CMMC Attestation Risk
When "We're Compliant" Turns Into False Claims Exposure
Every SPRS upload is a legal representation to the federal government. Under the False Claims Act, misrepresenting cybersecurity compliance is fraud — and your own IT staff can be the ones to report it.
Every time an executive uploads a score to the Supplier Performance Risk System (SPRS), they are not filling out a form. They are making a legal representation to the United States government. Under the False Claims Act (FCA), misrepresenting cybersecurity compliance to obtain or maintain a federal contract is fraud. Under the FCA's qui tam provisions, your own IT staff can be the ones to report it — and collect up to 30% of what the government recovers.
What Is the SPRS Affirmation Requirement Under CMMC?
DFARS 252.204-7020 requires DoD contractors to assess their NIST SP 800-171 posture and upload a score to SPRS — a formal declaration to the Department of Defense. DFARS 252.204-7021 requires annual affirmations of CMMC compliance for the life of every contract.
For Level 2 CUI contractors, Year 1 brings a C3PAO audit and certificate. Years 2 and 3 require executive self-assessment and SPRS affirmation. For Level 1 FCI contractors, annual self-attestation is the only verification the government receives. Every upload is a new legal claim.
What Triggers False Claims Act Exposure?
The FCA doesn't require proof of intentional fraud. It requires only that you knew, or should have known, the representation was false. Four patterns drive exposure:
- The ignored IT warning: IT flags a missing control. The executive signs the affirmation anyway. Those emails become the foundation of the lawsuit.
- The inflated SPRS score: DIBCAC audits show self-assessed scores are consistently higher than actual assessed scores. The gap is evidence of misrepresentation.
- The hidden POA&M: Known deficiencies aren't documented. Masking a gap to inflate an SPRS score is fraud, not bookkeeping.
- The post-breach discovery: A breach occurs. Investigators find internal records showing executives knew of vulnerabilities and attested anyway. A cybersecurity incident becomes a legal crisis.
The Aerojet Rocketdyne Case: A Template for Future Enforcement
Brian Markus, Aerojet's former Senior Director for Cybersecurity Compliance, filed a qui tam lawsuit in 2015 alleging Aerojet misrepresented its compliance with DFARS cybersecurity requirements in DoD and NASA contracts. His case was the first cybersecurity FCA complaint to survive a motion to dismiss (2019), establishing that cyber-compliance misrepresentations can be material to government contracting decisions.
The case settled on the second day of trial in April 2022. Aerojet paid $9 million. Markus received $2.61 million. The DoJ's Civil Cyber-Fraud Initiative — launched in October 2021 and explicitly modeled on this case — signals this is the beginning of enforcement activity, not the peak.
The Recurring-Liability Cycle: Why Certification Isn't the Finish Line
[Cycle diagram] Year 1: C3PAO Assessment. Independent C3PAO audit; certificate issued.
CMMC is not a one-time event. Every Year 2 and Year 3 SPRS affirmation is a new legal exposure point, not an administrative formality.
Controls That Reduce Risk
- Evidence retention: Archive the exact artifacts — configurations, screenshots, hashed documents — that proved compliance at the time of each attestation. Keep them for a minimum of three years. An investigation two years later will demand them.
- Accurate POA&Ms: Document deficiencies honestly. A well-maintained POA&M is your strongest defense against an FCA claim — it demonstrates good-faith effort. Masking a gap is the opposite.
- Executive sign-off protocol: IT certifies posture in writing. Legal reviews the representation. The executive signs only after both. Those records become your defense in litigation.
- Mock internal audits: Interview control practice owners before every attestation. The gap between documented policy and actual employee practice is precisely what assessors and FCA attorneys look for.
What Not to Say
The FCA Golden Rule: never claim a compliance posture you cannot defend with documented, verifiable evidence.
- ✗ In proposals, use exact NIST 800-171A language, not marketing copy. "We employ FIPS 140-2 validated cryptography per SC.L2-3.13.11" is auditable. "We maintain robust encryption" is not.
- ✗ If IT tells you a control is missing, do not instruct them to proceed with attestation. That response is the qui tam complaint.
- ✗ If a contract's CUI status is uncertain, ask the contracting officer in writing. Never assume. Document the answer.
- ✗ Never publish contract details (program names, delivery locations, award dates) that the government hasn't made public. It violates FCI handling rules and marks you as a target.
The Bottom Line
DFARS 252.204-7021 makes every annual SPRS affirmation a fresh legal claim. The FCA makes every false claim actionable fraud. The qui tam provisions give every employee in your organization a financial incentive to report.
The Aerojet settlement happened because internal evidence showed the company knew it wasn't fully compliant and attested otherwise. Seven years and $9 million later, the lesson is simple: say what you do, do what you say, and never sign an SPRS affirmation you can't defend with evidence.
Your cybersecurity posture is only as defensible as the evidence behind it. Build the governance now — before the investigation, before the breach, and before your IT director becomes a $2.61 million whistleblower.