The Scale of the Problem

The Supplier Performance Risk System (SPRS) is a Department of Defense-managed database where defense contractors submit a self-assessed score reflecting their implementation of the 110 security requirements in NIST SP 800-171. That score, which ranges from 110 for full implementation down to negative 203 for no implementation, is directly tied to contract eligibility. The Department of Defense uses it to evaluate cybersecurity posture before awarding work, and under CMMC, it becomes the baseline that everything else is measured against.

In many cases, the score is wrong. Not slightly wrong, not off by a few points due to a difference in interpretation. Wrong by 50, 75, sometimes 100 points or more from the actual security posture of the organization. A company reports a score of 90 to the Department of Defense, wins contracts based on that representation, and the technical reality of its environment is a negative 10. Every day that score sits in a federal database attached to an active contract, the legal exposure grows.

Reported SPRS score (MORSECORP self-assessment): 104. Actual SPRS score (third-party evaluation): -142. Point discrepancy: 246; resolved in a $4.6M settlement.

How Scores Become This Inaccurate

Some of the inflation is intentional, but a significant amount of it is not. Much of the inaccuracy comes from organizations that used an internal checklist, relied on an underqualified consultant, or simply did not understand what NIST SP 800-171 was actually requiring. They reviewed 110 requirements, checked the ones they believed applied, gave themselves credit for controls that were partially implemented or planned but never executed, and arrived at a number that appeared reasonable.

Some were told by their IT provider that they were compliant. Some used a template found online. Some estimated based on assumptions rather than evidence. The result is the same regardless of intent: scores that are off by 50, 75, sometimes 100 or more points from reality, and every one of those scores is a representation to the federal government that specific security controls are in place when they are not.

The gap between intention and execution is where the liability accumulates. A control that is partially implemented is not implemented. A policy that exists in a document but is not enforced operationally does not satisfy the requirement. A configuration that was correct when it was set up but has drifted due to staff changes, system updates, or operational workarounds is no longer compliant. Self-assessment methodologies that do not account for these realities produce scores that overstate the organization's actual posture, and the overstatement carries legal consequences.

The False Claims Act Standard Applied to SPRS

The False Claims Act framework applies directly to inaccurate SPRS scores. The statute does not require proof of intent to defraud. It requires only that the organization knew, or should have known, that its representation was false. An executive who signed off on a compliance attestation without verifying the technical accuracy of the underlying work can be found to have known that the representation was inaccurate.

An organization that reported a 90 when the reality was a negative 10 will not be treated as having made a reasonable mistake. The gap is too large for any court to accept ignorance as a credible defense. The per-claim penalties, currently $14,308 to $28,619 per false claim plus treble damages, apply to every invoice submitted against a contract where the SPRS score was a condition of award or continued performance. A multi-year contract with monthly invoicing can generate dozens of individual claims, each carrying its own penalty.

C3PAO Assessments Create the Evidence

Before CMMC, the government had limited visibility into the actual security posture of its contractors. Self-assessment meant self-reporting, and verification was rare. That dynamic is changing as C3PAO assessments scale across the defense industrial base.

When a C3PAO begins a formal certification assessment, it starts by reviewing the System Security Plan (SSP) and the SPRS score. The assessment team compares what the score claims against what the systems actually do. When that comparison reveals that an organization's actual posture is 100 or more points below its reported SPRS score, the assessment generates documented, independent proof of the discrepancy. That documentation becomes available evidence in any subsequent enforcement action.

The MORSECORP settlement illustrates this dynamic precisely. The company reported an SPRS score of 104. A subsequent third-party evaluation produced a score of negative 142. The documented proof of the 246-point discrepancy was central to the $4.6 million settlement. As C3PAO assessments become more widespread, the volume of documented evidence available to the Department of Justice and to qui tam relators will increase substantially.

The Whistleblower Dynamic

The qui tam provisions of the False Claims Act apply with particular force to SPRS score inaccuracies, because the person most likely to know that an organization's score does not reflect reality is someone who works inside the organization. The system administrator who knows the controls are not implemented. The IT manager who raised concerns that were overridden. The compliance officer who documented gaps that were never addressed. The former employee who left knowing the score was inflated.

