If you work in the Defense Industrial Base, you already know the alphabet soup is real—CMMC, DFARS, FAR, NIST, FCA, DOJ. And you’ve probably felt that gap between technical controls and legal exposure.
We see it every day. Good teams with solid cybersecurity get tripped up by the legal side of compliance. Not because they don’t care. Because clarity is hard in a world built on acronyms and stilted wording.
That’s why we pay attention when experts like Chelsea Zortman (Associate, McDonald Hopkins, Data Privacy & Cybersecurity Practice Group) walk through the legal and business risks that contractors can’t afford to ignore.
As Chelsea put it clearly during her CMMC CON 2025 session, “The bottom line is that no certificate, no award, no option.”
You don’t need a breach to face the consequences of non-compliance. Misrepresenting your posture or stumbling on documentation can trigger investigations, contract termination, or civil penalties.
The legal exposure can be costly, but it’s preventable with the right approach. Here are the core lessons from Chelsea’s session, the ones every prime and subcontractor should internalize.
We’ll start with the basics, then move into the legal risks, and finally give you the practical moves that build a defensible compliance posture now.
What Is CMMC 2.0—And Why Does It Matter Today?
Let’s set the stage quickly. The Cybersecurity Maturity Model Certification is the DOD program designed to protect sensitive but unclassified information like Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) across the defense supply chain.
It didn’t emerge in a vacuum. It evolved from longstanding requirements under DFARS 252.204‑7012 and FAR 52.204‑21, which tie back to NIST SP 800‑171 (and, at higher sensitivity, NIST SP 800‑172).
CMMC 2.0 simplified the original five levels down to three and aligned more directly with NIST, introduced self‑assessment at Level 1 and some Level 2 contracts, and reserved third‑party assessments (C3PAO) for prioritized, more sensitive Level 2 work.
Most contractors will fall under Level 1 or Level 2. Level 3 is reserved for the most sensitive programs.
Why we’re emphasizing this now: CMMC isn’t avoidable anymore. Compliance is a precondition to winning and keeping DOD work.
The Legal Risk Landscape: What Contractors Really Face
The biggest misunderstanding we see is assuming legal exposure only follows a breach. Not so. As Chelsea explained, investigations and penalties often stem from misrepresentation, documentation gaps, or contractual missteps—even when technical controls are in decent shape.
Here are the core categories she highlighted:
1. False Claims Act (FCA) Exposure
Under the False Claims Act, “the FCA penalizes knowingly false statements that were made to the government, either in connection with payment or contracting.” If you certify compliance when you’re not compliant, even via an inaccurate self‑assessment, you can be found liable.
Penalties include treble damages and fines per false claim. Chelsea pointed to Aerojet Rocketdyne, which ultimately settled its FCA case for $9,000,000.
In cases like Aerojet’s, liability doesn’t stem solely from failing to meet cybersecurity requirements—it often arises from making false or reckless claims about compliance. For example, asserting to a contracting agency that your company is fully compliant when it isn’t, or agreeing to specific clauses (such as DFARS 252.204-7012) in a contract while neither meeting those obligations nor taking meaningful steps toward compliance.
The Aerojet settlement underscores a critical lesson: proactive compliance matters. Engaging experts early to understand requirements and implement effective measures can significantly reduce the risk of enforcement actions later.
Your internal representation must align with your System Security Plan (SSP) and Plan of Action and Milestones (POAM). What you “check the box” on needs to be real and implemented defensibly.
2. Contract Termination (Default or Convenience)
CMMC non‑compliance discovered post‑award can end in termination. “Likely this will occur within default termination or termination for convenience,” noted Chelsea.
Even absent fraud, “a lack of due diligence and preparation in itself could just result in that loss of business.” Termination for convenience, which the DOD may use instead of pursuing FCA, can still “have a huge impact on past performance evaluations.”
3. Subcontractor Risk (Flow‑Downs)
In CMMC’s reality, “prime contractors are responsible for ensuring subcontractors meet CMMC requirements.” If subs aren’t compliant, primes can be liable. Weak or absent flow‑down clauses create ambiguity and legal risk. This is especially acute with smaller businesses struggling to meet Level 2 requirements.
“If your subcontractors aren’t CMMC compliant, the prime contractor could be liable,” warned Chelsea. Being a small or medium-sized business does not exempt you from CMMC. Requirements flow down the supply chain, so even small defense contractors can’t afford to ignore CMMC.
4. Bid Protests
“If a contractor falsely asserts compliance and wins an award, a competitor can file a bid protest,” cautioned Chelsea. That kicks off a detailed review, often resulting in “either a delay of the business, and in worst cases, a complete loss of the business.” The GAO or Court of Federal Claims may uphold a protest if CMMC compliance was improperly evaluated.
5. Civil and Criminal Enforcement
The DOJ Civil Cyber Fraud Initiative “aggressively targets misrepresenting cybersecurity posture.” And here’s the important part: “You can be pursued even without a data breach, and this is a common misconception.”
Chelsea cited a 2022 case where a managed service provider paid $293,000 for certifying compliance with NIST 800 requirements it hadn’t implemented. No breach, but still penalized.
Bottom line: “CMMC compliance is not just an IT project, it’s a legal exposure point.”
Why Now: The Business and Legal Case for Immediate CMMC Readiness
You’ve heard “urgency” before, so let’s make it practical. The government has audit rights (DOJ, DCMA) and can compare your SSP/POA&M to representations you made during award. “If what they find doesn’t match what you attested to, it’s not just a failed audit, it could be a legal matter,” said Chelsea.
