In March 2025, the Department of Justice announced that MORSE Corp, a Massachusetts defense contractor, had agreed to pay $4.6 million to settle allegations under the False Claims Act. The claim: MORSE Corp had submitted inflated cybersecurity self-assessment scores to the government in order to obtain and maintain DoD contracts.

That settlement should be on the desk of every small defense subcontractor still treating their SPRS score as a formality.

What SPRS is and why it matters

The Supplier Performance Risk System is the DoD database where contractors submit their NIST SP 800-171 self-assessment scores. The score is not a count of passing controls: it starts at 110 and deducts a weight of 1, 3 or 5 points for each control that is not fully implemented, which is why it runs from -203 (every control failed) to 110 (all 110 practices fully implemented) rather than from 0. When a prime contractor or contracting officer evaluates a supplier's cybersecurity posture, they look at the SPRS score and the date of the assessment behind it.

Under DFARS 252.204-7019 and -7020, DoD contractors that handle Controlled Unclassified Information are required to complete a self-assessment against the 110 controls in NIST 800-171, score it accurately, and have a current score (no more than three years old) in SPRS before being awarded certain contracts. The requirement has been active since November 2020.

The key word in the previous paragraph is accurately.

What the False Claims Act has to do with cybersecurity

The False Claims Act is a federal statute that creates liability — including treble damages and civil penalties — for submitting false claims to the government in order to receive payment. It was originally designed for defense fraud, but DOJ has explicitly extended it to cybersecurity representations.

The DOJ's Civil Cyber-Fraud Initiative, announced in 2021, exists specifically to pursue False Claims Act cases against contractors who misrepresent their cybersecurity practices. The theory is straightforward: if you certify to the government that your systems meet the required security standards in order to win a contract, and they don't, that certification is a false claim.

MORSE Corp did not go to trial. They settled, and a settlement creates no legal precedent. What it does show is that an inflated SPRS self-assessment is precisely the kind of misrepresentation DOJ is pursuing, and that the government was prepared to put a dollar figure on it.

What "inflated" means in practice

An inflated score isn't necessarily a number someone made up from scratch. In the MORSE case, DOJ alleged that the company reported a score of 104 while a third-party consultant it later hired assessed the same environment at 58. More commonly, inflation comes from applying a looser standard to "implemented" than the assessment methodology does.

NIST 800-171 has specific assessment procedures (NIST SP 800-171A). "Fully implemented" has a meaning: the practice is deployed across all applicable systems and consistently applied, and an assessor can see it operating. A control that exists in a policy document but isn't running in your environment is not fully implemented, and under the DoD scoring methodology a control that is only on your POA&M is scored as not implemented.

The problem is that most small contractors do not have a security team that knows how to assess this accurately. The assessment gets delegated to whoever manages IT, or rushed during contract onboarding, or scored optimistically because no one wants to report a low number. None of those are defensible positions if DOJ comes knocking.

What a defensible score requires

A defensible SPRS score is one you can support with documentation if the government asks. That means a System Security Plan that describes how each of the 110 controls is implemented in your actual environment; evidence, for every control marked implemented, that it is running (configurations, logs, screenshots, not just a policy); a Plan of Action and Milestones for every gap, with the score reflecting those gaps as not implemented; and a score computed from that record rather than entered from memory during onboarding.

What this means for Pacific Northwest contractors

The MORSE Corp settlement is a federal-level case, but the Civil Cyber-Fraud Initiative's enforcement posture applies to every contractor who submits a SPRS score. The Tri-Cities and surrounding region has a substantial defense supply chain — firms supporting primes on DoD programs alongside Hanford and PNNL work. Any of those firms with DoD contract obligations has SPRS exposure.

This is not a theoretical risk. Many of these cases begin as qui tam suits filed by relators, whistleblowers inside contractor organizations who share in any recovery, and the MORSE case itself started with a whistleblower complaint. A former employee who knows your cybersecurity practices were overstated is a real threat vector.

A third-party gap assessment doesn't eliminate liability, but it changes the story. If you engaged qualified help to assess your controls, documented the findings, submitted a score that reflects your actual posture, and built a remediation plan for your gaps, you have a defensible record. That is a materially different legal and contractual position than a score entered into SPRS during onboarding without supporting evidence.

Rimrock conducts structured NIST 800-171 gap assessments that walk through all 110 controls against your actual environment, document findings with the specificity your SSP and POA&M need, and produce a score you can stand behind. We're not a C3PAO and don't conduct formal certifications — we give you the documented baseline a defensible SPRS score requires, and verify that controls marked implemented actually work.

If your score was entered without a structured assessment behind it, now is the time to revisit it.

This article is general information, not legal advice. It summarizes publicly reported DOJ enforcement actions; consult qualified counsel about your organization's specific False Claims Act exposure.