The $507K LOGZONE Settlement: Your SPRS Score Is Now False Claims Act Evidence

By PolicyCortex Team · Published Jul 1, 2026 · 9 min read · SPRS, False Claims Act, LOGZONE, CMMC, NIST 800-171, DFARS 7019, enforcement

On June 18, 2026, DOJ settled with a defense contractor whose self-reported SPRS score of 110 turned out to be -170. Here's what the LOGZONE case means for every contractor affirming a score before the November 2026 CMMC deadline.

A Score of 110, an Assessment of -170

On June 18, 2026, the Department of Justice announced that LOGZONE Inc., a Huntsville, Alabama defense contractor, agreed to pay $507,144 to resolve False Claims Act allegations tied to its cybersecurity self-assessments on Navy contracts.

The core facts are brutal in their simplicity:

  • In October 2021, LOGZONE self-reported a perfect NIST SP 800-171 score of 110 to the Supplier Performance Risk System (SPRS).
  • In 2024, DoD's own assessors at DIBCAC examined the same environment and scored it negative 170 — the floor of the scoring scale is -203.
  • The gap between what the company affirmed and what was actually true became the basis of a False Claims Act case.

No breach was required. No CUI had to be exfiltrated. The score itself was the false claim, because contract eligibility and payment flowed from it.

If your organization has a number sitting in SPRS right now, this case is about you.

Why This Settlement Matters More Than Its Size

Half a million dollars is small by FCA standards — Raytheon and Nightwing paid $8.4 million in 2025 over related cybersecurity allegations. What makes LOGZONE significant is the pattern it confirms:

  1. DOJ's Civil Cyber-Fraud Initiative is working through the DIB. Since 2021, DOJ has treated cybersecurity misrepresentations as fraud. LOGZONE shows they will pursue mid-size and small contractors, not just primes.
  2. DIBCAC assessments create the evidence. The government does not need a whistleblower to find the gap between your affirmation and your reality. A routine DIBCAC medium or high assessment produces a government-documented delta against your self-reported score.
  3. The math of exposure is asymmetric. LOGZONE's contracts were modest. Treble damages plus per-claim penalties under the FCA can dwarf the value of the underlying contract — and the settlement follows the company's principals around in future responsibility determinations.

Case                 | Year | Amount | The false claim
Aerojet Rocketdyne   | 2022 | $9.0M  | Misrepresented 800-171 compliance
Penn State           | 2024 | $1.25M | Non-compliant DFARS 7012 controls
Raytheon / Nightwing | 2025 | $8.4M  | Cybersecurity requirement failures
LOGZONE              | 2026 | $507K  | Inflated SPRS self-assessment score

The Uncomfortable Question: Is Your SPRS Score Defensible?

Most SPRS scores in the DIB were entered years ago, under deadline pressure, by someone interpreting 110 controls generously. Industry assessors report the same pattern over and over: companies that self-scored 100+ arrive at their first gap assessment and discover their defensible score is somewhere between -50 and +50.

The scoring methodology makes optimism expensive. A perfect score is 110, but individual controls are weighted 1, 3, or 5 points — and you subtract for each unimplemented control. Miss multifactor authentication (5 points), FIPS-validated encryption (up to 5), and a handful of audit and access controls, and a "mostly compliant" environment lands deep in negative territory. That is how a company that believed it deserved 110 can be assessed at -170.

Three questions determine whether your current score would survive scrutiny:

  1. Can you produce evidence for every control you claimed? Not a policy document — artifacts. Screenshots, configurations, logs, access reviews. If a DIBCAC assessor asked tomorrow, could you show it?
  2. Was your score calculated against the official DoD Assessment Methodology, with the correct point deductions, or was it a checklist exercise?
  3. Has your environment changed since the score was entered? New cloud accounts, new MSP, new SaaS tools — every change since your affirmation is drift between what SPRS says and what is true.

CMMC Phase 2 Raises the Stakes in November

This is not a legacy problem that CMMC will make obsolete. It is the opposite.

When CMMC Phase 2 begins on November 10, 2026, Level 2 C3PAO certification becomes a condition of award in new solicitations involving CUI. But the certification framework keeps the affirmation mechanism: a senior company official must affirm continuing compliance in SPRS annually, and after every significant change.

That affirmation is a signed federal representation. LOGZONE tells you exactly how DOJ views a signed representation that does not match reality. Under CMMC, the affirmation is:

  • Named — a specific senior official signs it, personally.
  • Recurring — annually, not once. Every year is a fresh claim.
  • Checkable — your C3PAO assessment results, DIBCAC reviews, and incident reports all create a paper trail the affirmation can be compared against.

Contractors racing to certify before the deadline face a specific trap: certifying on an environment held together with temporary fixes, then affirming annually while the environment drifts back. The certificate is a snapshot; the affirmation is a promise that the snapshot is still true. FCA liability lives in that gap.

What To Do Now: The Honest-Score Playbook

1. Re-score yourself against the DoD Assessment Methodology — this quarter. Use the official scoring template with the actual point weights. If your realistic score is materially lower than what SPRS currently shows, updating SPRS is the risk-reducing move. A corrected score with a documented POA&M is defensible; a stale inflated score is not.

2. Build the evidence trail before you need it. For every control you claim, know where the artifact lives. If evidence collection is manual, it will decay — this is the single most common gap C3PAOs report. Our free CMMC Level 2 readiness assessment walks through the control families where evidence gaps cluster.

3. Treat every affirmation like the legal document it is. The senior official signing the SPRS affirmation should see a real compliance report before signing — not a verbal "we're good" from IT. If your affirming official can't get continuous visibility into control status, that is an organizational gap, not just a technical one.

4. Close the drift problem structurally. Point-in-time compliance plus annual affirmations is a liability machine unless something holds the environment in a compliant state between assessments. This is exactly the problem PolicyCortex was built for: continuous control monitoring mapped to all 110 NIST 800-171 controls, autonomous remediation when configurations drift, and an evidence trail generated as changes happen — so the state you affirmed is the state you're actually in. The 30-day CMMC pilot produces a defensible baseline score and a C3PAO-ready evidence bundle in one engagement.

The Timeline Pressure Is Real

There are roughly four months until Phase 2 begins. C3PAO wait times are running 6–9 months. If the LOGZONE settlement prompts you to re-examine your SPRS score — and it should — the follow-on question is whether your remediation-to-assessment timeline still closes before your contracts require certification.

Run your dates through our CMMC deadline work-back calculator to see when each milestone must land, and read our breakdown of the C3PAO backlog math for the full scheduling picture.

The era of the aspirational SPRS score ended on June 18, 2026. The contractors who treat their score as a legal representation — and build the machinery to keep it true — are the ones who will still be bidding in 2027.
