Many defense contractors whose systems handle CUI must keep a current NIST SP 800-171 assessment score on file with the Department of Defense. For a lot of companies, that score has never been independently tested. CMMC assessments, DIBCAC reviews, and prime contractor scrutiny are making the gap between the posted score and the supporting evidence hard to ignore, and expensive to discover late.
If you hold a Department of Defense contract that involves controlled unclassified information, your company has almost certainly posted a score in the Supplier Performance Risk System, known as SPRS. Many executives signed off on that number years ago, under deadline pressure, based on a self-assessment that was optimistic at the time and has not been revisited since. This page explains what that score actually is, why it can go far below zero, why it suddenly matters in 2026, and what to do if you suspect your posted score would not survive scrutiny.
SPRS is a Department of Defense database. Among other things, it holds each contractor's assessment score against NIST SP 800-171, the set of 110 security requirements for protecting controlled unclassified information on contractor systems. Two DFARS clauses, 252.204-7019 and 252.204-7020, require contractors to have a current score on file before the government awards a contract involving covered defense information.3,4 Current means no more than three years old.
The score is not a percentage and it is not graded on a curve. Under the DoD Assessment Methodology, you start at 110 and subtract points for every requirement you have not fully implemented. The subtractions are weighted. The requirements DoD considers most critical cost you 5 points each when missing, others cost 3, and the remainder cost 1. Because the penalties are weighted and there are 110 requirements, the scale runs from a perfect 110 all the way down to negative 203.
That bottom number surprises people. A company can have real IT staff, real firewalls, and a genuine security culture and still score deep in negative territory, because the methodology measures implementation of specific requirements with specific evidence, not general diligence. A shop that has never done a formal gap analysis and posts a score based on a quick read of the requirement titles is almost always posting a number that is too high, and often by a wide margin.
Part of the confusion around SPRS comes from the fact that several different mechanisms touch the same underlying question, and they are not interchangeable. It helps to see them side by side.
| Mechanism | Who performs it | What it establishes |
|---|---|---|
| Basic Assessment (DFARS 7019/7020) |
Your company | A self-reported score under the DoD Assessment Methodology, based on your system security plan. DoD treats it as a low confidence result precisely because nobody outside the company has examined it. |
| DIBCAC Medium or High Assessment | The government (DCMA) | A government examination of your actual implementation. The High assessment tests against the assessment objectives in NIST SP 800-171A, with evidence. This is what produced LOGZONE's negative 170. |
| CMMC Level 2 Self-Assessment | Your company | A Level 2 Self status for contracts that allow it, with a senior company official personally affirming compliance annually. The affirmation puts a named executive behind the result. |
| CMMC Level 2 Certification Assessment | An authorized C3PAO | A third party certification, conditional or final, examined requirement by requirement against the 800-171A objectives.6 Which Level 2 path applies depends on what the solicitation requires. |
The pattern to notice: the score most companies have on file today came from the first row, the only row where nobody checks. Every other row is a form of verification, and every form of verification is becoming more common.
The conditional status fine print
If a Level 2 certification assessment finds open items, conditional status is available only within strict limits. The score must be at least 88 of 110. The POA&M may generally contain only one point requirements, with a single higher weight exception for SC.L2-3.13.11 where encryption is in place but not FIPS validated, and it may not contain AC.L2-3.1.20, AC.L2-3.1.22, CA.L2-3.12.4, PE.L2-3.10.3, PE.L2-3.10.4, or PE.L2-3.10.5. Every open item must then be verified closed within 180 days of the conditional status date, by a C3PAO in the certification case, or the conditional status expires.6
For the first several years of the SPRS regime, the posted score was checked in only a small fraction of cases. Contractors posted a number, contracting officers confirmed a number existed, and business proceeded. A high score cost nothing and an honest low score invited uncomfortable questions, so scores drifted upward. Everyone in the industry knows this, including the Department of Defense.
Three things have ended that quiet period. First, CMMC is now in contracts. Since November 2025, the CMMC acquisition rule has allowed the requirement to appear in new solicitations, and the phase-in expands through 2028.5 Second, government assessments carry consequences. DCMA's DIBCAC unit has been assessing contractors for years, and its findings now feed enforcement, as the matters below show. Third, prime contractors are tightening flowdowns. Primes generally cannot look up a subcontractor's score in SPRS, so they increasingly require suppliers to state their score and affirm its accuracy in writing. That affirmation is itself a representation, made by your company, that someone can later hold up next to the facts.
These are not hypotheticals. They are settled Department of Justice matters, and the fact patterns will sound familiar to a lot of contractors.
LOGZONE. A Huntsville, Alabama logistics contractor posted a perfect self-assessment score of 110 in October 2021 on two Navy contracts. When DCMA's assessment center examined the company's actual implementation, the score came back at negative 170, near the bottom of the scale. In June 2026, LOGZONE agreed to pay $507,144 to resolve False Claims Act allegations that it billed the Navy while knowing it had not met the cybersecurity requirements its contracts demanded.1 The matter did not involve a breach. It grew out of the gap between what the company represented and what the assessment found.
