Primary-sourced · Updated June 2026
What Happens If You Lie on Your SPRS Score?
Here’s what happens if you lie on your SPRS score: if you knowingly inflate your SPRS score — or leave a wrong one sitting in the system after you know it’s wrong — the real danger isn’t the number. It’s the federal contract representation behind it. A false SPRS score can expose your company to the civil False Claims Act (treble damages plus a penalty of $14,308 to $28,619 per claim), criminal false-statement charges (up to five years in prison), loss of the contract, suspension or debarment, and a whistleblower lawsuit filed by one of your own employees. Here’s the part most contractors get backwards: an honest low score — even a deeply negative one — is legal. The lie is the danger, not the low number. What changes your exposure is whether your score is backed by a real assessment, a system security plan, and a plan of action — or whether it’s a number you can’t defend on the day someone checks.
We say “the day someone checks” on purpose, because in the last two years, someone did. We read three separate Department of Justice settlements built on false cybersecurity scores, and the gaps were not rounding errors. One contractor reported a 104 when its real score was -142. Another reported a flawless 110 that a government review later put at -170. A third submitted a 98 that turned out to describe a network that didn’t exist. Below, we walk through exactly what happened in each case, what it cost, and — if you’re here because your own number is shaky — the calm, defensible way to fix it before it becomes evidence.

The Defense Compliance Report is the independent trade publication and decision resource for CMMC and Defense Industrial Base compliance — explaining the CMMC Final Rule with primary-source citation on every claim and mapping a contractor’s level, CUI scope, assessment type, and timeline to the right provider category, so DIB contractors choose the right CMMC path before they spend six figures.
By The Defense Compliance Report Editorial Team · Last reviewed June 2026 · Every regulatory and case claim on this page links to its primary source.
Not legal advice. This page is educational research, not legal, contractual, or compliance advice. If a wrong score may have touched a bid, an award, an invoice, an option exercise, a subcontract, or an executive affirmation, talk to a qualified federal-contracts attorney before you make any corrective statement to a contracting officer or a prime. The contract clause and your CUI handling set your obligations — not a checklist.
Independent publication disclosure. The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. We are not affiliated with the Cyber AB, the Department of Defense, DCMA DIBCAC, NIST, SPRS, PIEE, or any U.S. government agency. We may receive compensation for qualified introductions, sponsorships, or partner referrals when disclosed. Compensation does not control our regulatory analysis, provider-category recommendations, or status verification.
The 30-second version
| Your situation | What can happen | First safer move |
|---|---|---|
| Honest math or scoping mistake | Correctable. Document how it happened, then update the record. | Recalculate against your actual scope and keep the worksheet. |
| Inflated score you can’t support | Award risk, contract remedies, DIBCAC scrutiny, and False Claims Act exposure if it was material. | Stop repeating the number; involve counsel if it touched a bid or payment. |
| Score tied to the wrong system, CAGE, or environment | Assessment failure and award/status risk — the Georgia Tech problem. | Fix the scope before you recalculate. |
| A POA&M item counted as “implemented” | Unsupported score; conditional CMMC status can lapse. | Separate what’s done from what’s planned. |
| A subcontractor’s false score you relied on | Flow-down and reliance risk lands on the prime, too. | Pause reliance; request a non-CUI proof packet. |
| An old score left up after major changes | Out-of-date and increasingly hard to defend. | Reassess the current environment and update. |
The rest of this page answers every follow-up in the order you’re likely to ask it — what counts as lying, what each consequence actually is, who gets caught and how, what the real cases cost, and the step-by-step way to correct a bad score without making a worse one.
What happens if you lie on your SPRS score?
A knowingly false or unsupported SPRS score can create five kinds of trouble: award-eligibility problems, contract remedies, government assessment scrutiny, CMMC status or affirmation failures, and False Claims Act exposure. The severity depends on the contract clauses, whether the score was material to an award or a payment, whether the company knew it was wrong, and how it corrected the record. The higher-risk fact pattern is never “we have a low score.” It’s “we claimed a score we couldn’t support.”
First, the plumbing, because it explains the legal weight. SPRS is the Supplier Performance Risk System — the Department of Defense database where contractors post their NIST SP 800-171 self-assessment score. NIST SP 800-171 Revision 2 is the federal standard of 110 security requirements, organized into 14 control families, for protecting Controlled Unclassified Information (CUI) on contractor systems. Two clauses make the score mandatory when they apply to a covered system relevant to the offer or contract: under DFARS 252.204-7019, an offeror must have a current assessment (no more than three years old) posted in SPRS to be considered for award; under DFARS 252.204-7020, the contractor must keep current summary scores posted in SPRS, give the government access for its own Medium and High assessments, and flow the requirement down to subcontractors. The underlying obligation to actually implement the controls comes from DFARS 252.204-7012.
That’s why a score is not a marketing profile. It’s a representation tied to a federal contract, sitting in a federal system, that a contracting officer can pull before award. When it’s false, the exposure splits into four legal tracks. We built the table below by reading the statutes and the DOJ settlements directly — so you can see the trigger, the mental state the government has to prove, and the ceiling on each one in a single view.
The SPRS False-Score Liability Map
| Consequence | What triggers it | What the government must show | Maximum exposure | Primary source | Real example |
|---|---|---|---|---|---|
| Civil — False Claims Act | Submitting or affirming a score you knew (or recklessly disregarded) was false, then invoicing under the contract | “Knowingly” — which includes reckless disregard or deliberate ignorance, with no intent to defraud required | Treble (3×) damages plus $14,308–$28,619 per false claim; each invoice can count as a separate claim | 31 U.S.C. § 3729; penalty rates at 28 CFR § 85.5 | MORSE — $4.6M |
| Criminal — False Statements | Knowingly and willfully entering a materially false score into SPRS, a federal system | “Knowingly and willfully” — a higher bar; the person generally knew the conduct was unlawful | Felony, up to 5 years in prison per count, plus fines; reaches individuals, not just the company | 18 U.S.C. § 1001 | No SPRS-score criminal case among those we reviewed; § 1001 is the statute to understand |
| Contractual / Administrative | A material misrepresentation found by a contracting officer, DIBCAC, or an audit | Varies by clause, contract facts, and agency action | Contract remedies up to termination; suspension; debarment (loss of all federal eligibility) | FAR 9.406 / 9.407 | A common collateral consequence in these matters |
| Whistleblower / Qui Tam | An insider — often your own security or IT lead — files a sealed False Claims Act complaint | Same standard as the civil FCA | The relator collects 15%–30% of the recovery; you also pay their attorney’s fees | 31 U.S.C. § 3730 | MORSE whistleblower received $851,000 |
Keep this map in mind as you read. Almost everything else on this page is just these four tracks in more detail — and the single thread connecting them is knowledge. A wrong score made in good faith is a different animal from a wrong score you knew about and rode anyway. That distinction is the next section, and it matters more than any other sentence here.
What actually counts as “lying” on an SPRS score — and what doesn’t
An honest calculation mistake, a scoping error, or an out-of-date score is not automatically fraud. The risk starts when the company knows — or willfully avoids knowing — that the score is wrong, and keeps using it in bids, prime questionnaires, affirmations, or invoices. The danger isn’t imperfection. It’s the gap between what you reported and what your evidence can prove, combined with knowledge of that gap.
Here’s how the score is actually built, because “lying” only makes sense against the real mechanics. Under the NIST SP 800-171 DoD Assessment Methodology, which the CMMC scoring rule at 32 CFR § 170.24 carries forward, you start at a perfect 110 and subtract a weighted value (1, 3, or 5 points) for every one of the 110 requirements you have not fully implemented. Partial credit is rare: the rule allows it only in two cases, multi-factor authentication (IA.L2-3.5.3, where MFA that covers remote and privileged users but not general users costs three points instead of five) and FIPS-validated encryption (SC.L2-3.13.11, where you lose three points if your encryption isn’t FIPS-validated and five if it’s absent). For everything else, a requirement is either fully met — with evidence in final form, not draft — or it scores zero. The result can fall to -203, the floor of the range (110 minus the 313 points the requirements carry in total). A self-generated score is a Basic Assessment, and the methodology rates its confidence level as “Low” precisely because you scored yourself.
So what tips a score from “wrong” into “dangerous”? In practice, it’s one of these:
- A score posted before a real System Security Plan (SSP) exists. The SSP defines which system you’re scoring and how each control is implemented. Under § 170.24, the absence of a current SSP at assessment time means the assessment can’t even be completed. No SSP, no defensible score.
- Controls marked “MET” on the strength of drafts or intentions. A policy that isn’t approved, a tool that isn’t deployed, a process nobody runs — those don’t make a requirement met.
- A Plan of Action and Milestones (POA&M) treated as if the work were done. A POA&M is a promise to fix something later. The rule is explicit: a not-implemented requirement scores as NOT MET whether it’s on a POA&M or not.
- The wrong scope — an “enterprise” score applied to a covered system it doesn’t actually describe, or the wrong CAGE code and system boundary. This is the trap that snared Georgia Tech, which we get to below.
- A known-wrong score left in place while you keep using it in proposals, supplier forms, or affirmations.
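The scoring arithmetic above, and the “wrong versus dangerous” conditions in the list, are easier to see in code. The block below is an added illustration for this page, not code from DoD, SPRS, or this publication: it starts at 110, deducts 1/3/5 per requirement, scores POA&M items as NOT MET, gives partial credit only for IA.L2-3.5.3 and SC.L2-3.13.11, and refuses to count a requirement as MET on draft evidence. It also applies the conditional Level 2 rule the page discusses in the correction section (minimum 88, open items only on lower-weight requirements); the reading of “lower-weight” as 1-point items with the FIPS exception is my assumption from 32 CFR § 170.21 and should be verified. The requirement weights and the scenario are a constructed subset; any requirement not listed is assumed MET.

```python
"""SPRS score arithmetic and a defensibility check.

Added illustration for this page, not code from DoD, SPRS, or the page's author.
WEIGHTS and SCENARIO are constructed; requirements not listed are assumed MET.
"""
from dataclasses import dataclass

MAX_SCORE = 110
FLOOR = -203              # 110 minus the 313 total weight of all requirements
CONDITIONAL_MINIMUM = 88  # 80% of 110, for conditional CMMC Level 2 status

# The only two requirements with a partial-credit deduction (3 points instead of 5).
PARTIAL_CREDIT = {"IA.L2-3.5.3": 3, "SC.L2-3.13.11": 3}

# Constructed subset of requirement weights; check each against the DoD
# Assessment Methodology before using it for a real score.
WEIGHTS = {
    "AU.L2-3.3.1": 5,
    "IA.L2-3.5.3": 5,
    "SC.L2-3.13.11": 5,
    "AC.L2-3.1.9": 1,
    "IR.L2-3.6.3": 1,
}


@dataclass(frozen=True)
class Status:
    state: str                   # "MET", "NOT_MET", "PARTIAL" or "POAM"
    evidence_final: bool = True  # False = the control rests on a draft


def deduction(req_id: str, status: Status, honest: bool) -> int:
    """Points lost for one requirement. With honest=True a MET claim that
    rests on draft evidence scores as NOT MET, as an assessor would score it."""
    weight = WEIGHTS[req_id]
    if status.state == "MET":
        return weight if (honest and not status.evidence_final) else 0
    if status.state == "PARTIAL":
        if req_id not in PARTIAL_CREDIT:
            raise ValueError(f"{req_id}: no partial credit; score it MET or NOT_MET")
        return PARTIAL_CREDIT[req_id]
    if status.state in ("NOT_MET", "POAM"):  # a POA&M is a promise, not an implementation
        return weight
    raise ValueError(f"{req_id}: unknown state {status.state!r}")


def score(statuses: dict, honest: bool = True) -> int:
    total = MAX_SCORE - sum(deduction(r, s, honest) for r, s in statuses.items())
    assert FLOOR <= total <= MAX_SCORE
    return total


def findings(statuses: dict, ssp_current: bool) -> list:
    """The conditions the page lists as tipping a score from wrong into dangerous."""
    out = []
    if not ssp_current:
        out.append("no current SSP: the assessment cannot be completed")
    for req_id, s in statuses.items():
        if s.state == "MET" and not s.evidence_final:
            out.append(f"{req_id} claimed MET on draft evidence; scores NOT MET ({WEIGHTS[req_id]} pts)")
        if s.state == "POAM":
            out.append(f"{req_id} is on a POA&M; it scores NOT MET until implemented")
    return out


def conditional_level2_eligible(statuses: dict) -> tuple:
    """Conditional Level 2 status: honest score >= 88 and open items only on
    lower-weight requirements. Assumption (verify against 32 CFR 170.21):
    lower-weight means 1-point items, plus SC.L2-3.13.11 when encryption is
    in place but not FIPS-validated. The rule's list of 1-point requirements
    that may never sit on a POA&M is not encoded here."""
    reasons = []
    honest_score = score(statuses, honest=True)
    if honest_score < CONDITIONAL_MINIMUM:
        reasons.append(f"score {honest_score} is below {CONDITIONAL_MINIMUM}")
    for req_id, s in statuses.items():
        open_item = s.state in ("NOT_MET", "POAM", "PARTIAL") or not s.evidence_final
        fips_partial = req_id == "SC.L2-3.13.11" and s.state == "PARTIAL"
        if open_item and WEIGHTS[req_id] > 1 and not fips_partial:
            reasons.append(f"{req_id} ({WEIGHTS[req_id]} pts) cannot sit on a POA&M")
    return (not reasons, reasons)


# Constructed scenario: what a contractor claims versus what its evidence supports.
SCENARIO = {
    "AU.L2-3.3.1": Status("MET", evidence_final=False),  # audit policy still a draft
    "IA.L2-3.5.3": Status("PARTIAL"),                    # MFA for remote/privileged users only
    "SC.L2-3.13.11": Status("PARTIAL"),                  # encryption present, not FIPS-validated
    "AC.L2-3.1.9": Status("POAM"),                       # planned, not done
    "IR.L2-3.6.3": Status("NOT_MET"),
}

if __name__ == "__main__":
    print("score as claimed:   ", score(SCENARIO, honest=False))  # 102
    print("score as defensible:", score(SCENARIO, honest=True))   # 97
    for line in findings(SCENARIO, ssp_current=True):
        print(" -", line)
    print("conditional Level 2:", conditional_level2_eligible(SCENARIO))
```

Run as-is it shows the gap the page keeps pointing at: the claimed 102 and the defensible 97 differ only by one draft policy counted as MET, and the same scenario fails the conditional-status check not because of the score but because two 5-point items are open. Extend WEIGHTS with the real 110 entries to use it as a scoring worksheet.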
One honest admission before we go further
We can’t tell you whether your company violated the False Claims Act, whether you should self-disclose, or what to say to your contracting officer. That turns on facts, intent, contract language, and legal advice we’re not positioned to give. What we can do — and what the rest of this page does — is lay out the regulatory facts that make an unsupported score dangerous, show you the real enforcement record, and map the operational steps that stop the problem from getting worse.
And here’s the reassuring half of that admission, because it’s the single most misunderstood point in this whole topic: a low or even negative SPRS score is legal. Plenty of capable contractors score below zero on their first honest assessment. The False Claims Act does not punish a low score. It punishes a false one. An honest 64 with a real SSP and a credible plan is a stronger, safer position than a 110 you can’t back up.
Quick self-check: which situation are you actually in?
Before you call anyone, it helps to know what kind of problem you have. The SPRS Correction Self-Check walks you through six questions — Was the score used in a bid, award, or invoice? Is an award, option, or invoice pending? Did you share it with a prime? Do you have a current SSP? Do you know your real, evidence-supported score? Has DIBCAC, a C3PAO, or a prime already asked questions? — and points you to the right first move: counsel-first, readiness-first, control-operations-first, evidence-first, scope-reduction-first, or formal assessment. It’s an orientation tool, not legal advice, and it does not ask for CUI, drawings, scores, or contract details.
The civil consequence: False Claims Act treble damages and per-claim penalties
The most common consequence of a false SPRS score is a civil False Claims Act case. The statute allows the government to recover three times its damages, plus a penalty of $14,308 to $28,619 for each false claim. Because every invoice submitted while the false score was posted can count as a separate claim, exposure compounds fast — which is how a small contractor ends up writing a seven-figure check.
The False Claims Act (31 U.S.C. § 3729) is the federal government’s primary fraud-recovery tool. We verified the current penalty figures against the Federal Register notice published July 3, 2025, reflected in 28 CFR § 85.5: for violations after November 2, 2015 penalized after July 3, 2025, the per-claim range is $14,308 to $28,619, on top of treble damages. Those numbers are adjusted for inflation every year, so they’ll move — but the structure won’t.
Two features of the law catch contractors off guard.
First, “I didn’t mean to lie” is not a defense. The FCA’s knowledge standard reaches not just actual knowledge but deliberate ignorance and reckless disregard of the truth — and it requires no specific intent to defraud. In plain terms: if you posted a number you had no real basis for, “we were sloppy, not dishonest” doesn’t get you out. Recklessness is enough.
Second, the penalties multiply per claim. A “claim” is, broadly, any request for government money. Each invoice you submitted while the false score sat in SPRS can be its own claim, each carrying its own penalty. Run the arithmetic on a few dozen invoices and the theoretical exposure is staggering: two dozen claims at the maximum per-claim penalty is roughly $687,000 in penalties alone, before damages.
A fair caveat, because we won’t inflate the threat: in practice the government rarely extracts the theoretical maximum. These matters almost always settle for a negotiated number that’s a fraction of the headline exposure — but still far more than the original contract was worth. MORSE paid $4.6 million to resolve allegations tied to Army and Air Force contracts. The math is what brings a contractor to the table; the settlement is what they actually pay.
Can you go to jail for a false SPRS score? The criminal exposure
Yes — intentional falsification can be charged criminally under 18 U.S.C. § 1001, the federal false-statements statute, which carries up to five years in prison per count and reaches individuals, not just the company. The criminal bar is higher than the civil one, and whether a specific SPRS entry creates criminal exposure depends on the facts, materiality, and proof of willfulness.
18 U.S.C. § 1001 makes it a felony to knowingly and willfully make a materially false statement, or conceal a material fact, in a matter within federal jurisdiction. You don’t have to be under oath. A false entry submitted through a federal agency’s online system is the type of conduct the statute covers — and SPRS is exactly that. The mental-state requirement is tougher than the civil FCA’s: prosecutors must show you acted “knowingly and willfully,” meaning you generally understood the conduct was unlawful. Reckless sloppiness that’s enough for civil liability won’t, by itself, support a criminal charge.
Two things keep this in proportion. To date, the SPRS-score cases we reviewed resolved civilly under the False Claims Act, not as criminal prosecutions. But the criminal statute is on the books, and it reaches individuals — the executives who sign these representations, not just the company. Under CMMC, that personal exposure sharpens: a named senior official has to affirm continuing compliance, by name, in SPRS. More on that below.
If you may already be exposed, read this before you do anything else
If a wrong score touched a bid, an award, an invoice, an option, or a prime representation — or if a subpoena, a DIBCAC inquiry, a C3PAO finding, or a whistleblower is already in the picture — stop here and call a qualified federal-contracts or False Claims Act defense attorney before you contact a provider or your contracting officer. That conversation is protected by privilege; the timing and wording of any correction carry legal consequences a website can’t manage for you. This is not a step we can sell you, and it’s the most important one on the page. Get it first. Everything else can wait a day.
Beyond the fine: losing the contract, suspension, and debarment
A false score doesn’t just cost money. It can create contract-remedy risk up to termination, and a serious misrepresentation can lead to suspension or debarment — which strips your ability to win any federal contract at all. For a company that lives on DoD work, that’s not a line item. It’s the business.
Suspension and debarment are the government’s eligibility weapons, and they don’t require a criminal conviction. A serious misrepresentation or other offense affecting present responsibility can be enough to put eligibility on the table. For a small or mid-size DIB supplier whose pipeline is mostly defense, an exclusion is an extinction-level event — which is exactly why the calm correction path in the back half of this page matters more than the fear in the front half.
| Action | Who acts | Practical effect | Primary source |
|---|---|---|---|
| Contract remedy | Contracting officer | The agency can pursue remedies on the affected contract, up to termination | The contract’s terms and the FAR |
| Suspension | Suspending and debarring official | Temporary, government-wide exclusion from new federal awards during an investigation | FAR 9.407 |
| Debarment | Suspending and debarring official | Fixed-term, government-wide exclusion (commonly up to three years) | FAR 9.406 |
Who turns you in? The whistleblower (qui tam) reality
Several recent cybersecurity False Claims Act matters started with insiders — your own security lead, IT director, CISO, or compliance manager — rather than a government audit. Under the FCA’s qui tam provisions, that whistleblower (a “relator”) can collect 15% to 30% of whatever the government recovers, and you pay their legal fees. You often won’t know until the case is unsealed, sometimes years later.
This is the part that changes the risk calculus, so sit with it. The False Claims Act (31 U.S.C. § 3730) lets a private person sue on the government’s behalf and share in the recovery. People with inside knowledge make powerful relators, and the money is real. Look at who these whistleblowers actually were.
| Case | Who filed it (as identified by DOJ) | Relator’s share | Score-specific? |
|---|---|---|---|
| MORSE | The company’s own Head of Security / Facility Security Officer | $851,000 | SPRS score |
| Georgia Tech | Two former members of the cybersecurity team | $201,250 (combined) | Summary cyber score |
| Raytheon | A former Director of Engineering | $1,512,000 | Controls / SSP, not a score |
| Penn State | The former CIO of the Applied Research Laboratory | $250,000 | Score dates / POA&Ms |
The pattern is unmistakable: the people who know your real score are the people best positioned to report it. That’s not a reason to panic. It’s a reason to make sure the people inside your building never have a true story to tell. An honest score and a documented correction process protect you from the government and from the disgruntled-insider lawsuit that triggers the government in the first place.
Has anyone actually been penalized? MORSE, Georgia Tech, LOGZONE, and the enforcement record
Yes — and the cases are recent and specific. We read the Department of Justice settlement materials directly. Two of the three headline cases turned on a score posted in SPRS; the third turned on a false summary-level cybersecurity assessment score submitted to DoD. The most recent landed on June 18, 2026: a contractor that posted a perfect 110 it couldn’t support, caught by a government review that scored it -170.
This isn’t hypothetical enforcement. DOJ’s Civil Cyber-Fraud Initiative, announced October 6, 2021, expressly uses the False Claims Act against contractors that knowingly provide deficient cybersecurity, knowingly misrepresent their cybersecurity practices, or knowingly violate reporting obligations. The cases below are drawn from DOJ’s own announcements.
MORSECORP — the 104 that was really -142 ($4.6M)
We read the DOJ settlement announcement (Press Release 25-303, March 26, 2025). The timeline is the lesson. In January 2021, MORSE submitted an SPRS score of 104 — near the top of the -203-to-110 range. In July 2022, a third-party consultant told the company its real score was -142. MORSE did not correct the record in SPRS until June 2023 — three months after the United States served it with a subpoena. The company eventually remediated all the way to a perfect 110. It still paid $4.6 million, and its whistleblower — MORSE’s own Head of Security — received $851,000. The case is United States ex rel. Berich v. MORSECORP, Inc., No. 23-cv-10130 (D. Mass.).
The takeaway isn’t “they had gaps.” Every contractor has gaps. The damaging fact was the distancebetween the reported number and the real one — and the decision to leave it untouched after they knew.
Georgia Tech Research Corporation — the 98 for a network that didn’t exist ($875K)
We read the DOJ announcement (Press Release 25-1012, September 30, 2025). DOJ alleged that in December 2020, Georgia Tech submitted a summary-level cybersecurity assessment score of 98 that supposedly applied campus-wide — and that the score was false because there was no campus-wide IT system, and the number was premised on a “fictitious” or “virtual” environment that didn’t describe any actual covered system processing covered defense information. The case settled for $875,000; two former cybersecurity-team members received $201,250. The claims are allegations only, with no determination of liability.
This is why we keep repeating scope before score. A high number tied to the wrong environment can be more dangerous than a low number tied to the right one. The first is a misrepresentation; the second is just a to-do list.
LOGZONE — the perfect 110 that a DIBCAC review put at -170 ($507K)
We read the DOJ announcement, dated June 18, 2026 — two days before this page was last verified. LOGZONE, a Huntsville, Alabama defense contractor, submitted a perfect self-assessment score of 110 in SPRS in October 2021 for two Navy contracts. When the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) — the DCMA unit that conducts the government’s own assessments — reviewed the company in 2024, it scored LOGZONE -170, near the bottom of the range. DOJ alleged the company knowingly billed the Navy from 2021 through 2025 despite the noncompliance, and LOGZONE agreed to pay $507,144. No admission of liability.
LOGZONE matters for two reasons. It proves the government is still finding these gaps and acting on them right now. And it shows the discovery mechanism plainly: you can post a self-assessed 110, and a government assessment can put the real number 280 points lower.
The broader enforcement record
The two cases below weren’t about a false score — they show the wider pattern around cybersecurity contract requirements. Every row in this table is verified against the DOJ press release we read.
Cybersecurity False Claims Act settlements
| Contractor | DOJ date | Amount | What DOJ alleged | Score-specific? |
|---|---|---|---|---|
| MORSECORP | Mar 2025 | $4.6M | Reported 104; real score -142; not corrected until after a subpoena | Yes — SPRS score |
| Georgia Tech Research Corp. | Sep 2025 | $875K | False summary cybersecurity score of 98 for a “virtual”/fictitious environment | Yes — summary score |
| LOGZONE | Jun 2026 | $507,144 | Reported 110 in SPRS; a 2024 DIBCAC review found -170 | Yes — SPRS score |
| Raytheon / RTX / Nightwing | May 2025 | $8.4M | Failed to implement controls and an SSP on an internal development system across 29 DoD contracts; conduct predated Nightwing’s acquisition | No — controls/SSP |
| Penn State | Oct 2024 | $1.25M | Submitted scores reflecting unimplemented controls, but misrepresented the dates it would fix them and did not pursue POA&Ms, across 15 DoD/NASA contracts | Score dates / POA&Ms |
Penn State is the quiet cautionary tale here: its scores reportedly reflected what it had and hadn’t done — the alleged falsehood was the timeline it promised and never pursued. Even an accurate-looking score can create exposure through the representations around it.
A cyberattack isn’t required — and fixing your score later doesn’t erase the past
You do not need to have been breached to face liability. In MORSE, Georgia Tech, and LOGZONE, DOJ’s allegations focused on false claims, cybersecurity noncompliance, and score or scope problems — not on proving that a breach occurred. And correcting your score later does not undo a false score you already submitted: MORSE remediated to a perfect 110 and still paid $4.6 million. But moving from a false posture to an honest one now, with counsel, is materially better than waiting to be caught.
Two myths die here.
Myth one: “Nothing bad happened, so there’s no harm.” In these matters, DOJ pursued liability without alleging that the false score led to a breach. The misrepresentation itself — made to win or keep a contract — is the harm. No hack required.
Myth two: “I’ll just quietly fix the number and move on.” Updating SPRS is necessary, but it doesn’t erase liability for the period the false score was live and being relied upon. MORSE’s eventual 110 didn’t save it. That said — and this is the hopeful, true part — DOJ’s False Claims Act practice does reward voluntary self-disclosure, cooperation, and remediation. The difference between cleaning this up on your terms, with counsel, and having it cleaned up on the government’s terms after a subpoena, is enormous. It just has to be done in the right order. That order is the rest of this page.
How could a false SPRS score be discovered?
A false or unsupported score can surface through a DIBCAC Medium or High Assessment, a C3PAO assessment, a CMMC annual affirmation, a contracting officer’s award check, prime or subcontractor due diligence, a cyber incident, a whistleblower, or a simple mismatch between the SSP, POA&M, CAGE scope, and the score. A score that can’t survive an evidence review is fragile even if no one has asked about it yet.
The LOGZONE case shows the most direct path: the government runs its own assessment and the real number comes out. But there are many doors.
| How it surfaces | What happens |
|---|---|
| DIBCAC Medium or High Assessment | The government assesses your implementation directly. LOGZONE’s self-reported 110 became -170 this way. |
| C3PAO assessment | A Certified Third-Party Assessment Organization checks your evidence against all 110 requirements before certification. |
| CMMC annual affirmation | A named senior official re-attests compliance in SPRS — on the record, by name. |
| Contracting officer award check | The CO pulls your score or CMMC status in SPRS before award. |
| Prime or subcontractor diligence | A prime asks for proof; a subcontractor’s false score becomes the prime’s problem. |
| Cyber incident | An incident can contradict the controls your score claimed were in place. |
| Whistleblower | An insider files a sealed False Claims Act complaint. |
| Internal inconsistency | The SSP, POA&M, CAGE scope, and score don’t line up under review. |
Can your prime see your SPRS score? Not automatically, and not universally. DoD personnel can access posted scores, and your own authorized representatives can view your company’s score. A prime can ask a subcontractor to provide score or status evidence for flow-down diligence — but it does not have automatic, universal access to every subcontractor’s SPRS record. That’s why the subcontractor section below is built around requesting proof, not assuming visibility.
Find My CMMC Path
The right CMMC provider isn't the same for every contractor. The category you need — a C3PAO, an RPO, an MSSP, a GRC platform, or a CUI enclave — depends on your required CMMC level, whether you handle FCI or CUI, your assessment type, your cloud and IT environment, and your contract timeline. (The contract clause sets your level, not a checklist.) Because a general answer can't resolve those for you, use The Defense Compliance Report's Find My CMMC Path tool to map your situation to the right provider category before you request quotes.
- What it asks: your required CMMC level, FCI vs CUI handling, assessment type, IT/cloud environment, and contract timeline
- What you get: the provider category that fits your situation and the readiness steps to get there, with the questions to ask before requesting quotes
- Educational triage only: free · 2-minute assessment · no obligation · do not submit CUI, drawings, or sensitive contract details
Is a low or negative SPRS score better than an unsupported high score?
Usually, yes. A low or negative score can create real business and readiness pain, but it is not the lie. An unsupported high score can create representation risk because it tells DoD, a prime, or your own affirming official a story your evidence may not survive. A negative score is allowed by the scoring methodology; the danger is pretending the number is higher than the evidence supports.
This is the page’s whole point, distilled. If your number is low and accurate, the low score itself isn’t a false statement — you’re not compounding a gap with a lie. You may still have real work to do: the controls are contractually required under DFARS 252.204-7012, a low score can affect award consideration under DFARS 252.204-7019, and your CMMC status under DFARS 252.204-7021 still has to be earned. But those are solvable problems, and they’re solvable in the open. A low score tells the truth about work still needed. An inflated score tells a story your evidence may not survive. Choose the version you can defend.
What to do in the first 72 hours if your SPRS score is wrong
Do not panic-email your prime, overwrite old worksheets, delete emails, or rush a new score into SPRS before you understand the contract context. The safe sequence is: stop repeating the unsupported number, preserve every record, identify which clauses and timelines apply, decide whether counsel needs to lead, recalculate from your real scope, and only then correct the record through the right channel.
Work these in order.
1. Stop repeating the unsupported score. Pull the inflated number out of sales decks. Stop sending the old screenshot. Pause supplier questionnaires that ask you to certify a score. Stop telling primes “we’re compliant” when what you mean is “we have a plan.” Every repetition of a known-wrong claim makes the record harder to defend.
2. Preserve evidence — do not clean house. This is the step contractors get exactly backwards. Deleting old scoring worksheets, SSP drafts, or consultant emails after you discover a problem can look far worse than the original mistake. Preserve the old SPRS submissions, scoring worksheets, every SSP version, the POA&Ms, consultant correspondence, prime questionnaires, bid representations, and your CAGE/system-boundary decisions. Assume the file is discoverable and treat it that way.
3. Identify your clauses and timing. Pull the contract and the solicitation and find which obligations actually apply: DFARS 252.204-7012 (safeguarding CUI and incident reporting); DFARS 252.204-7019 and -7020 (the SPRS score requirement and government assessments); DFARS 252.204-7021 (the CMMC clause and annual affirmation); and DFARS 252.204-7025, the solicitation provision effective November 10, 2025 where the contracting officer states the required level — CMMC Level 1 (Self), Level 2 (Self), Level 2 (C3PAO), or Level 3 (DIBCAC). Then note the timing that raises the stakes: a pending bid, an upcoming award, an option exercise, or an invoice cycle.
4. Decide whether counsel needs to lead. Bring in a federal-contracts attorney before making external corrective statements if any of these are true: the score touched a bid, award, invoice, option, or prime representation; the company knew it was wrong and kept using it; there’s a subpoena, DIBCAC inquiry, C3PAO finding, whistleblower, or incident; an executive signed or approved the representation; or a subcontractor’s false score affected your reliance.
5. Recalculate from the real scope. Not the desired future state. Score the current covered system, against the current SSP, for the real CUI/FCI footprint, using the evidence you actually have today.
6. Build a corrected score file and correct the record. Document the new worksheet, your assumptions, the evidence map, the SSP version, the POA&M, and an executive sign-off — then update SPRS and any external representations through a documented process. When bids, payments, or awards are involved, let counsel set the timing and the wording.
If a consultant produced the wrong score: you still own the record. Preserve their workpapers and recalculate from your real evidence. “Our consultant did it” is not, by itself, a defense if your company submitted or relied on the number.
How to correct an SPRS score without making it worse
The safer correction path is evidence first, statement second. Rebuild the score from the actual system boundary, the current SSP, the right CAGE scope, the NIST SP 800-171 requirements, and final evidence — then update SPRS and external communications through a documented process. The goal is to fix the path, not to create a second bad record.
Four principles govern every defensible correction.
- Scope before score. If the boundary is wrong, the number is meaningless — accurate or not. Define what system you’re actually scoring first.
- Evidence before assertion. A score is only as defensible as the evidence folder behind it. If you can’t show it, you can’t claim it.
- A POA&M is not implementation. Under 32 CFR Part 170, planned work scores zero. POA&M use is also limited: Level 1 allows none; a conditional Level 2 status requires a minimum score of 88 (80% of 110), with POA&Ms only on certain lower-weight requirements, and conditional status must be closed out within 180 days.
- Counsel before external corrective statements whenever legal exposure is possible. This keeps a good-faith fix from becoming an admission delivered at the wrong moment.
The corrected-score evidence checklist
| Correction item | Why it matters |
|---|---|
| Current SSP | Anchors exactly which system is being scored |
| CAGE / system mapping | Prevents a wrong-entity or wrong-boundary score |
| Asset inventory | Shows what’s in and out of scope |
| CUI / FCI data flow | Shows why this level and scope apply |
| Requirement-by-requirement worksheet | Shows your scoring logic, control by control |
| Evidence folder | Supports every “MET” determination, in final form |
| POA&M | Shows what isn’t finished yet, with owners and dates |
| Executive sign-off | Shows accountable governance behind the number |
| SPRS update log | Documents the correction history |
| External-communications log | Records what was represented, to whom, and when |
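As an added example (not the page’s or DoD’s own tool), here is the requirement-by-requirement worksheet from the checklist above turned into a small scorer that applies the rules the page states: start at 110, deduct each unmet requirement’s weight, treat POA&M work as scoring zero, and flag a conditional Level 2 status that falls below 88 or puts a POA&M on a higher-weight item. The per-requirement weights, the partial-credit entries for 3.5.3 and 3.13.11, and the reading of “lower-weight” as 1-point items are assumptions; every worksheet row is constructed sample data.

```python
"""Worksheet scorer for an SPRS self-assessment: an added, illustrative tool,
not the page's or DoD's own. Rules applied: start at 110, deduct each unmet
requirement's weight; planned (POA&M) work scores zero; conditional Level 2
needs at least 88, POA&M items only on lower-weight requirements, closed out
within 180 days. Assumptions: "lower-weight" means 1-point items; partial
credit for 3.5.3 (MFA) and 3.13.11 (FIPS crypto) is the author's recollection
of the DoD methodology; all rows and weights below are constructed samples."""
from dataclasses import dataclass
from datetime import date, timedelta

MAX_SCORE = 110
CONDITIONAL_MIN = 88          # 80% of 110, per the page
POAM_CLOSEOUT_DAYS = 180
POAM_MAX_WEIGHT = 1           # assumption: POA&M allowed on 1-point items only
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}   # assumed partial-credit deductions

@dataclass
class Row:
    req: str            # NIST SP 800-171 requirement id
    weight: int         # 5, 3 or 1 (constructed values in the sample)
    status: str         # "MET", "NOT MET", "PARTIAL" or "POAM"
    evidence: str = ""  # reference to final evidence; empty means none on file

def score(rows):
    """110 minus the weight of everything not fully implemented today."""
    total = MAX_SCORE
    for r in rows:
        if r.status == "MET":
            continue
        if r.status == "PARTIAL" and r.req in PARTIAL_CREDIT:
            total -= PARTIAL_CREDIT[r.req]
        else:
            total -= r.weight   # NOT MET, POAM, or PARTIAL with no exception
    return total

def findings(rows):
    """Defensibility problems in the worksheet; an empty list is clean."""
    out = []
    for r in rows:
        if r.status == "MET" and not r.evidence:
            out.append(f"{r.req}: MET without an evidence reference")
        if r.status == "POAM" and r.weight > POAM_MAX_WEIGHT:
            out.append(f"{r.req}: POA&M not permitted on a {r.weight}-point item")
        if r.status == "PARTIAL" and r.req not in PARTIAL_CREDIT:
            out.append(f"{r.req}: no partial credit exists; scored as NOT MET")
    s = score(rows)
    if any(r.status == "POAM" for r in rows) and s < CONDITIONAL_MIN:
        out.append(f"score {s} is below the conditional minimum {CONDITIONAL_MIN}")
    return out

def poam_closeout(status_date_iso):
    """ISO date by which a conditional status's POA&M items must be closed."""
    due = date.fromisoformat(status_date_iso) + timedelta(days=POAM_CLOSEOUT_DAYS)
    return due.isoformat()

# Constructed sample worksheet (a real one has 110 rows).
SAMPLE = [
    Row("3.1.1", 5, "MET", "evidence/ac-3.1.1-policy-and-screens.pdf"),
    Row("3.1.2", 5, "POAM"),                       # not allowed: 5-point item
    Row("3.3.1", 5, "NOT MET"),                    # audit logging not running
    Row("3.4.6", 5, "MET"),                        # claimed MET, no evidence
    Row("3.5.3", 5, "PARTIAL", "evidence/mfa-rollout.pdf"),   # MFA partial
    Row("3.8.4", 1, "POAM"),                       # 1-point item on the POA&M
    Row("3.13.11", 5, "PARTIAL", "evidence/crypto-inventory.xlsx"),
]

if __name__ == "__main__":
    print("score:", score(SAMPLE))                 # 93
    for f in findings(SAMPLE):
        print("finding:", f)
    print("POA&M close-out by:", poam_closeout("2026-06-01"))
```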
What if a subcontractor lied about its SPRS or CMMC self-assessment?
Treat it as a supplier-risk and contract-reliance problem, not just a cybersecurity one. As the prime, pause reliance on the unsupported claim, request a non-CUI proof packet, review your flow-down obligations, and involve counsel if the subcontractor’s false statement affected an award, performance, delivery, or CUI handling. You can be harmed by a subcontractor’s misrepresentation even when you can’t see its SPRS record directly.
This scenario is more common than the headlines suggest, and the instinct is usually either to ignore it or to fire off an accusatory email. Do neither. Start with a request.
The non-CUI proof packet to ask for: the CAGE code tied to the assessment; the date of the SPRS score; the assessment level and type; the SSP name, version, and date; a scoring worksheet; a POA&M summary (no CUI); a boundary description (no sensitive architecture); and, where relevant, the CMMC unique identifier. Flow-down for these requirements runs through DFARS 252.204-7020 and the CMMC rules, and CMMC obligations follow FCI and CUI down the supply chain under 32 CFR Part 170.
What never goes through email or a web form: CUI drawings, export-controlled technical data, sensitive contract attachments, vulnerability details, passwords, or logs.
| The subcontractor’s situation | The prime’s path |
|---|---|
| Honest error, non-critical supplier, no CUI shared yet | Require a correction plan and updated proof |
| CUI already shared to an unsupported environment | Counsel-led review, containment, remediation |
| Subcontractor refuses to provide proof | Pause, replace, or escalate per the contract |
| Subcontractor knowingly submitted a false score | Counsel-led response; preserve all communications |
| Supplier can be fixed with a controlled environment | Route to a CUI enclave / readiness category |
Which provider category actually helps after a false score
Do not start with a C3PAO unless you’re already assessment-ready. If legal exposure is possible, start with a federal-contracts attorney. If the problem is the scoring, scope, SSP, or POA&M, start with an RPO or Registered Practitioner. If controls simply aren’t running, start with an MSSP. If evidence is scattered, add a GRC platform. If CUI is sprawling everywhere, look at a CUI enclave. The wrong first stop wastes money and, worse, can turn a readiness problem into a legal one.
Here’s how the categories sort out for a false-or-unsupported-score situation. (Full names on first use: C3PAO — Certified Third-Party Assessment Organization; RPO/RP — Registered Provider Organization / Registered Practitioner; MSSP — Managed Security Service Provider; GRC — governance, risk, and compliance software; CUI enclave — a carved-out, controlled environment for CUI.)
| If your real problem is… | Start here | Verify before you engage | Red flag |
|---|---|---|---|
| Possible legal exposure (score touched a bid, award, invoice, or affirmation) | Federal-contracts / FCA attorney | Government-contracts and FCA experience; privilege | Treats it as a paperwork fix, not a legal matter |
| A wrong score, scope, SSP, or POA&M | RPO / RP (readiness) | Registration with the Cyber AB; a real CMMC track record | Promises a specific score or guarantees certification |
| Controls that aren’t running (MFA, logging, endpoint, incident response) | MSSP / managed compliance | Defense/CUI experience; evidence generated over time | Sells tools without operating them |
| Scattered evidence and affirmation trails | GRC platform | Maps cleanly to NIST SP 800-171 and SPRS | Implies software alone makes you compliant |
| CUI spread across email, endpoints, consumer cloud | CUI enclave | A FedRAMP-equivalent posture for CUI | Vague on FedRAMP equivalency |
| Mature evidence; genuinely assessment-ready | C3PAO | Current authorization in the Cyber AB Marketplace; a conflict-of-interest process | Offers to remediate and then assess the same scope |
Two rules protect you from a common sales pitch. First, the Cyber AB’s CMMC Assessment Process requires a C3PAO to manage impartiality and conflicts of interest — so don’t treat a readiness or remediation provider as your formal assessor unless that C3PAO’s conflict-of-interest process supports independence. Second, no software product, by itself, makes you CMMC compliant. GRC tools organize the work; they don’t do it.
Find My CMMC Path
The right CMMC provider isn't the same for every contractor. The category you need — a C3PAO, an RPO, an MSSP, a GRC platform, or a CUI enclave — depends on your required CMMC level, whether you handle FCI or CUI, your assessment type, your cloud and IT environment, and your contract timeline. (The contract clause sets your level, not a checklist.) Because a general answer can't resolve those for you, use The Defense Compliance Report's Find My CMMC Path tool to map your situation to the right provider category before you request quotes.
- What it asks: your required CMMC level, FCI vs CUI handling, assessment type, IT/cloud environment, and contract timeline
- What you get: the provider category that fits your situation and the readiness steps to get there, with the questions to ask before requesting quotes
- Educational triage only: free · 2-minute assessment · no obligation · do not submit CUI, drawings, or sensitive contract details
How CMMC and annual affirmations raise the stakes
The SPRS self-assessment under DFARS 7019/7020 is already in force and already used in award decisions. CMMC adds a verification layer on top — and a named senior official who personally affirms continuing compliance in SPRS. Same 110 controls (NIST SP 800-171 Rev. 2), tighter proof, and a personal signature on the line.
The Cybersecurity Maturity Model Certification (CMMC) Program Rule, 32 CFR Part 170, became effective December 16, 2024, and the companion DFARS acquisition rule took effect November 10, 2025, opening Phase 1 (which runs through November 9, 2026, with Phase 2 beginning November 10, 2026). Under CMMC, a named Affirming Official — a senior company representative — attests to continuing compliance in SPRS after assessment and annually thereafter. That moves accountability from “the company said” to “this named executive attested.” If today’s score can’t survive an evidence review, the moment to fix the trail is before an executive signs the next affirmation — not after.
SPRS today vs. SPRS under CMMC
| Element | Under the DFARS self-assessment (in force now) | Under CMMC (phasing in) |
|---|---|---|
| The score | A Basic Assessment you generate yourself; “Low” confidence | Same 110 controls, verified by self-assessment or a C3PAO depending on the contract |
| What SPRS holds | The summary score | CMMC status and a CMMC unique identifier |
| Affirmation | A score plus an expected completion date | A named Affirming Official attests continuing compliance, annually |
| POA&Ms | Post a score below 110 with an expected date for all 110 | Limited: none at Level 1; conditional Level 2 needs a minimum 88 (80%), POA&Ms only on certain lower-weight items, closed in 180 days |
| Third-party results | Not applicable | C3PAO Level 2 results flow into SPRS through the CMMC system |
| Government override | DIBCAC can run Medium/High assessments | DIBCAC results take precedence over a prior status |
A word on the standard itself, because it confuses people: NIST has published Revision 3 of SP 800-171, but 32 CFR Part 170 currently incorporates NIST SP 800-171 Revision 2 by reference for CMMC Level 2 — so Revision 2 remains the controlling standard for CMMC unless and until DoD amends the rule. For most contracts handling CUI, the relevant level is CMMC Level 2, which maps to those 110 controls and, for prioritized acquisitions, requires a C3PAO assessment. Level 1 (FCI only) is an annual self-assessment of the 15 basic safeguarding requirements in FAR 52.204-21. Level 3 adds 24 selected enhanced requirements from NIST SP 800-172 (Feb. 2021) and is assessed by DCMA DIBCAC. The contract clause — not a self-diagnosis — tells you which one applies.
What we actually verified for this page
We separate three kinds of claims: regulatory facts (tied to the controlling authority), case facts (tied to DOJ records we read in full), and editorial judgments (clearly labeled as our analysis, not legal advice). Here’s what we checked and where, as of .
| What we verified | Source we read | Last verified |
|---|---|---|
| FCA penalty range ($14,308–$28,619 per claim, plus treble damages) | Federal Register 90 FR 29445; 28 CFR § 85.5 | |
| The SPRS score requirement and government assessments | DFARS 252.204-7019 / -7020 (Acquisition.gov) | |
| The underlying CUI safeguarding obligation | DFARS 252.204-7012 (Acquisition.gov) | |
| Required CMMC level designations in solicitations | DFARS 252.204-7025 (Acquisition.gov) | |
| Scoring mechanics, partial-credit exceptions, SSP/POA&M rules | 32 CFR § 170.24 (eCFR) | |
| MORSE — 104 vs -142, $4.6M, $851K relator share | DOJ Press Release 25-303 (read in full) | |
| Georgia Tech — false summary score of 98 for a “virtual” environment, $875K | DOJ Press Release 25-1012 (read in full) | |
| LOGZONE — 110 in SPRS vs -170 DIBCAC review, $507,144 | DOJ press release, June 18, 2026 (read in full) | |
| Raytheon / RTX / Nightwing — $8.4M, internal system/SSP, pre-acquisition conduct, relator share | DOJ Press Release 25-454 (read in full) | |
| Penn State — $1.25M, misrepresented implementation dates and POA&Ms, relator share | DOJ release, Oct 22, 2024 (read in full) | |
| Criminal false-statements exposure | 18 U.S.C. § 1001 | |
| CMMC program, phases, Affirming Official, NIST Rev. 2 incorporation, Level 3 = 24 selected SP 800-172 requirements | 32 CFR Part 170 (eCFR); Federal Register CMMC Program Rule | |
Frequently asked questions
Can you get in trouble for a false SPRS score?
Yes, if the facts show a knowing false or unsupported representation connected to a federal contract, award, payment, or compliance obligation. DOJ’s Civil Cyber-Fraud Initiative targets knowing cybersecurity misrepresentations under the False Claims Act, which allows treble damages plus a per-claim penalty of $14,308 to $28,619.
Is every wrong SPRS score fraud?
No. A calculation mistake, a scoping error, or an outdated score is not automatically fraud. The legal risk rises when a company knows the score is wrong — or recklessly avoids finding out — and keeps using it in bids, prime questionnaires, annual affirmations, invoices, or contract communications.
Can you go to jail for lying on your SPRS score?
Potentially. Intentional, willful falsification can be charged under 18 U.S.C. § 1001, which carries up to five years in prison per count and reaches individuals, not just the company. To date the known SPRS-score cases resolved civilly under the False Claims Act, but the criminal statute applies depending on the facts and proof of willfulness.
Is a low or negative SPRS score illegal? Do I need a perfect 110?
No. A low or even negative score is legal, and many contractors honestly score below zero on a first assessment. Under the DoD Assessment Methodology the score starts at 110 and can fall to -203. Only a false score is a violation.
Who can see my SPRS score?
DoD personnel can access posted scores, and your own authorized representatives can view your company’s score. A prime may ask a subcontractor to share score or status evidence for flow-down diligence, but it does not have automatic, universal access to every subcontractor’s SPRS record.
How could a false score be discovered?
Through a DIBCAC Medium or High Assessment, a C3PAO assessment, a CMMC annual affirmation, a contracting officer’s award check, prime or subcontractor due diligence, a cyber incident that contradicts the claimed controls, a whistleblower, or a mismatch between the SSP, POA&M, CAGE scope, and the score. In the LOGZONE case, a DIBCAC review put a self-reported 110 at -170.
Should I update my SPRS score if it is wrong?
Usually the record needs to be corrected — but do not make rushed external statements if the wrong score touched a bid, award, invoice, option, subcontract, or executive affirmation. Preserve evidence, involve counsel if legal exposure is possible, recalculate from your actual scope, and then correct through the right channel.
Can I delete or replace the old score?
Do not treat correction as history-erasing. Preserve the old score, the worksheet, every SSP version, communications, and your correction rationale, then update through the right process after a scope, evidence, and (where needed) counsel review. Deleting records after you discover a problem can look worse than the original mistake.
What if my consultant calculated the score wrong?
You still own the record. Preserve the consultant’s workpapers and communications, recalculate from your real evidence, and involve counsel if the incorrect score was used in a contract representation. “Our consultant did it” is not, by itself, a defense if your company submitted or relied on the number.
What if a subcontractor lied about its SPRS score?
Pause reliance on the unsupported claim, request a non-CUI proof packet (CAGE, score date, assessment level, SSP version, worksheet, POA&M summary), review your flow-down obligations, and involve counsel if the subcontractor’s representation affected an award, performance, delivery, or CUI handling.
Does fixing my score later protect me?
It improves your posture going forward, but it does not erase liability for a false score you already submitted — MORSE remediated to a perfect 110 and still paid $4.6 million. DOJ’s False Claims Act practice does credit voluntary self-disclosure, cooperation, and remediation, so a counsel-led correction is materially better than waiting to be caught.
Does CMMC replace SPRS?
No. CMMC statuses and annual affirmations are reflected in SPRS, and C3PAO assessment results flow into SPRS through the CMMC system. SPRS remains the database where DoD sees your assessment and status data.
How we built this page
The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. We wrote this page by separating regulatory facts, DOJ case facts, and editorial judgment. Regulatory claims are tied to primary sources — the official U.S. Code, the Federal Register, the eCFR, and Acquisition.gov. Case claims are tied to DOJ press releases we read in full. Provider-category recommendations are editorial conclusions based on your risk situation; they are not paid rankings, not endorsements, and not legal advice.
What this page is not: legal advice, a guarantee of any CMMC certification outcome, a substitute for counsel, or a statement of affiliation with the DoD, the Cyber AB, DCMA DIBCAC, NIST, SPRS, or PIEE. Confirm your scope and applicability with a CMMC Registered Practitioner (RP/RPO) or a qualified federal-contracts attorney. The contract clause and your CUI handling set your level — not a checklist.
Related reading from The Defense Compliance Report
- CMMC annual affirmation: who signs it, what it commits you to, and the SPRS deadline
- How to verify a company’s CMMC status in SPRS
- CMMC Level 2 self-assessment vs. C3PAO assessment: which one applies to you
- The CMMC Level 2 checklist
- CMMC provider categories: C3PAO vs. RPO vs. MSSP vs. GRC vs. CUI enclave
- What CMMC actually costs
- CMMC non-compliance penalties: what’s actually at stake
The Defense Compliance Report — the independent CMMC decision layer for defense contractors. Choose the right CMMC path before you hire.