Penalty for Inaccurate SPRS Score: What Can Happen and How to Correct It

The contractors getting hit hardest usually aren’t the ones who made an honest scoring mistake. They’re the ones who did one specific thing afterthey found out — and we’ll show you exactly what that is, with the real cases, below.

A wrong number in the Supplier Performance Risk System (SPRS) — the Department of Defense database where contractors post their cybersecurity self-assessment scores — is fixable. The shape of the fix depends on whether the error is a math mistake you haven’t used yet, or a knowingly wrong number you’ve been invoicing on for years. We’ll help you figure out which kind of problem you have, then route you to the right next step.

What is the penalty for inaccurate SPRS score reporting? (and the math everyone gets wrong)

The single most repeated claim about SPRS penalties on the open web is wrong. Vendor blogs say an inaccurate score can cost you “up to three times the contract value.” That is not what the statute says. The False Claims Act (31 U.S.C. §§ 3729–3733) imposes treble damages — three times the government’s damages, not three times your contract value — plus a separate, flat penalty for each false claim. Those are two different calculations, and conflating them either over-scares the honest contractor or under-prepares the one with real exposure.

Why does the “3× contract value” myth matter? Because it both over-scares the honest contractor and under-prepares the one with real exposure. The actual ceiling can be far higher than 3× a single contract once per-claim penalties stack across every invoice — or far lower, because treble damages attach to the government’s provendamages, which in a cybersecurity case are frequently disputed. Aerojet Rocketdyne is the cleanest illustration: the whistleblower’s treble-damages theory ran to billions, but the case settled for $9 million.

Is there an automatic penalty for an inaccurate SPRS score?

Think of it as a ladder, not a switch. Most SPRS problems sit on the bottom rungs — administrative cleanup. The cases that make headlines live near the top, and they almost always involve a score that was both wrong and used to get paid.

The key insight competitors skip: where your problem lands on this ladder depends less on how wrong the number is and more on what the number was used for and what you knew when you used it.That’s the question the rest of this page answers.

When does a wrong SPRS score become False Claims Act risk?

The word doing the heavy lifting is “knowingly,” and it’s broader than most people assume. Under 31 U.S.C. § 3729(b)(1), “knowing” and “knowingly” mean actual knowledge, deliberate ignorance of the truth, or reckless disregard of the truth — and the statute expressly says no proof of specific intent to defraud is required.Translation: “We didn’t mean to lie” is not a defense. “We didn’t know it was wrong” is a defense — but a weak one if your own consultant calculated a much lower number and you kept the old number in SPRS.

The second trigger is materiality. The same wrong number is far more serious if it was used in a proposal, an invoice, an SPRS affirmation, a prime’s supplier questionnaire, or a CMMC status representation, because the score had to actually matter to the government’s decision to award or pay. In the enforcement cases we read, DOJ repeatedly framed the inaccurate cybersecurity score as a condition of award — which is precisely what makes it material. In October 2021, the Justice Department launched the Civil Cyber-Fraud Initiative (CCFI) specifically to use the FCA against contractors that knowingly misrepresent their cybersecurity. In fiscal year 2025, total FCA recoveries hit a record $6.8 billion. See our full guide: False Claims Act CMMC risk — the complete map.

What did DOJ actually do in SPRS and cybersecurity false-claims cases?

Settlements resolve allegations; they are not court findings of liability unless the settlement says otherwise. Several of these companies expressly denied wrongdoing.

LOGZONE: when a perfect 110 collapses to −170

This one is fresh — DOJ announced it on June 18, 2026. LOGZONE Inc., a Huntsville, Alabama logistics provider (reported to be a service-disabled veteran-owned small business), submitted a perfect self-assessment score of 110 in SPRS in October 2021. In February 2024, a DCMA DIBCAC review of the same systems scored the company at −170 — near the bottom of a scale that ends at −203. DOJ alleged LOGZONE kept billing two Navy contracts from 2021 through 2025 while out of compliance. The company agreed to pay $507,144, including $253,572 in restitution, without admitting liability.

The takeaway for small suppliers: LOGZONE is a small business, not a defense giant — and size was no shield. The trigger was the gap between a self-assessed number and what a government assessor actually found.

MORSECORP: the “you knew, and you didn’t fix it” case

MORSECORP is the case we point contractors to most. Per the DOJ settlement, MORSE posted a 104 in January 2021. After bringing in a third-party consultant for a gap analysis, the company learned it had implemented only about 22% of the required NIST SP 800-171 controls — a real score of about −142. MORSE did not update SPRS in a timely way. The company agreed to pay $4.6 million in March 2025; the whistleblower — a former employee — received $851,000.

