
Loading summary
A
All right, folks, it is June of 2026 and the first False Claims act cybersecurity settlement for alleged non compliance with DoD cyber security requirements just dropped. And boy, is it a doozy. Can a single phone call from DIBCAC auditors cost you 75% of the value of your defense contract? That's what we're going to talk about today. Jason, this is a spicy one because this False Claims act settlement did not have a whistleblower. The contractor entered a perfect 110 self assessment score into the SPRs database. DIBCAC called them up in 2024 and it turns out their actual score was a negative 107 70. Now they're paying $57,000 to the government and the contracts that are in question were only worth 680 grand.
B
Jacob, you say that there was no whistleblower, but sometimes people just telling themselves. It's like when you try to sneak a couple cookies and forget to get all the crumbs that are on your chin, right? Especially with you, I'm sure things get
A
100% a lot, right?
B
This blows my mind. And why this blows my mind, Jacob, is because of the percentage value attached to the penalty. Every FCA that we've kind of talked about before, I think the general consensus was like, I'm so surprised. This is so low. I'm so surprised this is so low. And then all of a sudden, right here, no whistleblower attached, they told on themselves, put in the score, Dip cat, came a calling. This one's going to sting a little bit.
A
I mean, you might think that 500 grand isn't very expensive. If, if that's true, can you adopt me? Because $500,000 is a lot of money. $500,000 is especially a lot of money for this contractor because they have less than 50 employees. It's also a lot for this contractor because they only got paid 680 grand on the contracts in question. So with overhead, cost of business, all that stuff, plus the inflation after, you know, two or three years after they got paid, they definitely lost money on those contracts. I don't know a lot of small business defense contractors that can afford to lose money on contracts that they get awarded.
B
So.
A
So when you hear 500 grand, you're like, oh, that's not a lot of money on a relative basis. It's a ton of money.
B
And when you think about it, is the FCA juice really worth the squeeze? And I don't know, bro.
A
Well, you know, we're gonna talk about this at the end But I have a theory that we know a lot more about those alleged hundred plus FCA cases that we've been waiting to come around the corner. I think it might have something to do with how DIBCAC approached this one. I think there's going to be a lot of cases that are very similar to this. Let's just get right into the details here. DFARS 7012, CMMC. Newsflash everybody. They are different things. They are distinctly different things. Defense contracts have had DFARS clause 2522047012 in them since 2017. By accepting the contract, you are attesting to compliance with the CyberSecurity requirements in DFARS 7012. That means you are telling the government you have fully implemented the requirements in NIST Special Publication 800 171. In 2020, the CMMC 1.0 rule was released. But everybody forgets that it had two parts to the rule. One part was CMMC that was put on hold while we waited for years for the rulemaking process to complete, which has now completed and now we're in phase one of the rollout. But the other part that never went on pause was the DoD assessment methodology. That was the part that created DFARS clause 252204, 7019 and 7020. Those were the mechanisms that were making you conduct a self assessment, calculate a score and upload that score into the SPRS database. All of that was real and valid. 7012, 7019 70, 20. While everyone was thinking that CMMC was never going to happen. So a lot of People pencil whipped perfect 110 self assessment scores, uploaded those scores into SPRs. SPRs score submissions folks are official statements to the government. The second that you submit an invoice to get paid under those contracts, you, you have now committed fraud. You have now violated the False Claims act. And whether a whistleblower turns you in or whether the government decides to pursue you all on their own, that's now outside of your control. So a lot of people got visits from DIBCAC auditors as a result of these perfect scores. We had DIBCAC at CS2. We talked about the DIBCAC slides on this podcast and the DOD told everybody a red flag blaring red light is if you have a perfect score in SPRs, we're going to call you and we're going to ask you a couple questions to see if you pass the sniff test. In this case they didn't pass the sniff test. They were fined for non compliance on contracts that they worked on years ago. Nothing to do with cmmc. So if you entered a perfect score into SPRS and then you got a phone call from dibcac, you probably know better than I do. Let us know in chat. Are you part of an upcoming FCA settlement?
