
Prove It or Pay: CMMC 2.0 and Impending False Claims Act Enforcement

Written by James Reid | May 12, 2026 3:00:02 PM

For years, federal contractors operated under an informal honor system when it came to cybersecurity compliance. Self-attestation under the old Defense Federal Acquisition Regulation Supplement (DFARS) 7012 framework meant organizations were, in effect, grading their own homework.

Cybersecurity Maturity Model Certification (CMMC) 2.0 has changed that equation, and the stakes couldn't be higher.

The risk goes beyond revenue. What was once a compliance checkbox is now a potential legal liability. Claiming compliance without evidence to back it up is no longer a gray area. It’s a risk that can carry serious financial and legal consequences.

The Trap Is Set: The False Claims Act

The False Claims Act (FCA) is not new—it dates back to the Civil War when knowingly submitting false claims to the federal government imposed treble damages and civil penalties.1

What is new is the law’s application to cybersecurity compliance. The FCA gives the U.S. Department of Justice (DOJ) the authority to pursue contractors who knowingly misrepresent their cybersecurity practices or certification status, and they have made it clear that the law will be enforced.

The updated requirements have moved through review by the Office of Information and Regulatory Affairs (OIRA), signaling that enforcement is not just coming—it’s imminent. With changes tied to the DFARS advancing through the rulemaking process and enforcement expected to ramp, the window to get ahead of this exposure is closing fast.2

Beyond just passing an audit, this is about being able to stand behind every claim you make, because now, those claims carry legal weight.

The False Claims Act and Your Organization

The False Claims Act leaves DFARS self-attestation in the dust. It changes both how cybersecurity compliance is enforced, and how risk is measured.

In the CMMC context, this means if your organization certifies compliance with NIST SP 800-171's 110 controls, and that certification is later found to be even partially inaccurate, you could face liability that far exceeds the value of the contract itself.3

The DOJ has already demonstrated a clear appetite for cybersecurity-focused FCA cases through its Civil Cyber-Fraud Initiative, launched in 2021. Over the last few years, several FCA cases have shown how cybersecurity noncompliance can lead to sizable penalties—the largest in 2022 over $9 million and the most recent in 2025 over $8 million.4

CMMC 2.0 gives prosecutors a cleaner, more standardized framework against which to measure alleged misrepresentation. And with annual affirmation requirements under the new rule, contractors must regularly re-certify their posture. Each affirmation represents a fresh claim to the government, and a new point of potential FCA exposure if the underlying controls aren't actually in place.5

The End of Self-Attestation—And Ambiguity

Under the old framework, self-assessment created ambiguity, something defense contractors could, and often did, use to their advantage. CMMC 2.0 is designed to eliminate that opacity. Starting November 10, 2026, Level 2 compliance, aligned to all 110 controls in NIST SP 800-171, will require certification by an accredited third-party assessment organization, known as a C3PAO.

The phased rollout, running from November 2025 through November 2028, is intentional. It gives the U.S. Department of Defense (DoD) time to scale the assessment ecosystem while contractors transition. Phase 1 (roughly mid-2025 to mid-2026) still permits self-assessment for many Level 2 requirements. Phase 2 introduces mandatory C3PAO verification.

But that transition window comes with risk.

Organizations that use the self-assessment period to paper over genuine control gaps, rather than remediate them, aren’t buying time. They’re building a future liability time bomb.

For healthcare organizations and others handling Controlled Unclassified Information (CUI) within the defense industrial base (DIB), this shift is especially consequential.6 This segment is growing rapidly, driven by the rise of military medical contractors and health IT providers.

At the intersection of HIPAA obligations and CMMC requirements, compliance teams are now managing two rigorous frameworks at once. And the risk doesn’t stay contained. FCA exposure can stack up on top of HIPAA enforcement penalties, compounding both financial and operational impact.

Subcontractors Slow You Down. And Extend Your Liability

One of the most underappreciated risks under the FCA involves subcontractor relationships.

Prime contractors are responsible for ensuring that their subcontractors meet required CMMC levels “as soon as requirements appear in solicitations or contracts.”7 Flow-down obligations are clear, and a prime contractor that knowingly allows a non-compliant subcontractor to handle CUI could share in the FCA liability.

This creates a verification burden that many primes are unprepared for.

Monitoring a multi-tier subcontractor network for CMMC compliance—particularly once C3PAO assessments become mandatory—requires systematic processes, contractual protections, and ongoing monitoring. Proposed updates to the DFARS also introduce a new 72-hour notification requirement for certain cyber incidents, adding another procedural obligation that must be contractually enforced.8

Organizations that rely on informal vendor assurances rather than documented verification are particularly exposed, especially when a DOJ investigator follows the trail of CUI to a subcontractor's misconfigured system.

At this point, the prime contractor's due diligence will be under a microscope.

Build a Defensible Compliance Posture with NexusTek—Before Compliance Hits

The good news: there’s still a meaningful runway. But only for organizations that act now.

Building a defensible CMMC 2.0 posture requires more than checking boxes. It demands documented evidence of control implementation, regular internal assessments, and a credible remediation roadmap for identified gaps.

This is where NexusTek delivers.

We help organizations move from assumed compliance to provable, audit-ready posture, with a structured approach that includes:

  • Comprehensive gap assessments against all 110 NIST SP 800-171 controls
  • Development of a System Security Plan (SSP) and Plan of Action and Milestones (POA&M) to document controls and track remediation
  • Guidance on selecting and preparing for a C3PAO assessment, including understanding assessor expectations before Phase 2 requirements take effect
  • Building contractual language and governance models that enforce compliance across subcontractors and reduce shared liability risks

For organizations managing both CUI and protected data such as health information, NexusTek also helps align frameworks. By mapping CMMC controls to HIPAA technical safeguards, we create a unified compliance model that reduces duplicated effort while strengthening both security and audit readiness.

The result is not just readiness for assessment—it’s a posture you can stand behind when the time comes.

The Compliance Window Is Real. Don't Waste It

CMMC 2.0 represents a true inflection point in federal cybersecurity enforcement.

Organizations that treat this phase as a window for real remediation will come out of it with stronger security, and a defensible compliance record. Those that use it to maintain the status quo will find the bill comes due—with interest. Now is the time to act.

Reach out to our compliance team to learn how NexusTek can help you build a posture you can prove: https://www.nexustek.com/cmmc-2-0-compliance-services

Sources

1. Mayer Brown, Department of Defense Releases Long-Anticipated Final Rule Implementing the Cybersecurity Maturity Model Certification Program, September 2025
2. Nichols Law, CMMC 2.0: New Compliance Requirements and Enforcement Risks, accessed April 2026
3. Ibid.
4. Brown LLC, DOJ’s Civil Cyber-Fraud Initiative – Where the False Claims Act Meets Cybersecurity, October 2025
5. Holland & Knight, CMMC Affirmation Trap: FCA Exposure for Defense Contractors and Acquirers, January 2026
6. Nichols Law, CMMC 2.0: New Compliance Requirements and Enforcement Risks, accessed April 2026
7. Ibid.
8. Federal Register, Defense Federal Acquisition Regulation Supplement: Assessing Contractor Implementation of Cybersecurity Requirements, November 2025