SPRS scores are self-reported — and most prime contractors have no documented basis for accepting them. Under the False Claims Act, a false or unsupported compliance claim in your supply chain becomes your liability the moment you sign a contract. Here is what a defensible compliance record actually looks like, and what most primes are missing.
SPRS — the Supplier Performance Risk System — is the DoD's compliance scoreboard. Every FCI-handling subcontractor is required to self-assess against the 15 practices of FAR 52.204-21, calculate a score, and submit it to SPRS. The word "self" in "self-assessment" is doing significant work here. No auditor reviews the score before it goes in. No contracting officer validates the methodology. The system accepts what the sub reports — and that number sits in a government database next to your contract.
The problem for prime contractors is not that subs are necessarily dishonest. The problem is that most subs don't fully understand the standard, most scores have never been documented, and most primes have accepted a sub's verbal or written assurance without ever holding a piece of paper that could constitute a verification. Under the False Claims Act, that gap — between the score on file and the documentation supporting it — is where liability lives.
Understanding the system
The Supplier Performance Risk System was designed to give DoD contracting officers visibility into the cybersecurity posture of contractors across the defense industrial base. In practice, what it captures is what contractors say about themselves — unvalidated, unaudited, and accepted at face value by the system itself.
For CMMC Level 1 — which covers every subcontractor that handles Federal Contract Information — the process works like this: a sub's authorized company representative reviews the 15 practices in FAR 52.204-21, determines how many are fully implemented, applies the DoD scoring methodology, and submits the result to SPRS with an affirmation that the score is accurate. No third party reviews this. No C3PAO is required. No contracting officer validates it before it goes in.
That design puts the verification obligation on the prime contractor. DFARS 252.204-7021 requires primes to confirm that subcontractors have a current SPRS score before awarding a subcontract — and to reverify annually. The regulation does not specify what "confirm" means in documentation terms. That ambiguity is exactly where most prime compliance programs break down.
A score of 110 in SPRS looks identical whether it reflects a rigorous, documented self-assessment or a sub who checked every box without reading the standard. The score carries no inherent evidence of what produced it. The only thing that differentiates a defensible 110 from a fraudulent one is the documentation the sub retained — and the prime collected — at the time of assessment.
If a sub submits an inaccurate SPRS score — because they misunderstood a practice, skipped the assessment, or simply inflated their self-evaluation — and a prime accepts that score as verification without holding supporting documentation, the prime has certified a compliance posture to the government that has no documented basis. Under the False Claims Act, that certification travels with every invoice on that contract. The sub made the error. The prime is potentially liable for it.
What verification actually means
Most Pacific prime contractors managing a trade sub supply chain are operating with some version of the same compliance posture: they know their subs are required to have SPRS scores, they have asked about it at some point, and they have received something — an email confirmation, a verbal assurance, or a screenshot of a SPRS entry — in response. That is not a compliance record. It is a starting point.
A defensible supply chain compliance record is a documented chain of custody from the sub's self-assessment through the prime's verification and into the contract file. The following table shows the difference between what most primes hold and what a compliance record actually requires.
| Documentation Element | What Most Primes Have | What a Defensible Record Requires |
|---|---|---|
| SPRS score confirmation | Verbal or email assurance from sub (Unverified) | Dated copy of sub's SPRS entry with score, assessment date, and affirming official |
| Assessment methodology | None — score accepted at face value (No basis on file) | Sub's completed self-assessment workbook, practice by practice, with notes on implementation status |
| System Security Plan | Unknown — never requested (Not collected) | Sub's current SSP confirming the scope, boundaries, and controls in place at time of assessment |
| Executive affirmation | Not collected (No signature) | Signed confirmation form from sub's authorized representative attesting to accuracy of score |
| Prime verification date | Unknown — no record kept (No timestamp) | Dated entry in prime's sub compliance tracker showing when score was verified and by whom |
| Annual re-verification | Not tracked — happens informally if at all (No process) | Scheduled re-verification at 10–11 months, new documentation cycle, updated tracker entry |
| Flow-down clause confirmation | Included in subcontract boilerplate — not confirmed as current (May reference deleted clauses) | Subcontract language confirmed against current DFARS 252.204-7021; sub acknowledges obligation in writing |
The gap between columns two and three is the prime's FCA exposure. Every element in column three costs almost nothing to collect — it requires a process, not a budget. The cost of not having it, if a DOJ inquiry or contracting officer audit arrives, is not recoverable.
Pacific market context
The typical Pacific trade subcontractor — electrical, HVAC, plumbing, welding, roofing, fencing, mechanical — is a 10-to-15-person operation. The owner is running the business, managing crews, and bidding new work. There is no IT staff. There is no compliance team. There may not be a dedicated computer beyond a shared laptop and a phone.