B
So, Jacob, I might know some people that might be letting us know in chat because a lot of organizations I talk to are like, hey, I've got this requirement that's just. And we break it down, let them know that it's just a DFAR7012 requirement, the input of the score and things like that. I'm just going to put in this 110 while we're getting the work done so that I can continue to build a government. And what I say is this is not going to turn out the way that you think it's going to turn out. One of the things that stuck out, particularly in this FCA case when reading was that they continuously build the government and every time they build the government was essentially lying, saying that I am compliant, I'm not. Which is what every single one of those people that I talk to and I'm like, this isn't going to end out good. Yeah, this is what it turns out to be, Jacob. This is. I'm telling you, this is. We're going to see a lot more of this.
A
I think so. I think so. But let's talk about this other detail because this was causing people to go for a loop on LinkedIn when we posted this. There was no whistleblower. So the False Claims act has a whistleblower provision in which an employee of a company committing fraud on government contracts can blow the whistle and file a key tam que tam. Whichever way, they can file a lawsuit essentially saying that this company is committing fraud and then the government can join that lawsuit and the whistleblower, if the settlement is reached or fines are issued, gets part of the money. And it's very lucrative for the whistleblowers. We've seen lots of whistleblower settlements come through the pipe over the last couple years regarding this exact same kind of non compliance. There was no whistleblower in this case. DIBCAC conducted what was known as a medium assessment under the DoD assessment methodology. Dibcat can show up to this day, to this day. Right now they can show up at any time and say, we want to see what's going on in here with regards to your cybersecurity compliance with existing cybersecurity requirements, folks. Nothing to do with the CMMC phase rollout. Fun fact. DIBCAC high assessments, as they were commonly referred to, were assessments and are assessments conducted in person on premises. Medium assessments were typically done just over the phone. So the posture of this contractor specifically was allegedly so bad that DIBCAC knew just over the phone that they were in gross violation, allegedly referred the case over to the DOJ, moved on to the next perfect score submitted in SPRs. And now a little while later, these guys are writing a check for $500,000.
B
Yeah, I think that's the. One of the craziest parts of this entire story is that, like, the medium assessment probably would be the one that if you were able to fluff it just a little bit, you're able to get through that without any, you know, testing of.
A
You're just talking to them on the phone. They're not looking at anything.
B
Hey, what are you doing here? Sounds like you know what you got going on, right? Like, this is a good story. You have been putting in 110. You have gotten $600,000 plus in contract money ordered to you. You can't even get the story right.
A
Yep. Yep. I mean, this could be because they didn't know what 171A was. It could be because they just put in a perfect score and said, we'll update it later. Could be lots of reasons why the score was entered as a 110. But ultimately, it doesn't matter because you told the government you were perfect. You got paid saying that you had done the thing. Turns out you didn't do the thing. And so now they want their money back, plus interest.
B
It's. It's the. The old adage. And, you know, I hate to jump off the topic, but, like, one of my favorite television shows is Modern Family, so I don't know if you've ever watched Modern Family, but the naggy step in the family house, right?
A
The.
B
The step that goes down from upstairs to downstairs. It. Phil constantly trips one. Every time he trips one, he goes, I should really fix that. Right? That's kind of what this is. We got the 110. We know. It's the naggy stare. Everybody is like, man, we should really fix that. We should really fix that. But they just keep tripping over it, and eventually somebody falls down the steps or you get hit with an FCA claim.
A
Yeah, well, I mean, this could be a pretty. A pretty lengthy staircase here, because I think that there are a lot more FCA cases to come that are exactly like this. If you've Been listening to the podcast. You know, we have heard through the rumor mill, through the grapevine that there are an absolute ton of, of these False Claims act cases moving their way through the system. We just talked about this on our halfway through the year prediction review show because this is the first one we've seen seen all year. DIBCAC made a lot of these phone calls from 2021 to 2025. We covered years ago a DOD IG note that came out during the holidays saying that DIBCAC was actively referring cases to the Department of Justice. And and so I think there's going to be a lot of these settlements that come out that don't have a whistleblower. They were the result of a DIBCAC medium confidence assessment. The contractor was completely off from their perfect score. They slap them with a fine and then they moved on. And then they moved on and they moved on and they moved on. There could easily be dozens and dozens or 100 or more of these cases exactly like this one that could all just go drop, drop, drop, drop, drop. And by the end of the year we could have a ton of these exactly in the same situation.