Each of these individuals has a direct financial incentive to report the discrepancy. Whistleblowers in cybersecurity cases received more than $4.5 million in collective awards in FY2025. Five of the nine cybersecurity settlements that year were initiated by whistleblowers. The combination of financial incentive and the ease of demonstrating that a reported score does not match the actual environment makes SPRS score inaccuracy one of the most accessible qui tam opportunities in the defense industrial base.

Personal Liability for the Signing Executive

The SPRS self-assessment requires an executive with authority to bind the organization to certify the accuracy of the reported score. Under 32 CFR 170.22, a senior company official must submit an annual affirmation in SPRS attesting that the organization has implemented and will maintain implementation of all applicable requirements. That signature creates personal accountability.

The standard is not whether the executive personally evaluated every control. The standard is whether the executive should have known that the score was inaccurate. If the executive signed a certification for a score of 90 without any independent verification that the score was accurate, a court can find that the executive should have known. Willful blindness is not a defense under the False Claims Act. The December 2025 criminal indictment of a former senior manager at a defense contractor, for cybersecurity fraud exceeding $29 million, signals that the Department of Justice is willing to pursue individuals when the scale warrants it.

The GRC Platform Risk

Many defense contractors have adopted automated governance, risk, and compliance platforms to manage CMMC compliance. From a legal risk perspective, that decision deserves careful consideration.

These platforms create a permanent, discoverable record of every known vulnerability and every internal deficiency the organization has identified and documented. Data stored in a standard commercial platform is not protected by attorney-client privilege. A subpoena to the GRC vendor is sufficient to place every gap analysis, every acknowledged deficiency, and every red flag in front of a Department of Justice investigator or a whistleblower's attorney.

The practical effect is that the organization may be paying a software company to build a comprehensive database of everything it knows it is doing wrong, fully accessible to anyone with a subpoena. That dynamic is worth understanding before populating one of these systems with candid assessments of compliance gaps.

What to Do If the Score Is Wrong

If there is reason to believe that the organization's SPRS score does not accurately reflect its actual security posture, the most important step is to involve qualified legal counsel before taking any other action. Not after running a new gap analysis. Not after updating the SSP. Not after correcting the score in the system. Before any of those actions.

The Sequence Matters

1. Engage legal counsel first. An attorney who understands both the False Claims Act and CMMC compliance can evaluate exposure, structure remediation for legal protection, and advise on how to bring the score into alignment without creating additional liability.

2. Technical assessment under counsel's direction. The organization's compliance advisor, whether a Registered Practitioner Advanced or other qualified consultant, determines what the actual score should be. The legal structure around how that work gets applied and documented is something only counsel can properly advise on.

3. Structured remediation and score correction. With counsel directing the process, the organization remediates identified gaps and updates the SPRS score to reflect the actual posture. The order in which these steps are taken matters substantially. Getting the sequence wrong can turn a correctable problem into a documented admission.

This is not an area where an organization should act first and seek legal advice afterward. The enforcement cases described in this article and in the companion analysis of CMMC and the False Claims Act demonstrate that the Department of Justice is actively targeting SPRS score discrepancies. The difference between an organization that corrects its score through proper legal channels and one that generates a discoverable record of its own non-compliance is often the involvement of counsel at the right point in the process.

Further Reading

The CMMC Decision, Second Edition

Chapter 9 ("Your SPRS Score") covers the full scope of SPRS attestation risk, including how scores become inaccurate, the False Claims Act standard applied to scoring discrepancies, the whistleblower dynamic, GRC platform discovery risk, and the specific sequence of steps that matters when a score needs correction. Chapter 1 ("The Teeth of Compliance") provides the complete enforcement framework.


The Question for Executives

For executives reading this analysis, the question is straightforward. Is the organization's SPRS score accurate? If the answer is yes, with confidence grounded in independent verification rather than assumption, the enforcement framework described here is not a concern. If the answer is uncertain, the time to address that uncertainty is now, through legal counsel, before a C3PAO assessment, a whistleblower, or a Department of Justice investigation resolves the question on less favorable terms.

The enforcement trajectory is not ambiguous. Cybersecurity-related False Claims Act recoveries exceeded $52 million in FY2025, more than tripling for the second consecutive year. Whistleblower filings reached an all-time high of 1,297 new qui tam suits. The defense industrial base is now entering a period where C3PAO assessments are generating documented, independent proof of compliance postures across thousands of organizations. Every assessment that reveals a significant discrepancy between a reported SPRS score and actual implementation creates a potential enforcement matter.