Georgia Tech: the score that described a system that didn’t exist

The Georgia Tech Research Corporation settlement shows that scope can sink you as fast as math. DOJ alleged GTRC submitted a 98 in December 2020 purporting to cover a campus-wide IT system — except there was no campus-wide system, and the score was based on a “fictitious” environment that didn’t reflect any real system processing covered defense information. The case resolved for $875,000. The lesson: a score has to describe your actual covered contractor information system. Scoring a hypothetical environment to get a flattering number is exactly what DOJ pursues.

What does DFARS require you to post in SPRS?

Your SPRS Basic Assessment record must include:

• The standard assessed (NIST SP 800-171) and who conducted the assessment
• Your CAGE code(s) for the in-scope systems
• The system security plan (SSP) name, version, and date
• The architecture/scope the score covers
• The assessment date and the summary score (the number out of 110)
• The date by which you expect to reach 110 (your plan to close remaining gaps)

Two points contractors miss. First, SPRS stores your score — it does not perform the assessment. Second, a score is only as defensible as the SSP and scope behind it. A number with no real SSP, or one that describes the wrong environment, is exactly the weakness DOJ exploited in Georgia Tech and MORSECORP. DFARS 252.204-7020 then gives DoD the right to conduct its own Medium or High Assessment — which is how a self-assessed 110 becomes a government-assessed −170.

Does this apply to your situation?

Too high vs. too low — they are not the same problem

An overstated score is the high-risk direction, because it makes you look more compliant than you are. If it was material and used to win or keep work, treat it as a legal and compliance event. An understated score is usually a procurement and competitiveness problem, not a fraud problem — understating your compliance is rarely viewed as a false overstatement. The safe move in either direction is the same: only change the number when your SSP, your evidence, and your actual control implementation support it.

Can you update or correct an inaccurate SPRS score?

How and when you update matters, and the order of operations is not the same for every contractor:

Updating SPRS is the easy part. Getting the corrected number right — and sequencing the legal and technical work in the correct order — is what keeps a fixable problem from becoming a worse one.

Will correcting your score make things worse?

The enforcement record points hard in one direction. DOJ has publicly credited contractors that self-disclosed, cooperated, and remediated. When Verizon Business Network Services settled for $4,091,317, the DOJ release was headlined “Cooperating Federal Contractor,” and the government acknowledged Verizon’s cooperation in the settlement. In July 2025, Aero Turbine and its private-equity owner settled for $1.75 million after voluntarily self-disclosing — reporting indicates DOJ applied a reduced damages multiplier. The SPRS-score cases show the mirror image: knowing about a gap and sitting still.

If your bad score has not been used in any offer, payment, certification, or affirmation, the right move is often a prompt, well-documented correction. If it has— that’s where you bring in counsel before you do anything visible. Here’s the sequence, in order.

First 24 hours — freeze and assess, don’t react

Next 7 days — rebuild the real number. Reconstruct the score from your actual covered system, not from the number you wish you had. Confirm scope (what FCI or CUI actually flows, which systems, which cloud, which external service providers), update the SSP so it describes the real environment, test each requirement against the NIST SP 800-171A assessment objectives, apply the DoD scoring methodology, and assemble evidence for every control you claim as implemented.

Next 30 days — separate the lanes. Keep four workstreams distinct: legal response, SPRS correction, technical remediation, and any prime/CO communications. Don’t let your IT team’s eagerness to “fix the number” outrun your legal review.

What not to do — these turn a fixable problem into a new one:

• Don’t backdate SSPs or POA&Ms to fit a past claim. You’d be manufacturing a fresh evidence problem.
• Don’t leave a known-unsupported score in place. The discovery date matters; silence is the worst option.
• Don’t post a 110 because a prime is pressuring you. External pressure does not implement controls.
• Don’t submit CUI — drawings, network diagrams, contract-sensitive details — into any provider-matching form or insecure channel.
• Don’t treat software as compliance. A GRC platform organizes evidence; it does not implement your controls.

Who should help — attorney, RP/RPO, MSSP, GRC platform, CUI enclave, or C3PAO?

One independence rule you cannot blur: under the Cyber AB CMMC Assessment Process, a C3PAO must identify and manage conflicts of interest, and if a conflict cannot be mitigated, the C3PAO must not proceed. Don’t ask one firm to fix your environment and then certify it — keep readiness help and the formal assessment in separate hands. For the broader differences, see our breakdown of C3PAO vs. RPO — which to hire first.

How does an inaccurate SPRS score affect CMMC and your annual affirmation?

The CMMC Program Rule (32 CFR Part 170) became effective December 16, 2024. The contract clause, DFARS 252.204-7021, became effective November 10, 2025, and the program is rolling out in phases — Phase 1 runs November 10, 2025 to November 9, 2026, with Phase 2 enforcement beginning November 10, 2026.

For current CMMC Level 2, the controlling standard is NIST SP 800-171 Revision 2 — the 110 security requirements across 14 control families. NIST has since published Revision 3, which supersedes Rev. 2 in the NIST publication series — but 32 CFR Part 170 still incorporates Rev. 2 for CMMC Level 2 unless and until DoD changes the rule. See: CMMC Level 2 requirements — all 110.

