Essex Junction, VT802-335-2662dkoran@davidkoran.com
DK
David Koran& Associates
SPRS · NIST SP 800-171 · CMMC Level 2

What Is an SPRS Score, and What Happens When Someone Checks It?

Many defense contractors whose systems handle CUI must keep a current NIST SP 800-171 assessment score on file with the Department of Defense. For a lot of companies, that score has never been independently tested. CMMC assessments, DIBCAC reviews, and prime contractor scrutiny are making the gap between the posted score and the supporting evidence hard to ignore, and expensive to discover late.

Home SPRS Score

If you hold a Department of Defense contract that involves controlled unclassified information, your company has almost certainly posted a score in the Supplier Performance Risk System, known as SPRS. Many executives signed off on that number years ago, under deadline pressure, based on a self-assessment that was optimistic at the time and has not been revisited since. This page explains what that score actually is, why it can go far below zero, why it suddenly matters in 2026, and what to do if you suspect your posted score would not survive scrutiny.

The Basics

The score, in plain terms

SPRS is a Department of Defense database. Among other things, it holds each contractor's assessment score against NIST SP 800-171, the set of 110 security requirements for protecting controlled unclassified information on contractor systems. Two DFARS clauses, 252.204-7019 and 252.204-7020, require contractors to have a current score on file before the government awards a contract involving covered defense information.3,4 Current means no more than three years old.

The score is not a percentage and it is not graded on a curve. Under the DoD Assessment Methodology, you start at 110 and subtract points for every requirement you have not fully implemented. The subtractions are weighted. The requirements DoD considers most critical cost you 5 points each when missing, others cost 3, and the remainder cost 1. Because the penalties are weighted and there are 110 requirements, the scale runs from a perfect 110 all the way down to negative 203.

That bottom number surprises people. A company can have real IT staff, real firewalls, and a genuine security culture and still score deep in negative territory, because the methodology measures implementation of specific requirements with specific evidence, not general diligence. A shop that has never done a formal gap analysis and posts a score based on a quick read of the requirement titles is almost always posting a number that is too high, and often by a wide margin.

The Mechanisms

One number, four ways it gets tested

Part of the confusion around SPRS comes from the fact that several different mechanisms touch the same underlying question, and they are not interchangeable. It helps to see them side by side.

MechanismWho performs itWhat it establishes
Basic Assessment
(DFARS 7019/7020)
Your company A self-reported score under the DoD Assessment Methodology, based on your system security plan. DoD treats it as a low confidence result precisely because nobody outside the company has examined it.
DIBCAC Medium or High Assessment The government (DCMA) A government examination of your actual implementation. The High assessment tests against the assessment objectives in NIST SP 800-171A, with evidence. This is what produced LOGZONE's negative 170.
CMMC Level 2 Self-Assessment Your company A Level 2 Self status for contracts that allow it, with a senior company official personally affirming compliance annually. The affirmation puts a named executive behind the result.
CMMC Level 2 Certification Assessment An authorized C3PAO A third party certification, conditional or final, examined requirement by requirement against the 800-171A objectives.6 Which Level 2 path applies depends on what the solicitation requires.

The pattern to notice: the score most companies have on file today came from the first row, the only row where nobody checks. Every other row is a form of verification, and every form of verification is becoming more common.

The conditional status fine print

If a Level 2 certification assessment finds open items, conditional status is available only within strict limits. The score must be at least 88 of 110. The POA&M may generally contain only one point requirements, with a single higher weight exception for SC.L2-3.13.11 where encryption is in place but not FIPS validated, and it may not contain AC.L2-3.1.20, AC.L2-3.1.22, CA.L2-3.12.4, PE.L2-3.10.3, PE.L2-3.10.4, or PE.L2-3.10.5. Every open item must then be verified closed within 180 days of the conditional status date, by a C3PAO in the certification case, or the conditional status expires.6

What Changed

Why the quiet period is over

For the first several years of the SPRS regime, the posted score was checked in only a small fraction of cases. Contractors posted a number, contracting officers confirmed a number existed, and business proceeded. A high score cost nothing and an honest low score invited uncomfortable questions, so scores drifted upward. Everyone in the industry knows this, including the Department of Defense.

Three things have ended that quiet period. First, CMMC is now in contracts. Since November 2025, the CMMC acquisition rule has allowed the requirement to appear in new solicitations, and the phase-in expands through 2028.5 Second, government assessments carry consequences. DCMA's DIBCAC unit has been assessing contractors for years, and its findings now feed enforcement, as the matters below show. Third, prime contractors are tightening flowdowns. Primes generally cannot look up a subcontractor's score in SPRS, so they increasingly require suppliers to state their score and affirm its accuracy in writing. That affirmation is itself a representation, made by your company, that someone can later hold up next to the facts.

The Record

Two companies found out what the gap costs

These are not hypotheticals. They are settled Department of Justice matters, and the fact patterns will sound familiar to a lot of contractors.

