Friday, January 23, 2026

CMMC Affirmation Trap: FCA Exposure for Defense Contractors and Acquirers - Holland & Knight

Defense contractors that must comply with the Cybersecurity Maturity Model Certification (CMMC) under government contracts face False Claims Act (FCA) liability risks going forward. The CMMC program went live on November 10, 2025, and the annual certification requirement creates recurring FCA exposure that many defense contractors may have overlooked. The U.S. Department of Justice (DOJ) settled seven cybersecurity fraud cases in 2025 alone, including the first enforcement action against a subcontractor and a case holding a business liable for violations that a federal contractor committed before the business acquired it. This Holland & Knight blog post raises these considerations for defense contractors and prospective acquirers.

The Affirmation Requirement Is a Legal Certification

Under 32 C.F.R. 170.22, an "affirming official" (a senior company executive) must submit an annual affirmation in the Supplier Performance Risk System (SPRS) attesting that the organization "has implemented and will maintain implementation of all applicable CMMC security requirements." This affirmation is required upon achieving CMMC status, annually thereafter, and at Plan of Action and Milestones (POA&M) closeout.

Here is the big catch: no current affirmation, no contract. Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7021 makes a "current" affirmation a prerequisite for contract award and option exercise. For CMMC Level 1 compliance, only final status is...



Read Full Story: https://news.google.com/rss/articles/CBMikwFBVV95cUxNLUZ2QWhyQzQxTnBJVVVMQ2lf...