DoD's Cybersecurity Compliance Crisis: $50 Million in Fraud Settlements Expose a Broken Contracting Culture
The Department of Justice settled seven cybersecurity fraud cases against defense contractors in 2025, recovering nearly $50 million [6]. These weren't minor paperwork oversights. Contractors submitted fictitious cybersecurity scores to win DoD contracts, failed to run basic antivirus software on systems handling sensitive research, and shared controlled unclassified information with unauthorized foreign companies [1][2]. The enforcement wave arrived alongside CMMC 2.0's Phase 1 going live on November 10, 2025, creating a new regime where cybersecurity compliance failures carry real financial and criminal consequences [7].
This pattern of contractor non-compliance isn't new, but the government's willingness to prosecute it aggressively is. Four contractors pleaded guilty to bid-rigging, fraud, and bribery schemes tied to IT sales to DoD, each facing up to 20 years in prison [6]. The DOJ's Criminal Division formally announced procurement and federal program fraud as enforcement priorities in May 2025 [6]. Defense contractors who treated cybersecurity requirements as optional paperwork now face a fundamentally different risk calculus.
The Enforcement Cases: What Actually Happened
The Georgia Tech Research Corporation case is instructive. Whistleblowers Christopher Craig and Kyle Koza, both former Georgia Tech cybersecurity team members, revealed that the institution failed to install, update, or run anti-malware tools on desktops, laptops, servers, and networks during sensitive cyber-defense research for the Air Force and DARPA [1]. Worse, Georgia Tech submitted a cybersecurity assessment score of 98 to DoD. That score was based on a fictitious environment [1]. The settlement cost $875,000, a relatively modest sum that belies the severity of the underlying conduct: a major research university fabricating its security posture while handling defense-relevant work [1].
Aero Turbine Inc. and its private equity owner Gallant Capital Partners paid $1.75 million to resolve False Claims Act liability for cybersecurity violations between 2018 and 2020 [2]. The company failed to implement NIST SP 800-171 controls required under its Air Force contract. A Gallant employee directed the improper sharing of controlled unclassified information with an Egypt-based software company [2]. This case marked the first FCA settlement involving a private equity firm since 2021, putting PE-backed defense contractors on notice that acquisition doesn't erase compliance obligations [2].
These cases share a common thread. The failures weren't sophisticated technical shortcomings. They were basic governance breakdowns: not running antivirus, fabricating scores, sharing sensitive data with unauthorized parties. As one DOJ official noted, "When contractors fail to follow the required cybersecurity standards in their DoD contracts, they leave sensitive government information vulnerable to malicious actors and cyber threats" [1].
CMMC 2.0: The New Enforcement Regime
CMMC Phase 1's activation in November 2025 fundamentally changed the compliance environment [7]. Requirements are now being embedded directly into DoD contracts, with the pace accelerating through 2026 [4]. This isn't a distant future concern. Contractors who haven't started the compliance process are already facing contract eligibility exclusion [4].
The annual affirmation requirement creates a particularly sharp legal exposure. Affirming officials must personally attest to their organization's compliance status under penalty of law [7]. False certifications can trigger treble damages and per-claim penalties under the False Claims Act [7]. Holland & Knight's analysis is blunt: "This is not an administrative checkbox; it is a recurring certification submitted to the federal government as a condition of contract eligibility" [7].
The scope is staggering. Over 220,000 companies in the Defense Industrial Base are now directly impacted by CMMC 2.0, and small and mid-sized businesses comprise over 70 percent of the defense supply chain [5]. For these SMBs, Level 2 compliance can consume a substantial portion of annual profits [5]. The administrative burden frequently drives smaller firms to engage consultants or managed security service providers, adding cost layers that squeeze already thin margins [5].
Governance Gaps, Not Technical Failures
The most striking finding across the enforcement actions and compliance assessments: most CMMC failures stem from governance gaps rather than technical shortcomings [5]. Contractors aren't losing contracts because they can't configure firewalls. They're losing them because they never documented their system boundaries, never mapped where controlled unclassified information lives, and never built the policy frameworks that NIST SP 800-171 demands.
This distinction matters for understanding the low-bid problem. When contractors slash proposal budgets to win awards, the first casualties are compliance staff, documentation processes, and governance programs. A company can deploy endpoint detection tools cheaply enough. Building and maintaining the System Security Plan, the Plan of Action and Milestones, and the continuous monitoring program that makes those tools meaningful requires sustained investment in people and processes. That's exactly the work that gets cut when price pressure dominates evaluation criteria.
The real work of data mapping, system boundaries, and documentation cannot be rushed for 2026 solicitations [4]. Prime contractors are becoming accountable for supply chain compliance, reducing their tolerance for downstream risk from subcontractors who haven't done the work [4]. Past performance and technical excellence carry less weight once a contractor loses basic eligibility [4].
The Waiver Problem and External Risks
GAO has flagged a significant structural weakness in CMMC implementation: DoD's reliance on a waiver process that could undermine cybersecurity verification goals [3]. The frequency and number of waivers DoD grants will determine whether CMMC actually changes contractor behavior or becomes another paper exercise. GAO specifically warned that "depending on the frequency and number of waivers DOD uses, the process could also undermine the long-term viability of the CMMC program" [3].
DoD outsourced a large portion of contractor verification to private sector assessment teams [3]. Ecosystem capacity, meaning whether enough qualified assessors exist to evaluate 220,000-plus companies, is a key external risk factor [3]. CMMC requirements are also based on the 2021 version of NIST standards, which may need updates to address current threats [3]. A framework built on five-year-old security standards defending against 2026 threat actors has obvious limitations.
