Your SPRS score is a False Claims Act exposure, not a checkbox

It is tempting to treat the Supplier Performance Risk System (SPRS) score as a formality — a box to fill so a prime stops emailing you. It is not. Under DFARS 252.204-7019 and -7020, your score is a representation you make to the U.S. government about the state of your NIST SP 800-171 implementation.

That changes the stakes. In October 2021, the Department of Justice announced its Civil Cyber-Fraud Initiative, explicitly using the False Claims Act against contractors who knowingly misrepresent their cybersecurity posture or compliance. Several matters since have resolved in settlements. An inflated SPRS score is not harmless optimism; it can be a knowing misrepresentation about a material fact in a federal contract.

Why scores drift upward

Most overstated scores are not fraud — they are wishful self-grading. "Partially implemented" gets counted as done. A control that works for privileged users but not general users gets full credit it has not earned. The SSP that requirement 3.12.4 demands does not actually exist yet. Each of those is a deduction the methodology requires, and each one a generous self-assessment quietly skips.

What an honest number looks like

The score runs from 110 down to a floor of −203, and the deductions are defined, not negotiable. We did not invent the scoring — every point follows the published DoD Assessment Methodology, and every statement in the documents we draft traces back to the specific answer you gave. That audit trail is the point: it is the difference between a number you can defend and a number you hope no one checks.

The first step is simply knowing where you actually stand. Run the free Muster Score — conservatively scored, no CUI, no signup — and read how we handle your data. A real number is cheaper than a False Claims Act problem.