The gap between the posted score and the assessed score
NIST SP 800-171 DoD Assessment Methodology scale: negative 203 to 110
LOGZONE Inc. · Settled June 2026 · $507,144
Posted: 110
Government assessment: −170
MORSECORP Inc. · Settled March 2025 · $4.6 Million
Posted: 104
Third party finding: −142
Sources: U.S. Department of Justice settlement announcements, June 18, 2026 and March 26, 2025. See sources 1 and 2 below.

LOGZONE. A Huntsville, Alabama logistics contractor posted a perfect self-assessment score of 110 in October 2021 on two Navy contracts. When DCMA's assessment center examined the company's actual implementation, the score came back at negative 170, near the bottom of the scale. In June 2026, LOGZONE agreed to pay $507,144 to resolve False Claims Act allegations that it billed the Navy while knowing it had not met the cybersecurity requirements its contracts demanded.1 The matter did not involve a breach. It grew out of the gap between what the company represented and what the assessment found.

MORSE. A Cambridge, Massachusetts defense contractor posted a score of 104 in January 2021. In 2022 the company hired an outside firm to run a gap analysis, which found that roughly a fifth of the required controls were actually implemented and calculated the real score at negative 142. MORSE left the 104 on file and did not correct it until mid 2023, after the government had served a subpoena. The case began when one of the company's own employees filed a whistleblower complaint. MORSE settled for $4.6 million, admitted specified facts as part of the settlement, and the whistleblower received roughly $851,000.2 The admitted facts went beyond the score itself, including an email provider that did not meet federal requirements and the absence of a consolidated system security plan for part of the period.

In both matters, the Department of Justice pursued False Claims Act theories tied to known cybersecurity noncompliance. The gap between the posted score and the documented implementation was a central fact in the record, woven into a broader pattern of billing on contracts whose requirements were not met.

The LOGZONE settlement resolved allegations without a determination of liability. MORSE admitted specified facts as part of its settlement.

How It Happens

How honest companies end up with numbers they cannot defend

It is worth saying plainly that most indefensible scores are not lies. In practice, the common causes look like this. The score was calculated against the wrong system boundary, so whole environments where CUI actually moves were never assessed. An MSP or IT provider asserted that controls were in place and nobody verified the assertions. Controls that were planned or budgeted were counted as implemented. The self-assessment was scored against the requirement titles rather than the assessment objectives, which is roughly the difference between skimming the questions and answering them. Or the score was reasonable when posted and simply went stale as systems, staff, and contracts changed.

Which of these applies to your company matters, practically and legally. A score gap by itself is not automatic liability. The False Claims Act turns on what the company knew and whether the misstatement mattered to getting paid, which is why the settled matters above involved companies that had reason to know their numbers were wrong. Establishing how your number was actually produced, and by whom, is therefore the first order of business, and it should happen before anyone assigns motives, inside the company or outside it.

The Real Situation

The fear behind the fear

Here is the situation many executives are actually in, even if nobody says it in a meeting. The company posted a strong score years ago. The company handles CUI today. The company knows, or half knows, that the score would not hold up if an assessor examined the evidence. And so the assessment stops looking like a compliance milestone and starts looking like the moment the gap becomes visible, with contract eligibility, prime relationships, and legal questions all attached to it.

Some contractors respond to that fear by delaying as long as possible. That is the one strategy the two matters above should take off the table. Delay did not protect LOGZONE, because DIBCAC arrived on its own schedule. Delay did not protect MORSE, because the truth walked out the door with an employee. The score is already on file, the billing continues month by month, and time spent knowing about a material gap without addressing it is what turns a fixable problem into a record. Waiting does not preserve your position. It compounds it.

The part that is genuinely good news

The MORSE matter contains the most important fact in this entire subject, and it is a hopeful one. After the gap analysis found negative 142, MORSE went to work. It posted a third party verified score of 57 in 2023, then 82 later that year, then a full 110 in May 2024. The remediation was achievable. What cost MORSE $4.6 million was not the low score. It was the two years the company left a known overstated score on file, correcting it only after a subpoena arrived.

That is the distinction that matters. An honest low score with a remediation plan is a business problem, and business problems have schedules and budgets. A known false high score is a legal problem, and legal problems have subpoenas and settlement multipliers. Under DFARS 252.204-7019, the baseline condition is generally that a current assessment is on file; the clause itself does not set a universal minimum score, though individual solicitations can require more, and CMMC Level 2 status carries its own thresholds.6 Correcting an overstated score is not an admission that ends your defense business. One honest caveat belongs here: correction ends the ongoing misstatement, but it does not by itself settle questions about the period already billed. Early discovery gives management options. It does not erase history, which is why a large gap should be worked through a deliberate corrective process rather than a quiet edit.

The Plan

What to do, starting Monday

The order of these steps matters. A company that may have a material historical gap should not change a government representation before it has preserved its records and taken advice. This sequence keeps management in control of the process.

