Federal Contract Eligibility Granted on a Security Score the Contractor Knew Was False
Context
The Department of Defense requires defense contractors handling Controlled Unclassified Information to demonstrate compliance with the cybersecurity standards defined in NIST Special Publication 800-171. Compliance is self-assessed by the contractor and reported as a numerical score in the Supplier Performance Risk System (SPRS), a federal database used by contracting officers to evaluate contractor eligibility. A contractor that submits a score is certifying, as a condition of payment and contract award, that its cybersecurity posture corresponds to the score on file.
The self-assessment structure places the burden of compliance determination on the entity being assessed. The contracting agency receives the score. It does not independently verify the security practices that produced it. The score is the credential. Contract eligibility follows from the score. The relationship between the score and the underlying security architecture is defined entirely by the contractor's own evaluation of its own systems.
Trigger
The contractor submitted a positive SPRS score indicating satisfactory compliance with the required cybersecurity standards. Its own internal assessment had produced a score of negative 142 — a result reflecting substantial non-compliance across the control domains defined by NIST 800-171. The positive score and the negative assessment existed simultaneously. The score on file with the federal government said the contractor was compliant. The contractor's own records said it was not.
The discrepancy was not self-reported. The contractor did not correct the SPRS score until three months after receiving a Department of Justice subpoena. The False Claims Act settlement of $4.6 million followed. The case was among seven cybersecurity-related FCA settlements the Department of Justice announced in 2025 under its Civil Cyber-Fraud Initiative, which targets contractors that knowingly misrepresent their cybersecurity compliance as a condition of receiving federal funds.
Failure Condition
The SPRS score functions as a compliance credential. Contracting officers rely on it to determine whether a contractor's systems meet the security requirements attached to the contract. The score does not describe the contractor's security posture in detail. It asserts, through a single number, that the posture has been evaluated and meets the required threshold. The relying party — the contracting officer, the awarding agency, the government program the contract serves — accepts the assertion. There is no independent verification channel between the score on file and the security controls it represents.
When the submitted score is positive and the actual assessed score is negative 142, the credential is not inaccurate in the way that estimates are inaccurate. It asserts a condition that the contractor's own evaluation had determined did not exist. The evidentiary boundary — the precise condition the credential verified and the conditions it did not — was never encoded in the credential itself. The government had no mechanism at the point of contract award to evaluate whether the score corresponded to the underlying posture. The score was the only instrument available. The score said compliant. The contract followed.
The structural condition this case documents is not unique to this contractor or this settlement. The SPRS self-assessment architecture places compliance determination entirely within the entity being assessed, reported to a system that accepts the determination without independent verification. Every contractor operating under this structure presents the same credential architecture: a self-certified score, accepted at the point of reliance, with no encoded boundary between what the score asserts and what the underlying security posture contains.
Observed Response
The Department of Justice settled the case for $4.6 million under the False Claims Act. The Civil Cyber-Fraud Initiative, now in its fifth year, recovered more than $52 million in cybersecurity-related FCA settlements across eight cases in 2025 — a 233 percent increase over 2024 recoveries. The enforcement mechanism operates after contract award and after payment has occurred. It recovers funds once a false claim has been identified and investigated. It does not operate at the point of reliance. The credential is accepted at award. The discrepancy, when it is discovered, is discovered downstream.
Analytical Findings
- The contractor submitted a positive SPRS compliance score while its own internal assessment had produced a score of negative 142, indicating substantial non-compliance with the required cybersecurity standards
- The discrepancy between the submitted score and the actual assessed score was known to the contractor at the time of submission; it was not a measurement error or estimation gap
- The SPRS system accepted the self-certified score without independent verification of the security posture it represented; contract eligibility was granted on the basis of the score alone
- The score was not corrected until three months after the contractor received a Department of Justice subpoena; no internal correction mechanism had flagged or remediated the discrepancy
- False Claims Act enforcement recovered $4.6 million and required score correction; it did not operate at the point of contract award and did not prevent the credentialing failure from occurring
- The self-assessment architecture that produced this failure is structural, not exceptional: every SPRS score submitted under this framework presents the same credential condition — a self-certified posture, accepted without independent verification, at the point of reliance
- The evidentiary boundary between what the credential asserted and what the underlying security architecture contained was never encoded in the credential itself and was not evaluable by the relying party at the point of award
Sources
1. U.S. Department of Justice, Civil Division, settlement announcement, April 2025. Civil Cyber-Fraud Initiative enforcement action; contractor identity undisclosed.
2. U.S. Department of Justice, FY 2025 False Claims Act settlements and judgments report, January 16, 2026. Total recoveries: $6.8 billion.
3. Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012; NIST Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.
4. Cybersecurity Maturity Model Certification (CMMC) program, 32 C.F.R. Part 170; effective November 10, 2025.
5. Holland & Knight, "CMMC Affirmation Trap: FCA Exposure for Defense Contractors and Acquirers," January 23, 2026.
6. Foley & Lardner, "False Claims Act Enforcement in 2026," March 2026.