
One defense contractor submitted a compliance score of 104 out of 110. Their actual score, when a third party looked, was negative 142. They paid $4.6 million. The IT company that helped them build that score is still in business.
$4.6M: paid by MORSE Corp for submitting a false SPRS score; the whistleblower received $851K
-142: MORSE Corp's actual CMMC score, versus the 104 out of 110 they reported to the DoD
$11.25M: settlement paid by Health Net for falsely certifying compliance for three years
YOU: the person who signs the affirmation, and the person personally liable when it's wrong
Here’s something nobody in the compliance industry will say out loud, so I will.
The checklist your IT company gave you is probably wrong.
Not wrong because they’re incompetent. Not wrong because they cut corners intentionally. Wrong because compliance — real compliance, the kind that holds up under a DOJ investigation — is not a checklist. It’s a documented, tested, evidence-backed state of your actual security environment. And most of the checklists circulating through the OC and LA defense supply chain right now were built by IT professionals who understand technology but not the legal weight of what they’re asking you to sign.
Because here’s what most business owners don’t realize: when you submit your SPRS score or sign an annual CMMC affirmation, the affirming official — a senior company executive — is personally attesting to compliance under penalty of law. This is not a task to delegate to IT without verification.
The IT company fills out the checklist. The IT company calculates the score. Then the IT company hands you a pen.
And you sign it.
⚠ This Is Not a Hypothetical
In 2025, MORSE Corp paid $4.6 million to resolve False Claims Act allegations. They had submitted an SPRS score of 104 out of a maximum of 110. When a third-party consultant actually looked at their environment, the real score was negative 142. The case was initiated by a whistleblower — a former employee — who received $851,000 as part of the settlement. The IT team that built that score was not named in the settlement. The company was. The executives who signed were. The IT vendor moved on to the next client.
How a Business Owner Ends Up Signing a Wrong Compliance Checklist
It doesn’t happen because of malice. It happens because of a very understandable sequence of events that plays out across the OC defense supply chain constantly.
Step 1: You hire an IT company to handle compliance.
Your prime contractor starts asking about CMMC. You don’t have time to become a cybersecurity expert. Your IT company says they handle this. You’re relieved. You move on.
Step 2: Your IT company gives you a checklist.
They run through your environment, check some boxes, calculate a score, and produce documentation. It looks thorough. It has sections and subsections and checkmarks. The SPRS score they calculate is pretty good — maybe not perfect, but respectable. You review it briefly. It looks fine.
Step 3: You sign.
The affirmation goes into SPRS. Your score is posted. You’re compliant, on paper.
Step 4: Nobody checks — until someone does.
For months or years, nobody looks too closely. Your contracts continue. Renewals go through. Everything is fine. Until it isn’t.
A competitor loses a contract to you and files a qui tam action. A disgruntled former employee knows the documentation doesn’t match reality. A government audit flags inconsistencies between your submitted score and what an assessor finds when they actually test your environment.
Now the DOJ is involved. Now the question isn’t whether your IT company’s checklist was accurate. The question is whether you knowingly — or recklessly — submitted a false certification.
The False Claims Act does not require specific intent to defraud. “Knowingly” means actual knowledge, deliberate ignorance of the truth, or reckless disregard of the truth or falsity of information. A contractor that signs an annual affirmation without verifying the accuracy of its compliance status may be accused of acting with “reckless disregard” sufficient to establish FCA liability.
Reckless disregard. Not intentional fraud. Reckless disregard.
That means signing a checklist you didn’t personally verify may be enough.
📌 Three Real Cases. Three Different Companies. The Same Pattern.
MORSE Corp (2025): Submitted SPRS score of 104. Real score: -142. Settlement: $4.6 million. Whistleblower: a former employee who received $851K.
Health Net Federal Services (2025): Falsely certified cybersecurity compliance in their TRICARE contract from 2015–2018. Failures in vulnerability scanning, patch management, and password policies — while continuing to claim compliance in annual reports. Settlement: $11.25 million.
Raytheon/RTX Corporation (2025): Falsely represented compliance while using a noncompliant internal system across 29 DoD contracts. Settlement: $8.3 million. Whistleblower: a former Director of Engineering.
In all three cases, the organization signed off on compliance that didn’t exist. In all three cases, someone inside knew.
What a Compliance Checklist Gets Wrong — and Why It Matters for OC Contractors
Most compliance checklists built by IT companies are based on self-reported implementation. Meaning: they ask whether a control exists, not whether it actually works.
Here’s the difference in practice.
A checklist asks: Do you have multi-factor authentication enabled?
Your IT person checks: Yes, MFA is enabled on Microsoft 365.
The checklist marks it: ✓
What the checklist doesn’t ask: Is MFA enforced for all users, on all applications, including legacy protocols that can bypass it? Are there service accounts that aren’t covered? Are remote access tools — VPN, RDP, remote desktop — also behind MFA? Is MFA enforced on your backup systems?
An assessor who actually tests your environment will check all of that. And when they find the gaps — which they almost certainly will — the question becomes: was the check in the box accurate? Or was it aspirational?
This happens across every CMMC domain. Access controls that exist on paper but aren’t actually enforced. Audit logs that are configured but not reviewed. Incident response plans that were written once in 2022 and never tested. System Security Plans that describe what the environment is supposed to look like, not what it actually looks like.
That gap — between “we have a policy” and “the policy is enforced, tested, and documented” — is where False Claims Act liability lives.
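The MFA example above can be turned into something an assessor can actually run against exported evidence. The following is an added illustration, not code from the original article or from Intelecis: the accounts, policies and systems are constructed sample data standing in for an identity-provider export and a remote-access inventory, and the names and policy shapes are hypothetical rather than any product's API. It records both answers side by side: the checklist's "is an MFA policy enabled?" and the assessor's "where, concretely, is MFA not enforced?".

```python
"""Evidence-based check of the 'Do you have MFA enabled?' checklist item.

All data here is constructed: the accounts, policies and systems stand in for
an identity-provider export and a remote-access inventory. Names and policy
shapes are hypothetical, not any particular product's API.
"""
from dataclasses import dataclass, field


@dataclass
class Account:
    name: str
    kind: str                      # "user" or "service"
    groups: set = field(default_factory=set)
    mfa_registered: bool = False   # has the person enrolled a second factor?


@dataclass
class MfaPolicy:
    name: str
    enabled: bool                  # report-only or disabled policies enforce nothing
    include_groups: set            # {"All"} means every account in the tenant
    exclude_accounts: set = field(default_factory=set)
    blocks_legacy_auth: bool = False  # legacy protocols (IMAP, POP, SMTP AUTH) cannot prompt for MFA


@dataclass
class RemoteSystem:
    name: str
    kind: str                      # "vpn", "rdp", "backup"
    mfa_enforced: bool


def policy_covers(policy, account):
    """True when an enabled policy's scope reaches this account and does not exclude it."""
    if not policy.enabled or account.name in policy.exclude_accounts:
        return False
    return "All" in policy.include_groups or bool(policy.include_groups & account.groups)


def checklist_answer(policies):
    """What a self-reported checklist records: is *an* MFA policy switched on?"""
    return "yes" if any(p.enabled for p in policies) else "no"


def assess_mfa(accounts, policies, systems):
    """What an assessor records: each place MFA is not actually enforced."""
    gaps = {
        "not_in_policy_scope": [a.name for a in accounts
                                if not any(policy_covers(p, a) for p in policies)],
        "users_not_registered": [a.name for a in accounts
                                 if a.kind == "user" and not a.mfa_registered],
        "legacy_auth_open": not any(p.enabled and p.blocks_legacy_auth for p in policies),
        "systems_without_mfa": [s.name for s in systems if not s.mfa_enforced],
    }
    has_gap = (gaps["not_in_policy_scope"] or gaps["users_not_registered"]
               or gaps["legacy_auth_open"] or gaps["systems_without_mfa"])
    return {
        "checklist_answer": checklist_answer(policies),
        "evidence_answer": "no" if has_gap else "yes",
        "gaps": gaps,
    }


# Constructed sample environment (hypothetical names).
ACCOUNTS = [
    Account("alice", "user", {"Staff"}, mfa_registered=True),
    Account("bob", "user", {"Staff"}, mfa_registered=False),     # in scope, never enrolled
    Account("carol", "user", {"Staff"}, mfa_registered=True),    # excluded "temporarily"
    Account("svc-backup", "service", {"ServiceAccounts"}),       # no policy targets its group
]
POLICIES = [
    MfaPolicy("Require MFA - Staff", enabled=True, include_groups={"Staff"},
              exclude_accounts={"carol"}, blocks_legacy_auth=False),
]
SYSTEMS = [
    RemoteSystem("Corp VPN", "vpn", mfa_enforced=True),
    RemoteSystem("Jump host RDP", "rdp", mfa_enforced=False),
    RemoteSystem("Backup console", "backup", mfa_enforced=False),
]

if __name__ == "__main__":
    import json
    print(json.dumps(assess_mfa(ACCOUNTS, POLICIES, SYSTEMS), indent=2))
```

On the constructed data the checklist answer is "yes" while the evidence answer is "no", with four named gaps (an excluded user, an unscoped service account, an unenrolled user, legacy authentication still open, and two remote systems without a second factor). The point of keeping both answers in the same report is that the gap list is the artifact that either supports the affirmation or shows why it cannot be signed yet.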
🚨 The Whistleblower Is Often Someone You Know
In the MORSE Corp case, the whistleblower was a former employee. In the Raytheon case, a former Director of Engineering. In the Penn State case, a former CIO. These weren’t external investigators who stumbled onto the problem. They were people who worked inside the organization, knew what the documentation said, knew what the reality was, and eventually decided to act on that knowledge. The False Claims Act makes it financially rewarding to do so. Whistleblowers receive between 15% and 30% of the government’s recovery. In the MORSE Corp case, that was $851,000. If someone in your organization knows your SPRS score doesn’t reflect reality, they know what it’s worth to report it.
The Conversation Most Business Owners Haven’t Had With Their IT Company
You hired your IT company to handle compliance. You trusted the checklist. You signed the affirmation. You moved on.
Here are the questions you should have asked — and should ask now, before the next renewal:
- Who specifically built this compliance assessment, and what are their credentials in CMMC or NIST 800-171?
- Is the score based on documented, tested implementation — or self-reported configuration?
- Have you physically tested whether each control actually works, or only confirmed that it exists?
- If an independent C3PAO walked into our environment tomorrow, what would they find?
- What is our actual SPRS score if we score conservatively rather than optimistically?
- Is our System Security Plan current — does it accurately describe our environment as it exists today?
- Have our incident response plan and backup procedures been tested in the last 12 months?
If your IT company hesitates on any of these, that hesitation is information.
And if you’ve been signing compliance documents without asking them — that’s the conversation to have before someone else forces it.
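The question about scoring conservatively rather than optimistically has a concrete arithmetic behind it. As an added example (not code from the original article or from Intelecis), the block below scores the same environment twice using the DoD Assessment Methodology for NIST SP 800-171: start at 110 and subtract each unimplemented control's weight of 1, 3 or 5. The ten-control subset and its weights are assumed for illustration rather than copied from the published table, controls not listed are assumed implemented, and the partial-credit values the methodology permits for a few controls are not modelled. The self-reported set is chosen so the checklist score comes out at 104, the figure the article cites, which makes the drop under testing easy to read.

```python
"""Optimistic vs. tested SPRS scoring over a constructed control subset.

Scoring follows the DoD Assessment Methodology for NIST SP 800-171: start at
110 and subtract the weight (1, 3 or 5) of every control that is not
implemented. The ten controls below and their weights are illustrative
(assumed, not copied from the methodology table); controls not listed are
assumed implemented, and the partial-credit values the methodology allows for
a few controls are not modelled.
"""
from dataclasses import dataclass

MAX_SCORE = 110


@dataclass(frozen=True)
class Control:
    id: str
    title: str
    weight: int   # 1, 3 or 5 under the methodology

    def __post_init__(self):
        if self.weight not in (1, 3, 5):
            raise ValueError(f"{self.id}: weight must be 1, 3 or 5")


# Constructed subset with assumed weights.
CONTROLS = [
    Control("3.1.1", "Limit system access to authorized users", 5),
    Control("3.1.12", "Monitor and control remote access sessions", 5),
    Control("3.3.1", "Create and retain system audit logs", 5),
    Control("3.3.3", "Review and update logged events", 1),
    Control("3.5.3", "Multifactor authentication for network and privileged access", 5),
    Control("3.5.7", "Enforce minimum password complexity", 1),
    Control("3.6.3", "Test the incident response capability", 1),
    Control("3.11.2", "Scan for vulnerabilities periodically", 5),
    Control("3.13.11", "FIPS-validated cryptography to protect CUI", 5),
    Control("3.14.1", "Identify, report and correct system flaws", 5),
]


def sprs_score(controls, implemented):
    """Score = 110 minus the weights of every control not in `implemented`."""
    known = {c.id for c in controls}
    unknown = set(implemented) - known
    if unknown:
        raise ValueError(f"unknown control ids: {sorted(unknown)}")
    return MAX_SCORE - sum(c.weight for c in controls if c.id not in implemented)


def score_gap(controls, self_reported, tested):
    """Compare the score a checklist would post with the score tested evidence supports."""
    optimistic = sprs_score(controls, self_reported)
    conservative = sprs_score(controls, tested)
    return {
        "self_reported": optimistic,
        "tested": conservative,
        "overstated_by": optimistic - conservative,
        # controls the checklist marked implemented that testing could not confirm
        "checked_but_not_working": sorted(set(self_reported) - set(tested)),
    }


# Constructed statuses: the checklist marks eight of ten as implemented (score 104,
# chosen to match the figure the article cites); testing confirms only two of them.
SELF_REPORTED = {c.id for c in CONTROLS} - {"3.6.3", "3.13.11"}
TESTED = {"3.1.1", "3.5.7"}

if __name__ == "__main__":
    for key, value in score_gap(CONTROLS, SELF_REPORTED, TESTED).items():
        print(f"{key}: {value}")
```

Because most controls carry a five-point weight, a handful of "configured but not working" findings removes tens of points, which is why a checklist score and a tested score for the same environment can sit so far apart. The "checked_but_not_working" list is also the starting point for the POA&M the next section recommends.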
“A lower SPRS score that’s accurate is infinitely better than a high score that isn’t. One is a compliance gap. The other is a federal fraud case.”
What to Do If You’re Not Sure Whether Your Compliance Documentation Is Accurate
First: don’t panic. The DOJ has consistently credited self-disclosure and good-faith remediation in past settlements, including cases where the initial posture was significantly deficient. Document any gaps in a POA&M and track your progress toward closing them.
Second: get an independent gap assessment — not from the same company that built your original compliance documentation. An independent review tells you where your real score is, what the gaps are, and what it would take to close them honestly.
Third: if your SPRS score is inaccurate, correct it. A lower accurate score is not an admission of fraud. It’s evidence of good faith. An inflated score that stays on file while you know it’s wrong is the scenario the DOJ is pursuing.
Fourth: understand what you’re personally signing. The CMMC affirmation is not a formality. It is a legal certification under federal law. Before the next renewal, have your compliance posture independently verified by someone with CMMC credentials — not just your existing IT vendor.
Not Sure Whether Your Compliance Documentation Would Hold Up Under Scrutiny?
Intelecis provides independent CMMC gap assessments for Southern California defense contractors. We tell you what your environment actually looks like, what your real SPRS score should be, and what needs to change before you sign another affirmation. No sales agenda. Just an accurate picture.
Request an Independent CMMC Gap Assessment →
📞 949-266-2088 | Fullerton, CA | Serving OC · Los Angeles · San Diego
