False Claims Act & CMMC: Why Lying Costs $28,619 Per Violation

Mike Torres
Manufacturing Security Advisor
2025-12-08
12 min read
Advised global manufacturers and machine shops across Asia and US for 7 years. Now helping small shops navigate CMMC compliance without the BS.

Raytheon paid $8.4 million. MORSECORP paid $4.6 million. A California defense contractor paid $1.75 million.

All for the same thing: lying about CMMC compliance.

The Department of Justice's Civil Cyber-Fraud Initiative isn't theoretical. It's real. And it's expensive.

What Is the False Claims Act?

The False Claims Act (FCA) dates back to the Civil War. The idea: if you lie to the government to get paid, you pay penalties.

Big penalties.

For each false claim:

  • Civil penalty: up to $28,619 (2025 amount, adjusted annually for inflation)
  • Plus three times the damages the government sustained
  • Plus you might get banned from future contracts

And here's the kicker: each of the 110 NIST 800-171 controls required for CMMC Level 2 could trigger a separate FCA penalty if you falsely claim compliance.

Do the math. 110 controls × $28,619 = $3.1 million in penalties. Before treble damages.

How FCA Applies to CMMC

The DFARS clause 252.204-7021 requires contractors to:

  1. Attest that they meet the required CMMC level
  2. Maintain compliance throughout the contract
  3. Re-attest at least annually
  4. Report any lapses in compliance

If you attest compliance but you're actually not compliant, that's a false claim.

And the DOJ is watching.

It's Not About Breaches

Here's what contractors get wrong: FCA enforcement doesn't require a data breach.

You don't have to get hacked. You don't have to lose data. You just have to lie about your compliance status.

The violation is the false attestation itself.

Real example from the MORSECORP settlement: They claimed full implementation of NIST 800-171 controls. Investigation found they hadn't actually implemented them. No breach occurred. Didn't matter. $4.6 million settlement.

Recent Settlements (Real Numbers)

Raytheon (RTX) - $8.4 Million (May 2025)

Allegations:

  • Failed to meet required cybersecurity obligations
  • Certified compliance despite knowing they weren't compliant
  • Multiple instances across different contracts

The DOJ didn't allege a breach. They alleged Raytheon knew they weren't compliant and certified anyway.

MORSECORP - $4.6 Million (March 2025)

Allegations:

  • Falsely represented compliance with cybersecurity clauses
  • Claimed full implementation of NIST 800-171 controls
  • Reality: hadn't implemented the controls they claimed

This was a whistleblower case. One of their own employees reported them. The employee gets 15-30% of the settlement as a reward.

California Defense Contractor - $1.75 Million (July 2025)

This one's interesting because they self-disclosed.

The company discovered their own non-compliance, voluntarily disclosed it to the DOJ, and still paid $1.75 million.

Self-disclosure got them a reduced penalty. But it didn't eliminate it.

What Counts as a "False Claim"?

Scenario 1: The Initial Attestation

You bid on a contract requiring CMMC Level 2. You check the box saying you're compliant.

But you're not. Maybe you have 95 of 110 controls implemented. Close, right?

Nope. That's a false claim. Each missing control could be a separate violation.

Scenario 2: The Annual Re-Attestation

You were compliant when you won the contract. But six months in, you let things slip. Employee leaves and you don't revoke their access. Patch management falls behind. Backup system breaks and you don't fix it.

Then your annual re-attestation comes up. You certify compliance anyway because "we'll fix it soon."

That's a false claim.

Scenario 3: The "We're Working On It" Lie

You're not compliant but you're implementing controls. You interpret "implementing" as "compliant."

Wrong. Until controls are fully implemented and effective, you're not compliant. Attesting otherwise is a false claim.

Scenario 4: The Subcontractor Flow-Down

You're a prime with CMMC requirements. Your subcontractor handles CUI. You ask if they're compliant. They say yes. You don't verify.

Turns out they lied. The DOJ can come after YOU for not ensuring flow-down compliance.

Why the DOJ Cares About CMMC

The Civil Cyber-Fraud Initiative launched in 2021. The goal: use the False Claims Act to enforce cybersecurity requirements.

Why? Because traditional cybersecurity enforcement wasn't working.

Companies would:

  • Self-report compliance
  • Never get audited
  • Stay non-compliant for years
  • Only fix things after a breach

The DOJ decided: we'll make lying about compliance more expensive than achieving compliance.

And it's working. Settlements are increasing every year.

The Whistleblower Problem

Here's the scariest part for contractors: anyone can blow the whistle.

Employees. Ex-employees. Competitors. Subcontractors. Even customers.

Under the False Claims Act, whistleblowers (called "relators") can file lawsuits on behalf of the government. If the government recovers money, the whistleblower gets 15-30% of the settlement.

That California contractor who self-disclosed? Good move. Because if an employee reported them first, the penalty would've been higher AND the employee would've walked away with six figures.