Delay increases risk in three directions:
1. Award risk: Non‑compliance or weak documentation can cost you current and future business due to termination and damaged past performance.
2. Enforcement risk: Civil penalties and investigations, even without a breach.
3. Competitive risk: A rival can challenge your award via a bid protest; if your compliance is shaky, you’re vulnerable.
The path forward is defensible compliance, not perfection for perfection’s sake.
According to Chelsea, “The goal here is not perfection, it’s accountability and diligence.” That’s the mindset shift. And it’s where CyberSheath spends most of its time with customers: tightening representations to match reality, documenting controls, and building an operating rhythm that stands up under audit.
The Moves That Reduce Exposure (And Build Defensible Compliance)
1. Engage Legal Early
“Don’t treat this just as an IT or security task.” Self‑attestation is legal representation: “if there’s a misstatement made here, it can be used as evidence in either civil or criminal cases.” Involve counsel to review SSPs, POAMs, and representations. “You have to treat them like sworn statements,” advised Chelsea.
Practical tip: Draft precise, unambiguous terms in prime/subcontracts. Avoid “to the best of our knowledge” language—it’s weak. Define CMMC obligations clearly so expectations match the actual controls and timelines.
2. Document Everything
“The second mitigation tactic is to document. Document everything,” advised Chelsea.
She added: “Accurate and up to date documentation is your best evidence of compliance to the government.” Maintain your SSP, POAM, training records, audit logs, and assessment reports. Make sure your technical measures align with NIST/CMMC control sets.
Practical tip: Organize artifacts so they’re available on request. Gaps or false documentation discovered during audit can be forwarded to oversight bodies.
3. Train and Get Cross‑Functional Buy‑In
“All of your different departments need to understand their roles within this process,” said Chelsea. That includes procurement, contracts, IT/security, and legal. In solicitations and responses, reflect your status accurately. Include proper flow‑down language. Avoid vague or overly optimistic statements.
Practical tip: If a control isn’t in place, say so. Share your POAM, target dates, and mitigation steps. Overpromising risks civil/criminal penalties and reputational harm.
4. Subcontractor Oversight
“Prime contractors, like we said, can’t just assume that subs are compliant.” Require subs to provide evidence of assessments or certification and include audit rights in contracts. If you rely on templates, confirm they include the correct DFARS/CMMC flow‑downs and the plain‑language obligations behind those clauses.
Practical tip: Periodic reviews and document requests are part of a prime’s legal duty. Treat subcontractor oversight like any other supply‑chain risk.
5. Continuous Monitoring
“Compliance isn’t one and done. It’s a continuous effort that you need to maintain throughout the lifecycle of your contracts,” advised Chelsea. Use vulnerability scanning and monitoring tools aligned with NIST 800‑171/CMMC 2.0. Schedule periodic self‑assessments and track remediation against your POAM.
Practical tip: Integrate audit findings and threat intelligence. The goal is a defensible position if litigation or inquiry hits.
6. Cyber Liability Insurance
If purchasing cyber liability insurance, ensure it covers “regulatory defense and fines, third party claims, and breach response costs tied to federal data.” Confirm coverage aligns with your CMMC exposure profile.
Practical tip: Involve legal to validate policy language against your specific obligations and risks.
Accountability Over Perfection
Chelsea concluded: “CMMC compliance is not just an IT project, it’s a legal exposure point.”
And CMMC success is about building a cybersecurity posture that stands up under scrutiny because the story you tell matches the controls you run, the documents you keep, and the way you manage your supply chain.
We’ve seen that posture win contracts, survive audits, and sidestep investigations. It’s built on clarity, diligence, and the discipline to say exactly what’s true and prove it.
Key Takeaways
- Compliance is table stakes: “No certificate, no award, no option.”
- Legal exposure is real even without a breach: Misrepresentation invites FCA actions, bid protests, and DOJ scrutiny.
- Documentation wins: An accurate, current SSP, POAM, and supporting artifacts are your best defense.
- Primes must verify subs: Clear flow‑downs, audit rights, and evidence reviews are non‑negotiable.
- Operate continuously: Compliance is a living regime; schedule self‑assessments and track remediation.
- Aim for defensible compliance: The goal here is not perfection, it’s accountability and diligence.
Frequently Asked Questions
What legal risks do I face if I self‑attest but haven’t fully implemented controls?
Self‑attestation is a legal representation. Misstatements can be used as evidence in civil or criminal cases, including FCA exposure. Align your SSP/POAM to actual controls and timelines.
Can I be investigated even if we haven’t had a data breach?
Yes. The DOJ’s Civil Cyber Fraud Initiative targets misrepresentations. “You can be pursued even without a data breach,” warned Chelsea.
What could happen to my current contract if gaps are found post‑award?
You risk termination for default or termination for convenience, and either can impact past performance—hurting future bids.
How should primes manage subcontractor compliance?
Build clear flow‑down obligations, require evidence of compliance, and include audit rights. Don’t assume subs are compliant. Instead, verify.
What documentation matters most in an audit?
Maintain an accurate, current SSP, POAM, training records, audit logs, and assessment artifacts. “Accurate and up to date documentation is your best evidence of compliance to the government,” said Chelsea.
Is perfection the goal in CMMC?
No. As Chelsea stated, “The goal here is not perfection, it’s accountability and diligence.”
What’s the fastest way to reduce legal exposure right now?
Engage legal early, reconcile representations against reality, document everything, and tighten prime–sub flow‑downs with audit rights. Start continuous monitoring if you haven’t already.
Disclaimer: This article is for general information only and does not constitute legal advice.
