The Aerojet Rocketdyne settlement is the most important legal precedent in the CMMC era. It happened before CMMC was fully implemented, and it already defined the enforcement landscape every defense contractor is operating in today.
The facts of the case, the legal theory that succeeded, and the practical lessons are directly applicable to every organization that submits a CMMC self-assessment score and has a senior official affirm it.
Brian Markus, a former senior director of cybersecurity at Aerojet Rocketdyne Holdings, Inc., filed a qui tam lawsuit in 2015 under the False Claims Act (FCA). Markus alleged that Aerojet had misrepresented its compliance with cybersecurity requirements in Department of Defense (DoD; redesignated the Department of War by executive order in September 2025) and NASA contracts.
The specific allegation: Aerojet executives and managers were aware that the company was not meeting its contractual cybersecurity obligations, including requirements derived from NIST 800-171 and the DFARS 252.204-7012 clause, but continued to certify compliance while bidding on and performing government contracts.
Markus alleged that he had internally flagged the cybersecurity gaps to leadership and that the company had chosen to continue certifying compliance rather than remediate the gaps. When his internal reports were ignored, he filed the qui tam complaint.
In July 2022, Aerojet Rocketdyne settled with the Department of Justice for $9 million. The settlement did not require an admission of liability, but the size of the settlement and the factual basis for the complaint established the legal theory’s viability.
The Aerojet case was not built on a direct contractual fraud claim. It was built on the implied certification theory under the False Claims Act.
The implied certification theory, which the Supreme Court affirmed in Universal Health Services, Inc. v. United States (2016), holds that when a contractor submits a claim for payment while failing to disclose a known, material violation of a contractual or statutory requirement, that submission constitutes a false claim. The contractor does not have to explicitly lie. Simply submitting an invoice while knowing you are not meeting a material requirement is enough.
For cybersecurity compliance, the theory works the same way: a contractor that submits invoices on a DoD contract while knowing it is not meeting a material cybersecurity requirement has submitted a false claim, even though no invoice ever states anything about cybersecurity.
Materiality is the key legal element. In Universal Health Services, the Supreme Court established that a condition is material if it goes to the essence of the contract, not just if it was a listed requirement. The Court also noted that whether the government would actually withhold payment is not determinative of materiality.
For CMMC, the DoD has made clear that cybersecurity compliance is a material contract requirement. The mandatory affirmation mechanism, the SPRS submission requirement, and the False Claims Act enforcement program all signal that the DoD considers cybersecurity compliance to go to the essence of its contracts.
Markus filed the complaint as a private citizen using the qui tam (“who as well”) provision of the False Claims Act (31 U.S.C. § 3730). Qui tam allows private individuals, called relators, to file lawsuits on behalf of the federal government. If the case succeeds, the relator receives between 15% and 30% of the government’s recovery.
This mechanism has profound implications for defense contractors:
Any employee who is aware of cybersecurity misrepresentation can file a qui tam complaint. This includes current employees, former employees, consultants, contractors, and anyone else with firsthand knowledge of the gap between stated and actual compliance.
The $9 million settlement means the relator (Markus) received between $1.35 million and $2.7 million for filing the complaint. That financial incentive exists for every employee at every defense contractor who is aware of CMMC misrepresentation.
The DoJ Civil Division has a formal CMMC enforcement initiative. It is actively encouraging qui tam relators in cybersecurity cases. The infrastructure for enforcement is built and operational.
Some contractors look at the Aerojet timeline and note that the complaint was filed in 2015 and settled in 2022. Seven years is a long time. The conclusion they draw: there is enough lead time to address this if it comes up.
That framing misses several important points.
First, the seven-year timeline was the duration of litigation, not a response window. The qui tam complaint was filed under seal. Aerojet did not know about it for years. The investigation was ongoing while the company continued performing on government contracts.
Second, the legal exposure compounds over time. Each payment received under a contract while compliance misrepresentation is ongoing is a potential false claim. The FCA’s treble damages provision means the government can seek three times the total payments received under the affected contracts. For a company like Aerojet with billions in DoD revenue, the potential exposure far exceeded the $9 million settlement.
