By: Eileen Smith on July 30, 2025

What Are The Risks If My Business Doesn’t Get NIST, CMMC Compliant?

Cybersecurity | Compliance | CMMC 2.0

If you’re a contractor or subcontractor within the U.S. Defense Industrial Base (DIB), then you’re well aware of the cybersecurity requirements outlined by the National Institute of Standards and Technology (NIST).

You also know that language for the newly adopted Cybersecurity Maturity Model Certification (CMMC) 2.0 is already showing up in Department of Defense (DoD) contracts.

These cybersecurity regulations are intended to strengthen the protections around handling and disseminating sensitive federal information by nonfederal organizations working with the government in some capacity.

But what are the potential consequences of failing to meet NIST SP 800-171 or CMMC 2.0 compliance?

In this article, we’ll discuss some recent cases involving the government’s increased focus on enforcing compliance with these federal cybersecurity regulations. We’ll also share some tips for strengthening your cybersecurity posture to meet those requirements.

With this information, you’ll be able to help ensure that you become compliant, pass your assessment, and get certified to maintain your existing federal contracts and be eligible to bid on new ones.

How Are NIST SP 800-171 And CMMC 2.0 Related?

Following a rash of cybersecurity incidents, the DoD sought to strengthen its supply chain by establishing a system to verify that businesses within the Defense Industrial Base (DIB) have implemented the cybersecurity protections that they attested to when submitting their Supplier Performance Risk System (SPRS) scores.

CMMC 2.0 incorporates the 110 security controls of NIST SP 800-171 and leans heavily on other existing security requirements, including Defense Federal Acquisition Regulation Supplement (DFARS) and Federal Acquisition Regulation (FAR).

Contractors and other organizations working with the federal government that handle federal contract information (FCI) and controlled unclassified information (CUI) should already be compliant with those security mandates.

CMMC 2.0 differs from those regulations, and even earlier versions of the security framework itself, in that it establishes a three-tiered compliance and assessment system. The intent of the regulation is to provide a way for the DoD to verify compliance and add weight to its enforcement efforts to protect FCI and CUI.

Under the CMMC 2.0 Final Rule, which went into effect December 16, 2024, contractors are assigned one of three levels, with increasingly stiffer security and assessment requirements with each ascending level.

Your CMMC level depends on the type of FCI or CUI you store, process, or transmit.

How Has The Government Enforced NIST, CMMC Compliance?

The government has stepped up its enforcement efforts for federal cybersecurity regulations including NIST SP 800-171 and CMMC 2.0.

This crackdown has resulted in substantial penalties and fines against noncompliant organizations.

In one recent example, Cambridge, Mass.-based MORSE Corporation, Inc. agreed to pay $4.6 million to settle claims that the defense contractor violated the False Claims Act by failing to comply with cybersecurity requirements in its contracts with the U.S. Army and Air Force.

In the settlement, announced in March 2025, the company agreed with the government that it should not have received payment on its contracts with those departments because it knew it had not met the cybersecurity requirements those contracts imposed.

MORSE admitted to several critical cybersecurity violations, including:

  • Using a third-party cloud email vendor without verifying that the vendor met various contractual requirements, including those for data preservation and for incident response and reporting

  • Failing to satisfy all 110 NIST SP 800-171 cybersecurity controls as required in its contracts

  • Submitting a Supplier Performance Risk System (SPRS) score of 104 (out of a maximum 110 for the NIST controls) in January 2021. In May 2022, a third-party cybersecurity consultant the company hired to perform a gap analysis discovered that its score was actually -142.

  • Failing to develop and implement a comprehensive, written cybersecurity plan for its systems, including a detailed description of the included systems, system boundaries, environments, and the security controls the company put in place to protect the sensitive information within those boundaries.

What Is The False Claims Act?

The False Claims Act (FCA) is a federal law that includes a provision allowing individual whistleblowers to sue companies on behalf of the U.S. government for alleged violations. The government can choose to intervene and take over the litigation of such cases.

If the charges are proven, violators can face substantial fines and penalties, including treble damages, meaning they must pay three times the amount of the government’s damages. Businesses can also face significant civil penalties.

In addition, a number of states have established their own false claims regulations, meaning that offending businesses could be hit with even more penalties and restitution costs.

