Department of Defense Finalizes Cybersecurity Maturity Model Certification Rule: Heightened False Claims Act Exposure for Cybersecurity Missteps
February 25, 2026
The Department of Defense (DOD) has finalized its long-anticipated Cybersecurity Maturity Model Certification (CMMC) rule — and for defense contractors, the implications go well beyond IT compliance. By embedding CMMC requirements directly into contract eligibility and performance through new Defense Federal Acquisition Regulation Supplement (DFARS) clauses, the rule significantly heightens False Claims Act (FCA) exposure for cybersecurity missteps. At the same time, the Department of Justice’s (DOJ) Civil Cyber-Fraud Initiative continues to drive aggressive enforcement, with recoveries climbing year over year. For any contractor handling Federal Contract Information (FCI) or Controlled Unclassified Information (CUI), cybersecurity representations are potential FCA flashpoints.
Key Takeaways:
- CMMC is now contractually embedded: Effective November 10, 2025, DOD incorporated CMMC requirements into DFARS clauses 252.204-7021 and 252.204-7025, making cybersecurity verification a condition of award and performance.
- FCA risk for cybersecurity noncompliance is real and growing: DOJ recovered $52 million in FY2025 under its Civil Cyber-Fraud Initiative, targeting both express and implied false cybersecurity certifications.
- Three-tier compliance framework: Contracts will fall into Levels 1–3 depending on whether they involve FCI or CUI, with increasing requirements including compliance with National Institute of Standards and Technology provisions 800-171 and 800-172 and third-party or government assessments.
- Phased implementation through 2028: Requirements will expand over four years, culminating in broad application to most contracts involving certain government data and mandatory annual affirmations in the Supplier Performance Risk System.
- Prime and subcontractor oversight is critical: Flow-down requirements and annual attestations increase exposure across the supply chain, requiring ongoing monitoring, documentation, and verification.
Companies contracting with the DOD face increased potential FCA exposure related to the integration of the new CMMC requirements into defense contracts. These new requirements, set out in a final rule published in September 2025, arrive during a consistent uptick in FCA enforcement related to cybersecurity non-compliance. The DOJ’s Civil Cyber-Fraud Initiative has leveraged the FCA to police cybersecurity representations made to the government, with recent interventions and settlements underscoring that ambiguous standards and cybersecurity incidents can translate into multi-million dollar exposure. The new DOD rule hardwires cybersecurity verifications into contract eligibility, raising the stakes for any contractor handling FCI or CUI.
FCA and Cybersecurity
As the government’s “primary civil tool to redress false claims for federal funds and property involving government programs and operations,” the FCA contains steep penalties for defendants found liable for submitting or causing the submission of a false or fraudulent claim for payment.[1] Damages include civil penalties for each claim for payment, actual damages valued at the amount the government paid towards the claims, and treble damages calculated at three times the amount of actual damages.[2] The FCA contains a qui tam provision that allows private individuals or “relators” to bring suit on behalf of the government and share in the recovery.[3] Relators, often but not exclusively employees of the FCA defendant, bring the vast majority of FCA actions[4] and can litigate the case on behalf of the United States if DOJ declines to pursue the suit after being given time to review the facts.[5]
O’Melveny has chronicled the rise in use of the FCA to enforce cybersecurity standards as defendants face growing penalties for allegedly failing to maintain data security. In most cases involving cybersecurity, defendants are investigated for having explicitly certified that they comply with federal statutory, regulatory, or contractual requirements regarding data privacy and security and are alleged to have knowingly failed to meet the standards. Included in these cases are “implied false certifications,” where a company faces liability for failing to disclose non-compliance with federal requirements even where it did not expressly certify compliance.
DOJ continues to recover increasing sums for cybersecurity non-compliance. After securing $36 million in settlements during the first three years of operation between 2021 and 2024, the Civil Cyber-Fraud Initiative recovered $52 million from defendants in fiscal year 2025.[6]
What the Final Rule Does
Effective November 10, 2025, the DOD embedded CMMC requirements in solicitations and contracts through Defense Federal Acquisition Regulation Supplement (DFARS) clauses 252.204-7021 and 252.204-7025. Full implementation of CMMC requirements will be phased in over the next three years. By the fourth year (on or after November 10, 2028), the framework will apply to a majority of contracts where a contractor’s systems process, store, or transmit FCI or CUI. Contracting officers will be required to verify contractors’ CMMC compliance status, which contractors must affirm annually in the Supplier Performance Risk System.
