
GovCon Expert Payam Pourkhomami: DOD GovCons Face Rising Whistleblower Risk Under CMMC 2.0

By Payam Pourkhomami, President & CEO of OSIbeyond

The Department of Defense’s Dec. 16, 2024 final rule on the Cybersecurity Maturity Model Certification program marks a decisive shift in how defense contractors must approach cybersecurity compliance.

Under the CMMC clause (DFARS 252.204-7021), contractors must meet one of three certification levels based on the sensitivity of the information they handle. Level 1 requires annual self-assessments for basic Federal Contract Information, or FCI, while Level 2 demands either self-assessments or third-party certification for Controlled Unclassified Information, or CUI. The most stringent, Level 3, requires Department of Defense assessments for critical programs and high-value assets.

Any contractor that signs a contract with the DFARS 252.204-7021 clause is legally attesting to compliance with some or all of NIST SP 800-171, a set of requirements whose primary goal is to ensure that CUI is protected when it resides in nonfederal information systems and organizations. When contractors knowingly misrepresent their compliance with required security controls, they expose themselves to potential False Claims Act lawsuits, which can be initiated by employees who witness non-compliance.

False Claims Act: The Government’s Cyber Enforcement Tool

The False Claims Act, originally enacted in 1863 to combat Civil War procurement fraud, remains the federal government’s primary tool for combating fraud against taxpayers. The Act imposes liability on any person or organization that knowingly submits false claims to the government, makes false statements material to a false claim, or deliberately avoids obligations to pay the government.

Recent examples of the FCA being wielded against procurement fraud are easy to find. Last year, Boeing paid $8.1 million to resolve allegations, reported by two former employees, of FCA violations from approximately 2007 through 2018 related to the V-22 Osprey aircraft manufacturing program. According to the press release issued by the Office of Public Affairs, “Boeing failed to perform required monthly testing on autoclaves used in the composite cure process and was not in compliance with additional requirements related to the testing.”

Early this year, Booz Allen Hamilton agreed to pay $377.4 million in one of the largest procurement fraud settlements in history. The case began when former employee Sarah Feinberg filed a whistleblower complaint alleging that the company had systematically overcharged the government by improperly billing commercial and international costs to its government contracts from approximately 2011 to 2021.

In October 2021, the Department of Justice dramatically expanded the FCA’s scope with its Civil Cyber-Fraud Initiative. This program builds on the FCA’s whistleblower provisions, encouraging employees to report contractors that are:

  • knowingly providing deficient cybersecurity products or services;
  • knowingly misrepresenting cybersecurity practices or protocols;
  • knowingly failing to monitor and report cybersecurity incidents and breaches.

The Initiative’s impact is already evident in cases like the ongoing False Claims Act suit against Georgia Tech Research Corporation. Two whistleblowers, Christopher Craig and Kyle Koza, alleged that the institution failed to protect CUI as required by NIST 800-171 standards.

“Specifically, the lawsuit alleges that until at least February 2020, the Astrolavos Lab at Georgia Tech failed to develop and implement a System Security Plan, which is required by DoD cybersecurity regulations, that set out the cybersecurity controls that Georgia Tech was required to put in place in the lab,” states the Office of Public Affairs in its press release.

In all of these cases, the whistleblowers were at least partially motivated by the so-called “qui tam” FCA provisions, which allow whistleblowers (called “relators”) to receive between 15% and 30% of any recovery when they expose fraudulent conduct. For example, the Boeing whistleblowers received $1.5 million of the settlement amount, while the Booz Allen whistleblower received approximately $70 million.

In addition to financial rewards, the FCA provides robust protection against retaliation for whistleblowers. These protections include reinstatement if the employee is wrongfully terminated, double back pay with interest, and compensation for any legal fees or costs associated with the whistleblower’s action.

CMMC Compliance: A Matter of Business Survival

The intersection of CMMC compliance and the False Claims Act creates a particularly high-risk environment for contractors. When organizations submit their System Security Plan and associated score to the Supplier Performance Risk System, they are making a material representation to the government about their cybersecurity posture. Any knowing misrepresentation in these submissions can trigger False Claims Act liability.

Common scenarios that could trigger liability include overstating SPRS scores by claiming implementation of controls that aren’t fully operational, failing to maintain implemented controls after certification, submitting inaccurate Plans of Action and Milestones, and not reporting security incidents as required by DFARS 252.204-7012.

These compliance failures carry severe financial consequences. Under CMMC Level 2, which applies to companies handling CUI, contractors must implement 110 distinct NIST SP 800-171 controls. Each control violation that is knowingly misrepresented can trigger a False Claims Act penalty of $10,000, as adjusted under the Federal Civil Penalties Inflation Adjustment Act of 1990, plus three times the damages sustained by the government. To put this in perspective, a contractor that claims compliance while failing to implement even 20 controls could face base penalties starting at $200,000.

Given these financial stakes, defense contractors must prioritize their CMMC compliance programs—it’s essential for continuing to do business with the Department of Defense. Non-compliance with CMMC 2.0, particularly when handling CUI, can lead to huge financial penalties, government contract cancellations, and long-term damage to a company’s reputation.

To avoid such risks, defense contractors are encouraged to partner with Registered Practitioner Organizations, or RPOs. Such organizations specialize in helping companies prepare for third-party evaluations by implementing all necessary cybersecurity controls. Post-evaluation, RPOs can provide ongoing compliance monitoring to guarantee sustained adherence to CMMC requirements and rapid identification of potential compliance gaps before they become whistleblower liabilities.

Furthermore, organizations should establish robust internal reporting mechanisms for cybersecurity concerns. This approach serves two purposes: it helps identify and address compliance gaps before they become serious issues, and it demonstrates a good-faith effort to maintain compliance, which can be essential if facing False Claims Act allegations. Regular third-party assessments, even before they’re required, can provide additional assurance and documentation of compliance efforts.

Conclusion

With potential whistleblower rewards in the millions and the Department of Justice actively encouraging cybersecurity-related False Claims Act cases, defense contractors cannot afford to take a reactive approach to CMMC compliance. The time to act is now—before employees spot compliance gaps and face the decision of whether to become whistleblowers themselves. The good news is that achieving and maintaining CMMC compliance is entirely possible, especially with the right partner and approach.