MORSECORP's $4.6 million settlement? The whistleblower got $690,000 to $1.38 million.

Think about that. If you're not compliant and your employees know it, they have a financial incentive to report you.

How to Not Get Sued Under FCA

1. Don't Lie

Obvious, right? But contractors do it constantly.

If you're not compliant, don't attest compliance. If you can't meet the CMMC requirement, don't bid the contract. Or bid it with a realistic timeline to achieve compliance and get government approval for that timeline.

2. Document Everything

If the DOJ comes knocking, you need proof you were compliant when you attested.

Keep records of:

  • All implemented controls
  • Evidence of effectiveness (logs, screenshots, policies, training records)
  • Dates of implementation
  • Dates of testing/validation
  • Any gaps identified and remediation plans

If you can't prove compliance, assume you weren't compliant.

3. Don't Guess

Contractors get in trouble by interpreting requirements loosely.

"We have antivirus, that's good enough for malware protection, right?"

Maybe. Maybe not. If you're guessing, you're risking a false claim.

When in doubt, hire someone who knows NIST 800-171. A C3PAO, a consultant, a CMMC expert. It's cheaper than a DOJ settlement.

4. Fix Issues Immediately

Remember: you must maintain compliance throughout the contract, not just at award.

If something breaks:

  • Fix it immediately
  • Document the gap and remediation
  • If it's a material gap, report it to the contracting officer

Don't wait until annual re-attestation to address it.

5. Verify Subcontractors

If you're a prime, you're responsible for your subs' compliance.

Don't just ask "Are you compliant?" Get proof:

  • Copy of their C3PAO certificate (if required)
  • Copy of their self-assessment results
  • Evidence they've implemented required controls
  • Verification they're flowing down requirements to THEIR subs

Make it contractual. Include audit rights. Verify regularly.

"But What If We Made an Honest Mistake?"

The FCA requires "knowing" submission of a false claim. But "knowing" is defined broadly:

  1. Actual knowledge: You knew it was false
  2. Deliberate ignorance: You avoided learning the truth
  3. Reckless disregard: You didn't bother to check

"I didn't know we weren't compliant" won't save you if you never bothered to verify.

"Our IT guy said we were good" won't save you if you never asked for proof.

"We thought we were compliant" won't save you if you never tested the controls.

What to Do If You Discover Non-Compliance

Step 1: Stop Attesting Compliance

If you realize you're not compliant, don't certify at the next re-attestation. It'll be obvious you knew and lied.

Step 2: Assess the Scope

How many contracts are affected? How long have you been non-compliant? How material is the gap?

Step 3: Fix the Issue

Remediate immediately. Get back to compliance as fast as possible.

Step 4: Decide Whether to Self-Disclose

This is the hard part. Self-disclosure can reduce penalties but it doesn't eliminate them (see the $1.75M settlement).

Talk to a lawyer who specializes in FCA defense. Not your general corporate counsel. Someone who's handled DOJ Civil Cyber-Fraud cases.

Step 5: Document the Remediation

Whether you self-disclose or not, document everything:

  • When you discovered the issue
  • What the gap was
  • When you fixed it
  • How you verified the fix
  • What you did to prevent recurrence

If the DOJ comes later, this documentation shows good faith.

The Risk-Reward Calculation

Some contractors think: "The odds of getting caught are low. I'll take the risk."

Bad math.

Let's say you have a $2 million/year contract. You're not compliant but you attest anyway.

If you get caught:

  • Penalties: $28,619 per violation × number of controls × number of attestations
  • Treble damages: 3× whatever the government paid you
  • Legal fees: $500K+ to defend an FCA case
  • Reputation damage: good luck getting future contracts
  • Possible suspension/debarment

Achieving compliance might cost $50K-$150K depending on your starting point.

The risk isn't worth it.

The Trend Is Escalating

  • 2021: Civil Cyber-Fraud Initiative announced
  • 2022: First few settlements ($1-2M range)
  • 2023: More settlements, higher amounts
  • 2024: Multiple settlements, $4-8M range
  • 2025: Even more enforcement expected

The DOJ is ramping up. They're hiring more cyber specialists. They're actively soliciting whistleblowers.

This isn't going away. It's accelerating.

The Bottom Line

Don't lie about CMMC compliance.

If you're not compliant, get compliant or don't bid.

If you're compliant, document it thoroughly.

If you discover non-compliance, fix it immediately and consider self-disclosure.

The cost of lying ($28,619 per violation + 3× damages) is way higher than the cost of compliance.

Raytheon learned that at $8.4 million. Don't be next.


Next Steps:

Not sure if you're truly compliant? Get a C3PAO assessment to verify.

Need to understand what controls you're actually required to implement? Read our NIST 800-171 priority guide.

Want to assess your current compliance level? Take our 2-minute quiz.