Eventually, DOD contracts implicating the CMMC will fall into one of three levels based on the nature of the information involved in the contract. Lower-tier contracts (Level 1), involving FCI, will require compliance with the basic Federal Acquisition Regulation safeguarding requirements, plus self-assessment and affirmation of compliance. Contracts involving CUI (Level 2) will require compliance with all NIST 800-171 security requirements and either self-assessment and attestation or an assessment by a certified third-party assessor authorized by the Cybersecurity Maturity Model Certification Accreditation Body. Contracts involving CUI for critical government programs or technologies (Level 3) will require compliance with NIST 800-171 and NIST 800-172, certification of compliance with cybersecurity requirements, and assessment by the DOD Defense Industrial Base Cybersecurity Assessment Center.
Over the next three years, requirements will steadily expand from selected programs to broader coverage: year one introduces targeted inclusion of CMMC levels and Supplier Performance Risk System reporting mechanics; year two increases use of self‑assessments or certified third‑party assessments and reinforces annual affirmations; and year three emphasizes flow down and verification across prime–subcontractor chains. By year four, CMMC will be broadly required wherever FCI or CUI is handled, and contractors must maintain a current status at the required level with annual affirmations.
Implications, Risks, and Practical Steps
The final rule operationalizes cybersecurity representations, transforming them into gating conditions for award and performance, which heightens the FCA risk associated with DOD contracts involving FCI or CUI. Recent DOJ enforcement efforts in the cybersecurity space illustrate how self-assessment scores, system security planning, and control implementation can become focal points for FCA liability. To avoid increased exposure, DOD contractors should monitor and assess their compliance on an ongoing basis in order to submit compliant yearly attestations, and should consider potential risks and oversight obligations in this area when working with subcontractors.
[1] Press Release, Deputy Attorney General Lisa O. Monaco Announces New Civil Cyber-Fraud Initiative (Oct. 6, 2021), available at https://www.justice.gov/opa/pr/deputy-attorney-general-lisa-o-monaco-announces-new-civil-cyber-fraud-initiative.
[2] 31 U.S.C. § 3729.
[3] 31 U.S.C. § 3730.
[4] See, e.g., Press Release, False Claims Act Settlements and Judgments Exceed $2.68 Billion in Fiscal Year 2023, DOJ (Feb. 22, 2024), available at https://www.justice.gov/opa/pr/false-claims-act-settlements-and-judgments-exceed-268-billion-fiscal-year-2023.
[5] Supra note 3.
[6] DOJ, Fact Sheet: False Claims Act Settlements and Judgments FY2025, 5 (Jan. 12, 2026), available at https://www.justice.gov/opa/media/1424126/dl.
This memorandum is a summary for general information and discussion only and may be considered an advertisement for certain purposes. It is not a full analysis of the matters presented, may not be relied upon as legal advice, and does not purport to represent the views of our clients or the Firm. Amanda M. Santella, an O’Melveny partner licensed to practice law in the District of Columbia and Maryland; Sid Mody, an O’Melveny partner licensed to practice law in Texas; Elizabeth Arias, an O’Melveny counsel licensed to practice law in California; Hannah E. Dunham, an O’Melveny counsel licensed to practice law in California and the District of Columbia; and Joshua Goode, an O’Melveny associate licensed to practice law in the District of Columbia, contributed to the content of this newsletter. The views expressed in this newsletter are the views of the authors except as otherwise noted.
© 2026 O’Melveny & Myers LLP. All Rights Reserved. Portions of this communication may contain attorney advertising. Prior results do not guarantee a similar outcome. Please direct all inquiries regarding New York’s Rules of Professional Conduct to O’Melveny & Myers LLP, 1301 Avenue of the Americas, Suite 1700, New York, NY, 10019, T: +1 212 326 2000.