The finalization of CMMC brings much needed accountability to the Defense Industrial Base (DIB), ensuring that contractors are able to effectively protect Controlled Unclassified Information (CUI). Contractors must now undergo a third-party audit by a certified organization to prove they have implemented all 110 controls outlined in NIST SP 800-171, or face significant consequences. It's important to note that these requirements are not going away, despite the length of time it has taken to implement them. Katie Arrington, chief information officer of the DoD, has made it clear: CMMC is here to stay. Speaking at the UiPath Public Sector Summit in Washington D.C., she stated, "the business of defense is not something we should take lightly. If it's too hard, get out of the business." For contractors who seek to do work with the federal government, failure to comply with NIST 800-171 requirements will result in consequences. This post discusses how the DoD plans to use the False Claims Act to hold contractors accountable for their security.
What is the False Claims Act?
The False Claims Act was enacted in 1863 during the Civil War to combat government contractors who were defrauding the Union. Often called "Lincoln's Law", the FCA included a provision that allowed non-government individuals (known as relators) to report fraud and receive a percentage of the recovered damages. The law also protects whistleblowers against retaliation and provides for legal compensation. Since then, the FCA has continued to be used to combat fraud in healthcare, defense contracting, and cybersecurity compliance.
The Civil Cyber-Fraud Initiative
In October of 2021, the Civil Cyber-Fraud Initiative was created by the Department of Justice (DOJ) to utilize the FCA against government contractors who had misrepresented their adherence to cybersecurity compliance requirements. Using the FCA, the DOJ can prosecute government contractors and reclaim any funding that had been granted to them during their contract period. This has resulted in hundreds of thousands of dollars recovered in the past several years from some of the largest government contractors.
The False Claims Act and CMMC
CMMC was put in place because government contractors were not accurately reporting their adherence to NIST SP 800-171 security requirements. In the past, contractors were allowed to conduct a self-assessment and then report their score to the Supplier Performance Risk System (SPRS). However, many of these scores were misleading at best and falsified at worst. As Katie Arrington states, "if industry had complied with NIST 800-171, CMMC wouldn't be so hard". This is why the Civil Cyber-Fraud Initiative was created and why the FCA is applicable to any contractor with CMMC requirements. If your organization is found to have misrepresented its CMMC compliance posture, you could face significant fines and litigation. This risk increases as CMMC becomes mandatory for contract eligibility.
The False Claims Act in Action
MORSECORP
On March 26, 2025, the DOJ announced that the defense contractor MORSECORP Inc. agreed to pay $4.6 million in damages to settle allegations of cybersecurity fraud. The allegations were that MORSE had "submitted fraudulent claims for payment on contracts with the Departments of the Army and Air Force" despite knowing it was not compliant with cybersecurity regulations. It was discovered that between January 2018 and September 2022, MORSE hosted its email with a third-party company that did not meet the Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline. It was also found that MORSE had not implemented all of the controls required by NIST 800-171, submitting a score of 104/110 when its actual score was -142.
Failing to comply with CMMC requirements can be very dangerous for your organization. Compliance is complex, but that doesn't make it any less important. Your organization must put in the effort to achieve and maintain the required level of security to protect both your business and national security.
Georgia Tech Research Corporation
In July of 2022, two members of Georgia Tech's cybersecurity team filed a whistleblower lawsuit under the False Claims Act alleging that the Georgia Tech Research Corporation (GTRC) had made false compliance claims to the DoD. The whistleblowers claimed that the GTRC did not have a system security plan (SSP) until February of 2020, and that when one was created, it left out many covered systems (such as laptops and desktops). They also claimed that the GTRC had submitted an inaccurate SPRS score of 98/110. Additionally, the GTRC had created a culture in which staff felt their warnings were ignored and, in some cases, employees felt they were isolated from certain projects because of their concerns about the organization's compliance posture.
In 2024, the DOJ intervened, marking its first major case under the Civil Cyber-Fraud Initiative. Organizations found to have misrepresented their compliance posture may face hefty financial consequences. In this case, the DOJ is seeking damages of as much as $30 million based on two of the GTRC's contracts.
