Why a Perfect SPRS Score Can Be a Costly Mistake
Submitting a self-assessment score of 110, the maximum possible, to the Supplier Performance Risk System (SPRS) may look like a win. In practice, it can expose an organization and its executives to serious legal, financial, and operational risk if the score is not fully defensible.
Under the Department of Justice Civil Cyber-Fraud Initiative, overstating cybersecurity compliance is treated as a knowing or reckless misrepresentation. This is not theoretical. Enforcement actions are already occurring across the defense industrial base.
Inflated Scores Can Trigger False Claims Act Exposure
An SPRS score is a formal representation the Department of Defense relies on when awarding and maintaining contracts. Reporting a 110 while failing to meet all NIST SP 800-171 requirements can trigger liability under the False Claims Act.
The government may pursue treble damages, three times the contract value, plus statutory penalties for each violation. As of 2025, civil penalties range from roughly $14,308 to $28,619 per claim. If misrepresentation is found to be intentional, criminal exposure becomes possible, including significant fines and prison time.
Contract and Business Impact Is Immediate
Legal penalties are often only part of the damage. The DoD may terminate existing contracts, suspend work, or disqualify a company from future bidding. An inflated score can also trigger a targeted or random audit by the Defense Industrial Base Cybersecurity Assessment Center to validate SPRS data.
Audits that uncover gaps between claimed compliance and reality rarely end quietly.
Whistleblower Risk Is Real
Many False Claims Act cases begin internally. Employees or subcontractors can file qui tam complaints and may receive 15 to 30 percent of any recovered funds. Inflated scores increase both the incentive and the likelihood of internal reporting.
Executive Accountability Is Explicit
SPRS submissions require attestation by a senior executive, the Affirming Official. That signature carries personal responsibility. Executives can be held individually liable if they knowingly affirm an inaccurate score or fail to take reasonable steps to verify compliance.
Not knowing is not a defense when due diligence is absent.
The Question That Matters Most
Before submitting a high SPRS score, especially a 110, one question must be answered clearly:
Do you have a current System Security Plan (SSP) that documents how each implemented NIST SP 800-171 control is met?
An SSP is not optional. It is the evidence tying controls, processes, and policies together. If a control is not documented, it effectively does not exist from an audit perspective.
A Safer Path Forward
An accurate score supported by a solid SSP and a realistic Plan of Action and Milestones (POA&M) is far safer than a perfect score that cannot withstand scrutiny.
In today’s enforcement environment, accuracy is not conservative. It is essential!