When defense contractors think about CMMC, their minds go straight to technical requirements — system security plans, access controls, or the 110 security requirements of NIST SP 800-171. But the Department of Justice has made it clear that failing on the legal side of CMMC can be just as damaging as a breach. Missteps in compliance documentation, self-assessments, or subcontractor oversight have already produced multimillion-dollar False Claims Act settlements, including for companies that never suffered an incident.
At CMMC CON 2025, Michael Gruden, Partner at Crowell & Moring and a former Pentagon and DHS cybersecurity lawyer, will break down how enforcement actions are reshaping compliance expectations. His session, “Legal Insights: Regulatory Landscape with Guest Counsel – Part Two,” will show contractors where legal risk hides in plain sight.
Gruden explains how the DOJ’s Civil Cyber-Fraud Initiative has turned self-attestations and contract clauses into high-stakes legal commitments. Contractors that inaccurately reported their NIST SP 800-171 assessment scores in the Supplier Performance Risk System (SPRS) have been investigated and have paid settlements, even when the errors came from misunderstanding the scope or boundary of the system being assessed. Recent cases involving Aerojet Rocketdyne, Guidehouse, and MORSECORP show that enforcement does not require a data breach: an inaccurate self-assessment, or the use of a cloud provider that does not meet the contract’s requirements, is enough to trigger action.
Subcontractors are also on notice. The DOJ’s case against Nan McKay & Associates, brought alongside its prime contractor, shows that liability flows down the supply chain. If you handle controlled unclassified information (CUI), you are accountable, whether you are the prime contractor or several tiers removed.
Gruden will highlight strategies to reduce legal exposure before CMMC certification. That includes conducting readiness assessments with experienced outside experts, ensuring policies are tailored to the organization rather than boilerplate, and tracking compliance gaps with documented remediation plans. He’ll also stress the importance of responding to internal concerns, since the whistleblower (qui tam) provisions of the False Claims Act often serve as the starting point for federal investigations.
With CMMC enforcement beginning this fall, contractors can’t afford to treat compliance as a box-checking exercise. The organizations that understand both the technical and legal dimensions will keep their contracts and protect their reputations. Those that don’t risk becoming the next headline settlement.
Register now for CMMC CON 2025 to hear Gruden reveal the legal risks that could derail your compliance program and learn how to avoid them.
