The Fallacy of the 100% Score
If you're a defense contractor in the South Puget Sound, you've likely spent the last few months sorting out your CMMC timeline. But while most business owners are focused on when their third-party audits will begin, a much more immediate threat is already active: the Supplier Performance Risk System (SPRS) self-assessment audits. And many contractors are unknowingly painting a giant bullseye on their backs by making a simple math mistake.
Most business owners are conditioned to think in terms of school grades. When logging into the SPRS portal to submit their self-assessment, they enter "100" or "100%," assuming it represents a solid "A" grade or a high level of compliance. But that is not how the U.S. Department of Defense (DoD) scores cybersecurity.
Under the official NIST SP 800-171 assessment methodology, the scoring system uses a deductive scale that begins at +110 (representing perfect implementation of all 110 controls). For every control that is missing or incomplete, points are subtracted. Deductions range from 1, 3, to 5 points depending on the severity of the control.
Because of this deductive system, a contractor with zero controls implemented starts with a score of -203 (negative 203). Entering a score of "100" does not mean "100% compliance." It means you have exactly 10 points worth of total deductions—an incredibly rare achievement that is almost impossible to reach without years of deliberate, expensive cybersecurity prep. To the DoD, submitting a "100" is an immediate mathematical warning sign that your business either doesn't understand the rules or is inflating its numbers.
| SPRS Score Entry | What It Represents in Reality | DoD / DIBCAC Action |
|---|---|---|
| 100 or 100% | Misunderstood grading scale. Implies exactly 10 points of deductions (only 2 to 10 unimplemented controls). | Immediate Audit Target. High risk of score inflation. |
| +110 | Perfect compliance. All 110 NIST 800-171 controls are fully active. | Requires comprehensive System Security Plan (SSP) evidence. |
| -170 to -203 | Baseline setup. The majority of security controls are not yet active. | Expected starting score for first-time assessments. Requires a POA&M. |
The $507,000 Reality Check: LOGZONE Inc.
For years, contractors assumed that self-assessment scores were an honor system with no real inspection. The Department of Justice (DOJ) shattered that Corporate illusion on June 18, 2026, when it announced a $507,144 settlement with Alabama-based defense contractor LOGZONE Inc. to resolve allegations of False Claims Act violations.
The case details are a textbook example of the SPRS scoring trap. Back in October 2021, LOGZONE submitted a self-assessed score of 110 (perfect compliance) to the SPRS portal to qualify for two U.S. Navy contracts. However, in February 2024, the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC)—the DoD's dedicated auditing unit—conducted a physical assessment of LOGZONE’s network.
DIBCAC’s findings were stark: they calculated LOGZONE’s actual compliance score at -170.
The company had signed an executive affirmation declaring perfect compliance while actually meeting almost none of the requirements. The resulting half-million-dollar penalty shows that the DOJ is no longer waiting for whistleblowers. They are using DIBCAC audits to cross-reference SPRS scores directly, treating inflated self-certifications as federal fraud.
The False Claims Act and Your Business
The legal consequences of submitting an inaccurate SPRS score are severe. Under the False Claims Act, civil penalties can easily destroy a small-to-mid-sized business in Tacoma or Lakewood. If the government determines you knowingly misrepresented your compliance to secure a contract, you face treble (triple) damages plus individual fines of $14,308 to $28,619 per invoice submitted.
Crucially, "knowingly" does not require intent to defraud. Under the law, "reckless disregard" or "deliberate ignorance"—such as letting an administrative employee type "100" into the portal without conducting a formal NIST 800-171 gap analysis—meets the standard for fraud. Prime contractors are also starting to audit their own supply chains because they cannot afford to have their contracts disrupted by a sub-tier contractor's DIBCAC audit.
How to Calculate a Compliant, Audit-Safe Score
Getting your CMMC and NIST compliance right is not about scoring a perfect 110 on day one. The DoD expects contractors to have gaps; that is why they allow a Plan of Action and Milestones (POA&M). The key is honesty and evidence. To calculate an audit-safe score:
First, perform a formal CMMC readiness assessment to audit your environment against the 110 NIST SP 800-171 controls. Second, draft a comprehensive System Security Plan (SSP) that documents exactly how every active control is implemented. Third, for every control that is not yet met, list it on a POA&M with a clear completion date and subtract the appropriate points (1, 3, or 5) from the 110 baseline. Finally, submit the resulting score (even if it is negative) in the SPRS portal, referencing your System Security Plan (SSP) details.
This demonstrates a compliant process. An accurate negative score with an active POA&M is legally safe and keeps you in the running. An inflated positive score is a liability.
How Spyderweb Helps
Spyderweb Communications has supported defense contractors and JBLM-adjacent firms in Lakewood, Tacoma, and across the Puget Sound since 2003. We specialize in taking the guesswork out of compliance. Our team runs the technical audits, migrates teams to secure cloud environments like GCC High, and builds the documentation—including the SSP and POA&M—that protects your business from False Claims Act liabilities. Contact us today for a free CMMC readiness discovery call, and let’s make sure your SPRS score stands up to DIBCAC scrutiny.
