Cybersecurity FCA & CMMC Liability
The DOJ Civil Cyber-Fraud Initiative — how false certifications of cybersecurity compliance create FCA liability for defense contractors.
In October 2021, the Department of Justice announced the Civil Cyber-Fraud Initiative (CCFI) — a coordinated effort to use the False Claims Act to pursue cybersecurity fraud by federal contractors and grant recipients. The initiative has produced a growing line of significant settlements and remains a major focus area for DOJ enforcement, particularly against defense contractors. This paper sets out the legal framework, the principal categories of cybersecurity fraud now drawing FCA enforcement, and the role of insider whistleblowers in initiating these cases.
The Theory of Liability
The CCFI's theory is straightforward: when a federal contractor represents — expressly or impliedly — that it complies with applicable cybersecurity requirements, and submits invoices for payment despite known noncompliance, the contractor has presented false claims for payment within the meaning of the FCA.
This theory applies in three principal ways:
- Express false certifications — where the contractor has signed certifications attesting to specific cybersecurity controls (CMMC level, NIST SP 800-171 implementation, FedRAMP authorization) that the contractor knows to be false;
- Implied false certifications — where the contract incorporates cybersecurity requirements as material conditions of payment, such that submission of invoices constitutes an implicit representation of compliance;
- Failure to report cyber incidents — where the contractor is contractually required to report cybersecurity incidents but fails to do so, concealing material noncompliance.
Materiality After Escobar
The Supreme Court's decision in Universal Health Services v. United States ex rel. Escobar, 579 U.S. 176 (2016), established that FCA liability requires materiality: the misrepresentation must have a natural tendency to influence, or be capable of influencing, the government's payment decision. The Court called this standard "demanding" and noted that if the government pays a claim in full despite actual knowledge that a requirement was violated, that is strong evidence the requirement is not material. In the cybersecurity context, the question therefore turns on whether the cybersecurity requirement was material to the government's decision to enter the contract and to continue paying invoices, and on what the paying agency actually knew about the contractor's posture while it kept paying.
DOJ's position, supported by the structure of CMMC, DFARS 7012, and the executive orders driving cybersecurity in federal contracting, is that cybersecurity requirements are routinely material because the government has made cybersecurity a condition of doing business with the federal sector. Courts have allowed complaints built on this theory to survive early motions, and a series of cases has settled on it, though settlements create no precedent. The materiality fight in any given case will depend on the specific contract terms, the agency's pattern of practice (in particular whether it kept paying with knowledge of the gaps), and the nature of the noncompliance.
The Principal Cybersecurity Frameworks at Issue
DFARS 252.204-7012 — Safeguarding Covered Defense Information
The DFARS 252.204-7012 clause is the foundational defense-contracting cybersecurity requirement. It applies to contractors whose systems process, store, or transmit covered defense information (CDI), a category of controlled unclassified information (CUI), and requires them to:
- Provide "adequate security," which at a minimum means implementing the security requirements in NIST Special Publication 800-171;
- Rapidly report cyber incidents to DoD, within 72 hours of discovery;
- Preserve images of affected systems and relevant monitoring data for at least 90 days, provide that forensic information on request, and submit any malicious software discovered to DoD;
- Flow the clause down to subcontractors whose performance involves CDI or operationally critical support.
FCA cases under DFARS 7012 typically allege that the contractor represented full implementation of the 110 security requirements in NIST SP 800-171 Rev. 2 (the revision DoD has directed contractors to continue using under the clause) when significant gaps existed and were documented internally.
CMMC — The Cybersecurity Maturity Model Certification
The CMMC framework is the Department of Defense's evolving cybersecurity certification regime, which conditions eligibility for certain contract awards on an assessment of the contractor's cybersecurity posture. The program has three levels: Level 1 (basic safeguarding of federal contract information) is a self-assessment; Level 2 tracks the NIST SP 800-171 requirements and, depending on the contract, is satisfied either by self-assessment or by an assessment from a certified third-party assessment organization (C3PAO); Level 3 is assessed by the government. At every level, a senior company official must affirm continuing compliance annually, and that affirmation is itself a certification. CMMC implementation has proceeded in phases and continues to evolve. False certifications of CMMC level, false annual affirmations, and false representations made to assessors during the assessment process all give rise to FCA liability.
