
CMMC Affirming Official: FCA Liability Explained


CMMC is one of the most modern cybersecurity frameworks out there, and while it’s limited to just the Department of Defense contractor chain, it’s still very important to know about it if you’re part of that ecosystem. After all, over 300,000 organizations are part of the defense ecosystem and DIB.

The point of CMMC is simple: securing controlled unclassified information and federal contract information from top to bottom in the defense supply chain.

The details are not so simple. With over 100 security controls across 14 domains, it’s an immense feat of technological and engineering implementations, as well as personnel training and engagement.

Since the stakes are high, so too are the responsibilities and the penalties. One of the biggest details to know is the FCA liability you face, not just as a company, but as the affirming official who signs off on CMMC implementation.

Let’s go over everything you need to know, so you’re prepared, aware of the responsibilities, and forewarned of the consequences of failure.

BLUF - Bottom Line Up Front

CMMC is a modern DoD contractor cyber framework to secure controlled unclassified information and federal contract information across the defense supply chain. The framework has 100+ controls across 14 domains and needs technical work, staff education, and senior leadership buy-in. A named Affirming Official must attest to compliance every year and faces False Claims Act exposure with heavy fines, contract loss, and personal career harm.

Who Is Your CMMC Affirming Official?

First, what is a CMMC affirming official, and who in your organization takes on that role?

The Affirming Official is the new name for an older role, known under previous iterations of CMMC as the Senior Official.

Your company’s Affirming Official needs to be a senior staff member who is ultimately responsible for your company’s CMMC implementation. For many companies, that means a director or C-level executive. For smaller businesses, this can be the CEO themselves. For larger firms, it could be a Chief Information Officer or a Chief Information Security Officer. A Director of Cybersecurity or Director of Information Security role can also play the part.

There are no requirements for the specific role an individual has to have to be the Affirming Official. Instead, it’s about responsibility. The person who takes on the mantle of the Affirming Official has to be high enough in your organization to be able to take responsibility for the implementation of CMMC… and the penalties for failure.

In other words, you can’t hand off this responsibility to a low-level employee so you can throw them under the bus if things go wrong. Your Affirming Official has to be someone with the power to guide and implement CMMC across your organization.

This holds true no matter what level of CMMC certification you’re seeking; you need a designated Affirming Official.

The Affirming Official is also a specific person, not a role.

This is a significant change from CMMC before the 2025 final rule. Prior to this point, organizations could sign off on CMMC as an organization, more or less anonymously. Penalties could fall on the company as a whole, but companies can take a lot of punishment and still keep going, so the penalties didn’t come across as sufficiently punitive to guide behavior.

In fact, it was a common issue for mid-level IT managers to handle the work, an IT director to sign off on it, and the documentation to be submitted; then, if gaps occurred, the senior leadership could claim they didn’t know, regardless of whether or not they actually had notice.

Obviously, this isn’t a good way to manage a framework that secures national security information. So, the DoD implemented the Affirming Official system to place that responsibility on an individual.

Many now-responsible individuals have met this change like a deer in the headlights. What was once a company-level responsibility now falls squarely on the shoulders of a specific person, and that person needs to be capable of handling the burden.

If you’re doing everything right, this should be no problem. If you were hoping to maintain ignorance and an avenue to disavow knowledge of problems, you’re going to face a rude awakening.

Not a One-Time Responsibility

It’s also important to recognize that under the current CMMC final rule, this attestation is not a one-time thing. Your affirming official will need to review and re-attest to the state of security on an annual basis. CMMC is not a one-and-done framework; it’s an ongoing state of compliance with continuous monitoring, evolving standards, and adaptation to a changing threat environment.

This also means that, if your leadership changes, you will need to assign a new Affirming Official to sign off on documentation. You can’t be left without a person responsible for your security.

All of this is a serious legal responsibility, not a formality.

What is the FCA?

The purpose of having an Affirming Official is to designate an individual responsible for implementing CMMC effectively. CMMC may be complex, but it’s not unattainable. The security controls and their goals are all well-outlined, both in CMMC and in the underlying documents like NIST SP 800-171.

In other words, there’s no excuse to fall short of the mark and still sign off on your implementation.

Your Affirming Official is responsible for saying, “Yes, we have complied, we’ve passed our audit, and we’re keeping on top of changing threats.”

Since CMMC is now a key part of many federal contracts within the DoD supply chain, many organizations are finding that they need this attestation to be valid before they can win their contracts, even contracts they had before.

Every requirement has its penalty for failure. Every attestation has a punishment for lying.

This is where the FCA comes in.

The FCA is the False Claims Act.

Unlike CMMC, the False Claims Act is very much not new. Its origins stretch all the way back to 1863 and the Civil War. Back then, defense contractors saw the war as a great opportunity to make money, especially by selling supplies to the government. But there were many instances of companies sending invoices for goods or services to the government and never actually providing those goods or services.

The solution, signed into law by Abraham Lincoln, is the False Claims Act. The law prohibits fraudulent activity amongst government contractors.

