
CMMC Compliance in the Crosshairs: What DOJ’s Cyber-Fraud Crackdown Means for Defense Contractors

  • mike08242
  • Dec 9, 2025
  • 4 min read

Updated: Dec 18, 2025

Featuring insights from former U.S. Attorney Zach Terwilliger on Bourbon & Bytes

CMMC Compliance has officially entered a new era—one where cybersecurity claims aren’t merely checked for accuracy, but examined with prosecutorial intensity. In a recent episode of Bourbon & Bytes, Terry McGraw sat down with Zach Terwilliger, Managing Partner of Vinson & Elkins’ Washington, D.C. office and former U.S. Attorney for the Eastern District of Virginia, to unpack a sobering reality:


The Department of Justice (DOJ) is no longer treating cybersecurity misrepresentation as a technical issue. It’s treating it as fraud.


And with the escalation of the Civil Cyber-Fraud Initiative, the spotlight is now firmly fixed on organizations that claim to meet CMMC Compliance, maintain accurate SPRS scores, and protect Controlled Unclassified Information (CUI).


DOJ’s New Enforcement Engine: The Civil Cyber-Fraud Initiative


Terwilliger lays out the mechanics behind this major shift. Any time DOJ launches an “initiative,” it signals priority—and priority means attention, resources, and results. For CMMC Compliance specifically, that translates into:


Cyber Fraud Coordinators in Every U.S. Attorney’s Office


Each office now assigns a point person responsible for tracking cyber-related False Claims Act cases. These coordinators gather statistics and feed them up to DOJ headquarters—creating a feedback loop that drives further enforcement.


Growing Bench Strength Inside DOJ


Subject matter experts are emerging across districts as cyber fraud cases accumulate. Just as some U.S. Attorney’s Offices became known for prosecuting organized crime or public corruption, certain districts are now developing reputations for pursuing cybersecurity fraud.


Resource Reallocation


Funding, personnel, and investigative bandwidth are being shifted toward cyber fraud. DOJ is building the infrastructure to pursue CMMC Compliance violations with the same seriousness as healthcare fraud, procurement fraud, or financial crime.


The message is unmistakable:

Misrepresenting your cybersecurity posture—intentionally or recklessly—is becoming one of DOJ’s top enforcement priorities.


False Claims Act + CMMC Compliance: A High-Risk Intersection


Terwilliger explains why the False Claims Act (FCA) is the weapon of choice. The FCA allows the government to pursue treble damages and per-claim penalties for fraudulent statements.

In the context of CMMC Compliance, that means:


  • Fabricated SPRS scores

  • Unsupported attestations of NIST 800-171 implementation

  • Misleading statements made in bids or ongoing contracts

  • Security controls that exist “on paper” but not in practice


And because so many defense contractors rely on recurring submissions—monthly, quarterly, annually—each submission becomes a potential separate false claim.


That can turn a cybersecurity lapse into an extinction-level event.


The Whistleblower Pipeline Is Growing


One of the most eye-opening parts of the conversation is Terwilliger’s breakdown of the whistleblower ecosystem. These cases often begin not with law enforcement, but with insiders—CISOs, IT staff, analysts, former employees—who believe an organization is falsely claiming compliance.


Because whistleblowers (relators) can receive a percentage of DOJ recoveries, the incentive is enormous.


And DOJ’s visible success in these cases only encourages more filings.


If your CMMC Compliance claims are shaky, someone inside your organization may already be documenting it.


CMMC Compliance Is No Longer a Paper Exercise


The episode reinforces a core point that many organizations still underestimate: CMMC Compliance is now an auditable, prosecutable standard.


Believing you’re compliant isn’t enough. Purchasing tools isn’t enough. Having policies isn’t enough.

DOJ cares about evidence. CMMC assessors care about artifacts. Whistleblowers care about discrepancies. And the government contracting ecosystem cares about truth.

As Terwilliger put it, the days of “hoping nobody finds out” are over.


Avoiding the FCA Trap: What Organizations Must Do Now


Zach outlines a clear set of priorities for companies handling CUI or pursuing CMMC Compliance:


1. Validate Your Current Cyber Posture

Most organizations think they’re compliant—and many are wrong. Independent assessments and technical validation are no longer optional.


2. Create a Culture of Accuracy and Transparency

Executives, boards, and compliance teams must understand the gravity of cybersecurity attestations. Misstatements, even unintentional ones, can form the basis of FCA liability.


3. Document Everything

CMMC assessors, DOJ investigators, and contracting officers all expect traceability. If you can’t prove it, it doesn’t exist.


4. If a CID Arrives, Don’t Wait

Civil Investigative Demands (CIDs) are serious. Companies should immediately engage experienced counsel who understand both FCA and cybersecurity.


The Future of CMMC Compliance: Increasing Scrutiny, Higher Stakes


The DOJ has explicitly identified procurement fraud, including cyber-related fraud, as a priority area. Combined with the growing sophistication of cyber fraud coordinators and the whistleblower pipeline, contractors should expect:


  • More investigations

  • More audits tied to CMMC

  • More False Claims Act cases

  • Greater scrutiny on SPRS score accuracy

  • Higher expectations for technical evidence


CMMC Compliance is no longer a checkbox. It’s a risk surface with legal, financial, and existential consequences.


Final Thought: Act Now, Not Later


Terwilliger’s discussion makes one thing clear: Organizations must treat CMMC Compliance with the same seriousness as financial compliance under Sarbanes-Oxley.


Boards must demand visibility.

Executives must ensure accuracy.

Security teams must deliver evidence.

And the entire organization must understand that mistakes aren’t just technical—they’re legal.


CMMC Compliance has been elevated to a national security mandate backed by DOJ enforcement power.


If you handle CUI, the time to mature your cybersecurity posture is not “before the audit.” It’s now, before the whistleblower, the investigator, or the CID shows up.
