The Aerojet Rocketdyne settlement was $9 million. A former employee filed a qui tam lawsuit alleging that the company had misrepresented its cybersecurity compliance on contracts with the Department of Defense (DoD; redesignated the Department of War by executive order in September 2025) and NASA. The core allegation: Aerojet knew it was not meeting the required security controls and certified compliance anyway.
That settlement will not be the last. The DOJ Civil Division runs an active enforcement effort aimed at exactly this kind of cybersecurity misrepresentation (the Civil Cyber-Fraud Initiative), and the False Claims Act's qui tam provisions give employees, competitors, and other whistleblowers both a direct mechanism and a financial incentive to bring evidence of misrepresentation to the government.
Most CMMC compliance failures are not intentional fraud. They are the result of predictable, preventable mistakes that are made repeatedly across the defense industrial base. This article covers the five most common and most costly ones.
The most damaging mistake a defense contractor can make is treating CMMC as a contract-response task. The thinking goes: when a solicitation arrives that requires a Level 2 certification assessment by a C3PAO (Certified Third-Party Assessment Organization), we will start the process.
The problem is that C3PAO certification has a real-world lead time measured in months, not weeks. Scoping and a gap assessment take weeks. Remediation of significant gaps takes 12 to 24 months for an organization starting from a low baseline. The C3PAO assessment itself must be scheduled in advance. A Conditional certification allows 180 days to close out the remaining POA&M items. Added together, the realistic minimum from starting to certified is about 12 months for a well-prepared organization and 18 to 24 months for one with significant gaps.
When Phase 2 solicitations begin appearing in late 2026, any contractor who has not started their program will be unable to compete for those awards. The window to build a CMMC program that supports contract performance during the Phase 2 and Phase 3 rollout is open right now and narrowing.
What to do instead: Start your gap assessment now, whether or not a specific solicitation has arrived. If you handle CUI under a DoD contract, DFARS 252.204-7012 already obligates you to implement NIST SP 800-171; CMMC adds third-party verification of an obligation you already have. Treat CMMC readiness as an ongoing program, not a pre-bid activity.
The Supplier Performance Risk System (SPRS) score is where many compliance representations go wrong. Organizations self-assess against the DoD Assessment Methodology, find that their score is lower than they would like, and then either leave known gaps out of the scoring or count "partially implemented" as "Met." The methodology does not work that way: each of the 110 requirements is either met or not, an unmet requirement subtracts 1, 3, or 5 points from a perfect 110, and partial credit is defined for only two requirements (multi-factor authentication and FIPS-validated encryption).
This is a serious problem for two reasons.
First, inflating your SPRS score is a potential False Claims Act violation. When a senior official affirms the accuracy of a SPRS submission under penalty of law and the submission overstates compliance, that affirmation is the false statement on which liability rests. Under 31 U.S.C. § 3729, the government can recover treble damages plus a civil penalty for each false claim, and anyone with knowledge of the misrepresentation, an employee included, can file a qui tam suit on the government's behalf.
Second, an inflated SPRS score creates real security risk. If you tell yourself and your customers that you have controls you do not have, you are managing risk against a false picture of your posture. When a breach occurs, the gap between your stated compliance and your actual controls will be laid out in the litigation record.
What to do instead: Score accurately. A lower SPRS score is not a disqualifier in and of itself. It is data. It tells you what gaps need to be fixed and in what priority order. Build a POA&M, remediate the gaps systematically, and resubmit as your posture improves. A well-documented gap assessment and an honest SPRS score with a credible POA&M is far better than a fraudulent score.
The System Security Plan is the most commonly deficient artifact in CMMC gap assessments. It is also the artifact that C3PAO assessors rely on most heavily to understand your environment and evaluate your controls.
Two SSP failure modes appear repeatedly:
A third SSP failure is the outdated SSP: a document that was written a year or two ago and has not been updated to reflect changes to the IT environment, new systems, new personnel, or changes to how CUI is handled.
What to do instead: Build the SSP to reflect your current, actual security posture. For each requirement, document the current implementation status (Implemented, Partially Implemented, Planned, Alternative Implementation, or Not Applicable), describe specifically how it is implemented, and reference supporting evidence artifacts. Update it when your environment changes. Treat it as a living document, not a one-time deliverable.
Plan of Action and Milestones (POA&M) management has three common failure modes.
What to do instead: Before finalizing your POA&M, verify that none of the six requirements the CMMC rule (32 CFR 170.21) bars from a Level 2 POA&M are on it. Build timelines from actual remediation complexity and your team's real bandwidth. When pursuing Conditional certification, treat the 180-day window as a hard deadline, because a Conditional certification that is not closed out in time lapses, and plan for the remediation work to finish at least 30 days early to leave room for evidence collection and closeout preparation.
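A small POA&M lint that automates the checks above, added here as an example; it is not code from the original article or from NR Labs. It encodes the six requirements that 32 CFR 170.21(a)(2) excludes from a Level 2 POA&M and the rule's bar on deferring 5-point requirements other than a partially met 3.13.11, computes the 180-day closeout deadline and the 30-day internal target from the Conditional certification date, and flags every item that violates one of those constraints. The sample items, their weights and dates are constructed for illustration: take requirement weights from your own SPRS assessment and verify the excluded-requirement list against the current rule text.

```python
"""POA&M lint for a CMMC Level 2 Conditional certification.

Added example, not code from the original article. Flags items that cannot
be deferred to a POA&M and milestones that leave too little closeout margin.
Requirement IDs are NIST SP 800-171 identifiers; the excluded-requirement
set and the sample weights should be verified against your own assessment
and the current text of 32 CFR 170.21.
"""
from dataclasses import dataclass
from datetime import date, timedelta

CONDITIONAL_WINDOW_DAYS = 180   # closeout window for a Conditional certification
BUFFER_DAYS = 30                # internal margin recommended above

# The six requirements 32 CFR 170.21(a)(2) bars from a Level 2 POA&M
# (assumption: verify against the current rule text before relying on it).
NEVER_ON_POAM = {"3.1.20", "3.1.22", "3.10.3", "3.10.4", "3.10.5", "3.13.16"}
# The one 5-point requirement that may be deferred, and only when
# encryption is in place but not FIPS-validated (partial credit).
FIPS_EXCEPTION = "3.13.11"


@dataclass(frozen=True)
class PoamItem:
    req_id: str             # e.g. "3.5.3"
    weight: int             # 1, 3 or 5 from the DoD Assessment Methodology
    due: date               # planned completion date
    partially_met: bool = False


def lint_poam(items, conditional_date):
    """Return (deadline, internal_target, findings).

    findings is a list of (req_id, reason) tuples; an empty list means the
    POA&M passes every check implemented here.
    """
    deadline = conditional_date + timedelta(days=CONDITIONAL_WINDOW_DAYS)
    internal_target = deadline - timedelta(days=BUFFER_DAYS)
    findings = []
    for item in items:
        if item.req_id in NEVER_ON_POAM:
            findings.append((item.req_id, "may not appear on a Level 2 POA&M"))
        if item.weight == 5 and not (item.req_id == FIPS_EXCEPTION and item.partially_met):
            findings.append((item.req_id, "5-point requirement cannot be deferred"))
        if item.due > deadline:
            findings.append((item.req_id, f"due {item.due} is after the closeout deadline {deadline}"))
        elif item.due > internal_target:
            findings.append((item.req_id, f"due {item.due} leaves under {BUFFER_DAYS} days for closeout"))
    return deadline, internal_target, findings


# Constructed sample POA&M: the IDs are real SP 800-171 identifiers, but the
# weights, dates and statuses are illustrative only.
SAMPLE_CONDITIONAL_DATE = date(2026, 1, 15)
SAMPLE_ITEMS = [
    PoamItem("3.1.3", 1, date(2026, 4, 30)),                       # passes
    PoamItem("3.1.20", 1, date(2026, 3, 1)),                       # excluded requirement
    PoamItem("3.5.3", 5, date(2026, 5, 15)),                       # 5-point, not deferrable
    PoamItem("3.13.11", 5, date(2026, 6, 1), partially_met=True),  # allowed exception
    PoamItem("3.3.3", 1, date(2026, 7, 1)),                        # inside deadline, no margin
    PoamItem("3.4.3", 1, date(2026, 8, 1)),                        # past the deadline
]


def run_sample():
    """Lint the constructed sample against its Conditional certification date."""
    return lint_poam(SAMPLE_ITEMS, SAMPLE_CONDITIONAL_DATE)


if __name__ == "__main__":
    deadline, target, findings = run_sample()
    print(f"closeout deadline {deadline}, internal target {target}")
    for req_id, reason in findings:
        print(f"  {req_id}: {reason}")
```

Run it as a pre-closeout gate: a non-empty findings list means the POA&M should not be finalized. For the constructed sample the 15 January 2026 Conditional date yields a 14 July deadline and a 14 June internal target, and four of the six items are flagged.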
This mistake is not visible until it is too late. An organization selects a CMMC Registered Provider Organization (RPO) based on the lowest price and receives a gap assessment that looks comprehensive, produces a polished deliverable, and leaves the organization believing they are ready for a C3PAO assessment.
When the C3PAO arrives and starts testing actual controls, they find gaps the RPO missed. Evidence documentation is missing. The SSP describes controls that are not implemented. The assessment produces a long list of Not Met findings, remediation requirements, and a delayed or failed certification.
The cost of choosing the wrong RPO is measured in: the C3PAO assessment fees spent on an unsuccessful assessment, the time and cost of additional remediation, the delay in achieving certification, and potentially lost contracts during the gap period.
What distinguishes a capable CMMC RPO from a less capable one:
What to do instead: Vet your CMMC RPO before signing an engagement. Ask about credentials, methodology, and the specific experience of the people who will work on your engagement. A lower price with a less capable team is a false economy.
These five mistakes share a common thread: they all stem from treating CMMC as a documentation exercise rather than a real security program.
CMMC is a verification program. C3PAOs are trained to distinguish between organizations that have actually implemented security controls and organizations that have written documents saying they have. The depth of testing in a C3PAO assessment, including technical verification, system log review, and interviews with multiple personnel, is designed specifically to find the gap between documentation and reality.
The organizations that succeed in CMMC assessments are the ones that built real security programs, documented them accurately, and engaged partners who understood what assessors actually look for.
For the complete CMMC framework, see CMMC 101: The Complete Guide to CMMC Compliance for Defense Contractors.
Concerned your current CMMC program has one of these gaps? NR Labs provides CMMC gap assessments and program reviews designed to identify and fix exactly these kinds of issues before they become assessment failures. Contact us to schedule a review.