Introduction to the 'Weekly Thoughts' Series RegDOX is excited to introduce a new six-month blog…
Mistakes DIB Suppliers Make
2.
Mistakes DIB Suppliers Make
Welcome to the latest installment in RegDOX’s six-month series, Mistakes DIB Suppliers Make with CMMC Cybersecurity. Each week, we spotlight a new real-world example or critical insight into the cybersecurity challenges facing Defense Industrial Base (DIB) suppliers. These stories highlight common—and often costly—mistakes made while striving to meet CMMC and NIST SP 800-171 requirements. Our goal is to raise awareness, promote better compliance practices, and help organizations like yours avoid falling into similar traps.
As you explore this week’s entry and the broader series, we invite you to share your own experiences—whether it’s a CMMC compliance pitfall you’ve witnessed firsthand or one you’ve proactively sidestepped. Your insights could help others in the community strengthen their cybersecurity posture. Please reach out to us at info@regdox.com.
Weekly Thought #1: Inflated NIST SP 800-171 Self-Assessment Scores
Many DIB suppliers overstate their compliance in the DoD’s SPRS. For example, MORSE Corp. Inc. reported a score of 104—near the top of the possible range—yet a third-party review later revealed their actual score was -142. MORSE didn’t correct SPRS until three months after a DOJ subpoena, ultimately settling for $4.6 million.
Source: DOJ MORSE Corp.
Weekly Thought #2: Lacking a Written System Security Plan (SSP)
Some contractors fail to develop or maintain a consolidated SSP describing how NIST SP 800-171 controls are implemented. In MORSE Corp.’s case, they admitted they “did not have a consolidated written plan for each of its covered information systems” from 2018–2023.
Source: DOJ USA vs Morse
Weekly Thought #3: Not Implementing Required NIST 800-171 Controls
Penn State University settled a False Claims Act suit for $1.25 million after admitting it “did not implement certain NIST SP 800-171 security requirements” from 2018–2023 on multiple contracts involving CUI.
Source: DOJ Penn State
Weekly Thought #4: Using a Non-Compliant Internal System to Handle CUI
Raytheon stored, processed, and developed “covered defense information” on its internal “DarkWeb” network, which lacked the required NIST SP 800-171 controls. Raytheon agreed to pay $8.4 million to resolve these allegations.
Source: Security Week Raytheon
Weekly Thought #5: Delaying Corrections of SPRS Scores After Learning of Inaccuracies
MORSE Corp. learned of its negative SPRS score in July 2022 but did not update their self-assessment until June 2023—three months after DOJ served a subpoena. This delay was central to their $4.6 million settlement.
Source: DOJ Morse Corp
Weekly Thought #6: Misstating Remediation Timelines for NIST Control Implementation
In its SPRS submissions, Penn State misrepresented the dates by which it would implement all 110 NIST SP 800-171 controls and failed to pursue adequate Plans of Action and Milestones (POA&Ms).
Source: DOJ Penn State
Weekly Thought #7: Failing to Flow DOWN DFARS 252.204-7012 to Subcontractors
Georgia Institute of Technology was sued for many reasons including not ensuring its subcontractors complied with DFARS 252.204-7012 requirements, failing to safeguard CUI on collaborative research contracts, and thus violating NIST SP 800-171.
Source: DOJ GIT
Weekly Thought #8: Falsely Certifying Cybersecurity Compliance
Aerojet Rocketdyne Inc. represented to DoD that it met cybersecurity requirements—despite not doing so—and settled for $9 million under the False Claims Act.
Source: DOJ Aerojet Rocketdyne
Weekly Thought #9: Failing to Implement Multi-Factor Authentication (MFA) for CUI Access
MORSE Corp. admitted it “failed to implement multi-factor authentication” on systems processing CUI, in violation of NIST SP 800-171 control 3.5.3. This lack of MFA meant unauthorized users could more easily access CUI, forming a basis for their $4.6 million FCA settlement.
Source: Foley
Weekly Thought #10: Ignoring DFARS 72-Hour Breach Reporting
Health Net Federal Services LLC (Health Net Federal Services) repeatedly failed to scan for known vulnerabilities, ignored critical security flaws, and did not report cyber incidents within 72 hours as required by DFARS. They paid $11.25 million to settle.
Source: Security Week HNFS LLC
Weekly Thought #11: Using End-of-Life Hardware/Software for CUI
Health Net Federal Services LLC continued to operate legacy hardware and unsupported software that could not meet NIST SP 800-171 requirements, contributing to their $11 million settlement.
Source: DOJ HNFS LLC
Weekly Thought #12: Poor Asset Management of CUI-Handling Systems
Health Net Federal Services LLC “ignored reports from third-party security auditors … related to asset management,” failing to track or secure CUI-containing devices per NIST SP 800-171.
Source: Security Week HNFS LLC
Weekly Thought #13: Inadequate Access Controls to CUI
Health Net Federal Services LLC failed to enforce robust access controls and password policies (NIST SP 800-171 AC controls), settling for $11 million when auditors found accounts with excessive privileges and weak passwords.