B
Yeah. One of the biggest discussions that we had about the DIBCAC variance and scores was like the 100 point sway from what people reported to what DIBCAC actually had. We had Nick Delroso multiple years ago at CS2 that, you know, showed us the slide that this is the variants that we're seeing right now. And it, like you said, it makes you wonder if those cases that they identified that turned into a slide are now cases that have turned into cases and now we're finally seeing them.
A
Yeah, I guess we should probably go back and look at the slide and see if there is one that says Perfect to negative one. 117. 100, what was it? Negative 117. What was there?
B
170.
A
1 70. Got to go back and look and see if one of the slides had a chart that was negative 170 and maybe that was this one. Maybe. There were lots of people that I've
B
heard of grading on a curve and margin for error, but I've.
A
Those are, you know, this is, this is why the CMMC program exists folks, because they came out with the 1.0 rule. Everybody said this is ridiculous. They put the third party assessment piece on pause. They kept going with the DIBCAC assessment piece and every time they showed up to a perfect self assessment score they had a result like this and they just referred to the doj, referred to the DOJ referred to the doj and now years later people are like, why would they possibly need a third party assessment program? This is why. Because why would you give contracts to people and then wait years later to find out they had messed it up? Make them prove it up front so we can save this whole process. It just makes the process faster. But this is definitely not the last False Claims act case to come out this year. I think we're going to see a lot of them as the result of DIBCAC phone calls which surprised a lot of people on LinkedIn. So if you get a call from DIBCAC, I hope you got your story straight. If you got a perfect score in SPRS and it's not real, you better go update it.
B
It's like that extra contributing player in a playoff run that helps the team get over the hump, right? Like the, the James Jones is world for the heat, right, where you're just draining threes in the playoff. Nobody knew who you were before. Everybody thought that it was just going to be whistleblower after whistleblower after whistleblower. And now a new contestants put their hat in the race. Right. And now we got dibcat contributing. So I'm more confident in our prediction numbers now.
A
Yeah, yeah. We'll have to see, but there you go. We'll link to the settlement below. We'll link to the press release below. What do you think? Do you think we're gonna see. Do you think we're gonna hit the dozen false claims acceleraments by the end of the year that we predicted? We're coming up on less than six months left in the year. I don't know. I think so. Let us know what you think in chat like and subscribe. We'll see you next week.
B
See you next week.
Sum IT Up: CMMC News Roundup Episode: A Perfect SPRS Score Turned Into a $507K Settlement Date: June 25, 2026 Host: Summit 7
This episode dives deep into a landmark False Claims Act (FCA) settlement against a small defense contractor who entered a perfect SPRS (Supplier Performance Risk System) self-assessment score, only to be found massively non-compliant during a DIBCAC (Defense Industrial Base Cybersecurity Assessment Center) phone audit. Without a whistleblower, the government itself initiated the investigation, resulting in a $507,000 settlement — roughly 75% of the value of the contracts in question. The hosts unpack what this means for defense contractors, the risks of inaccurate SPRS scores, and why many more similar settlements could be on the horizon.
Summary of the Case
Size and Impact
Phone (Medium) Assessments
Implication:
Hosts predict dozens, possibly over a hundred, more FCA settlements like this one as DIBCAC wraps up years of audits triggered by suspicious SPRS entries.
Past DIBCAC slide decks have shown massive average swings (up to 100 points) between self-reported and real assessment scores.
The episode reinforces the necessity for third-party assessments (CMMC) to prevent years of unnoticed non-compliance.
On the scale of the fine:
Self-incrimination:
On submitting false scores:
Memorable analogy:
Links to the official press release and settlement are promised in the episode’s show notes. The hosts encourage feedback and discussion from listeners, especially from those who may have gone through or are anticipating DIBCAC assessments and possible FCA claims.
End of Summary