MORSE. A Cambridge, Massachusetts defense contractor posted a score of 104 in January 2021. In 2022 the company hired an outside firm to run a gap analysis, which found that roughly a fifth of the required controls were actually implemented and calculated the real score at negative 142. MORSE left the 104 on file and did not correct it until mid 2023, after the government had served a subpoena. The case began when one of the company's own employees filed a whistleblower complaint. MORSE settled for $4.6 million, admitted specified facts as part of the settlement, and the whistleblower received roughly $851,000.2 The admitted facts went beyond the score itself, including an email provider that did not meet federal requirements and the absence of a consolidated system security plan for part of the period.
The LOGZONE settlement resolved allegations without a determination of liability. MORSE admitted specified facts as part of its settlement.
It is worth saying plainly that most indefensible scores are not lies. In practice, the common causes look like this. The score was calculated against the wrong system boundary, so whole environments where CUI actually moves were never assessed. An MSP or IT provider asserted that controls were in place and nobody verified the assertions. Controls that were planned or budgeted were counted as implemented. The self-assessment was scored against the requirement titles rather than the assessment objectives, which is roughly the difference between skimming the questions and answering them. Or the score was reasonable when posted and simply went stale as systems, staff, and contracts changed.
Which of these applies to your company matters, practically and legally. A score gap by itself is not automatic liability. The False Claims Act turns on what the company knew and whether the misstatement mattered to getting paid, which is why the settled matters above involved companies that had reason to know their numbers were wrong. Establishing how your number was actually produced, and by whom, is therefore the first order of business, and it should happen before anyone assigns motives, inside the company or outside it.
Here is the situation many executives are actually in, even if nobody says it in a meeting. The company posted a strong score years ago. The company handles CUI today. The company knows, or half knows, that the score would not hold up if an assessor examined the evidence. And so the assessment stops looking like a compliance milestone and starts looking like the moment the gap becomes visible, with contract eligibility, prime relationships, and legal questions all attached to it.
Some contractors respond to that fear by delaying as long as possible. That is the one strategy the two matters above should take off the table. Delay did not protect LOGZONE, because DIBCAC arrived on its own schedule. Delay did not protect MORSE, because the truth walked out the door with an employee. The score is already on file, the billing continues month by month, and time spent knowing about a material gap without addressing it is what turns a fixable problem into a record. Waiting does not preserve your position. It compounds it.
The MORSE matter contains the most important fact in this entire subject, and it is a hopeful one. After the gap analysis found negative 142, MORSE went to work. It posted a third party verified score of 57 in 2023, then 82 later that year, then a full 110 in May 2024. The remediation was achievable. What cost MORSE $4.6 million was not the low score. It was the two years the company left a known overstated score on file, correcting it only after a subpoena arrived.
That is the distinction that matters. An honest low score with a remediation plan is a business problem, and business problems have schedules and budgets. A known false high score is a legal problem, and legal problems have subpoenas and settlement multipliers. Under DFARS 252.204-7019, the baseline condition is generally that a current assessment is on file; the clause itself does not set a universal minimum score, though individual solicitations can require more, and CMMC Level 2 status carries its own thresholds.6 Correcting an overstated score is not an admission that ends your defense business. One honest caveat belongs here: correction ends the ongoing misstatement, but it does not by itself settle questions about the period already billed. Early discovery gives management options. It does not erase history, which is why a large gap should be worked through a deliberate corrective process rather than a quiet edit.
The order of these steps matters. A company that may have a material historical gap should not change a government representation before it has preserved its records and taken advice. This sequence keeps management in control of the process.
If you are not certain the score on file reflects the environment you are running today, the fastest way to find out is a structured review: how the score was calculated, whether the boundary matches where CUI actually moves, whether the SSP describes the production environment, where the evidence is thin, and which gaps carry the most weight. The output is a factual picture and a sequenced set of options, delivered to leadership, so the decisions that follow are made on facts rather than assumptions.
Yes. Contractors submit and update their own basic self-assessment scores. If the posted score no longer reflects reality, correcting it is generally the right direction. When the gap is large or the score supported past awards, work the timing, documentation, and communication through counsel rather than making a quiet edit.
Under DFARS 252.204-7019, the baseline condition is generally that a current assessment is on file; the clause itself does not set a universal minimum score. Individual solicitations can impose additional requirements. And where CMMC Level 2 status is required, the thresholds are specific: conditional status requires at least 88 of 110, and requirements weighted above one point generally cannot remain on the POA&M. An honest score with a credible remediation plan remains a far stronger position than a high number that cannot be supported.
Government personnel, including contracting officers, can view it in SPRS. Prime contractors generally cannot look up a subcontractor's score directly, which is why primes increasingly require suppliers to state their score and affirm it in writing. That written affirmation is itself a representation your company is accountable for.
The assessed result becomes the verified record of your implementation. A large unexplained gap between the score you posted and the score an assessor found is the fact pattern present in the LOGZONE and MORSE matters. Correcting the self-reported number before an assessment removes the ongoing misstatement and puts management in control of the process. How to handle the period when the old number was on file is a question for counsel, and it is a far better question to bring to counsel yourself than to answer under someone else's timeline.
The risk is real, though liability is not automatic; the False Claims Act turns on knowledge and materiality. LOGZONE paid $507,144 in June 2026 to resolve allegations involving a posted 110 and a government assessment of negative 170, with no determination of liability. MORSE paid $4.6 million in 2025, admitted specified facts, and the case was initiated by its own employee. Neither matter required a breach. The theories centered on representations of compliance made while billing.