NIST SP 800-171 Self-Assessments
Under DFARS 252.204-7019/7020, contractors handling CUI must hold a current NIST SP 800-171 assessment (no more than three years old) and post the resulting score in the Supplier Performance Risk System (SPRS). The score follows the DoD Assessment Methodology: a fully compliant system scores 110, and each unimplemented requirement deducts one, three, or five points according to its weight, so the score can go well below zero. The self-assessment rests on the contractor's system security plan and any plans of action, and the contractor must also record the date by which it expects full implementation. Knowing falsification of a self-assessment score, or posting a score that the contractor's own gap analysis contradicts, is a textbook CCFI case. Several major settlements have involved precisely this conduct.
FedRAMP — Federal Risk and Authorization Management Program
Cloud service providers serving federal agencies must obtain FedRAMP authorization at the appropriate impact level (Low, Moderate, or High) and then meet the program's continuous monitoring obligations, including periodic vulnerability scanning, reporting of significant changes, and incident reporting. False representations of FedRAMP authorization status, claims of authorization at a higher impact level than was actually granted, or knowing noncompliance with continuous monitoring requirements while invoicing for the service give rise to FCA liability.
Categories of Cybersecurity Fraud Drawing Enforcement
1. False Self-Assessment Scores
The most common pattern. The contractor submits a NIST 800-171 self-assessment score that significantly overstates the maturity of implemented controls. Internal documentation typically reflects the actual gaps. Whistleblowers — particularly cybersecurity engineers, compliance officers, and IT staff — are uniquely positioned to identify the discrepancy.
2. Failure to Report Cyber Incidents
DFARS 7012 requires reporting of cyber incidents within 72 hours. Contractors that experience incidents but fail to report — or report only after extended delay — violate a material contractual obligation. Where the failure to report is knowing, FCA liability follows.
3. False Certifications During CMMC Assessment
Where contractors mislead third-party assessors during CMMC evaluations — concealing the actual scope of CUI handling, presenting an artificially limited assessment scope, or falsely representing implementation status — the resulting CMMC certification is false and any subsequent contract claims that depend on it are exposed to FCA liability.
4. Subcontractor Flow-Down Failures
Prime contractors must flow DFARS 7012 and related requirements down to subcontractors handling CDI/CUI. Where the prime knowingly allows subcontractors to perform without the required controls, and certifies otherwise, FCA liability extends to the prime.
5. Failure to Maintain Required Controls After Award
Cybersecurity is not a point-in-time certification; it is an ongoing operational requirement. The SPRS score must remain current, the CMMC affirmation is renewed annually, and FedRAMP authorization depends on continuous monitoring. Contractors that obtain an initial certification or self-assessment score and then allow controls to lapse (decommissioned logging, disabled multifactor authentication, unpatched systems moved into the CUI boundary) while continuing to invoice the government present false claims with each invoice.
The Whistleblower's Role
Cybersecurity FCA cases depend heavily on insider information. The relevant evidence — internal vulnerability assessments, penetration test results, gap analyses, incident logs, communications between IT staff and management — is rarely visible to government auditors and is almost never available in the public record.
Effective cyber-fraud relators typically have technical roles that gave them access to the underlying gap evidence:
- Cybersecurity engineers and architects;
- Compliance and audit personnel;
- IT security officers and CISOs;
- External assessors and consultants who reviewed the company's posture.
Service members assigned to defense industrial base programs, contracting officers' representatives, and program managers may also possess the kind of direct knowledge that supports a strong qui tam complaint.
This paper is one of six on the principal issues facing service-member and defense-contractor whistleblowers. See the full series at the Military Whistleblower Project.