The 2026 NDAA's Section 866 directs the Secretary of Defense to harmonize cybersecurity requirements across the defense industrial base by June 1, 2026 [9]. This aims to eliminate the duplicative and inconsistent cybersecurity requirements that have created compliance confusion and allowed contractors to cherry-pick which standards they follow [9].
Financial Accountability Gets Teeth
The financial risk model for non-compliant contractors has shifted materially. White & Case's analysis notes that CMMC 2.0 integration into contract terms "attaches real financial accountability to failure, and not just reputational or regulatory risk" [8]. Contractors found at fault for CUI incidents may now be liable for government response and mitigation costs [8]. This transforms cybersecurity from a cost-of-doing-business line item into a direct financial liability.
The DOJ's approach reinforces this. Seven settlements in a single year totaling nearly $50 million, combined with criminal prosecutions carrying 20-year prison terms, signal that enforcement will be sustained [6]. The second Trump administration has maintained a fraud-oriented approach to federal procurement enforcement [6], suggesting this isn't a temporary posture.
Cybersecurity compliance is also normalizing across procurement beyond DoD, altering risk models for contractors who work across multiple federal agencies [8]. Companies can't treat DoD cybersecurity as an isolated requirement when similar expectations are spreading across the federal contracting ecosystem.
The Low-Bid Connection
The original problem persists underneath the new enforcement regime. Contractors still face intense price pressure in DoD acquisitions. The 2026 NDAA raised the cost or pricing data threshold to $10 million from $2 million for contracts after June 30, 2026 [9]. While intended to reduce administrative burden, this change also reduces visibility into how contractors price cybersecurity compliance into their proposals.
The math hasn't changed. A contractor who properly staffs a security operations center, maintains governance documentation, funds continuous training, and licenses appropriate tools will submit a higher bid than one who plans to cut corners and manage the risk of getting caught. CMMC's annual affirmation requirement raises the stakes of that gamble considerably [7], but it doesn't eliminate the incentive structure that rewards underbidding.
Organizations that cannot prove a strong cyber posture risk losing contract eligibility entirely [10]. Zero-trust architecture is becoming a de facto requirement, pushing continuous verification and micro-segmentation [10]. These aren't cheap capabilities. They require sustained investment that low-bid contracting culture actively discourages.
Red Sheep Assessment
Confidence: Moderate
The enforcement data tells a clear story: DoD's contractor cybersecurity problem is primarily a governance and compliance problem, not a technical one. The contractors who got caught weren't defeated by sophisticated threat actors. They simply didn't do the basics. Georgia Tech fabricated a compliance score. Aero Turbine shared CUI with an unauthorized foreign company. These are failures of organizational discipline, precisely the kind of discipline that gets sacrificed when contracts are won on price.
CMMC 2.0 represents the most credible attempt to break this cycle, but its success depends on two factors that are still uncertain. First, whether DoD will exercise restraint with waivers or use them to paper over the supply chain's inability to meet compliance timelines. Second, whether the assessor ecosystem can scale to evaluate over 220,000 companies with genuine rigor rather than becoming a rubber-stamp industry.
The contrarian read: CMMC's compliance burden will drive the smallest, most innovative firms out of the defense industrial base entirely, consolidating work among large primes who can absorb compliance costs but charge more for it. The net effect could be higher contract values with no improvement in actual security posture, just better paperwork. The governance gap finding from Accorian [5] supports this concern. Compliance theater is a real risk when the framework rewards documentation over demonstrated capability.
The DOJ's aggressive enforcement posture is the strongest signal that this time may be different. Nearly $50 million in settlements and criminal prosecutions with 20-year exposure create deterrence that previous policy guidance never achieved. The question is whether enforcement can keep pace as CMMC requirements proliferate across hundreds of thousands of contracts.
Defender's Checklist
- [ ] Review CMMC affirmation obligations. Identify who in your organization serves as the affirming official and verify they understand the personal legal exposure under the FCA. Reference Holland & Knight's analysis [7] for the specific liability framework.
- [ ] Audit CUI data flows and system boundaries now. Map where controlled unclassified information lives, who accesses it, and whether any third parties (especially foreign entities) have unauthorized access. The Aero Turbine case [2] shows DOJ prosecutes exactly this failure.
- [ ] Validate your SPRS score against reality. Georgia Tech submitted a score of 98 based on a fictitious environment [1]. Conduct an honest internal assessment against NIST SP 800-171 controls and document gaps in a Plan of Action and Milestones before an assessor or whistleblower finds them.
- [ ] Evaluate supply chain compliance for subcontractors. Prime contractors are now accountable for downstream risk [4]. Require CMMC certification evidence from subcontractors and build compliance verification into subcontract terms.
- [ ] Budget for governance, not just tools. Most CMMC failures are governance failures [5]. Allocate resources for System Security Plan maintenance, continuous monitoring documentation, and compliance staff rather than assuming technical controls alone will satisfy requirements.
References
- [1] Georgia Tech Research Corporation Agrees to Pay $875,000 to Resolve Civil Cyber-Fraud Litigation
- [2] California Defense Contractor and Private Equity Firm Agree to Pay $1.75M to Resolve False Claims Act Liability
- [3] DoD to evaluate 'external' CMMC risks
- [4] Why Some DoD Contractors Will Be Locked Out of 2026 Contracts
- [5] CMMC in 2026: How Small and Mid-Sized Defense Contractors Are Being Reshaped
- [6] DOJ strikes at defense contractors over cybersecurity compliance and pricing issues
- [7] CMMC Affirmation Trap: FCA Exposure for Defense Contractors and Acquirers
- [8] From 2025 upheaval to 2026 strategy: Key regulatory risks and opportunities for government contractors
- [9] Key Provisions for Government Contractors in the 2026 NDAA
- [10] Cybersecurity Trends Shaping Defense Contracting in 2026