by
Jean-michel Newberg
CyJurII Theorist
on 20 January 2026
Abstract
Cybersecurity compliance in the US Defense Industrial Base (DIB) is changing for contractors who handle controlled unclassified information (CUI). With the solidification of the Cybersecurity Maturity Model Certification (CMMC) program, defense contractors who falsely claim compliance are meeting the consequences of their actions. This article explores the CMMC cyber law cases on false claims, the contextual information affecting their outcomes, and the potential implications for the Department of Defense (DoD) and the DIB.
Keywords: DFARS 7012, CMMC, cyber compliance, NIST SP 800-171.
1.0 Introduction
Cybersecurity compliance among the federal contractors of the US DIB has been severely lacking for many years. For example, a 2024 study on cybersecurity compliance for DIB contractors found that only 41%, less than half, of the respondents had completed the self-assessment requirement for CMMC, and that only one in five contractor companies had implemented multi-factor authentication (MFA).[1] The same study conducted just two years earlier yielded similar results: 46% of the respondents had completed the self-assessment, meaning little has shifted in contractors’ compliance outlook.[2]
2.0 Clearing the Air on DFARS 7012, NIST SP 800-171, and CMMC
There is much confusion about US cybersecurity compliance for federal contractors, with the terms above frequently conflated with one another. The following is a summarized understanding of CMMC:
1. DFARS 252.204-7012: Safeguarding Covered Defense Information and Cyber Incident Reporting. This is the law that requires defense contractors’ IT systems to be subject to the NIST SP 800-171 security requirements for controlled unclassified information (CUI). Since 2017–2018, DoD has required those security controls to be implemented to meet this contractual obligation. One could view this as “what” a defense contractor must do to comply with the law for CUI.[3]
2. NIST SP 800-171: This is the publication by the National Institute of Standards and Technology that states the objectives and controls a defense contractor company’s IT system must satisfy in order to comply. It includes the technical controls as well as documentation and guidance on implementation. One could view this as “how” a defense contractor must configure its IT systems to comply with the law.[4]
3. CMMC: As shown in the 1.0 Introduction section, many defense contractor companies were not complying with the DFARS 7012 rule (or, worse yet, as will be shown in the next section, were falsely claiming that they were compliant). The CMMC program was created to verify that defense contracting companies are actually implementing the controls from NIST SP 800-171 accurately and sufficiently. One could view this as “verifying” that a defense contractor is implementing the NIST SP 800-171 controls correctly.[5]
Instead of implementing the controls and creating the documentation required to satisfy the CMMC requirements, some companies have falsely claimed that they were complying and moved on. However, the US government is now clamping down on these false claims.
3.0 Cyber Cases on US Defense False Claims
Since the introduction of the CMMC program, a few companies have been found to have falsely claimed compliance, in cases resolved in 2025:
1. Defense contractor MORSECORP settles cybersecurity fraud allegations in a $4.6 million lawsuit: From January 2018 to September 2022, MORSECORP used a third-party company to host MORSE email. This third party did not meet the Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline required for security purposes. Moreover, from January 2018 to February 2023, MORSECORP had not implemented all NIST SP 800-171 controls.[6]
2. Defense contractor Aero Turbine Inc settles in a $1.75 million case. From January 2018 to February 2020, Aero Turbine Inc failed to implement the NIST SP 800-171 controls. Moreover, the company failed to control the flow of, and limit unauthorized access to, sensitive defense information by providing a software company based in Egypt with files containing such information, even though the software company and its foreign citizen personnel were not authorized to receive sensitive defense information under the Air Force contract.[7]
3. Defense giants Raytheon and Nightwing pay out in $8.4 million fraud case. From 2015 to 2021, Raytheon failed to implement required cybersecurity controls on an internal development system that was used to perform unclassified work on certain DoD contracts.[8]
Several conclusions can be extrapolated from these cases:
1. Whether you’re a large or small defense contracting company, the US government will enforce the law and its penalties: In the past, some may have felt that micro or small business contracting companies would not be targets in the eyes of US law, but this is not the case. Raytheon (now RTX) is a defense giant for the United States, while a company such as MORSE Corp is relatively new and very small.
2. Those with information on false claims are encouraged to act as whistleblowers: Under the False Claims Act, a whistleblower provision permits private parties to sue on behalf of the government when they believe that a defendant has submitted false claims for government funds, and to receive a share of any recovery. In two of the three cases above, the Department of Justice notes that a whistleblower was involved in the case and how much money they were awarded from the settlement. The lowest amount was around $850,000 and the highest was just over $1.5 million.
4.0 Conclusion
Cyber compliance for US defense contractors has been revitalized, and the government is not backing down from enforcing penalties for failure to comply. With the combination of the legislative crackdown and the financial motivation for potential whistleblowers, the pressure on defense contractors to implement the NIST SP 800-171 controls accurately and sufficiently will continue to increase.
References
1. https://cybersheath.com/resources/downloads/defense-on-the-brink-the-perilous-state-of-cybersecurity-across-the-dib/
2. https://info.cybersheath.com/Download-Defenseless-The-State-of-the-DIB-Merrill-Research
3. https://www.acquisition.gov/dfars/252.204-7012-safeguarding-covered-defense-information-and-cyber-incident-reporting
4. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171r2.pdf
5. https://dodcio.defense.gov/cmmc/About/
6. https://www.justice.gov/opa/pr/defense-contractor-morsecorp-inc-agrees-pay-46-million-settle-cybersecurity-fraud
7. https://www.justice.gov/opa/pr/california-defense-contractor-and-private-equity-firm-agree-pay-175m-resolve-false-claims
8. https://www.justice.gov/opa/pr/raytheon-companies-and-nightwing-group-pay-84m-resolve-false-claims-act-allegations-relating