, 2025; effective November 10, 2025) supplies the contractual hook: DFARS 252.204-7021, the clause that makes CMMC a condition of award and performance, with the required level specified in each solicitation.
Three features of the framework create the exposure this article addresses.
The CMMC Annual Affirmation
Under 32 C.F.R. § 170.22, an affirming official, a senior company executive as defined in § 170.4, must submit an affirmation in SPRS that the organization has implemented, and will continue to maintain, the security requirements for its CMMC level. The affirmation is required when the assessment is completed and annually thereafter. It is not an administrative checkbox; it is a signed representation to the federal government on which the company's payment and continued contract eligibility depend, and a false one can satisfy the materiality element of a False Claims Act claim.
Conditional Versus Final Status
For CMMC Level 1, only a final status is permitted — there is no conditional grace period. For Levels 2 and 3, a contractor may hold a conditional status for up to 180 days while it closes out a plan of action and milestones (POA&M), but a current affirmation from the affirming official is still required throughout. A contractor cannot use the annual affirmation to paper over known gaps that remain unresolved.
The Eligibility Gate
DFARS 252.204-7021 makes a current affirmation a prerequisite for award and for the exercise of options. A lapsed or stale affirmation does not merely create legal risk; it can render a contractor ineligible for the next award or option year. Compliance, certification, and continued revenue are now bound together.
Why an Affirmation Is a False Claims Act Trigger
The False Claims Act (31 U.S.C. § 3729) imposes liability on a party that knowingly submits, or causes the submission of, a false claim for payment — or that makes a false statement material to such a claim. When a contractor certifies CMMC or DFARS 252.204-7012 compliance as a condition of payment or eligibility, and that certification is false, the government's theory is straightforward: the contractor has made a false statement material to the claims it then submits for payment.
Materiality remains a key element of every False Claims Act case — the Supreme Court underscored as much in Universal Health Services, Inc. v. United States ex rel. Escobar (2016). But because CMMC status is now expressly tied to award and option eligibility under DFARS 252.204-7021, an inaccurate certification is well-positioned to satisfy that element in an enforcement action.
The critical point for contractors is the standard of knowledge. "Knowingly" under 31 U.S.C. § 3729(b)(1) does not require intent to defraud. It includes actual knowledge, deliberate ignorance of the truth, and reckless disregard of the truth or falsity of the information. A CMMC affirming official who signs the annual affirmation without verifying the company's actual compliance — or who signs while aware of unremediated gaps — may be found to have acted with reckless disregard of the true state of the company's cybersecurity posture.
And because the affirmation recurs annually, each year's signature is a fresh opportunity for exposure. A single inaccurate affirmation can taint every invoice submitted under the affected contracts for that period.
What the 2025–2026 Settlements Teach
This is not theoretical. DOJ's Civil Cyber-Fraud Initiative, launched in October 2021, has produced a steady run of settlements that map almost perfectly onto the risks CMMC now formalizes.
Stale Scores: MORSECORP ($4.6 Million)
In March 2025, Massachusetts defense contractor MORSECORP agreed to pay $4.6 million. The company had posted a strong SPRS self-assessment score, but a later assessment concluded that its actual NIST SP 800-171 implementation was substantially below what the reported score indicated, and it did not promptly update the figure. The lesson: a self-assessment score or SPRS affirmation that the contractor knows — or should know — does not reflect its actual posture, left uncorrected, can itself become the basis of a false statement claim.
Subcontractors Are in Scope: Swiss Automation ($421,234)
In December 2025, DOJ announced its first cyber-fraud settlement with a defense subcontractor — an Illinois precision-machining supplier that allegedly failed to provide adequate cybersecurity for the technical drawings of parts it supplied to prime contractors. The alleged conduct spanned less than a year and the dollar figure was modest, which is precisely the point: the settlement signals how far down the supply chain, and how small a lapse, enforcement can reach. Primes that flow down CMMC requirements should treat this case as a reminder that a subcontractor's false affirmation can become a prime's problem through its own contractual representations.
Missing Security Plans and Successor Liability: Raytheon / Nightwing ($8.4 Million)
A May 2025 settlement resolved allegations that an internal development system used for unclassified DoD work lacked a required system security plan and other controls across years of contracts. Two features stand out. First, the absence of a documented system security plan — a basic NIST SP 800-171 requirement — was central to the case. Second, the entity that acquired the business inherited the liability as a successor, a reminder that cyber-fraud exposure travels with a transaction and belongs on the M&A diligence checklist.
Private Equity Is Not Insulated ($1.75 Million)
A July 2025 settlement was the first cyber-fraud resolution involving a private-equity owner, which agreed to pay alongside its portfolio company after a voluntary self-disclosure. The companies received cooperation credit for disclosing. The signal to sponsors and investors is unambiguous: ownership of a defense contractor carries diligence obligations around cybersecurity representations, and the government will look up the ownership chain.
The Whistleblower Engine
Nearly every case above began with an insider. Quality-control managers, engineers, and security leads are the people who know whether the SPRS score is real and whether the affirmation is true, and the False Claims Act pays them to come forward: a relator who files a successful qui tam suit receives between 15% and 30% of the recovery. FY2025 saw a record number of qui tam filings.