Aero Turbine Inc
In July of 2025, defense contractor Aero Turbine and private equity company Gallant Capital Partners agreed to pay $1.75 million to resolve their liability under the FCA. Aero Turbine and Gallant allegedly failed to comply with NIST 800-171 requirements and knowingly misrepresented their compliance posture under a Department of the Air Force contract. During the two-year period at issue (2018-2020), the companies allegedly failed to control the flow of sensitive information by using unauthorized software based out of Egypt. While no determination of liability was made, the two companies decided to settle.
This case is unique in that both companies voluntarily disclosed their failure to adhere to cybersecurity guidelines. When submitting your SPRS score, it's important to get it right the first time, as even self-reported issues can still result in FCA liability.
S.A.F.E. Structure Designs & U.S.A. Manufacturing
In January of 2025, S.A.F.E. Structure Designs, U.S.A. Manufacturing, and their owner, Johnny Buscema Jr., agreed to pay $1 million to resolve allegations that they violated the False Claims Act by manipulating the competitive bidding process on Defense Logistics Agency (DLA) contracts used by the Department of Defense. The companies allegedly coordinated with a prime vendor and other vendors to submit more than 100 "courtesy bids" (bids submitted with no intention of winning) in order to make other bids appear legitimate and satisfy competitive bidding requirements. Buscema also allegedly paid other vendors to submit similar bids and submitted bids from both of his companies on the same solicitations. According to the government, this conduct undermined fair competition and resulted in the DoD overpaying for goods and services purchased under these contracts.
This case highlights that the FCA is used for more than compliance misrepresentation; it applies to traditional fraud within the DoD supply chain as well.
What These Cases Signal for DoD Contractors
- Cybersecurity is now a legal liability, not just a technical requirement.
- Misrepresenting your NIST 800-171 or CMMC readiness can trigger FCA exposure.
- Your SPRS score must be accurate. Inflated or unverified scores are risky.
- Prime contractors are watching their subcontractors more closely.
- Self-disclosure will not negate penalties, but it may reduce them.
How Can CorpInfoTech Help?
Work with CorpInfoTech and we will help keep your company secure and compliant. In an ever-changing cybersecurity and compliance landscape, it's good to have a partner on your side.
CorpInfoTech is a managed service provider (MSP) that offers IT, cybersecurity, and CMMC compliance solutions to defense contractors. We are among the first MSPs to achieve CMMC L2 compliance via a C3PAO audit, passing with a perfect 110 score. This puts us in a unique position to help organizations that are struggling to meet or maintain security requirements. Through TAS for CMMC Compliance, contractors are able to inherit 200+ of the 320 objectives required by CMMC, making compliance more cost-effective and efficient.
Contact us today to learn more about how CorpInfoTech can help you reach your compliance goals!
Key Takeaways
- The False Claims Act (FCA) is a U.S. law from 1863 ("Lincoln's Law") that allows the government, and whistleblowers, to pursue fraud against federal programs and contracts.
- The DOJ’s Civil Cyber-Fraud Initiative (2021) uses the FCA to prosecute contractors that falsely claim compliance with cybersecurity requirements.
- CMMC and NIST SP 800-171 compliance are now enforceable liabilities: misrepresenting cybersecurity posture can lead to fines, lawsuits, and repayment of contract funds.
- Several recent FCA cases against defense contractors show the government actively enforcing cybersecurity compliance. Examples of enforcement include multimillion-dollar settlements against companies that misreported NIST 800-171 compliance or mishandled sensitive information.
CorpInfoTech, a Managed Service Provider (MSP) with over 25 years in the SMB space, is a trusted partner for businesses pursuing compliance and cybersecurity. We are a CMMC Level 2 (C3PAO) certified MSP and a Cyber AB Registered Provider Organization (RPO). Also, as the first CIS-accredited organization, we help organizations implement the CIS Controls as they pertain to CMMC and your overall cybersecurity posture. CorpInfoTech is your trusted partner for secure, compliant growth in an ever-changing digital landscape.