The Supplier Performance Risk System (SPRS) is a DoD database where contractors upload their self-assessed NIST 800-171 implementation scores. This score helps determine a contractor's eligibility to bid on and receive defense contracts that involve Controlled Unclassified Information (CUI).
Each score represents how closely a contractor complies with the 110 security requirements in NIST 800-171. Submitting a score—especially a high one—without actual compliance is a false representation made to the federal government in order to get paid or win contracts.
That’s fraud under the False Claims Act (FCA).
An SPRS submission fraud lawsuit is a type of False Claims Act case where a whistleblower alleges that a contractor knowingly submitted false cybersecurity compliance scores to SPRS, misleading the DoD and improperly obtaining contract awards.
To qualify as a whistleblower, you must show that:
The contractor was not fully compliant with NIST 800-171
The contractor knew about this noncompliance
They submitted a score anyway (or exaggerated their score) to SPRS
The score impacted the government’s decision to award or renew a contract
In a whistleblower lawsuit filed in 2024, a former senior director at Raytheon Technologies revealed that the company submitted SPRS scores that did not reflect reality. Despite warnings that its system “DarkNet” was riddled with security vulnerabilities, lacked MFA, and had system admin privileges for every user, Raytheon:
Submitted favorable SPRS scores
Kept bidding on and winning DoD contracts
Failed to report internal breaches and risks
Refused to seek a DFARS waiver or delay
Retaliated against the whistleblower for escalating concerns
Raytheon’s alleged SPRS fraud—done to preserve eligibility for multibillion-dollar contracts—may lead to massive False Claims Act penalties and whistleblower rewards.
In Decker v. University of Pennsylvania, a senior IT leader at Penn’s Applied Research Laboratory reported that university officials:
Fabricated or recycled outdated compliance documentation
Ignored CUI mismanagement and storage in unapproved cloud platforms
Continued uploading SPRS scores despite failing internal audits
Suppressed reports and neutralized internal “tiger teams” that uncovered the problems
Despite knowing that their systems failed to meet the NIST 800-171 baseline, Penn used inflated SPRS scores to maintain DoD funding—again, a potential False Claims Act violation.
Whistleblowers in SPRS fraud cases are often:
Cybersecurity professionals responsible for drafting or validating compliance reports
Compliance officers pressured to sign off on false security plans or POA&Ms
Engineers or IT staff with visibility into system vulnerabilities or breach logs
Contract officers or GovCon consultants aware of scoring misconduct
University research staff involved in DoD contract administration
If you’ve been in meetings where someone said “we can’t delay this contract—just put in a score,” you’re likely witnessing SPRS fraud. Contact a cybersecurity whistleblower attorney today.
You don’t need to be in the C-suite to blow the whistle. But you’ll want strong, documented proof such as:
Emails or Slack messages instructing someone to “just submit” or “reuse last year’s score”
Internal audit reports showing security gaps
Evidence that no valid SSP or POA&M existed when the score was submitted
Screenshots showing incorrect SPRS entries
Timeline of known vulnerabilities or breaches ignored before submission
Notes from meetings where false certifications were discussed
The stronger your proof that the organization knowingly falsified the score, the stronger your case.
Whistleblowers are entitled to a relator’s share of any funds recovered by the government:
15% to 25% if the DOJ intervenes
Up to 30% if you proceed without government intervention and win
In cases involving DoD contracts worth hundreds of millions—or billions—the potential reward can be life-changing.
If you were demoted, fired, isolated, or otherwise retaliated against for raising SPRS or NIST compliance concerns, you can pursue:
Lost wages and reinstatement
Compensatory damages
Attorneys’ fees
Emotional distress compensation
In both the Penn and Raytheon cases, whistleblowers faced retaliation—but the FCA provides powerful protections and remedies.
Filing an SPRS-related whistleblower case involves:
Gathering evidence: Secure documentation confidentially and legally.
Hiring a False Claims Act attorney: They’ll help you draft a formal complaint under seal.
Filing with the DOJ: The case is filed confidentially while the DOJ investigates.
Awaiting intervention: If the DOJ joins, the odds of recovery rise significantly.
If you know a contractor is gaming their SPRS score and putting national security at risk, take action. The government takes these violations seriously—and you can play a key role in protecting taxpayer dollars and classified data.
The Whistleblower Advocates specializes in SPRS submission fraud lawsuits. We help whistleblowers:
File anonymously and securely
Maximize their recovery
Fight retaliation
Hold defense contractors accountable
Don’t wait. You may be the only one standing between fraud and a national security breach.