False Claims Act, Civil Liability for Knowingly False Claims
31 U.S.C. § 3729, the False Claims Act, imposes civil liability, including treble damages and per-claim penalties, on anyone who knowingly presents a false or fraudulent claim for payment to the federal government. "Knowingly" includes actual knowledge, deliberate ignorance, and reckless disregard, which is why a knowingly false CMMC senior-official affirmation can trigger FCA exposure.
Who must comply
Anyone who submits claims for payment to the federal government, including DoD contractors making CMMC affirmations.
What it requires
- 01Knowingly false claims for payment, false statements material to a claim, and false records used to get a claim paid all trigger civil liability.
- 02Penalties include three times the government's damages plus a per-claim civil penalty (adjusted annually for inflation).
- 03Liability extends to individuals, including the senior official who knowingly signed a false affirmation, not just the company.
- 04The qui tam provisions allow private "relators" (often current or former employees) to file suit on the government's behalf and share in any recovery.
Key points
- The DOJ Civil Cyber-Fraud Initiative, launched October 6, 2021, explicitly uses the FCA to pursue contractors for cybersecurity misrepresentations.
- Multiple settlements since 2022 (Aerojet Rocketdyne, MORSE Corp, Penn State, others) have arisen from inflated NIST 800-171 or DFARS 7012 representations.
Related clauses
- 32 CFR 170.22Affirmation by a Senior Official
32 CFR 170.22 requires a named Affirming Official, defined at 32 CFR 170.4 as the senior level representative responsible for ensuring the contractor's compliance with the CMMC Program requirements who has the authority to affirm its continuing compliance, to electronically affirm in SPRS at least every 12 months that the contractor continues to meet the CMMC security requirements for its level. A knowingly false affirmation is the explicit target of the Department of Justice Civil Cyber-Fraud Initiative under the False Claims Act.
- DFARS 252.204-7021Cybersecurity Maturity Model Certification Requirements
DFARS 252.204-7021 is the contract clause that makes a current CMMC certification or self-assessment at the level specified in the contract a material condition of award and continued performance. It triggers the annual senior-official affirmation obligation under 32 CFR 170.22 and is the contractual hook that turns CMMC from a DoD policy into an enforceable requirement.