When that sub was told they needed a SPRS score, one of a few things happened. In the best case, they found the DoD's online resources, worked through the assessment, submitted a score to SPRS, and have a rough record of what they did. In the more common case, they submitted a score based on a partial read of the requirements, are not entirely sure what practices they said they met, and have no documented System Security Plan. In some cases, a score exists in SPRS that the current company management cannot fully explain or substantiate.
Pacific trade subs are not trying to defraud the government. They are small businesses trying to keep their contracts. The compliance failure is not bad faith — it is that no one gave them a plain-English guide, a documented process, or a clear deliverable to return to their prime. When a prime has no intake process for sub compliance documentation, the sub has no reason to produce one. The prime's program — or lack of one — sets the quality of what comes back.
This is the structural problem that CMMC Level 1 oversight is designed to address — and it is also the problem that turns an administrative compliance gap into a prime's FCA exposure. The sub's incomplete self-assessment is an internal issue for the sub. The prime's failure to collect documentation is what transforms that gap into a false certification on a government contract.
Building the record
A prime contractor's defensible supply chain compliance record is not a cybersecurity audit. It is a documentation program. Every element of it can be collected through a structured intake process that puts the work on the sub and the organization on the prime. The complete file for each sub contains seven elements:
1. The sub's completed self-assessment workbook, practice by practice, with notes on implementation status.
2. The sub's current System Security Plan (SSP), confirming the scope, boundaries, and controls in place at the time of assessment.
3. A dated copy of the sub's SPRS entry showing the score, the assessment date, and the affirming official.
4. A signed confirmation form from the sub's authorized representative attesting to the accuracy of the score.
5. The sub's written acknowledgment of the flow-down obligation under DFARS 252.204-7021.
6. A re-verification calendar trigger, recorded as a dated entry in the prime's sub compliance tracker showing when the score was verified and by whom.
7. A Plan of Action and Milestones (POA&M), where applicable.
Collecting these seven elements from every FCI-handling sub in the supply chain — before awarding a subcontract and at each annual re-verification — constitutes a defensible compliance program. Not a perfect one. Not one that eliminates all risk. But one that demonstrates documented, good-faith compliance management to any contracting officer, DCMA auditor, or DOJ investigator who asks.
If a sub's SPRS score turns out to be inaccurate, a prime who holds this documentation package has a credible defense: they followed a reasonable process, collected the required documentation, relied on the sub's signed affirmation, and maintained the record in good faith. A prime who holds nothing — or who accepted a verbal assurance — has no equivalent defense. The file is not bureaucracy. It is the argument.
Action items
1. Pull your current sub list and identify every FCI-handling subcontractor. Not every sub is in scope — only those whose work involves Federal Contract Information. This typically includes any sub performing on a DoD contract, accessing contract documents, or handling any information related to the performance of a government contract. Electrical, HVAC, plumbing, welding, roofing, fencing, and mechanical subs on NAVFAC and MILCON projects are almost universally in scope.
2. Check SPRS for each in-scope sub before your next contract award or option exercise. SPRS is publicly accessible. You can look up any registered contractor's score without their involvement. Run every in-scope sub right now. Record the score, the date, and the affirming official. Note which subs have no score on file — that is your immediate compliance gap.
3. Send a structured compliance intake packet to every sub — not a request, a packet. Do not ask your subs to "get compliant" and leave them to figure out how. Provide the self-assessment workbook, the plain-English guide, the confirmation form, and the submission instructions. The quality of what comes back depends entirely on what you send. Subs who receive a structured packet return a structured result. Subs who receive an email asking for their score return a screenshot.
4. Collect and file the seven documentation elements from every sub. The completed workbook, the SSP, the dated SPRS entry, the signed confirmation form, the flow-down acknowledgment, the re-verification calendar trigger, and the POA&M where applicable. File them by sub. Do not accept an incomplete package as verification.
5. Calendar re-verification at 10 months — not 12. CMMC requires annual re-verification. Scheduling at 10 months gives a two-month buffer to chase down subs who are slow to respond, collect updated documentation, and have the renewed compliance file in hand before the 12-month mark. A re-verification that runs to 13 or 14 months creates a gap in the compliance record — and a gap is a liability.
Pacific Cyber Compliance gives prime contractors a ready-to-run sub compliance documentation program — structured intake packet, self-assessment workbook, confirmation form, sub compliance tracker, and annual re-verification workflow. Flat fee. Unlimited subs. Pacific-based. The file that constitutes your FCA defense, ready to distribute.