The Legal Risk of Misrepresenting (or not being able to substantiate) SPRS Scores

by Stuart Itkin | CRO and Chief Security Evangelist

Most defense contractors understand that submitting an accurate SPRS scoring is a baseline requirement for doing business with the Department of War. What is far less understood, especially outside legal circles, is that misrepresenting your cybersecurity compliance status can expose your company to significant liability under the False Claims Act (FCA), even if no breach ever occurs.
The Department of Justice (DOJ) is making cybersecurity enforcement a priority, using the FCA to pursue companies that knowingly overstate their compliance posture. This includes contractors that submit inaccurate SPRS scores or that cannot substantiate their scores with objective evidence. For business and compliance managers, this represents a material financial, operational, and reputational risk that must be actively managed.

Understanding the False Claims Act in Plain Business Terms

The False Claims Act is a federal law designed to protect the government from fraud. It makes it illegal to knowingly submit false statements or certifications in order to obtain or retain government funds. Importantly, the FCA does not require proof of malicious intent. A company can be liable if it acts with:

  • Actual knowledge that a statement is false
  • Reckless disregard for the truth
  • Deliberate ignorance of whether the statement is accurate

For defense contractors, this matters because cybersecurity compliance representations are now embedded into contracts. When your organization submits an SPRS score, signs a cybersecurity attestation, or certifies compliance during contract performance, it is making representations the government relies on to award and pay contracts. If those representations are false or cannot be substantiated, they can qualify as false claims.

This is where many companies get into trouble. Submitting an SPRS score without having a complete System Security Plan, without evidence that controls are implemented, or while knowingly relying on “planned” rather than operational safeguards creates FCA exposure. The risk is not theoretical. DOJ has already demonstrated it is willing to pursue these cases.

Why SPRS Misrepresentation Is a Legal Flashpoint

SPRS scores are not marketing claims; they are compliance assertions. When a contractor inputs a score, it is effectively stating that it has implemented specific NIST SP 800-171 controls. If that score is inflated or can't be supported by documentation, the submission can be viewed as a false statement made in connection with a federal contract.

A common misconception is that "self-assessment" means "low risk." In reality, self-assessment shifts responsibility directly onto the contractor. If you self-report a score, you are responsible for being able to prove it. The absence of objective evidence (policies, procedures, configurations, screenshots, logs, training records) creates a significant vulnerability. From an enforcement perspective, DOJ does not need to prove that your cybersecurity program was perfect. It only needs to show that you knowingly overstated it.

The Civil Cyber Fraud Initiative and the Role of Whistleblowers

In 2021, the DOJ launched the Civil Cyber Fraud Initiative to explicitly apply the False Claims Act to cybersecurity-related misconduct. The initiative is designed to encourage enforcement actions where contractors misrepresent compliance, fail to follow required cybersecurity practices, or ignore known deficiencies while continuing to certify compliance.

A critical component of this initiative is the FCA's whistleblower provision. Under this mechanism, insiders, including employees, consultants, IT staff, or even subcontractors, can file a lawsuit on behalf of the government if they believe a company is making false compliance claims. If the government recovers money, the whistleblower is entitled to 15% to 30% of the settlement.

This incentive structure changes the risk equation. A compliance gap that might never surface in an audit can still trigger enforcement if someone inside the organization knows the SPRS score does not match reality. DOJ has been clear that it views whistleblowers as essential to identifying cyber fraud, and recent cases confirm this approach is working.

Real Enforcement: The Aerojet Rocketdyne Case and Others

The most well-known example is Aerojet Rocketdyne. In 2022, the company agreed to pay $9 million to resolve allegations that it misrepresented its compliance with DoD and NASA cybersecurity requirements. The whistleblower, a former cybersecurity executive, alleged that Aerojet claimed compliance while knowing that significant NIST SP 800-171 gaps remained. The whistleblower received approximately $2.6 million as part of the settlement.

More recently, smaller contractors have also been targeted. MORSE Corp, a defense contractor supporting DoD programs, paid $4.6 million after DOJ alleged it overstated cybersecurity compliance and submitted inaccurate representations, including an unsupported SPRS score. The whistleblower in that case received $851,000. These cases demonstrate two important realities: company size does not insulate you from FCA risk, and unsupported documentation is enough to trigger enforcement.

Reducing FCA Risk: From “Trust Us” to “Prove It Anytime”

For business and compliance managers, the takeaway is not to fear enforcement, but to operationalize compliance correctly. The most effective way to reduce FCA exposure is to ensure that every SPRS point you claim is backed by objective, well-organized evidence. This is where many organizations struggle, particularly those managing compliance through spreadsheets, shared drives, or disconnected tools.

FutureFeed addresses this problem by giving contractors a structured, auditable way to create, maintain, and curate the documentation required to substantiate SPRS scores. Instead of treating compliance as a one-time exercise, FutureFeed supports continuous alignment by tying each control to specific evidence artifacts and maintaining a living compliance record.

With FutureFeed, organizations can:

  • Maintain a current System Security Plan aligned to actual implementation
  • Track control-level evidence in one centralized platform
  • Ensure SPRS scores reflect reality, not assumptions
  • Rapidly demonstrate compliance to primes, auditors, or regulators

This capability supports a simple but powerful posture: “Prove it Anytime.” If a question arises—from a contracting officer, a prime contractor, or a regulator—you can immediately demonstrate how your score was calculated and what evidence supports it. That transparency significantly reduces both operational risk and FCA liability.

Final Thought

Cybersecurity compliance is now inseparable from legal risk management. Submitting an unsupported SPRS score is no longer just a technical misstep—it can be construed as a false claim with multimillion-dollar consequences. The DOJ’s Civil Cyber Fraud Initiative and whistleblower incentives ensure that misrepresentation will be discovered, often from inside the organization.

For defense contractors, the safest path forward is not perfection, but truth, documentation, and evidence. Platforms like FutureFeed help make that path operational, enabling companies to compete confidently, remain eligible, and reduce the risk of becoming the next cautionary enforcement example.
