The finalization of CMMC brings much needed accountability to the Defense Industrial Base (DIB), ensuring that contractors are able to effectively protect Controlled Unclassified Information (CUI). To demonstrate this, contractors must now undergo a third-party audit by a certified organization showing they have implemented all 110 controls outlined in NIST SP 800-171, or face significant consequences. It's important to note that these requirements are not going away, despite the length of time it has taken to implement them. Katie Arrington, chief information officer of the DoD, has made it clear: CMMC is here to stay. Speaking at the UiPath Public Sector Summit in Washington D.C., she stated, "the business of defense is not something we should take lightly. If it's too hard, get out of the business." For contractors who seek to do work with the federal government, failure to comply with NIST 800-171 requirements will result in consequences. This blog will discuss how the DoD plans to utilize the False Claims Act to hold contractors accountable for their security.
What is The False Claims Act?
The False Claims Act was enacted in 1863 during the Civil War to combat government contractors who were defrauding the Union. Often called "Lincoln's Law", the FCA included a provision that allowed non-government individuals (known as relators) to report fraud and receive a percentage of recovered damages. The law also offers whistleblowers protection against retaliation, as well as legal compensation. Since then, the FCA has continued to be used to combat fraud in healthcare, defense contracting, and cybersecurity compliance.
The Civil Cyber-Fraud Initiative
In October of 2021, the Civil Cyber-Fraud Initiative was created by the Department of Justice (DOJ) to utilize the FCA against government contractors who had misrepresented their adherence to cybersecurity compliance requirements. Using the FCA, the DOJ can prosecute government contractors and reclaim any funding that had been granted to them during their contract period. This has resulted in hundreds of thousands of dollars recovered in the past several years from some of the largest government contractors.
The False Claims Act and CMMC
CMMC was put in place because government contractors were not accurately reporting their adherence to NIST SP 800-171 security requirements. In the past, contractors were allowed to conduct a self-assessment and then report their score to the Supplier Performance Risk System (SPRS). However, many of these scores were misleading at best and falsified at worst. As Katie Arrington states, "if industry had complied with NIST 800-171, CMMC wouldn't be so hard". This is why the Civil Cyber-Fraud Initiative was created and why the FCA is applicable to any contractor with CMMC requirements. If your organization is found to have misrepresented its CMMC compliance posture, you could face significant fines and litigation.
The False Claims Act in Action
MORSECORP
On March 26, 2025, the DOJ announced that the defense contractor MORSECORP Inc. agreed to pay $4.6 million in damages to settle cybersecurity fraud allegations. It was alleged that MORSE had "submitted fraudulent claims for payment on contracts with the Departments of the Army and Air Force" despite knowing it was not compliant with cybersecurity regulations. It was discovered that between January 2018 and September 2022, MORSE hosted its email using a third-party company that did not meet the Federal Risk and Authorization Management Program (FedRAMP) Moderate Baseline. It was also found that MORSE had not implemented all of the controls required by NIST 800-171, submitting a score of 104/110 when its actual score was -142.
Failing to comply with CMMC requirements can be very dangerous for your organization. Compliance is complex, but that doesn't make it any less important. Your organization must put in the effort to achieve and maintain the required level of security to protect both your business and national security.
Georgia Tech Research Corporation
In July of 2022, two Georgia Tech cybersecurity team members filed a whistleblower lawsuit under the False Claims Act alleging that the Georgia Tech Research Corporation (GTRC) had made false compliance claims to the DoD. Whistleblowers claimed that the GTRC did not have a system security plan (SSP) until February of 2020, and when created, left out many covered systems (like laptops and desktops). They also claimed that the GTRC had submitted an inaccurate SPRS score, claiming 98/110. Additionally, the GTRC had created a culture where staff felt their warnings were being ignored and, in some cases, employees felt they were isolated from certain projects due to their concern about the organization's compliance posture.
In 2024, the DOJ intervened, marking its first major case through the Civil Cyber-Fraud Initiative. Organizations found to have misrepresented their compliance posture may face hefty financial consequences. In this case, the DOJ is seeking damages of as much as $30 million based on two of the GTRC's contracts.
How Can CorpInfoTech Help?
Work with CorpInfoTech and we will help keep your company secure and compliant. With an ever-changing cybersecurity and compliance landscape, it's good to have a partner on your side.
CorpInfoTech is a managed service provider (MSP) that offers IT, cybersecurity, and CMMC compliance solutions to defense contractors. We are among the first MSPs to achieve CMMC L2 compliance via a C3PAO audit, passing with a perfect 110 score. This puts us in a unique position to help organizations that are struggling to meet or maintain security requirements. Through TAS for CMMC Compliance, contractors are able to inherit 200+ of the 320 objectives required by CMMC making compliance cost effective and more efficient.
Contact us today to learn more about how CorpInfoTech can help you reach your compliance goals!