For years, defense contractors have self-reported their NIST 800-171 compliance scores to SPRS with essentially no verification. Many submitted inflated numbers. Some submitted perfect scores while running flat networks with no MFA, no logging, and no written security policies.
The Department of Justice has noticed. And it's using the False Claims Act to go after them.
In late 2025, DOJ announced significant enforcement actions against two DoD contractors for misrepresenting their cybersecurity posture. These weren't slaps on the wrist. False Claims Act liability includes treble damages (three times what the government paid on contracts where compliance was a condition of payment) plus a civil penalty for each false claim submitted. For a small contractor, that is an existential number.
This isn't a theoretical risk anymore. It's an active enforcement priority for 2026, and small contractors need to understand what it means for their business.
The Civil Cyber-Fraud Initiative
DOJ launched the Civil Cyber-Fraud Initiative in October 2021 specifically to pursue government contractors and grant recipients who fail to meet cybersecurity standards. The mechanism is the False Claims Act, which has been around since the Civil War. It allows the government to recover damages from anyone who knowingly submits false claims for payment.
The key word is "knowingly." Under the False Claims Act, that covers actual knowledge, deliberate ignorance, and reckless disregard of the truth. You don't have to intend to defraud the government. If you posted a SPRS score of 95 without actually assessing your environment against the 110 NIST 800-171 requirements, that is a strong candidate for reckless disregard.
The initiative also leverages qui tam provisions -- whistleblower lawsuits. Any employee, subcontractor, or competitor who knows a contractor is misrepresenting their compliance can file a qui tam action and collect a portion of the recovery. DOJ has publicly encouraged these filings.
What's Already Happened
The enforcement pipeline has been building since 2022. Here's where things stand:
Penn State (2023): A whistleblower alleged that Penn State's Applied Research Laboratory failed to implement required NIST 800-171 controls on systems handling CUI for DoD and NASA contracts. The case was filed under the False Claims Act and put the entire university research community on notice. Penn State settled in October 2024 for $1.25 million.
Georgia Tech (2024): DOJ intervened in a qui tam case alleging that Georgia Tech's Astrolavos Lab ran a DoD contract with no system security plan and no antivirus on lab systems, and that Georgia Tech submitted a SPRS score of 98 for a "campus-wide" system that did not actually exist. The government's decision to intervene signals it considers the evidence strong enough to pursue.
Late 2025 actions: DOJ announced cases against two additional DoD contractors for deficient cybersecurity practices. Alston & Bird, a major law firm tracking these cases, reported that "DFARS 7012 compliance will continue to be an enforcement priority in 2026." The trajectory is clear: more cases, not fewer.
These are the cases we know about. Qui tam lawsuits are filed under seal and can remain confidential for months or years before DOJ decides whether to intervene. There's no way to know how many are currently pending.
Why Small Contractors Are Exposed
Large defense primes have compliance teams, legal departments, and dedicated cybersecurity budgets. When DOJ comes knocking, they have documentation and resources to mount a defense. Small contractors don't have that infrastructure.
The typical small defense subcontractor -- 20 to 100 employees, doing $5M-$50M in revenue -- submitted a SPRS score years ago when their prime told them to. Many used an internal estimate rather than a formal assessment. Some had an IT person eyeball the requirements and check boxes. The score went into SPRS, contracts were awarded, and everyone moved on.
That score is a representation to the government. If it did not accurately reflect your security posture at the time it was submitted, and you received payments on contracts carrying DFARS 252.204-7012 (safeguarding CUI) and 252.204-7019 (SPRS score posting), the False Claims Act math starts working against you.
The Whistleblower Factor
This is the part that should keep contractors up at night. Qui tam relators -- whistleblowers -- collect 15-25% of the recovery when DOJ intervenes and 25-30% when they litigate without the government. On a $10M contract, treble damages alone are $30M before per-claim penalties, which puts the whistleblower's share at $4.5M to $9M.
That's a strong financial incentive. The people most likely to know about a contractor's actual cybersecurity posture are current and former employees, IT staff, and subcontractors who've seen the inside of the network.
A disgruntled IT admin who knows the SPRS score is inflated now has a seven-figure reason to pick up the phone. So does a competing contractor who lost a bid to a company they know isn't actually compliant.
What CMMC Changes About the Equation
CMMC doesn't eliminate False Claims Act risk -- it actually increases it in some ways. Under the current self-assessment model, a contractor can argue ambiguity. "We interpreted the control differently" or "we were in the process of implementing" can at least muddy the waters.
Once Level 2 C3PAO certifications start appearing in solicitations under Phase 2 (November 10, 2026), the compliance picture gets close to binary. The assessor scores you against the same 110 requirements, and apart from a limited POA&M allowance with a 180-day close-out window, you either pass or you don't. If you claim a CMMC certification you don't hold, or make material misrepresentations to the assessor, the False Claims Act exposure is even more clear-cut.
The flip side: contractors who get properly assessed and certified have a documented defense. A clean C3PAO assessment is evidence that you took compliance seriously and invested in meeting the requirements. That matters if questions ever arise about your security posture.
Five Steps to Reduce Your Exposure
1. Conduct a real gap assessment now. Not an internal estimate. Not a checklist your IT person fills out over lunch. A formal assessment by a qualified professional against all 110 NIST 800-171 requirements, scored the way SPRS scores it under the NIST SP 800-171 DoD Assessment Methodology: start at 110 and deduct 1, 3 or 5 points for each requirement not met, which is why a real score can land well below zero. This establishes your actual baseline and gives you a defensible starting point.
2. Update your SPRS score to reflect reality. If your current score is inflated, submit a corrected assessment. Yes, a lower score feels uncomfortable. It's far less uncomfortable than a False Claims Act investigation. SPRS also records the date by which you expect to reach 110, so the remediation timeline you enter is itself a representation; keep it realistic. An honest score with a documented remediation plan is a defensible position. A fabricated high score is not.
3. Document everything. Create your System Security Plan and Plan of Action & Milestones. Record what controls you meet, which ones you're working on, and your timeline for closing gaps. Documentation creates an evidence trail that shows good faith effort -- and good faith matters in enforcement decisions.
4. Start CMMC preparation. Phase 2 is nine months away. Getting certified before it's required demonstrates proactive compliance. It also gives you a competitive advantage in bidding, since primes are already evaluating their supply chains for CMMC readiness.
5. Brief your leadership. If you're the IT director or security lead, make sure your executives understand the legal exposure. This isn't just a cybersecurity issue -- it's a business risk issue. The budget conversation changes when the alternative is treble damages under the False Claims Act.
The Bottom Line
DOJ isn't making empty threats. The Civil Cyber-Fraud Initiative has produced real cases, real interventions, and real consequences. The enforcement posture for 2026 is aggressive, and the combination of CMMC Phase 2, whistleblower incentives, and an active DOJ pipeline means the risk of running on inflated compliance scores has never been higher.
The contractors who come out of this well are the ones who get honest about their current posture, invest in actual compliance, and document the work. The ones who keep hoping nobody checks are betting their business on a hand that's getting worse every quarter.