Beyond your score, the CMMC self-assessment information in SPRS includes your CMMC level, status, scope, CAGE codes, and POA&M usage where applicable — and, separately, an annual affirmation. Under 32 CFR § 170.22, a designated affirming official— a senior company representative responsible for compliance — must submit that affirmation in SPRS, attesting that the organization has implemented and will maintain its applicable CMMC security requirements. It’s required upon achieving CMMC status, annually after, and at POA&M closeout.

The award stakes are split across two clauses. DFARS 252.204-7025 makes an offeror ineligible for award unless each in-scope contractor information system has the required current CMMC status and a current affirmation in SPRS. DFARS 252.204-7021 then requires the contractor to maintain that status and complete annual affirmations during performance. Where the clause applies, no current status and affirmation means no award. If the underlying score or status is wrong and an affirming official signs anyway, you may be putting a named individual’s signature on a false statement.

If your CMMC affirmation is bound up with your SPRS-score question, see our companion guides: The CMMC annual affirmation — who signs and signer risk and False Claims Act CMMC risk — the complete map.

How should primes and subcontractors handle inaccurate SPRS scores?

Primes carry weight here. DFARS 252.204-7012 requires the safeguarding clause to flow down to relevant subcontracts, and DFARS 252.204-7021 adds CMMC status and affirmation obligations where applicable. In practice, under the CMMC Final Rule, subcontractors post their own assessments and affirmations in SPRS, and DoD does not hand a subcontractor’s SPRS record to the prime automatically — primes are expected to verify subcontractor compliance directly. See: My prime is asking for my SPRS score and SSP — what do I send?

For subcontractors fielding a “send us your SPRS score” request while you’re mid-correction, here’s a communications approach (not legal advice) that’s honest without oversharing or overstating:

Two hard rules for both sides: never ask a subcontractor to post a number its evidence doesn’t support, and never request CUI, drawings, or sensitive architecture through an insecure form or email. A flattering score obtained under pressure helps no one when DIBCAC shows up.

What records should you keep if you correct an SPRS score?

Each item below is tied to the enforcement pattern it answers, so this isn’t a generic checklist — it’s a litigation-aware one:

The throughline of every enforcement case we read: the contractors who got hurt couldn’t show a clean, dated, evidence-backed story. The ones who can are in a fundamentally stronger position.

Frequently asked questions

The bottom line, and your next step

An inaccurate SPRS score is not an automatic fine. It’s a fork in the road. Down one path, an honest contractor catches a mistake, rebuilds the number on real evidence, documents the correction, and moves on — and DOJ has shown it gives credit for exactly that. Down the other, a contractor discovers a gap and freezes — and that is the path that runs through the LOGZONE, MORSECORP, and Georgia Tech cases.

You found this page because you want to take the first path. Here’s the order of operations one more time: figure out which kind of problem you have, get a lawyer involved if there’s any chance the score was material to a payment or certification, rebuild the score on a real SSP and real evidence, and route the remediation to the right provider category.

What we actually verified for this page

Last verified June 19, 2026, by The Defense Compliance Report Editorial Team.

• Read 31 U.S.C. § 3729 for the False Claims Act penalty structure and the definition of “knowing.”
• Confirmed the current FCA per-claim penalty range ($14,308–$28,619, for penalties assessed after July 3, 2025) against 28 CFR § 85.5.
• Pulled every settlement figure from DOJ press releases: LOGZONE ($507,144, including $253,572 restitution), MORSECORP ($4.6M; relator $851,000; 104→consultant-calculated −142), Georgia Tech ($875,000; false 98; relators $201,250), Raytheon/Nightwing ($8.4M), Health Net/Centene ($11.25M), Penn State ($1.25M), Aerojet Rocketdyne ($9M), Verizon ($4,091,317; cooperation credit), Aero Turbine/Gallant Capital ($1.75M; voluntary self-disclosure), Comprehensive Health Services ($930,000).
• Read 32 CFR § 170.22 for the CMMC annual-affirmation requirement and confirmed CMMC Program Rule effective December 16, 2024 and DFARS 252.204-7021 effective November 10, 2025.
• Reviewed DFARS 252.204-7012, -7019, -7020, -7021, and -7025 on Acquisition.gov.
• Confirmed CMMC Level 2 maps to NIST SP 800-171 Revision 2 (110 requirements, 14 control families), that NIST published Rev. 3 for its series, and that 32 CFR Part 170 still incorporates Rev. 2 for CMMC.

This is educational research, not legal, contractual, or compliance advice. Confirm scope and applicability with a CMMC Registered Practitioner (RP/RPO) or a qualified federal-contracts attorney. The contract clause and your CUI handling set your level — not a checklist.