Source: Security Week HNFS LLC
Weekly Thought #14: Lack of Vulnerability Scanning and Patch Management
Between 2015–2018, Health Net Federal Services LLC “failed to timely scan for known vulnerabilities and to remedy security flaws on its networks,” violating NIST Shttps://www.regdox.com/blog/mistakes-dib-suppliers-make/#Week14P 800-171 RA and SI families and costing them $11 million.
Source: Security Week
Weekly Thought #15: Ignoring Third-Party Security Audit Findings
Health Net Federal Services LLC “ignored reports from third-party auditors detailing cybersecurity defects related to asset management, access control, firewalls, patch management, password policies, vulnerability scanning, and legacy hardware and software…,” thus failing to remediate critical CUI vulnerabilities.
Source: Security Week
Weekly Thought #16: Failing to Safeguard CUI in Cloud Environments
In MORSE’s settlement, they admitted using third-party cloud services that did not meet FedRAMP or equivalent requirements, violating DFARS/NIST controls.
Source: Whistleblower LLC
Weekly Thought #17: Submitting a Fictitious and Irrelevant SPRS Assessment Score
Georgia Tech reported a summary level NIST SP 800-171 score of 98 for its campus in December 2020, but that score applied to a “fictitious” or “virtual” environment rather than any actual covered IT system that processed CUI. DOJ’s complaint alleges that Georgia Tech never had a campus-wide system in scope, making the SPRS submission false.
Source: DOJ GIT
Weekly Thought #18: Overlooking Configuration Management of CUI Systems
Health Net Federal Services LLC neglected to enforce secure configuration (CM controls), using insecure configurations on CUI-processing devices.
Source: Security Week
Weekly Thought #19: Misrepresenting Compliance with Cybersecurity Requirements
Aerojet Rocketdyne falsely certified that it met all required NIST SP 800-171 controls and did not disclose known gaps in its cybersecurity program. The DOJ press release notes that Aerojet settled for $9 million under the False Claims Act after admitting it “violated the False Claims Act by misrepresenting its compliance with cybersecurity requirements in certain federal government contracts.”
Source: DOJ Aerojet Rocketdyne
Weekly Thought #20: Lacking an Incident Response Plan
MORSE Corp. had no formal incident response plan to identify, contain, and remediate CUI breaches, despite DFARS requiring a documented IRP; this contributed to their $4.6 million settlement.
Source: DOJ MORSE Corp.
Weekly Thought #21: Insufficient Physical Security for CUI Storage
Penn State admitted to failing to physically secure paper and digital media containing CUI—violating NIST SP 800-171 3.8 (“Media Protection”). They paid $1.25 million.
Source: DOJ Penn State
Weekly Thought #22: Failing to Control CUI Media Transfers
Raytheon did not enforce secure transport controls (e.g., NIST SP 800-171, Control 3.8.5) when moving CUI between sites, leading to their $8.4 million settlement.
Source: National Law Review
Weekly Thought #23: Failing to Implement NIST SP 800-171 Audit & Accountability Controls
Penn State admitted it “did not implement certain NIST SP 800-171 security requirements” for fifteen contracts involving CUI between January 2018 and November 2023, including controls in the Audit & Accountability family (3.3). In effect, Penn State did not generate or review system audit logs to detect unauthorized access to CUI.
Source: DOJ Penn State FCA
Weekly Thought #24: Failing to Mark CUI Properly on Documents and Media
Penn State did not consistently label and track CUI, violating MP-3/MP-4 guidelines under NIST SP 800-171, resulting in their $1.25 million settlement.
Source: DOJ Penn State
Weekly Thought #25: Potentially No Encryption of CUI in Transit
MORSE Corp. used a third-party email hosting provider that did not meet FedRAMP Moderate baseline requirements, meaning that CUI transmitted via email was not protected with required encryption in transit under DFARS 252.204-7012 and NIST SP 800-171 control 3.13.11.
Source: DOJ Morsecorp
Weekly Thought #26: Overlooking CUI Training Requirements
In the Georgia Tech case, relators alleged that numerous failures in handling CUI stemmed from “a lack of training” on NIST SP 800-171 requirements. Because personnel were never properly educated on safeguarding controls, labs continued operating without required malware detection and incident-response procedures, contributing to the DOJ’s intervention.
Source: Arnold Porter
Conclusion: What We’ve Learned from 26 Weeks of CMMC Compliance Missteps
Over the past six months, we’ve explored real-world examples of cybersecurity missteps across the Defense Industrial Base—from inflated SPRS scores and missing SSPs to cloud compliance failures and poor access controls. If there’s one clear takeaway, it’s that CMMC compliance isn’t about perfection. It’s about diligence, documentation, and constant improvement.
The mistakes we’ve covered weren’t made by bad actors, but by organizations that underestimated the complexity of safeguarding Controlled Unclassified Information (CUI). Now more than ever, defense suppliers must move beyond checklists and develop sustainable, organization-wide security programs. Whether you’re a large research institution or a small manufacturer, the risks of getting it wrong are too great to ignore.
Thank you for following this series. If you’ve learned from these cautionary tales or have your own cybersecurity story to share, we’d love to hear from you at info@regdox.com. If you’re ready to strengthen your compliance posture, head to our Contact Us page and we’d be glad to help.
Click to rate this post!
[Total: 0 Average: 0]

This Post Has 0 Comments