The False Claims Act and CMMC

During the American Civil War, defense contractors saw a great opportunity to make a lot of money by selling much-needed equipment and other commodities to the federal government. The problem was that some contractors invoiced the federal government without delivering any equipment or commodities at all. To put a stop to this kind of fraudulent activity, President Abraham Lincoln signed the False Claims Act (FCA) into law in 1863. Generally speaking, the FCA prohibits any fraudulent activity on the part of government contractors or partners.

What does this have to do with the pending CMMC rule in 2024?

The NIST 800-171 Self-Assessment Issue

To understand how the False Claims Act has seen a resurgence over the last few years, you have to understand some history about NIST 800-171 reporting and why CMMC came into being. 
The whole concept of Controlled Unclassified Information (CUI) protection, initially, was that companies would assess their own compliance with NIST SP 800-171 and report their score into the Supplier Performance Risk System (SPRS), the platform designed for just that purpose. It was assumed that contractors would report their scores accurately for the general good. The Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) found out, after performing some of its own assessments, that the numbers appearing in SPRS were not always accurate. In fact, some of the reported scores were completely falsified. Not only did these falsely reported SPRS scores inspire the development of third-party assessment processes and CMMC, but they also led to the Civil Cyber-Fraud Initiative.

The Civil Cyber-Fraud Initiative

The Civil Cyber-Fraud Initiative was launched and announced in 2021. The 2021 press release explains, “The Civil Cyber-Fraud Initiative will utilize the False Claims Act to pursue cybersecurity related fraud by government contractors and grant recipients.” The publication goes on to state, “The initiative will hold accountable entities or individuals that put U.S. information or systems at risk by knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cybersecurity incidents and breaches.” 

What This Means For You

When a report is submitted to SPRS, one of the requirements is that a member of the company’s executive team sign off on the submission. Because of the Civil Cyber-Fraud Initiative, that individual can be held liable if the score is found to be fraudulent. While imprisonment is not possible, the fines can be extremely high. 

What You Should Do

The answer is easy on the surface. The executive responsible for signing off on the score submission must commit to due diligence and make sure the score is legitimate. A third-party assessment helps a lot in this regard. In the two years between CMMC certification and recertification, companies have to be cautious about what they are going to report regarding their self-assessment. It is important to remember you are able to edit your SPRS score, so if you need to modify something, do so. It is much better to lower your score and be honest than to submit a potentially false score and be subject to penalties.

How Smithers Can Help

Smithers is at its core an accredited management systems certification body, and those management systems processes are carried into the NIST SP 800-171/CMMC assessment environment. This means that our assessors are ready to perform a surveillance assessment of your CUI protection during the two years in which a third-party assessment is not required. This will give your company additional confidence as you submit your score to SPRS.

If you would like to learn more about SPRS, NIST assessments, or the Smithers difference, contact us today. 