  1. Preserve the record. Secure the current score, the scoring worksheet behind it, every version of the SSP and POA&M, any assessment reports, and the emails and provider representations that supported the number. Find out who posted the score and when. Many executives discover it was entered by an IT manager or an MSP years ago and nobody in leadership has seen the worksheet.
  2. If the gap may be material, bring in counsel early. Where the discrepancy could touch prior representations or billed contracts, involve qualified government contracts counsel before changing records or communicating externally. This is not an overreaction. It is how you keep options open.
  3. Validate the scope. Establish where CUI is actually processed, stored, and transmitted today, including machine controllers, shared drives, email, and provider environments, and confirm the SSP describes the environment as it runs, not as it was planned. A correct score on the wrong boundary is still the wrong score.
  4. Rescore under controlled conditions. Recalculate against the applicable methodology using documented evidence. The legacy Basic Assessment is defined against your SSP under the DoD Assessment Methodology, but the assessment objectives in NIST SP 800-171A are what DIBCAC High assessments and CMMC Level 2 assessments test,4,7 so they are the standard your number will eventually be measured against. Score to that standard.
  5. Decide the correction and communication path deliberately. Determine how and when SPRS gets updated and what, if anything, needs to be said to primes or contracting personnel. Prompt correction is generally the right direction; the sequencing and documentation are where judgment and counsel earn their keep.
  6. Remediate and build evidence. Identify the 3 and 5 point deficiencies early, because under the CMMC Level 2 POA&M rules they generally cannot remain open at assessment: conditional status requires at least 88 of 110, and requirements weighted above one point cannot sit on the POA&M, with a narrow encryption exception.6 Sequence the rest by security risk, technical dependencies, lead time, and the evidence needed to show sustained operation. Implementation without evidence scores the same as no implementation.
Where to Start

Confidential SPRS Readiness Review

If you are not certain the score on file reflects the environment you are running today, the fastest way to find out is a structured review: how the score was calculated, whether the boundary matches where CUI actually moves, whether the SSP describes the production environment, where the evidence is thin, and which gaps carry the most weight. The output is a factual picture and a sequenced set of options, delivered to leadership, so the decisions that follow are made on facts rather than assumptions.

Questions

Common questions

Can I update my SPRS score?

Yes. Contractors submit and update their own basic self-assessment scores. If the posted score no longer reflects reality, correcting it is generally the right direction. When the gap is large or the score supported past awards, work the timing, documentation, and communication through counsel rather than making a quiet edit.

Does a low score disqualify me from contracts?

Under DFARS 252.204-7019, the baseline condition is generally that a current assessment is on file; the clause itself does not set a universal minimum score. Individual solicitations can impose additional requirements. And where CMMC Level 2 status is required, the thresholds are specific: conditional status requires at least 88 of 110, and requirements weighted above one point generally cannot remain on the POA&M. An honest score with a credible remediation plan remains a far stronger position than a high number that cannot be supported.

Who can see my score?

Government personnel, including contracting officers, can view it in SPRS. Prime contractors generally cannot look up a subcontractor's score directly, which is why primes increasingly require suppliers to state their score and affirm it in writing. That written affirmation is itself a representation your company is accountable for.

What if an assessment comes back different from my self-assessment?

The assessed result becomes the verified record of your implementation. A large unexplained gap between the score you posted and the score an assessor found is the fact pattern present in the LOGZONE and MORSE matters. Correcting the self-reported number before an assessment removes the ongoing misstatement and puts management in control of the process. How to handle the period when the old number was on file is a question for counsel, and it is a far better question to bring to counsel yourself than to answer under someone else's timeline.

Is an overstated score really a legal risk, or is that consultant scare talk?

The risk is real, though liability is not automatic; the False Claims Act turns on knowledge and materiality. LOGZONE paid $507,144 in June 2026 to resolve allegations involving a posted 110 and a government assessment of negative 170, with no determination of liability. MORSE paid $4.6 million in 2025, admitted specified facts, and the case was initiated by its own employee. Neither matter required a breach. The theories centered on representations of compliance made while billing.

References

Sources

  1. U.S. Department of Justice, Office of Public Affairs, "Alabama Defense Contractor Agrees to Pay $507,144 to Resolve False Claims Act Liability Relating to Cybersecurity Violations," June 18, 2026. justice.gov
  2. U.S. Department of Justice, Office of Public Affairs, "Defense Contractor MORSECORP Inc. Agrees to Pay $4.6 Million to Settle Cybersecurity Fraud Allegations," March 26, 2025. justice.gov
  3. DFARS 252.204-7019, Notice of NIST SP 800-171 DoD Assessment Requirements. acquisition.gov
  4. DFARS 252.204-7020, NIST SP 800-171 DoD Assessment Requirements. acquisition.gov
  5. DFARS 252.204-7021, Contractor Compliance With the Cybersecurity Maturity Model Certification Level Requirements. acquisition.gov
  6. 32 CFR 170.21, Plan of Action and Milestones Requirements. ecfr.gov
  7. NIST Special Publication 800-171A, Assessing Security Requirements for Controlled Unclassified Information. csrc.nist.gov
About the Author

David W. Koran is a CyberAB Registered Practitioner Advanced and the author of The CMMC Decision, now in its second edition. He works onsite with defense contractors and their counsel, closing the gap between the score on file and the score an assessor would find. Reach him at 802-335-2662 or dkoran@davidkoran.com.