# The SPRS Score Gap: What Companies Think vs. Reality
*By the CMMCFirst editorial team. Practitioner-
**Defense contractors routinely self-assess their SPRS scores in the +80 to +100 range — only to discover during professional gap assessments or C3PAO reviews that their true scores are negative by 100+ points.** CyberSheath’s landmark survey found **69% of contractors claim DFARS compliance via self-assessment, yet only 4% pass third-party validation.** Real cases confirm the delusion: one client self-assessed at **88, actual score -30** (118-point gap); **MORSECORP claimed 104, audited at -142** (246-point gap); Ntiva-like MSP environments start at **-150** with no monitoring, patching, or Active Directory hygiene.
With Phase 2 (Nov 2026) mandating C3PAO assessments for most CUI-handling contracts, an inflated SPRS score isn’t just inaccurate — it’s a False Claims Act liability. DOJ collected **$51.8M in cyber-FCA settlements in 2025** targeting exactly this misrepresentation, no breach required. This guide dissects the gap, why it persists, and your remediation roadmap to a defensible score before primes like Lockheed drop non-compliant suppliers.
[Free SPRS score review →](https://cmmcfirst.com/cmmc-readiness-assessment/)
---
## SPRS Scoring 101: Why Negative Scores Are the Norm, Not the Exception
The Supplier Performance Risk System (SPRS) score quantifies your NIST SP 800-171 Rev 2 implementation across 110 controls, required under DFARS 252.204-7019/7020 since 2020. **Scores range from -203 (zero controls) to +110 (perfect implementation).** You don’t add points — you start at +110 and **subtract weighted deductions** (1, 3, or 5 points per unmet control) per the DoD Assessment Methodology.
**High-impact controls drive massive deductions:**
- MFA (3.5.3): 5 points
- FIPS-validated crypto (3.13.11): 5 points
- Audit review (3.3.2): 3 points
- Incident response testing (3.6.3): 3 points
CyberSheath’s 2025 DIB survey pegs the **median self-assessed score at 60**, with 17% negative. But practitioner audits reveal the truth: **average audited scores cluster around -20 to +40**, a 50–80 point inflation in self-reports.
Boeing cybersecurity lead Brett Cox notes: **“60% of assessment objectives are paperwork.”** Over 60 controls (164 points) demand policy evidence, and a policy's existence alone fails without proof that it is enforced.
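The deduction arithmetic above, as an added example that is not code from the article or from CMMCFirst: it starts at +110, subtracts each unmet control's weight, and scores the same environment twice, once as the contractor read it and once as a gap assessment read it. The four weights named in the article are used as given; the weights for 3.3.1, 3.14.1 and 3.1.10 are assumed from the DoD Assessment Methodology's Annex A, the partial-credit rule is the methodology's, and both status snapshots are constructed.

```python
# Added example (not from the article): the SPRS arithmetic of the DoD
# Assessment Methodology. Start at +110 and subtract each unmet control's
# weight. Four weights come from the article; the other three are assumed
# from the methodology's Annex A. Both snapshots are constructed.
PERFECT_SCORE = 110  # all 110 controls met; -203 is the floor

WEIGHTS = {
    "3.5.3": 5,    # MFA                          (article)
    "3.13.11": 5,  # FIPS-validated crypto        (article)
    "3.3.2": 3,    # audit review                 (article)
    "3.6.3": 3,    # incident response testing    (article)
    "3.3.1": 5,    # audit logging                (assumed weight)
    "3.14.1": 5,   # flaw remediation / patching  (assumed weight)
    "3.1.10": 1,   # session lock                 (assumed weight)
}
# Partial credit exists for only two controls: MFA covering remote and
# privileged but not general users, and encryption that is not FIPS-validated
# (-3 instead of -5). Any other "partial" is scored as Not Met.
PARTIAL_DEDUCTION = {"3.5.3": 3, "3.13.11": 3}

def deduction(control, status):
    """Points subtracted for one control given its assessed status."""
    weight = WEIGHTS[control]  # KeyError: control not in the weight table
    if status == "met":
        return 0
    if status == "partial":
        return PARTIAL_DEDUCTION.get(control, weight)
    if status == "not_met":
        return weight
    raise ValueError(f"unknown status {status!r} for control {control}")

def sprs_score(statuses):
    """110 minus all deductions; every control in the table must be rated."""
    missing = set(WEIGHTS) - set(statuses)
    if missing:
        raise ValueError(f"unrated controls: {sorted(missing)}")
    return PERFECT_SCORE - sum(deduction(c, s) for c, s in statuses.items())

# Constructed: the contractor's own reading (everything met but session lock)
# versus what a gap assessment found in the very same environment.
SELF_ASSESSED = {c: "met" for c in WEIGHTS} | {"3.1.10": "not_met"}
AUDITED = {
    "3.5.3": "not_met",    # MFA on email only, none on VPN or admin logons
    "3.13.11": "partial",  # encryption in use, but no FIPS-validated modules
    "3.3.2": "not_met",    # review policy on file, no review records
    "3.6.3": "not_met",    # IR plan never exercised
    "3.3.1": "not_met",    # no centralized logging
    "3.14.1": "not_met",   # ad-hoc patching, no evidence
    "3.1.10": "not_met",
}
```

With only seven of the 110 controls in the table the two readings already diverge by 24 points; over the full control set the same habits produce the 100+ point gaps the article describes.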
---
## The Self-Assessment Delusion: 69% Compliant in Theory, 4% in Practice
Contractors aren’t lying — they’re over-optimistic. **CyberSheath/Merrill Research: 75% believed compliant on self-assessment; only 4% passed third-party.** The “SPRS Score Gap” emerges systematically:
- **Self-assessed median: +60 to +88**
- **Audited reality: -30 to +40**
**Case Study 1: The 88 → -30 Client**
A mid-sized IT services firm (50–150 employees) self-scored +88 after “implementing” MFA, policies, and endpoint tools via their MSP. Gap assessment revealed:
- MFA partial (email only, not VPN/privileged): Full 5-point deduction.
- Policies unsigned, un-enforced: 40+ points lost.
- Scope ignored remote workers/home offices: 25+ endpoints unassessed.
**Net: -30. Gap: 118 points.** Remediation took 9 months, $120K.
**Case Study 2: MORSECORP’s $4.6M Lesson**
MORSECORP self-certified SPRS **+104** using an unverified third-party assessor. DOJ investigation (Mar 2025 settlement) exposed: no SSP updates, incomplete controls. Audited score: **-142**. Gap: **246 points**. No breach — just false certification.
**Case Study 3: Ntiva-Style MSP Baseline**
MSPs like Ntiva (top MSP 501) deliver “managed IT” but start contractors at **-150**: no centralized logging, ad-hoc patching, weak AD. A Kieri Solutions client paid $80K for GCC High and got zero policies and bad permissions. **Gap to compliant: 18–24 months, $200K+.**
These aren’t outliers. CorpInfoTech assessors review 4,000+ pages pre-assessment, grilling procurement/HR — not tech. OSIbeyond requests 254 evidence items; screenshots >30 days old fail.
---
## Root Causes: Five Systematic Errors Inflating Your Score
The gap traces to misapplying the DoD Assessment Methodology. Contractors score “Met” where assessors demand “MET with evidence.”
**1. Partial Implementation = Not Met**
MFA on email? Score Met. Reality: NIST requires *all* privileged/non-privileged access. VPN, RDP, local logons excluded? Full 5-point hit. **73% failure rate per CyberSheath.**
**2. Policy Existence ≠ Enforcement**
AUP policy filed? Met. But unsigned, uncommunicated, no enforcement logs? Not Met across 60+ controls. Boeing: **“Paperwork is 60% of the game.”**
**3. Scope Creep Ignored**
CUI enclave secured? Great — but home offices, mobiles, cleaners (after-hours access) touch CUI? All in-scope. 150-employee firm scoped to 15: perfect score.
**4. MSP Over-Reliance**
“MSP handles endpoints.” But no Shared Responsibility Matrix proving DoD-grade impl? Not Met. MSPs in-scope; their gaps = yours.
**5. Methodology Mismatch**
A Basic self-assessment is held to a lower evidence bar than the Medium/High assessments DoD performs for its contracts. No correlated log analysis? The audit controls tank (3.3.3–3.3.5).
DIBCAC’s 117 assessments: Top failures — FIPS crypto (52%), MFA (73%), with the audit controls also in the top three.
---
## The Stakes: Inflated SPRS = FCA Liability + Prime Exclusion
**No “passing” SPRS threshold exists — but accuracy does.** DFARS 252.204-7020 demands “complete and accurate” submission. +88 self-assess → C3PAO finds -30? Adverse SPRS flag + FCA exposure.
**2025 DOJ haul: $51.8M (233% YoY).** MORSECORP, Georgia Tech ($875K, fake +98), RTX ($8.4M successor liability). **979 whistleblowers filed qui tam (FY2024 record).**
Primes enforce harder: Lockheed’s Exostar CCRA reds out low-SPRS suppliers. Northrop: “No POs for non-compliant.” 47% subs hit with flow-downs (Redspin 2025).
**CMMC Timeline Impact:**
| Self-Assessed | Audited Reality | CMMC Path |
|---------------|-----------------|-----------|
| +90–110 | +50–88 | 6–9 mo |
| +50–89 | +1–49 | 9–14 mo |
| +1–49 | -50–0 | 14–18 mo |
| Negative | <-50 | 18–24+ mo |
C3PAO backlog (97 orgs, 80K need): 3–12 mo waits. Start with accurate SPRS or requalify.
---
## Closing the Gap: Your Defensible SPRS Roadmap
**Step 1: Accurate Gap Assessment ($5K–20K, 2–4 weeks).** Practitioner-led, DoD methodology. Outputs: true SPRS, control heatmap, scope map.
**Step 2: Quick Wins (30–60 days, +30–50 points).** MFA everywhere, EDR, training, USB block, account hygiene.
**Step 3: Documentation Overhaul (4–8 weeks).** SSP/POA&M with evidence narratives. 200–500 hrs — outsource if lean.
**Step 4: High-Weight Remediation (3–12 mo).** SIEM/logs (3.3.x), FIPS crypto, IR testing. Enclave for scope shrink.
**Step 5: Mock Assessment ($15K–40K).** RPO simulates C3PAO. Skip = high fail risk.
**Step 6: SPRS Resubmit.** Annual submission is required; resubmit after gaps are remediated.
**Pro Tip: Scope Reduction.** Map CUI flows — isolate to 10–20% assets. PreVeil enclave: 102/110 controls, $5K/yr.
Total to +88: **6–12 mo, $100K–250K** (small biz). Annual maint: $30K–50K.
---
## Get Your SPRS Gap Assessed Free
Inflated self-assessments cost time, money, contracts. CMMCFirst's free readiness review flags common errors, estimates your true score, timelines.
[Schedule your SPRS reality check →](https://cmmcfirst.com/contact/)
---
## FAQ
**What's a realistic SPRS score pre-CMMC?**
+88 or higher signals readiness. Median audited: -20 to +40. Negative scores are common without a formal program.
**Negative SPRS = CMMC death?**
No — remediable. But signals 18+ mo path. Scope shrink accelerates.
**MSP SPRS liability?**
MSP in-scope. Their gaps deduct from yours. Demand SRM.
**Update frequency?**
Annually, and within 30 days of a material change. A C3PAO updates SPRS directly.
**FCA risk from bad SPRS?**
Yes — "complete/accurate" cert. MORSECORP paid $4.6M.
---
*Related reading:*
- *[SPRS Score Explained](/content/blog/sprs-score-explained-defense-contractors.md)*
- *[DOJ FCA CMMC Settlements](/content/blog/doj-false-claims-act-cmmc-settlements.md)*
- *[CMMC Level 2 Timeline](/content/blog/timeline-to-cmmc-certification-how-long.md)*
*This content is for informational purposes only and does not constitute legal, compliance, or cybersecurity advice. Consult qualified professionals for guidance specific to your organization.*
References: NIST SP 800-171 | CMMC program | 32 CFR Part 170