- Self-assessed SPRS scores run roughly 100 points higher than what an actual third-party assessor finds. The gap is industry-wide, and it's the gap that drives the False Claims Act cases.
- **$52 million in FY2025 cybersecurity settlements. Five of nine filed by whistleblowers.** The people best placed to know your score is wrong have a financial incentive to report it: 15 to 30 percent of the recovery.
- Title 48 CFR took effect November 10, 2025. Contracting officers now actively screen on SPRS scores in award decisions. The score that didn't matter in 2024 disqualifies you from contracts in 2026.
- The annual affirmation is a *personal* signature, not a corporate one. Under the False Claims Act, you don't have to lie. Failing to verify is enough — that's the reckless-disregard standard.
- The score reflects 110 NIST 800-171 controls, weighted by security impact, on a range of −203 to +110. **A control is fully implemented or it isn't. There's no partial credit.**
In April 2025, a Massachusetts defense contractor wrote a check for $4.6 million.[1] MORSECORP had submitted a Supplier Performance Risk System score of 104. When a third-party assessment ran the math against the actual environment, the real score was −142. Three months passed between the DOJ subpoena and the contractor correcting the number in SPRS. The settlement was the precedent case for FY2025: nine False Claims Act cybersecurity cases, $52 million in recoveries, five of them filed by whistleblowers — current employees and former employees who knew what they had seen.[2]
Your SPRS score is no longer an administrative checkbox. Title 48 CFR took effect on November 10, 2025. DoD contracting officers now actively review SPRS scores in award decisions.[3] The number you submitted three years ago — possibly without remembering exactly how you arrived at it — can disqualify you from contracts, trigger a DIBCAC audit, and expose whoever signed the affirmation to personal liability under the False Claims Act.
This is what the score actually is. How the math actually works. Why most self-reported scores are wrong. And what to do this week if yours is one of them.
What SPRS actually is, and what changed.
SPRS is the Supplier Performance Risk System. It’s the DoD’s central database for contractor risk data, and the part that matters to anyone handling Controlled Unclassified Information is the NIST SP 800-171 self-assessment score. A number between −203 and +110 that reflects how many of 110 security controls you’ve fully implemented, weighted by their security impact.
The requirement to submit it sits in DFARS 252.204-7019. If your contracts reference that clause — and most CUI-related contracts do — you must have a current score in SPRS before contract award. Three-year validity. Older than that is treated as non-compliant.[4]
What changed in 2025 was enforcement. Three things landed in close succession.
Title 48 CFR took effect November 10, 2025. What had been an advisory metric became an active factor in contract-award decisions. Contracting officers stopped reading scores and started screening on them.
DOJ closed five False Claims Act cybersecurity settlements in 2025, several specifically citing inflated SPRS scores as the basis for the case.
Prime contractors began setting minimum SPRS thresholds for their subcontractors. Boeing made it a condition of award. L3Harris followed in July 2026. HII has been doing it for over a year.[5] The enforcement isn’t waiting on the DoD anymore.
The score that mattered as a competitive nice-to-have in 2024 is now a contractual gate, an audit trigger, and a personal legal exposure for the executive who signed the affirmation.
How the math actually works.
The methodology surprises people. You don’t start at zero and earn points. You start at 110 — a perfect score — and lose points for every control you haven’t fully implemented. Each of the 110 NIST 800-171 controls is weighted at 1, 3, or 5 points, based on what would happen if you skipped it.
5-point controls: if you skip these, the data walks out the door. Access enforcement. Multi-factor authentication. Encryption of CUI at rest and in transit. Audit logging. Incident response. The controls where failure leads directly to CUI compromise. There are 42 of these.
3-point controls: specific security effect, but bounded. Configuration management. Session controls. Personnel security. Media protection. Controls with real consequences when they're missing, but not the ones that turn into front-page incidents.
1-point controls: the administrative requirements. Policy documentation. Role assignment. Indirect security impact. Easy to underestimate, but the assessor still asks for them — and a missing 1-pointer is still a missing control.
If you’d implemented none of the 110 controls, you’d take every weighted deduction and land at −203. That’s the floor. In practice, most first-time honest assessments come in between −20 and 60. A score above 88 puts a contractor in the upper quartile. A score above 100 puts you in territory DIBCAC will want to verify.
There’s no partial credit. A control is either fully implemented or it isn’t. If MFA is rolled out to administrators but not to engineering staff handling CUI, the control isn’t met. You lose the full 5 points, not 3.5 or 4. This catches contractors off guard more than any other rule. The DoD’s Assessment Methodology is binary.
The 88 threshold isn’t what you think.
Under CMMC 2.0, a score of 88 is the minimum for conditional Level 2 certification. Most published guidance stops there. The critical detail it leaves out is the part that fails contractors at assessment.
All 5-point controls must be fully implemented. A Plan of Action & Milestones cannot be used for any 5-point control. POA&Ms are only permitted for 1-point and 3-point controls. If you’re missing even one 5-point control, you fail the assessment regardless of your overall score.
An overall score of 90 with one missing 5-point control fails. An overall score of 88 with no missing 5-point controls and a credible POA&M passes conditionally.
Most contractors who fail at conditional certification fail because they had a 5-point control on a POA&M they thought was allowed. The DoD’s Assessment Methodology cares about the composition of the score, not just its magnitude.
The 88 threshold is also conditional, not final. Conditional Level 2 status grants 180 days to close every outstanding POA&M. If any remain open after 180 days, the certification is revoked and you restart the assessment process — including paying for a new C3PAO assessment.[6]
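The scoring rule and the composition test from the two sections above, as an added worked example (not the DoD's own tooling or anything from the article): control names echo the article's examples and are not tied to specific NIST SP 800-171 requirement numbers, and the two inventories are constructed to land on the 90-with-one-5-point-gap and clean-88 cases described above.

```python
from dataclasses import dataclass
from enum import Enum

MAX_SCORE = 110             # perfect score: all 110 controls fully implemented
MIN_SCORE = -203            # floor stated by the DoD Assessment Methodology
CONDITIONAL_THRESHOLD = 88  # minimum score for conditional CMMC Level 2

class Status(Enum):
    IMPLEMENTED = "implemented"
    PARTIAL = "partial"          # "mostly done" still takes the full deduction
    NOT_IMPLEMENTED = "not implemented"

@dataclass(frozen=True)
class Control:
    name: str              # constructed label, not an 800-171 requirement number
    weight: int            # 1, 3 or 5
    status: Status
    on_poam: bool = False  # carried on a Plan of Action & Milestones

def is_met(control: Control) -> bool:
    """Binary rule: only a fully implemented control avoids its deduction."""
    return control.status is Status.IMPLEMENTED

def sprs_score(controls: list[Control]) -> int:
    """Start at 110 and subtract the full weight of every unmet control."""
    for c in controls:
        if c.weight not in (1, 3, 5):
            raise ValueError(f"{c.name}: weight must be 1, 3 or 5, got {c.weight}")
    score = MAX_SCORE - sum(c.weight for c in controls if not is_met(c))
    if score < MIN_SCORE:  # more deductions than 110 weighted controls can carry
        raise ValueError("inventory deducts more than the methodology allows")
    return score

def assess_conditional_level2(controls: list[Control]) -> dict:
    """Composition, not magnitude: 88 or better AND no 5-point gap (POA&M or not)."""
    score = sprs_score(controls)
    gaps = [c for c in controls if not is_met(c)]
    five_point_gaps = [c.name for c in gaps if c.weight == 5]
    return {
        "score": score,
        "eligible_for_conditional": score >= CONDITIONAL_THRESHOLD and not five_point_gaps,
        "five_point_gaps": five_point_gaps,
        "invalid_poams": [c.name for c in gaps if c.on_poam and c.weight == 5],  # POA&Ms only for 1- and 3-pointers
    }

def gap(name: str, weight: int, partial: bool = False) -> Control:
    # Constructed unmet control, placed on a POA&M as a hopeful self-assessor would.
    status = Status.PARTIAL if partial else Status.NOT_IMPLEMENTED
    return Control(name, weight, status, on_poam=True)

def scenario_90_with_five_point_gap() -> list[Control]:
    """Score 90, but MFA only covers administrators: fails on composition."""
    return [Control("Access enforcement", 5, Status.IMPLEMENTED),
            gap("Multi-factor authentication for all CUI users", 5, partial=True),
            gap("Configuration management baseline", 3), gap("Session lock", 3),
            gap("Personnel screening", 3), gap("Media marking", 3),
            gap("Media sanitization", 3)]  # deductions 5 + 5*3 = 20 -> 90

def scenario_88_clean() -> list[Control]:
    """Score 88, no 5-point gaps, every gap on a POA&M: conditional pass."""
    return [Control("Multi-factor authentication for all CUI users", 5, Status.IMPLEMENTED),
            gap("Configuration management baseline", 3), gap("Session lock", 3),
            gap("Personnel screening", 3), gap("Media sanitization", 3),
            *[gap(f"Policy document {i}", 1) for i in range(1, 11)]]  # 4*3 + 10*1 = 22 -> 88
```

Call `assess_conditional_level2(scenario_90_with_five_point_gap())` to see the 90 rejected with the MFA control listed under both `five_point_gaps` and `invalid_poams`, while `scenario_88_clean()` passes conditionally.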
Why your self-reported score is probably wrong.
When the DoD first required SPRS submissions in 2020, many contractors self-reported a score of 110. Full compliance. When DIBCAC began auditing those claims, it found that most perfect scores were inaccurate. That discovery is what led to CMMC 2.0 and the shift toward mandatory third-party assessment.
Self-reported scores diverge from reality for four predictable reasons.
Self-assessment is more generous than assessor methodology. A control rated “implemented” by an internal team often becomes “partial” or “not implemented” under C3PAO scrutiny. Multi-factor authentication enabled for administrators but not for every CUI-handling user. Encryption on some file shares but not others. Audit logging configured on the SIEM but with critical events excluded. Each of these is “mostly done.” None of them is implemented under the methodology. A missing or incomplete SSP results in “No Score” in SPRS — which is worse than a negative score.[7]
Interpretation drift since 2017. The 800-171 controls were written in 2017. Industry interpretation has tightened since then. Assessor guidance has clarified the line between “documented” and “operating.” The CMMC methodology codified expectations that were ambiguous in the original text. A score calculated against 2018 understanding doesn’t reflect 2026 assessor expectations.
Decay without re-scoring. People leave. Vendors change. Policies lapse. The score reflects implementation at the moment it was calculated. Most companies don’t re-score when the environment changes. Migrating to a new tenant, adopting new SaaS for CUI handling, hiring remote workers, retiring the security analyst who knew where every audit log lived — each one invalidates the prior score in ways the affirming official rarely sees.
Optimistic partial credit. A control that’s “mostly implemented” is scored as zero, not partial. Most self-assessments interpret partial implementation more generously than the methodology allows. Template SSPs amplify the problem: a System Security Plan filled in from a generic template describes a generic environment, not yours, and the gap between the template and your real systems is where the partial-credit assumptions live.
There’s a fifth reason, less polite to name. Some contractors rounded up. They claimed implementation of controls they had partially achieved or were planning to achieve. Until 2024, the practical risk of doing so was small. After 2025, it’s no longer small.
The affirmation trap, and who’s actually on the hook.
Under 32 CFR 170.22, an affirming official — a senior company executive — must submit an annual SPRS affirmation attesting that the organization “has implemented and will maintain implementation of all applicable CMMC security requirements.” The affirmation is required upon achieving CMMC status, annually thereafter, and at POA&M closeout.[8]
DFARS 252.204-7021 makes a current affirmation a prerequisite for contract award and option exercise. No current affirmation, no contract.
The legal exposure is what matters. Under 31 U.S.C. § 3729(b)(1), “knowingly” includes actual knowledge, deliberate ignorance, or reckless disregard of the truth. A contractor that signs an annual affirmation without verifying compliance status — or that ignores known gaps — may be accused of acting with reckless disregard sufficient to establish False Claims Act liability.[9] Holland & Knight, in a January 2026 analysis of the 2025 enforcement record, calls this the “affirmation trap” — the point where a routine annual check-the-box submission becomes a personal legal exposure for the executive who signed it.
The 2025 enforcement record makes the abstract concrete.
- 2025 · Inflated SPRS score · −246-point gap. The contractor reported a positive SPRS score; the actual score was −142. Three months passed between the DOJ subpoena and the contractor correcting the number. The case turned on the gap between claimed and actual implementation. Not on a breach. The number itself was the violation.
- 2025 · Whistleblower-initiated · government intervened. A major defense contractor settled qui tam allegations that it failed to maintain a System Security Plan for an internal development system. Filed by a whistleblower under the FCA's qui tam provisions. Government intervened.
- 2025 · Successor liability · pre-deal exposure. A defense contractor acquisition where the acquirer was named "successor in liability" for the target's pre-acquisition cybersecurity failures. The conduct occurred between 2015 and 2021 — years before the deal closed. The acquirer paid for the target's history.
- 2025 · Private equity · sponsor liability. A contractor and its private-equity owner were both held liable for DFARS cybersecurity violations. The case extended FCA exposure beyond the operating company to the financial sponsor.
- 2025 · First sub-tier case · whistleblower-initiated. An Illinois precision-machining subcontractor failed to provide adequate cybersecurity protections for technical drawings supplied to prime contractors. The case originated as a qui tam complaint filed by a former quality-control manager.[2]
Five of the nine FY2025 settlements came from internal whistleblowers. Not external audits. Not DoD investigations. People inside the company who saw the gap between what was certified and what was actually implemented. Under the False Claims Act, whistleblowers receive 15 to 25 percent of any recovery — up to 30 percent if the government chooses not to intervene.[10] In FY2025, whistleblowers in cybersecurity cases collected over $4.5 million.
Internal whistleblowers initiated more than half of the FY2025 cybersecurity settlements. The IT lead, the compliance officer, the departing security analyst — anyone who knows the gap between what’s certified in SPRS and what’s actually implemented has a direct financial incentive to report it.
Source: FY2025 DOJ Civil Cyber-Fraud Initiative · Holland & Knight analysis.
The takeaway for the affirming official: the people best placed to know whether your score is wrong are sitting at desks in your company. The MORSECORP case originated from a former employee. So did the December 2025 supply-chain settlement. This isn’t hypothetical. In FY2025, the DOJ’s Civil Cyber-Fraud Initiative produced more whistleblower-driven settlements than any previous year.[11]
The affirmation isn’t a paperwork submission anymore. It’s a sworn statement, made annually, with personal exposure attached if it’s wrong, and a financial incentive structure pointing at the people best placed to know whether the statement holds.
What primes are doing to their subcontractors.
DoD enforcement is half the picture. The other half is happening inside prime-subcontractor relationships, independent of any DoD action.
Prime contractors are increasingly setting minimum SPRS score thresholds for their subcontractors. The mechanism is straightforward: a prime that requires a Level 2 C3PAO assessment for itself flows down minimum SPRS requirements to its supply chain, often through master subcontract agreements or competitive selection criteria. A subcontractor with a current score of 50 may find that the primes it depended on for revenue last year now require 75 or 88. Not because of regulation. Because the prime is managing its own supply-chain risk.
This creates two pressure points the original SPRS conversation didn’t anticipate.
The subcontractor finds out about the threshold late. Primes communicate scoring requirements through bid packages, PCN amendments, or annual supplier reviews — often with weeks of lead time, not months. A subcontractor whose score is 60 and whose prime newly requires 75 has a remediation timeline measured in weeks, not the 6 to 12 months that proper remediation typically takes.
The subcontractor’s score becomes part of the prime’s due diligence. Acquisitions, joint ventures, and major contract awards now include SPRS-score reviews of every named participant. A weak score doesn’t just affect direct contracting — it affects the deals that get done around the contracting.
For contractors operating in tier-2 or tier-3 of major DoD primes, this is the practical enforcement mechanism that bites first. DoD itself may not audit you for years. Your prime will audit you next quarter.
What “current” actually requires.
The word “current” appears throughout the SPRS regulations, and it’s doing more work than most contractors notice. Three specific obligations sit underneath it.
Score age. Your submitted score must be no more than three years old per DFARS 252.204-7019. An expired score is non-compliant. Contractors with scores from 2022 or earlier are submitting scores the regulation no longer treats as valid.
Annual affirmation. The 32 CFR 170.22 affirmation cycles annually, not at the natural end of the three-year score validity. The affirming official signs every year, attesting that the implementation described by the score remains in place.
Material change updates. When the environment changes materially — cloud migration, new SaaS adopted for CUI handling, change in CUI volume, change in scope — the score must be recalculated and resubmitted. Not held until the next annual cycle.
The implication: a score submitted three years ago, against an environment that has changed twice since, with an affirming official who has signed annually without recalculating — that contractor has technically met the submission requirement, and is in practical violation of every interpretation of “current.”
If you can’t answer yes to all three, your score isn’t current.
- Is your submitted SPRS score less than three years old? A score from 2022 is non-compliant under DFARS 252.204-7019.
- Has the environment described in the score remained materially unchanged since submission? Cloud migrations, new SaaS for CUI, scope changes — each one invalidates the prior score.
- Has the affirming official re-verified before signing each annual affirmation? A signature without verification is the reckless-disregard standard the FCA cases turn on.
A current SPRS score reflects the actual environment, calculated under the actual DoD methodology, by an organization that knows what it implemented and what it didn’t. Most contractors who think their scores are current have a definition of “current” the regulation doesn’t share.
The contractors who pass CMMC Level 2 in 2026 will be the ones who treat the SPRS score as the starting point for real security work. Not a number to game. The 2025 enforcement record changes the cost-benefit calculation for every contractor still managing the score as a paperwork item. The contractors who get this right have a defensible number, an SSP that matches it, and an affirming official who has read the affirmation they signed. The ones who don’t are the names that show up in next year’s settlement announcements.
What to do if your score is low.
The path back to a defensible score has a known sequence. Most contractors who fail at it fail because they take the steps in the wrong order — usually starting with documentation before they understand their actual gaps.
- Get an honest gap assessment first. Before fixing anything, you need to know exactly where you stand. A proper gap assessment against all 110 NIST 800-171 controls. A technical evaluation of the actual environment, not a checklist exercise. The output should be a control-by-control breakdown: met, not met, and for each gap, what specifically needs to change. Most contractors discover they have fewer 5-point gaps than they feared and more 1-point gaps than they realized.
- Fix the 5-point controls first. Multi-factor authentication, encryption of CUI at rest and in transit, access enforcement, audit logging. These are non-negotiable for CMMC Level 2. They cannot be POA&M’d. No amount of documentation gets you past them. Sequence remediation by point value and assessment likelihood: high-value, high-risk control families first.
- Build a real SSP. The System Security Plan is what the assessor follows. It must describe the actual system boundary — which systems handle CUI, which don’t, how data flows between them, and how each control is implemented in your specific environment. A passing SSP is not a template with your company name swapped in. It’s a technical document that an assessor can read, follow, and verify against the live systems. The SSP that doesn’t match the environment fails before the assessment ends.
- Create POA&Ms for the remaining gaps. For 1-point and 3-point controls not yet fully implemented, document them in a Plan of Action & Milestones. Each entry specifies the gap, what’s being done to close it, who’s responsible, and when it will be complete. Conditional certification with POA&Ms grants 180 days to close every entry. If any remain open after 180 days, the certification is revoked.
- Recalculate, resubmit, and don’t inflate. Once remediation is complete, update the SSP, recalculate the score using the DoD Assessment Methodology, and submit. If your score is 47, submit 47. A score of 47 with a credible remediation plan is infinitely preferable to a score of 88 that DIBCAC will discover is fiction. The MORSECORP case is the cautionary tale: 104 reported, −142 actual, $4.6 million settlement. Honest low scores attract scrutiny. Inflated scores attract prosecution.
Three things to do this week.
If the analysis above puts your current SPRS posture in question, here are three concrete moves to make before the next affirmation cycle.
Before your next affirmation cycle.
- Pull your current SPRS entry. Log in to PIEE. Navigate to SPRS. Look at what's actually filed. If you don't know who in your company has access, that's the first signal something's off — the affirming official should never be more than one phone call from the system that holds the number they're attesting to.
- Audit the score against your real implementation. Walk through the 110 controls with whoever actually administers your environment. Not the person who signed the affirmation. The person who runs the systems. Note where the documented score and the operational reality diverge. Most contractors find at least three 5-point controls in different states than the SSP describes.
- Decide whether to revise before your next affirmation. A score of 78 with a credible POA&M is safer than a score of 95 that doesn't match observed controls. The reckless-disregard standard means "I didn't know" isn't a defense — but a documented good-faith correction is. The annual affirmation cycle gives you a natural moment to update the record without raising flags. Skipping it after reading this article doesn't.
This is the moment to find out whether your score holds up. Quietly. On your own terms. Before someone with a financial incentive does it for you.