The False Claims Act has come into and fallen out of relevance many times over the last 150+ years. Most recently, it has come to the forefront because of frameworks like CMMC and the attestation requirements.

You see where this is going, right?

Your CMMC attestation is you saying to the government, “yes, we provide this service”, where “this service” is whatever your company does, secured by CMMC. This attestation, along with your audit results, is submitted to the government via the Supplier Performance Risk System or SPRS.

Modern enforcement efforts like the Civil Cyber-Fraud Initiative have used the False Claims Act to pursue contractors for making, you guessed it, false claims. Attesting to security when that security is not actually present is, by definition, a false claim.

How the FCA Matters to Your Affirming Official

We have the pieces; now we put them together.

As a company looking to work as part of the defense supply chain, you need to implement CMMC according to the level required by the information you’ll handle and the services you’ll provide.

This requires a lot of deep and detailed technical and personnel implementations to be considered valid, along with an audit you must pass.

In order to effectively implement CMMC, you need buy-in from leadership. Your top-level executives have to understand how important it is to get it right, and a specific senior-level member needs to stand by it. Whether this is your CEO, CIO, CISO, or someone else, they need power and control.

This is because your affirming official is the one who leads, guides, and enforces CMMC implementation. They may not be the one on the ground level pushing config files to servers, but they’re the one signing off on budgets to spin up monitoring, on system redesigns to segment systems and limit scope, and on identifying and implementing appropriate training for employees who access those systems.

Without the power and the will, there can be no security. If the executive team doesn’t care, it won’t get done.

The affirming official guides the work, and they stand by it. That’s fundamentally what the attestation means. It’s a high-level employee putting their name and career on the line. Submitting the attestation to the SPRS is making a legally binding statement.

Some organizations have tried to skirt the law by interpreting it narrowly. The FCA says, specifically, that “knowingly” submitting false information is a violation, which seems to leave the door open for failures nobody knew about to go unpunished. This is where the Affirming Official requirement comes back in: “knowingly” covers not just deliberate lying, but also deliberate ignorance of, or reckless disregard for, the validity of the information submitted.

It’s worth noting that the False Claims Act is not a punishment or penalty for having a poor implementation, or even for failing an audit. It’s specifically for lying about it if you did.

If you get a poor score, submit that poor score. If you have work to do and have to use POA&Ms to do it, say so and do so.

The FCA is used under the Civil Cyber-Fraud Initiative to punish Affirming Officials if they submit fraudulent scores.

That said, so far, the government hasn’t been going after specific individuals directly.

What Are the Penalties for FCA Violations?

FCA violations are mostly financial. An FCA lawsuit, once settled, typically results in a significant fine to the company. This fine can be over $250,000 per violation and tens of thousands more per false record, which means every invoice you’ve submitted since lying about your score or making another false claim. Since these can stack up very rapidly, and the government can fine up to triple the damages they suffer, you can easily reach millions of dollars in fines.

There have been numerous large lawsuits and settlements over the last year or so, all directed at organizations rather than individuals.

  • February 2025: Military benefits management firm TRICARE settled for $11.2 million for failing to perform continuous monitoring duties.
  • April 2025: Defense contractor MORSECORP settled for $4.6 million under an FCA violation for attesting to a false SPRS score.
  • July 2025: Defense contractors Raytheon and others settled for $8.4 million over failure to maintain security from years prior.
  • September 2025: Research university Georgia Tech settled for $875,000 over submitting a false SPRS score and failing to maintain security on systems handling CUI.

These are just some of the examples of settlements that have occurred recently. You can be sure that more will follow.

In some cases, especially if there’s egregious misconduct or serious fraud, other penalties can occur. Contractors can lose their contracts and be barred from getting more for several years, or even indefinitely. After all, if you’ve proven that you not only don’t take security seriously but you’re also willing to commit fraud about it, why would the DoD want to work with you again?

Individual Affirming Officials can also suffer significant reputational damage, and can lose their jobs over the liability they exposed their firms to. Needless to say, it’s hard to get another job in the same role once you’ve been responsible for millions of dollars in penalties.

And that’s not to mention secondary damages. Corporate insurance policies hike their rates, other contractors might refuse to work with you, you may need to halt operations to retool security, and more. A lot can go wrong, and those repercussions can linger.

Get it Right and Avoid the FCA

A key part of FCA violations is submitting incorrect information, whether or not you’re fully aware that it’s incorrect. Awareness is critical, both to avoiding FCA violations and to implementing your security properly in the first place.

Here at Ignyte, we’re happy to help. The Ignyte Assurance Platform is our solution to the knowledge burden. Frameworks like CMMC require hundreds of pieces of proof, logs, artifacts, and other details, and it can be very difficult to track each and every one of them across different teams, departments, systems, and apps.

By using our platform, you can track your implementation progress and accumulate all of your documentation in one place, easily accessed and easily used when you need to undergo an audit, validate your monitoring, or submit your scores.

Avoid penalties and the hassle of failure by getting it right the first time with the Ignyte Assurance Platform. To see how we can help, reach out to book a demo or have a discussion about your needs and what we can offer you.