Keep in mind that defense contractors aren’t the only ones required to meet NIST SP 800-171 and CMMC cybersecurity requirements. Any organization that stores, processes, or transmits CUI in the process of carrying out their federal contract or grant must implement the required security measures.

For instance, in October 2024, Pennsylvania State University reached a $1.25 million settlement as part of the Department of Justice’s Civil Cyber-Fraud Initiative (CFI).

The Justice Department launched the CFI initiative in 2021 in response to a spate of cyberattacks, including ransomware, against contractors and public and private entities that were part of the DoD supply chain.

The enforcement effort was intended to hold organizations receiving federal contracts or grants accountable for failing to become compliant, failing to inform the respective agencies when a breach or cyberattack occurred, and knowingly misrepresenting their cybersecurity posture.

The Penn State case stemmed from a lawsuit initially brought in 2022 by a former Penn State chief information officer (CIO) under the whistleblower provision of the FCA.

In 2023, the government stepped in to take over the case, which alleged that the university failed to implement sufficient security measures to protect the sensitive federal data it handled in its 15 DoD contracts and subcontracts.

The list of violations included failing to ensure that the third-party cloud service vendor it was using to “store, process, or transmit covered defense information” had itself met the necessary cybersecurity standards.

According to the settlement, Penn State also failed to accompany its SPRS score with a plan of action and milestones (POA&M), the timeline detailing when and how it planned to close its security gaps and become compliant.

What Are Key Tips To Meet CMMC Compliance?

If your organization handles CUI, then you must adopt the right security measures to safeguard that information in order to pass your CMMC assessment and get certified.

Here are three essential tips to help ensure your success:

1. Understand Your CMMC Level & Scope

  • Ensure that you have a complete understanding of the type of federal information you handle and your CMMC level.
  • Once you know how the data flows through your environment, you can accurately scope your CUI boundary.

  • Doing so will allow you to focus your remediation efforts on only the relevant parts of your environment and exclude out-of-scope areas. This can save you significant time and money on unnecessary security measures.

2. Conduct A Gap Analysis

  • Perform a gap analysis to weigh your current security defenses against the regulatory requirements for CMMC 2.0.

  • This will allow you to see where your security measures fall short of the CMMC security standards and develop a remediation plan to fix any identified security gaps ahead of your CMMC audit.

3. Put A Plan In Motion

  • Don't wait until the last minute to develop a compliance strategy. Doing so could end up being a costly mistake for your business.

  • For instance, there is a shortage of certified third-party assessor organizations (C3PAOs). If you're a Level 2 business that needs a C3PAO audit and you drag your feet in scheduling it, you might discover that no assessors are available within your compliance time frame.

  • Likewise, waiting until the last minute to create a system security plan (SSP) could mean that some of your security gaps are overlooked or that your documented policies are never finalized. Missing, incomplete, or outdated documents are not accepted and will result in a finding of noncompliance for the related security control.

The Bottom Line: Meeting NIST, CMMC Compliance

After reading this article, you now understand just how serious the government is about strengthening its supply chain. DoD contractors, subcontractors, and other third-party organizations should expect enforcement of cybersecurity requirements to continue.

As we’ve shown, the government is willing to pursue lawsuits to recoup damages for noncompliance.

So, failing to implement the right security tools, systems, policies, and procedures to meet the regulatory requirements could have lasting consequences for your business.

Noncompliance could damage your standing with the DoD and jeopardize your existing contracts. Not satisfying the cybersecurity requirements could also make you ineligible for new contracts.

At Kelser, we have years of experience helping small and medium-sized businesses like yours become compliant with various DoD regulations, including NIST, DFARS, and FAR.

In addition, we have a cybersecurity expert on staff who is also a CMMC Certified Professional (CCP) with extensive regulatory and compliance knowledge. So, we can offer expert guidance and customized CMMC readiness services tailored to your business.

Read How To Choose The Right CMMC Readiness Partner: 6 Factors To Consider to learn more about picking the right partner to guide your compliance process.

If you’re unsure where you stand in your compliance journey and would like to learn more about how we can help, click the button to schedule a no-obligation readiness consultation.

About Eileen Smith

Eileen merges her extensive experience as an educator and professional journalist into her role as Kelser’s Content Manager. She brings a different perspective in translating complex technology ideas into easy-to-understand articles.
