CMMC Attestation Risk
When "We're Compliant" Turns Into False Claims Exposure
Every SPRS upload is a legal representation to the federal government. Under the False Claims Act, misrepresenting cybersecurity compliance is fraud — and your own IT staff can be the ones to report it.
A CMMC self-assessment attestation is a legally binding representation to the United States government, submitted through the Supplier Performance Risk System (SPRS), in which a defense contractor certifies its compliance posture against NIST SP 800-171 controls as required by DFARS 252.204-7021 and 32 CFR Part 170. Every time an executive uploads a score to SPRS, they are making that legal representation. Under the False Claims Act (FCA), misrepresenting cybersecurity compliance to obtain or maintain a federal contract is fraud. Under the FCA's qui tam provisions, your own IT staff can be the ones to report it — and collect up to 30% of what the government recovers.
What Is the SPRS Affirmation Requirement Under CMMC?
DFARS 252.204-7020 requires DoD contractors to assess their NIST SP 800-171 posture and upload a score to SPRS — a formal declaration to the Department of Defense. DFARS 252.204-7021 requires annual affirmations of CMMC compliance for the life of every contract.
For Level 2 CUI contractors, Year 1 brings a C3PAO audit and certificate. Years 2 and 3 require executive self-assessment and SPRS affirmation. For Level 1 FCI contractors, annual self-attestation is the only verification the government receives. Every upload is a new legal claim.
What triggers False Claims Act exposure under CMMC?
The FCA doesn't require proof of intentional fraud. It requires only that you knew, or should have known, the representation was false. Four patterns drive exposure:
- The ignored IT warning: IT flags a missing control. The executive signs the affirmation anyway. Those emails become the foundation of the lawsuit.
- The inflated SPRS score: DIBCAC audits show self-assessed scores are consistently higher than actual assessed scores. The gap is evidence of misrepresentation.
- The hidden POA&M: Known deficiencies aren't documented. Masking a gap to inflate an SPRS score is fraud, not bookkeeping.
- The post-breach discovery: A breach occurs. Investigators find internal records showing executives knew of vulnerabilities and attested anyway. A cybersecurity incident becomes a legal crisis.
What happened in the Aerojet Rocketdyne False Claims Act case?
Brian Markus, Aerojet's former Senior Director for Cybersecurity Compliance, filed a qui tam lawsuit in 2015 alleging Aerojet misrepresented its compliance with DFARS cybersecurity requirements in DoD and NASA contracts. His case was the first cybersecurity FCA complaint to survive a motion to dismiss (2019), establishing that cyber-compliance misrepresentations can be material to government contracting decisions.
The case settled on the second day of trial in April 2022. Aerojet paid $9 million. Markus received $2.61 million. The DoJ's Civil Cyber-Fraud Initiative — launched in October 2021 and explicitly modeled on this case — signals this is the beginning of enforcement activity, not the peak.
Why does CMMC certification not end False Claims Act liability?
Year 1: C3PAO assessment. Independent C3PAO audit; certificate issued.
CMMC is not a one-time event. Every Year 2 and Year 3 SPRS affirmation is a new legal exposure point, not an administrative formality.
How can contractors reduce False Claims Act risk in CMMC?
- Evidence retention: Archive the exact artifacts — configurations, screenshots, hashed documents — that proved compliance at the time of each attestation. Keep them for a minimum of three years. An investigation two years later will demand them.
- Accurate POA&Ms: Document deficiencies honestly. A well-maintained POA&M is your strongest defense against an FCA claim — it demonstrates good-faith effort. Masking a gap is the opposite.
- Executive sign-off protocol: IT certifies posture in writing. Legal reviews the representation. The executive signs only after both. Those records become your defense in litigation.
- Mock internal audits: Interview control practice owners before every attestation. The gap between documented policy and actual employee practice is precisely what CMMC assessors and FCA attorneys look for.
What should contractors never say in CMMC compliance claims?
The FCA Golden Rule: never claim a compliance posture you cannot defend with documented, verifiable evidence.
- ✗ In proposals, use exact NIST 800-171A language — not marketing copy. "We employ FIPS 140-2 validated cryptography per SC.L2-3.13.11" is auditable. "We maintain robust encryption" is not.
- ✗ If IT tells you a control is missing, do not instruct them to proceed with attestation. That response is the qui tam complaint.
- ✗ If a contract's CUI status is uncertain, ask the contracting officer in writing. Never assume. Document the answer.
- ✗ Never publish contract details — program names, delivery locations, award dates — that the government hasn't made public. It violates FCI handling rules and marks you as a target.
The Bottom Line
Before every SPRS affirmation, complete these steps: have IT certify the current compliance posture in writing against each NIST SP 800-171A assessment objective. Have legal review the representation for accuracy. Archive the exact artifacts — configurations, screenshots, hashed documents — that prove compliance at the time of attestation. Document every known deficiency in a POA&M with a remediation timeline. Only then should the executive sign the SPRS affirmation.
Retain all attestation evidence for a minimum of six years — the FCA statute of limitations. Conduct internal mock audits quarterly, interviewing control owners to identify gaps between documented policy and actual practice before an assessor or whistleblower does.
For each SPRS submission: IT certifies in writing, legal reviews, the executive signs, and all supporting evidence is archived with tamper-proof hashes. Every known gap is documented in a POA&M. This governance chain is your defense — build it before the affirmation, not after the investigation.
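As an added example (not part of the original article, and not a tool from any CMMC or SPRS program), the following Python script shows one way to produce the "tamper-proof hashes" the Bottom Line calls for: it walks an evidence directory, records a SHA-256 digest for every artifact together with the NIST SP 800-171A objective it supports, seals the artifact list with a digest of its own, and later re-hashes the archive to report anything modified, removed or added. The attestation ID, directory layout, file contents and the objective mapping are constructed placeholders; SC.L2-3.13.11 is the objective the article itself cites, and AC.L2-3.1.1 is used as a second sample objective. The seal value is meant to be written into the signed IT/legal sign-off memo, outside the archive, so that editing the manifest after the fact is detectable.

```python
"""Hashed evidence manifest for a CMMC/SPRS attestation package (added example)."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 16  # stream files in 64 KiB blocks so large artifacts are fine


def sha256_file(path):
    """SHA-256 of a file's bytes, streamed rather than read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def manifest_digest(manifest):
    """Seal: digest over the canonical JSON of the artifact list only."""
    canonical = json.dumps(manifest["artifacts"], sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def build_manifest(evidence_dir, attestation_id, objective_map):
    """Record relative path, size, SHA-256 and supported objective for each artifact."""
    entries = []
    for root, _dirs, files in os.walk(evidence_dir):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, evidence_dir).replace(os.sep, "/")
            entries.append({
                "path": rel,
                "size": os.path.getsize(full),
                "sha256": sha256_file(full),
                "objective": objective_map.get(rel, "UNMAPPED"),  # flag unexplained files
            })
    entries.sort(key=lambda e: e["path"])
    manifest = {
        "attestation_id": attestation_id,
        "created_utc": datetime.now(timezone.utc).isoformat(),
        "artifacts": entries,
    }
    # Store this seal outside the archive (e.g. in the signed sign-off memo).
    manifest["manifest_sha256"] = manifest_digest(manifest)
    return manifest


def verify_manifest(evidence_dir, manifest, expected_seal=None):
    """Re-hash the archive and list every discrepancy. Returns (ok, problems)."""
    problems = []
    if expected_seal is not None and manifest_digest(manifest) != expected_seal:
        problems.append("manifest seal mismatch: artifact list was edited")
    recorded = {e["path"]: e for e in manifest["artifacts"]}
    present = set()
    for root, _dirs, files in os.walk(evidence_dir):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, evidence_dir).replace(os.sep, "/")
            present.add(rel)
            if rel not in recorded:
                problems.append(f"unlisted file added: {rel}")
            elif sha256_file(full) != recorded[rel]["sha256"]:
                problems.append(f"modified: {rel} ({recorded[rel]['objective']})")
    for rel, entry in recorded.items():
        if rel not in present:
            problems.append(f"missing: {rel} ({entry['objective']})")
    return (not problems, sorted(problems))


def demo():
    """Constructed walk-through: archive three artifacts, seal, then alter the archive."""
    objective_map = {  # constructed mapping of artifact -> assessment objective
        "SC.L2-3.13.11/tls-cipher-config.txt": "SC.L2-3.13.11",
        "AC.L2-3.1.1/account-listing.csv": "AC.L2-3.1.1",
        "signoff/it-certification-memo.txt": "IT sign-off",
    }
    samples = {  # constructed artifact contents
        "SC.L2-3.13.11/tls-cipher-config.txt": b"ssl_protocols TLSv1.2 TLSv1.3;\n",
        "AC.L2-3.1.1/account-listing.csv": b"user,role,last_review\njdoe,analyst,2024-01-15\n",
        "signoff/it-certification-memo.txt": b"IT certifies posture as of this date.\n",
    }
    with tempfile.TemporaryDirectory() as d:
        for rel, data in samples.items():
            p = os.path.join(d, rel)
            os.makedirs(os.path.dirname(p), exist_ok=True)
            with open(p, "wb") as f:
                f.write(data)
        manifest = build_manifest(d, "ATTESTATION-ID-PLACEHOLDER", objective_map)
        seal = manifest["manifest_sha256"]
        clean_ok, _ = verify_manifest(d, manifest, seal)
        # Simulate a post-attestation "fix" to one artifact and loss of the memo.
        with open(os.path.join(d, "SC.L2-3.13.11/tls-cipher-config.txt"), "ab") as f:
            f.write(b"# edited after attestation\n")
        os.remove(os.path.join(d, "signoff/it-certification-memo.txt"))
        tampered_ok, tampered_problems = verify_manifest(d, manifest, seal)
    return {
        "artifact_count": len(manifest["artifacts"]),
        "clean_ok": clean_ok,
        "tampered_ok": tampered_ok,
        "tampered_problems": tampered_problems,
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it once at attestation time to produce the manifest, keep the manifest alongside the archive and the seal in the signed memo, and re-run `verify_manifest` before any later review so that a changed or missing artifact is found by your own team rather than by an investigator. Signing the manifest with a key held by legal would strengthen the chain further; the hash seal alone only proves the list was not silently edited.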