CMMC Wake-Up Call

DOJ Cracks Down on Cybersecurity Misrepresentation 

Since launching its Civil Cyber-Fraud Initiative in 2021, the U.S. Department of Justice has made one thing painfully clear: contractors who misrepresent their cybersecurity posture will pay — and often, dearly. 

In just a few short years, the DOJ has already reached nine settlements against companies falsely claiming compliance with NIST SP 800-171, resulting in over $28 million in penalties. And this is just the beginning. 

  • Raytheon & Nightwing Group (2025) – Paid $8.4 million for falsely claiming NIST 800-171 compliance across ~30 DoD contracts. Nightwing was held accountable even though it acquired the violations. 
  • MORSECORP (2025) – Paid $4.6 million for submitting inflated SPRS scores and failing to correct them after being flagged by a third-party assessment. 
  • Penn State University (2024) – Paid $1.25 million after a whistleblower reported noncompliance by its Applied Research Lab. Even universities are being held accountable. 
  • Insight Global (2024) – Paid $2.7 million after failing to secure sensitive health data under a state contract while claiming to meet federal cybersecurity standards. 
  • Verizon (2023) – Paid $4 million for DoD contract cybersecurity failures, despite representing compliance with federal IT security obligations. 
  • Georgia Tech Research Corp (2024, ongoing) – Currently under DOJ investigation for failing to implement 800-171 controls and retaliating against internal whistleblowers. 

These aren’t isolated events. They’re a deliberate wave of enforcement. In fact, the DOJ has resolved six cyber-related FCA cases in 2024 alone, with more investigations already underway in 2025. 

The message is loud and clear: 

  • If your company falsely claims compliance — even if you’re “almost there” — you risk being sued under the False Claims Act. 
  • If you’re a subcontractor trying to “stay competitive” by checking the box prematurely — you could cost your company millions and destroy your eligibility. 
  • And if you’re hoping CMMC will quietly fade away — you’re dangerously mistaken. 

With Title 48 embedding CMMC into federal contract law, and 32 CFR already in force, the time for hesitation is over. Primes are already flowing down requirements. And DOJ isn’t just watching — it’s acting. 

If you’re not truly ready — technically, operationally, and legally — then saying you are could be the most expensive mistake your company ever makes. 

A Final Note

If you’re unsure where your organization truly stands — or you just want to make sure you’re moving in the right direction — now is the time to engage with experienced partners who understand both the letter and the spirit of CMMC.

Our door is open.
Let’s have a conversation — before the DOJ has one with you. 

Contact us today.
