False Claims Act Settlements Show CMMC Compliance Enforcement is Already Here

Defense contractors have been required to implement NIST 800-171 to protect sensitive information since 2017, but many assumed compliance claims were more of a formality than a true enforcement risk. That assumption is now proving very costly.

For years, many defense contractors have entered scores into the Supplier Performance Risk System (SPRS) to meet DFARS 252.204-7012 requirements, often without thoroughly validating their accuracy. Now, with the rollout of the Cybersecurity Maturity Model Certification (CMMC) program, those scores face real scrutiny through mandatory self-assessments or third-party reviews. CMMC highlights the dangers of inflating or misrepresenting compliance, but the truth is this risk isn’t new: submitting an inaccurate score has always carried potential liability under the False Claims Act - a reality reinforced by the government’s recent enforcement actions and settlements. 

“What has been going on with recent settlements?”

In the last four months, the Department of Justice has settled two False Claims Act violations against defense contractors who falsely represented their security posture.

Raytheon & Nightwing Group - $8.4 million

In May 2025, the Department of Justice (DoJ) settled a False Claims dispute with Raytheon and Nightwing Group over activity occurring between 2015 and 2021. The lawsuit, filed under the Whistleblower Act, alleged that Raytheon failed to implement the NIST 800-171 controls required by DFARS 252.204-7012 on a system used to perform unclassified work on 29 Department of Defense (DoD) contracts. The lawsuit further alleged that the system didn’t have a System Security Plan (SSP) - a gap that, under CMMC, means you can’t even have a SPRS score. So how does Nightwing come into play? The lawsuit specifically involved Raytheon’s Cybersecurity, Intelligence, and Services business, which was acquired by Nightwing in March of 2024 - meaning both Raytheon and Nightwing were ultimately held liable.

Aero Turbine & Gallant Capital Partners - $1.75 million

In August 2025, the DoJ settled another False Claims dispute - this time involving a company that self-reported. From January 2018 to February 2020, Aero Turbine allegedly failed to implement certain NIST 800-171 controls on a system supporting contracts falling under DFARS 252.204-7012. In addition, from June to July 2019, it provided a software company based in Egypt with files containing sensitive defense information, even though that company was not authorized to receive the information under the contract. Upon learning of the disclosure, Aero Turbine and Gallant provided multiple written self-disclosures, cooperated with the government’s investigation, and took prompt remedial action - earning them credit from the DoD, but still resulting in heavy fines.

“What does this mean for my company?”

The takeaway is simple: winning contracts without meeting cybersecurity requirements exposes you to False Claims Act liability.

With CMMC, most contracts will require an independent third-party assessment every three years, and your SPRS score will be directly tied to those results. But in the years between certifications, the responsibility doesn’t go away; you must continually assess your compliance and update your score to reflect reality. Marking a perfect 110 in SPRS without doing the work to back it up isn’t just risky; it could land you in the crosshairs of a False Claims Act settlement.

“How can Hive Systems help?”

As an authorized C3PAO, Hive Systems goes beyond certification day - we help you maintain confidence in your SPRS score year-round. Even outside of a formal certification cycle, our team of CMMC Certified Assessors (CCAs) and CMMC Certified Practitioners (CCPs) can conduct annual validations using the CMMC Assessment Process (CAP). Whether serving as your official certifier or as your trusted readiness partner, we ensure your compliance posture stays accurate and defensible. The result: peace of mind for leadership, reduced risk of False Claims Act exposure, and a stronger competitive edge in winning and keeping DoD contracts.

