
On June 18, 2026, the U.S. Department of Justice announced the first cybersecurity False Claims Act settlement of the year. LOGZONE, Inc., a logistics services provider based in Huntsville, Alabama, agreed to pay $507,144 to resolve allegations that it failed to meet the cybersecurity requirements written into two of its U.S. Navy contracts. The settlement included $253,572 in restitution and did not include an admission of liability.

For defense contractors of every size, the details matter far more than the dollar figure. This case did not begin with a breach. It began with a number.

What actually happened to LOGZONE

According to the Department of Justice, from May 2021 to March 2025 LOGZONE failed to implement controls required by NIST Special Publication 800-171, the standard that protects Controlled Unclassified Information in nonfederal systems. Its Navy contracts required the company to post a current self-assessment score to the Supplier Performance Risk System, known as SPRS.

In October 2021, LOGZONE posted a score of 110. That is a perfect score. It tells the government that every required control is fully implemented.

In 2024, the Defense Industrial Base Cybersecurity Assessment Center, known as DIBCAC, reviewed the company and found that the real score was negative 170. The SPRS scale tops out at 110 and falls all the way to negative 203, so negative 170 sits near the very bottom of the range. The government alleged that LOGZONE continued to bill on those Navy contracts for years while that gap existed.

No data breach was alleged. No CMMC assessor was involved. The entire liability came from the distance between what the company claimed and what was true.

How a "perfect" score becomes a federal fraud case

A SPRS score is not an internal metric. It is a representation made directly to the government. When a contract requires that score and the contractor submits invoices on that contract, the government can treat the score as a condition of payment. If the score was materially false, each invoice can become a false claim under the False Claims Act.

That is a serious place to be. The False Claims Act carries treble damages, meaning the government recovers three times its actual losses, plus a separate civil penalty for each individual false claim, so every invoice submitted while the score was wrong adds to the total. The law also contains a whistleblower provision. Current and former employees, and sometimes competitors, can file suit on the government's behalf and share in the recovery. That financial incentive is exactly why cybersecurity cases keep surfacing, and why the person who reports your inaccurate score may be someone who already works for you.

The lesson is uncomfortable but simple. A self-attested SPRS score that you cannot defend with real evidence is not a compliance checkbox. It is a False Claims Act exposure with your signature on it.

This is a pattern, not a one-off

The LOGZONE settlement is not an isolated event. It is the latest step in a multi-year enforcement campaign. The Department of Justice launched its Civil Cyber-Fraud Initiative in 2021 to use the False Claims Act against contractors that misrepresent their cybersecurity. Since then, the settlements have grown steadily and have moved down the supply chain:

  • Raytheon and its successor company agreed to pay $8.4 million to resolve allegations of noncompliance with cybersecurity requirements in federal contracts.
  • MORSECORP agreed to pay $4.6 million to settle cybersecurity fraud allegations.
  • A California defense contractor and a private equity firm agreed to pay $1.75 million after a voluntary self-disclosure of cybersecurity violations.
  • Now LOGZONE, a logistics company most people have never heard of, has paid more than half a million dollars.

The direction is unmistakable. The early cases targeted large primes. The newer cases reach small and mid-size suppliers, the exact companies that make up the majority of the Defense Industrial Base. If you assumed enforcement was only for the giants, the LOGZONE settlement is the correction.

Why self-reported scores drift so far from reality

How does a company end up reporting a 110 when the truth is negative 170? Rarely through deliberate fraud. Usually through a series of small, understandable shortcuts that add up to an indefensible number:

  • The score was produced in a spreadsheet. Someone read the 110 NIST 800-171 requirements, decided each one was probably fine, and entered an optimistic total. There was no methodical assessment behind it.
  • There is no real System Security Plan. The contract requires a System Security Plan that describes how Controlled Unclassified Information is actually protected. Many contractors have a template with the company name swapped in, or nothing at all.
  • "We do that" is treated as proof. Saying the company uses multifactor authentication is not the same as showing the policy, the configuration, and evidence that it has been running across the environment. The SPRS methodology does not give credit for intentions.
  • Gaps were never written into a Plan of Action and Milestones. Known weaknesses do not stop counting because nobody documented them. Every requirement that is not fully implemented is deducted at its full weight of 1, 3 or 5 points, and listing it on a POA&M does not restore those points. What the POA&M does is turn a hidden gap into a dated, owned remediation item, which is the difference between an honest score and an indefensible one.
  • The score was never updated. A number entered in 2021 is treated as permanent, even as the network, the staff, and the threats all change.

Every one of these is fixable. None of them is fixable by hoping no one checks.

How to make your SPRS score defensible

The fix is not exotic, and it is the same work that CMMC Level 2 already requires. If you do this honestly, you remove the False Claims Act exposure and you prepare for certification at the same time:

  • Run an accurate self-assessment. Score honestly against all 110 NIST 800-171 requirements using the official scoring methodology, not a gut feel.
  • Write a real System Security Plan. Describe how Controlled Unclassified Information is actually stored, processed, and transmitted in your environment, and how each control is implemented.
  • Build a Plan of Action and Milestones. Document every gap with an owner and a realistic completion date.
  • Keep evidence for every implemented control. Policies, procedures, screenshots, configurations, and logs, so that any control marked as met can be defended in a review.
  • Post a score that reflects reality, and update it. When you close a gap or change your environment, refresh the SPRS score so it stays true.

The standard you should hold yourself to is this. If DIBCAC walked in tomorrow, would your score hold up? For many small and mid-size contractors the honest answer today is no, and that is precisely the pattern the Department of Justice just penalized.
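The scoring arithmetic behind the steps above, as an added example that is not code from the original post or from Petronella Technology Group. It encodes the DoD Assessment Methodology as the author of this example reads it: start at 110, deduct each unimplemented requirement's weight of 1, 3 or 5 points, give partial credit (a 3-point instead of 5-point deduction) only for a partially implemented 3.5.3 or 3.13.11, treat a POA&M entry as no credit, and refuse to produce a score at all when the system security plan required by 3.12.4 does not exist. The requirement weights embedded here are a constructed subset chosen for illustration and the findings are a constructed assessment, so the resulting 90 is a best case that assumes every requirement not in the table is fully implemented; a real score needs the full Annex A weight table. The evidence check is this example's own house rule, not part of the methodology.

```python
"""SPRS score calculator for a NIST SP 800-171 self-assessment (added example).

Assumed methodology (this example's reading, not text from the original post):
start at 110; deduct a requirement's weight (1, 3 or 5) unless it is fully
implemented; a POA&M entry earns no credit; partial credit exists only for
3.5.3 and 3.13.11 (3 points deducted instead of 5); with no SSP (3.12.4) the
assessment cannot be completed and there is no score.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

MAX_SCORE = 110
SSP_REQUIREMENT = "3.12.4"          # carries no point value; its absence blocks scoring
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}  # deduction for a partial implementation
STATUSES = ("implemented", "partial", "poam", "not_implemented")

# Constructed subset of requirement weights (assumed values, illustration only;
# a real assessment uses the full Annex A table of the DoD Assessment Methodology).
SAMPLE_WEIGHTS: Dict[str, int] = {
    "3.1.1": 5, "3.1.3": 1, "3.1.5": 3, "3.3.1": 5, "3.5.3": 5,
    "3.8.4": 1, "3.11.2": 5, "3.13.11": 5, "3.14.1": 5,
}


@dataclass
class Finding:
    requirement: str
    status: str                                        # one of STATUSES
    evidence: List[str] = field(default_factory=list)  # artifacts backing the claim


def deduction(requirement: str, weight: int, status: str) -> int:
    """Points lost for one requirement under the assumed methodology."""
    if status not in STATUSES:
        raise ValueError(f"unknown status {status!r} for {requirement}")
    if status == "implemented":
        return 0
    if status == "partial" and requirement in PARTIAL_CREDIT:
        return PARTIAL_CREDIT[requirement]
    # Any other partial implementation, a POA&M entry, or an outright gap loses
    # the full weight: the methodology gives no credit for intentions.
    return weight


def score_sprs(weights: Dict[str, int], findings: List[Finding]) -> int:
    """Return 110 minus all deductions; raise if there is no evidenced SSP.

    A requirement in `weights` with no finding is treated as not implemented
    (the conservative default), never as done.
    """
    by_req = {f.requirement: f for f in findings}
    ssp = by_req.get(SSP_REQUIREMENT)
    if ssp is None or ssp.status != "implemented" or not ssp.evidence:
        raise ValueError("no system security plan (3.12.4): "
                         "assessment cannot be completed, no score")
    total = 0
    for requirement, weight in weights.items():
        finding = by_req.get(requirement)
        status = finding.status if finding else "not_implemented"
        total += deduction(requirement, weight, status)
    return MAX_SCORE - total


def try_score(weights: Dict[str, int], findings: List[Finding]) -> Optional[int]:
    """score_sprs that returns None instead of raising when no SSP exists."""
    try:
        return score_sprs(weights, findings)
    except ValueError:
        return None


def unsupported_claims(findings: List[Finding]) -> List[str]:
    """Requirements claimed as (partly) implemented with nothing attached.

    House rule of this example, not the methodology: a claim with no policy,
    configuration or log behind it is exactly what a DIBCAC review will find.
    """
    return sorted(f.requirement for f in findings
                  if f.status in ("implemented", "partial") and not f.evidence)


# Constructed assessment of a contractor that would have "called it a 110".
SAMPLE_FINDINGS = [
    Finding("3.12.4", "implemented", ["SSP-2025-v3.pdf"]),
    Finding("3.1.1", "implemented", ["AD-account-export.csv", "AC-policy.pdf"]),
    Finding("3.1.3", "implemented"),                            # "we do that", no evidence
    Finding("3.1.5", "partial", ["admin-group-review.xlsx"]),   # no partial credit here
    Finding("3.3.1", "not_implemented"),
    Finding("3.5.3", "partial", ["mfa-conditional-access.png"]),  # 3 deducted, not 5
    Finding("3.8.4", "poam"),
    Finding("3.11.2", "poam"),
    Finding("3.13.11", "partial", ["tls-config.txt"]),           # 3 deducted, not 5
    Finding("3.14.1", "implemented", ["patch-report-2025-06.pdf"]),
]

if __name__ == "__main__":
    print("score:", score_sprs(SAMPLE_WEIGHTS, SAMPLE_FINDINGS))
    print("claims without evidence:", unsupported_claims(SAMPLE_FINDINGS))
    no_ssp = [f for f in SAMPLE_FINDINGS if f.requirement != SSP_REQUIREMENT]
    print("score without an SSP:", try_score(SAMPLE_WEIGHTS, no_ssp))
```

Running it shows the two things the post is about: six requirements that a casual reviewer would wave through cost 20 points even in this small subset, and the one control marked implemented with no artifact behind it is flagged before anyone outside the company has to find it.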

The faster path: scope a compliant enclave

The reason many contractors avoid this work is fear of cost and disruption. They imagine rebuilding their entire network to satisfy 110 controls. There is a better way, and it is the approach we use at Petronella Technology Group.

Instead of trying to bring every laptop, server, and application into scope, we scope your Controlled Unclassified Information into a compliant enclave. The CUI lives and moves inside that protected boundary, which means most of your everyday environment stays out of scope. That single decision shrinks the assessment, lowers the cost, and shortens the timeline.

Inside that boundary, we use ComplianceArmor, our compliance automation platform, to generate assessor-ready policies, procedures, System Security Plans, and Plans of Action and Milestones on private artificial intelligence. Your sensitive information never leaves your network and never touches a public AI tool. What used to take months of manual writing becomes a guided, evidence-backed process. From there we bring your SPRS score to an accurate number you can stand behind and prepare you for an independent CMMC Level 2 assessment, which is performed by a certified third-party assessment organization, not by us.

What to do this week

You do not need to solve everything at once. You need to stop carrying an indefensible number. Three steps move you off the LOGZONE path quickly:

  1. Find your current SPRS score and the date it was entered. If no one can explain how it was calculated, treat it as a risk, not a record.
  2. Ask whether it would survive a review. Walk through our CMMC compliance checklist against your real environment and evidence.
  3. Get a readiness assessment. A focused CMMC readiness assessment tells you the true gap between your reported score and a defensible one, and what it takes to close it.

If you want the full picture of how the standard fits together, our guide to CMMC walks through the levels, the timeline, and what your contracts will require.

Frequently asked questions

What is a SPRS score?

A SPRS score is a NIST SP 800-171 self-assessment score that defense contractors post to the Supplier Performance Risk System. It ranges from a maximum of 110 down to negative 203, and many Department of Defense contracts require a current score as a condition of award and payment.

Can a wrong SPRS score really trigger a False Claims Act case?

Yes. When a contract requires a SPRS score and the contractor bills on that contract, the government can treat the score as a condition of payment. A materially false score can turn every invoice into a false claim, which exposes the company to treble damages and whistleblower suits under the False Claims Act.

What is DIBCAC?

The Defense Industrial Base Cybersecurity Assessment Center is the Department of Defense organization that conducts higher-confidence assessments of a contractor's NIST 800-171 implementation. A DIBCAC review can produce a very different score than an optimistic self-assessment, as the LOGZONE case showed.

We have not had a breach. Are we still exposed?

Yes. The LOGZONE settlement did not involve a breach. The liability came from the inaccurate score and the years of billing on contracts that required it. The False Claims Act is about the false representation, not about whether an attacker got in.

How long does it take to fix our score?

It depends on your environment and how far your real posture sits from your reported number. An enclave approach with strong documentation automation shortens the path considerably. The honest first step is a readiness assessment so you are working from facts rather than guesses.

Get a straight answer on your score

The LOGZONE settlement is a reminder that the cost of an inaccurate score is no longer theoretical. Half a million dollars is far more than the cost of getting it right the first time. Petronella Technology Group, Inc. is a CMMC Registered Provider Organization, RPO-1449, with a team of CMMC Registered Practitioners who help defense contractors close the gap between a self-reported score and a defensible one.

If you are not certain your SPRS score would survive a DIBCAC review, schedule a readiness call with our team at book.petronella.ai/craig, or call Penny, our assistant, at 919-348-4912.


About the Author

Craig Petronella, CEO, Founder & AI Architect, Petronella Technology Group

Craig Petronella founded Petronella Technology Group in 2002 and has spent 20+ years professionally at the intersection of cybersecurity, AI, compliance, and digital forensics. He holds the CMMC Registered Practitioner credential issued by the Cyber AB and leads Petronella as a CMMC-AB Registered Provider Organization (RPO #1449). Craig is an NC Licensed Digital Forensics Examiner (License #604180-DFE) and completed MIT Professional Education programs in AI, Blockchain, and Cybersecurity. He also holds CompTIA Security+, CCNA, and Hyperledger certifications.

He is an Amazon #1 Best-Selling Author of 15+ books on cybersecurity and compliance, host of the Encrypted Ambition podcast (95+ episodes on Apple Podcasts, Spotify, and Amazon), and a cybersecurity keynote speaker with 200+ engagements at conferences, law firms, and corporate boardrooms. Craig serves as Contributing Editor for Cybersecurity at NC Triangle Attorney at Law Magazine and is a guest lecturer at NCCU School of Law. He has served as a digital forensics expert witness in federal and state court cases involving cybercrime, cryptocurrency fraud, SIM-swap attacks, and data breaches.

Under his leadership, Petronella Technology Group has served hundreds of regulated SMB clients across NC and the southeast since 2002, earned a BBB A+ rating every year since 2003, and been featured as a cybersecurity authority on CBS, ABC, NBC, FOX, and WRAL. The company leverages SOC 2 Type II certified platforms and specializes in AI implementation, managed cybersecurity, CMMC/HIPAA/SOC 2 compliance, and digital forensics for businesses across the United States.
