
CMMC Wake-Up Call

The DOJ Is Cracking Down — Are You Actually Compliant?

Could a wrong checkbox on your SPRS score cost your company millions?
It's already happened — to Raytheon, Verizon, and Penn State.
Now the DOJ is cracking down, and contractors are getting sued — even if they're "almost" compliant.

Over the past few years, the DOJ has recovered more than $28 million from contractors who misrepresented their adherence to NIST SP 800-171 — and the pressure is only ramping up.


Not sure if your SPRS score would hold up under scrutiny?
Get our free CMMC Checklist


Recent Enforcement Highlights:

  • Raytheon & Nightwing Group (2025):
    Fined $8.4 million for falsely claiming NIST 800-171 compliance across ~30 DoD contracts. Nightwing was penalized even though it inherited the violations through acquisition.

  • MORSECORP (2025):
    Paid $4.6 million after inflating its SPRS score and failing to correct it when flagged by a third-party assessment.

  • Penn State University (2024):
    Fined $1.25 million after a whistleblower exposed cybersecurity failures within its Applied Research Lab. Even universities are being scrutinized.

  • Insight Global (2024):
    Paid $2.7 million for mishandling sensitive health data on a state contract — despite claiming to meet federal cybersecurity requirements.

  • Verizon (2023):
    Settled for $4 million due to federal contract security failures after misrepresenting compliance with IT security obligations.

  • Georgia Tech Research Corp (2024, ongoing):
    Under active DOJ investigation for failing to implement required NIST 800-171 controls — and allegedly retaliating against internal whistleblowers.

These aren't isolated incidents — they represent a systematic wave of enforcement.
In 2024 alone, the DOJ resolved six cyber-related False Claims Act (FCA) cases, with more underway in 2025.


What This Means for You

Let's be blunt:

  • If you're not fully compliant, but you're claiming you are — you're at risk.

  • If you're a subcontractor "checking the box" to stay competitive — you could expose your entire company to litigation.

  • If you're waiting to take CMMC seriously, you're already behind.

CMMC is no longer theoretical.

  • Title 48 has embedded it into federal acquisition law.

  • 32 CFR is live.

  • Primes are already flowing down requirements.

  • And the DOJ isn't just warning — it's suing.


Don't Let a False Claim Be Your Most Expensive Mistake

Saying you're compliant when you're not — even if you're "almost there" — could cost you millions and threaten your eligibility for future contracts.


What You Should Do Now

If you're unsure where your organization really stands — or you want a plan that holds up under real-world scrutiny — now is the time to act.

We'll help you:

  • Assess where you are

  • Create a defensible POA&M

  • Build a path to compliance that's technically sound, operationally realistic, and legally safe


Our door is open.
Let's have a conversation — before the DOJ has one with you.

Contact Us