Senior DOJ officials have framed these cases plainly: they are not about data breaches but are premised on misrepresentations. The government is not punishing companies that suffer sophisticated attacks despite genuine compliance; it is punishing companies that told the government they were compliant when they were not. That framing is good news for honest contractors and a warning to careless ones — and it makes how a company handles internal complaints about cybersecurity gaps a frontline risk-management issue, not just a personnel matter.
The M&A and Investment Dimension
Two of the settlements above turned on ownership: an acquirer that inherited successor liability, and a private-equity sponsor pulled into a portfolio company's exposure. For anyone buying, selling, or investing in a defense contractor, CMMC affirmations and SPRS scores now belong on the diligence checklist beside FOCI disclosures and financial representations. A target's historical affirmations are representations the buyer may inherit. Pre-closing verification of the target's actual CMMC compliance — and, where gaps exist, voluntary disclosure before closing — can meaningfully reduce post-acquisition exposure.
What Prudent Contractors Do Now
- Verify before affirming. Treat the annual affirmation as a signed legal representation, not a formality. The affirming official should require documented evidence of compliance before signing.
- Maintain a real system security plan. A current, accurate SSP that maps each control is both a compliance requirement and the best evidence of good faith in the event of a later inquiry.
- Keep SPRS scores honest and current. If a third-party assessment or internal review lowers your score, update it promptly. A known-stale score is the MORSECORP fact pattern.
- Run POA&Ms on a disciplined clock. For Levels 2 and 3, treat the 180-day conditional window as a hard deadline, not a suggestion.
- Vet your subcontractors. Flow-down obligations mean a subcontractor's false affirmation can become the prime's problem. Confirm certification and affirmation status before award.
- Take internal complaints seriously. Investigate, document, and respond to employee cybersecurity concerns. Most cyber-fraud cases start with an insider who felt unheard.
- Build affirmations into M&A diligence. Buyers should examine a target's affirmation history and SPRS record, and weigh voluntary disclosure where gaps appear before closing.
Frequently Asked Questions
Does CMMC create new legal risk, or just new cybersecurity work?
Both. The technical controls are familiar — they derive from NIST SP 800-171. What is new is the recurring formal certification: the annual affirmation converts a compliance gap into potential False Claims Act exposure. The cybersecurity work has always been required; CMMC makes the legal consequence of failing to do it explicit and recurring.
Who is the "affirming official," and is that person personally exposed?
The affirming official is a senior company executive who submits the affirmation in SPRS under 32 C.F.R. § 170.4. While settlements to date have resolved corporate liability, the False Claims Act permits claims against individuals in appropriate circumstances, and the affirming official is the person whose signature the government relies on. The role should be filled deliberately and supported with real evidence before each signature.
We only self-assess at Level 1 or Level 2 — are we still exposed?
Yes. A self-assessment posted to SPRS and the accompanying affirmation are still certifications to the government. MORSECORP involved a self-assessed score. Self-assessment lowers the assessment burden, not the honesty requirement.
What does "knowingly" mean under the False Claims Act?
It is broader than intent to defraud. Under 31 U.S.C. § 3729(b)(1) it includes actual knowledge, deliberate ignorance, and reckless disregard. Signing an affirmation without verifying compliance can meet that standard. The government does not need to show the affirming official intended to deceive; it needs to show the official was not careful enough to know whether the representation was true.
Does this risk transfer when a company is bought or sold?
It can. In one 2025 settlement, an acquiring company inherited the target's liability as a successor. In another, a private-equity owner paid alongside its portfolio company. CMMC affirmation history and SPRS accuracy should be part of pre-closing due diligence in any defense-contractor acquisition, alongside FOCI and financial representations.
We think a past affirmation may have been inaccurate. What now?
Stop and consult qualified counsel before taking any corrective action on your own. The False Claims Act itself rewards prompt self-disclosure: under 31 U.S.C. § 3729(a)(2), a defendant that furnishes all known information within 30 days and fully cooperates, before any action has been commenced, may face double rather than treble damages, and DOJ has consistently credited companies that come forward. The private equity settlement above involved a voluntary self-disclosure and resulted in cooperation credit. The worst outcome is learning about a gap from a relator rather than disclosing it yourself. Counsel can help you assess the materiality of the gap, the appropriate correction to make in SPRS, and whether a proactive disclosure is warranted. Document what you know and when you knew it.
How We Can Help
My office advises defense contractors on the legal dimensions of CMMC compliance — including reviewing affirmation processes to ensure the affirming official has real evidence before signing, assessing SPRS accuracy and the risk profile of existing scores, evaluating successor liability in the context of defense-contractor acquisitions, and counseling companies that have identified a potential gap and are weighing voluntary disclosure. I bring a 26-year background in federal security and intelligence community operations, DCSA Facility Security Officer certification, and direct experience advising contractors entering and operating within the defense industrial base.
If your company holds DoD contracts and you are uncertain whether your annual CMMC affirmation process reflects your actual compliance posture, a review now — before the next signature — is significantly less expensive than a qui tam investigation later. For questions about CMMC, DFARS cybersecurity obligations, or how CMMC status intersects with individual security clearances, schedule a consultation.
This article is intended for general informational purposes only and does not constitute legal advice. False Claims Act exposure is highly fact-specific, and the settlements described represent past enforcement outcomes rather than predictions of future results. Companies that have identified potential compliance gaps should consult with qualified legal counsel before taking corrective action or making disclosures. If you believe a past CMMC affirmation may have been inaccurate, schedule a consultation before acting.