Third, the whistleblower’s personal financial incentive grows over time. Every additional year of false claims is additional damages against which the relator’s 15-30% share is calculated. Long-running misrepresentation is more financially attractive to a potential relator than a short-term gap quickly corrected.
The Aerojet case predates the CMMC affirmation requirement. The cybersecurity compliance misrepresentation in that case was implied through contract clause compliance.
Under CMMC, the affirmation makes the representation explicit. When a senior official affirms a CMMC self-assessment or C3PAO assessment result, they are making a direct, signed, dated attestation of compliance accuracy. That affirmation is recorded in SPRS and is part of the contract award record.
An explicit, signed affirmation that is inaccurate is a materially stronger FCA case than an implied certification case. The relator’s burden of proof is lower. The government’s damages calculation is cleaner. The individual executive who signed the affirmation is personally exposed, not just the corporate entity.
Lesson 1: The security team’s assessment matters legally.
In Aerojet, the cybersecurity team was aware of gaps and documented them internally. That documentation became evidence in the litigation. If your security team identifies gaps and leadership decides not to remediate them, that decision should be made with legal counsel’s input, not treated as a routine business tradeoff.
Lesson 2: Internal reports create a record.
Markus’s internal reports to leadership were central to the complaint. Any internal communication documenting known compliance gaps, such as emails, presentations, audit findings, or gap assessment reports, creates a litigation record. Organizations that know about gaps and have documented them have a smaller window to act before potential liability attaches.
Lesson 3: The SPRS score must reflect reality.
Aerojet’s contracts required cybersecurity compliance. Under CMMC, the SPRS score is the explicit record of the compliance representation. An SPRS score that misrepresents the organization’s actual posture is not just a compliance gap — it is the documentary evidence of a false claim.
Lesson 4: Former employees are the primary source of qui tam complaints.
Markus was a former employee. Most qui tam complainants are former employees. The relationship between your organization and departing employees who worked in security, compliance, or IT is a risk factor. Organizations that treat compliance seriously, address known gaps, and maintain honest records reduce the probability that a departing employee has grounds for a complaint.
Lesson 5: The $9 million settlement is not the ceiling.
Aerojet settled for $9 million. That number reflects the specific facts, the negotiation, and the decision to settle rather than litigate to judgment. For organizations with larger contract bases and longer periods of misrepresentation, the treble damages exposure is higher. The settlement amount should be understood as a data point, not a cap.
The Aerojet case is not an argument for compliance theater — a surface-level compliance program designed to produce records that make it look like you are compliant while knowing you are not. That approach is exactly what the FCA is designed to address.
Good-faith compliance means being honest about gaps, systematic about remediation, and transparent in submissions.
Organizations that approach CMMC this way — honest about gaps, systematic about remediation, transparent in their submissions — have the best legal posture if questions arise about their compliance status. A documented history of good-faith compliance effort is the strongest defense against qui tam liability.
For the full CMMC program overview, see the CMMC 101: The Complete Guide to CMMC Compliance for Defense Contractors.
Concerned about your organization’s current compliance posture and the legal exposure it creates? NR Labs provides CMMC gap assessments designed to give you an accurate, defensible picture of where you stand. Contact us to get started.
The implied certification theory, affirmed by the Supreme Court in Universal Health Services v. United States (2016), holds that submitting a claim for payment while knowingly failing to meet a material contractual requirement constitutes a false claim under the False Claims Act. For CMMC, this means any contractor that submits invoices on a DoD contract while knowing they are not meeting cybersecurity requirements is potentially liable for treble damages and civil penalties per false claim.
Yes. The CMMC affirmation is a direct, signed attestation of compliance accuracy recorded in SPRS. When an individual executive signs an affirmation that is inaccurate, they are personally exposed to False Claims Act liability, not just the corporate entity. This makes the CMMC affirmation a materially stronger FCA case than the implied certification theory used in the Aerojet case.
Under the qui tam provision of the False Claims Act (31 U.S.C. § 3730), any individual with firsthand knowledge of cybersecurity compliance misrepresentation can file a lawsuit on behalf of the federal government. If the case succeeds, the relator receives between 15% and 30% of the government’s recovery. In the Aerojet case, this meant the whistleblower received between $1.35 million and $2.7 million from the $9 million settlement.