For years, many defense contractors treated DFARS 252.204-7012 as a paperwork exercise. They submitted Supplier Performance Risk System (SPRS) scores that did not reflect reality, maintained System Security Plans that described controls they never implemented, and assumed no one would check. The Department of Justice proved them wrong.
The Civil Cyber-Fraud Initiative
In October 2021, Deputy Attorney General Lisa Monaco announced the DOJ's Civil Cyber-Fraud Initiative, which uses the False Claims Act (FCA) to pursue government contractors and grant recipients that knowingly provide deficient cybersecurity products or services, misrepresent their cybersecurity practices, or violate obligations to monitor and report cybersecurity incidents.
The FCA allows the government to recover treble damages plus penalties of over $11,000 per false claim. For contractors submitting false SPRS scores or attesting to compliance they have not achieved, each invoice submitted under that contract can constitute a separate false claim.
Notable Cases
Aerojet Rocketdyne (2022): Aerojet agreed to pay $9 million to settle allegations that it misrepresented its compliance with cybersecurity requirements in government contracts. A whistleblower alleged the company overstated its NIST 800-171 compliance while failing to implement basic controls. This was one of the first major settlements under the Cyber-Fraud Initiative.
Jeli Inc. (2023): The DOJ intervened in a qui tam action against a technology company that allegedly failed to meet NIST 800-171 requirements while representing compliance to the government. The case highlighted that even small technology companies face enforcement risk.
Penn State University (2023): Penn State faced a qui tam lawsuit alleging it failed to comply with NIST 800-171 and DFARS cybersecurity requirements across multiple defense contracts. The case, filed by a former employee, alleged the university submitted false claims while knowingly failing to implement required security controls.
What Contractors Should Learn
The lesson is straightforward: do not submit a SPRS score you cannot defend. Do not sign a System Security Plan that describes controls you have not implemented. The DOJ has made clear that cybersecurity compliance misrepresentation is a priority enforcement area.
If you have gaps, document them honestly in a Plan of Action and Milestones (POA&M). An honest assessment with a credible remediation plan is defensible. A fabricated compliance posture is not. CMMC was designed specifically to address this problem — moving from self-attestation to verified compliance.
CMMCDocs.com