FORENSIC LEGIBILITY EXAMINER
CASE 130 | SECURE DOCUMENTATION & CREDENTIALING | 2026-07-28
DISPOSITION: SPRS CYBERSECURITY ASSESSMENT SCORE SUBMITTED AS CERTIFYING COMPLIANCE OF THE ACTUAL RESEARCH ENVIRONMENT; THE SCORE WAS PRODUCED FOR A FABRICATED VIRTUAL SYSTEM THAT DID NOT EXIST — THE RELYING PARTY EVALUATED A CREDENTIAL WHOSE EVIDENTIARY BOUNDARY WAS NOT THE ENVIRONMENT UNDER CONTRACT

Cybersecurity Assessment Credential Authority Failure Through SPRS Score Submitted for a Fabricated IT Environment Rather Than the Actual Assessed System — Georgia Tech Research Corporation, 2025

The SPRS cybersecurity assessment score is a compliance credential: a self-reported measure, on a 110-point scale, of how fully the contractor's IT environment implements the security controls specified in NIST SP 800-171, and a condition of award for DoD contracts that involve controlled unclassified information. Georgia Tech Research Corporation submitted a score of 98 out of 110 for a fabricated virtual campus-wide IT environment. The Astrolavos Lab — the actual research environment under contract, conducting cybersecurity research for DARPA and the Air Force — had no System Security Plan until 2020, three years after contracting began, and did not run required antivirus software. Witnesses described the submitted score as based on a "kind of fictitious environment." DoD awarded contracts on the credential. The environment the credential certified did not correspond to the environment the contracts covered. GTRC paid $875,000 to resolve FCA allegations in September 2025.
Failure classification: SPRS Score Submitted for Fabricated Virtual Environment Rather Than Actual Assessed Research System; Credential Certified Compliance Condition for an Environment the Relying Party Never Evaluated; DoD Awarded Contracts on Certification Whose Evidentiary Boundary Did Not Correspond to the Environment Under Contract

Context

DoD contractors handling controlled unclassified information are required to implement the 110 security controls specified in NIST SP 800-171. Beginning in late 2020, contractors were required to self-assess their compliance and submit the resulting score to the Supplier Performance Risk System — a DoD database that contracting officers consult when evaluating contract awards. Under the DoD assessment methodology the score starts at 110 and loses 1, 3 or 5 points for each control not implemented, so a score is meaningful only relative to the specific system whose controls were counted. The SPRS score is a condition of contract award. It certifies that the contractor's IT environment meets the required security controls. The relying party — DoD — evaluates the credential, not the environment.

Georgia Tech Research Corporation conducted research under Air Force and DARPA contracts at the Astrolavos Lab — a facility conducting cybersecurity research, including research intended to identify cyber threat actors and limit cyberattacks. The Lab did not develop a System Security Plan until 2020, three years after contracting began. It did not run required antivirus software. When GTRC was required to submit an SPRS score, the GRC team was directed to produce a score for a campus-wide virtual IT environment rather than the Astrolavos Lab. The score submitted was 98 out of 110 — a high-compliance result for an environment that did not exist.

Trigger

Two former members of Georgia Tech's Cybersecurity Team — Christopher Craig and Kyle Koza — filed a qui tam complaint in 2022. DOJ intervened in 2024, filing a complaint-in-intervention alleging three failures: no antivirus software at the Astrolavos Lab, no System Security Plan for the first three years of contracting, and a false SPRS score submitted for a fabricated virtual environment. GTRC filed a 63-page motion to dismiss in October 2024, arguing the research did not involve controlled unclassified information and challenging the government's ability to establish falsity and materiality. The case was referred to mediation and settled on September 30, 2025 for $875,000 — the fourteenth settlement under DOJ's Civil Cyber-Fraud Initiative.

The settlement amount is significantly lower than other Civil Cyber-Fraud Initiative resolutions, reflecting both the relatively modest contract value at issue and the genuine litigation risk the government faced on materiality. No data breach was alleged or occurred. The FCA violation arose from the false representation in the credential — the SPRS score — not from any demonstrated harm to the information the credential was designed to protect.

Failure Condition

The SPRS score is a self-certification credential. The contractor assesses its own environment against the NIST SP 800-171 controls, produces a score, and submits it to a DoD database. The relying party — the contracting officer — consults the database at contract award. The credential certifies the compliance condition of the contractor's IT environment. The contracting officer does not evaluate the environment. The credential resolves that question in the contractor's favor.

The structural failure in this case is not that the score was inaccurate — it is that the score certified a compliance condition for an environment that was not the environment under contract. The credential's evidentiary boundary did not correspond to the system the credential was required to certify. GTRC's GRC team produced a score for a fabricated virtual campus-wide system. The Astrolavos Lab — the actual research environment, the system handling the information the credential was designed to protect — was not assessed. It had no System Security Plan. It did not run antivirus software. The score of 98 out of 110 certified compliance for a system that witnesses described as "fictitious." DoD awarded contracts on that certification.

The self-certification architecture is the enabling condition. When the entity submitting the credential also determines what the credential certifies, the correspondence between the credential and the environment it is required to represent is not evaluable at the point of reliance. The contracting officer receives the score. The score resolves the compliance question. The environment that produced the score is not the environment the score was required to assess. The relying party evaluated a credential whose evidentiary boundary did not correspond to the system under contract.

Observed Response

The $875,000 settlement resolved the FCA allegations without an admission of wrongdoing. The Civil Cyber-Fraud Initiative continues to pursue cybersecurity self-certification failures across defense contractors. The CMMC program — now finalized and beginning to appear in DoD contracts — requires executive affirmation of every assessment and, for most Level 2 and all Level 3 contracts, assessment by an accredited third party rather than by the contractor; Level 1 and a subset of Level 2 contracts still rely on self-assessment, so the self-certification architecture that produced this case is narrowed rather than eliminated. Where third-party assessment applies, the structural correction is the separation of the assessment function from the entity with the financial interest in the assessment's outcome — the same independence condition the self-certification model did not require.

The remediation is architectural in who performs the assessment, not in what the credential carries. CMMC does not require the credential to encode the evidentiary boundary of the assessment in a form evaluable at the point of contract award. It requires that a third party perform the assessment. The SPRS entry does carry an assessment date and a name for the System Security Plan assessed, but these are free-text fields filled in by the submitter; nothing in the record lets the contracting officer check that the named plan describes the system under contract. The credential still certifies a compliance condition whose correspondence to the actual environment is not verifiable from the credential at the point of reliance. The assessment is separated from the contractor. The credential remains a self-contained assertion.

Analytical Findings

  • The SPRS score is a self-certification compliance credential — the contractor assesses its own environment, produces a score, and submits it to a DoD database consulted at contract award; the relying party evaluates the credential, not the environment; the credential resolves the compliance question in the contractor's favor at the point of reliance
  • GTRC submitted a score of 98 out of 110 for a fabricated virtual campus-wide IT environment; the Astrolavos Lab — the actual research environment under contract — had no System Security Plan for the first three years of contracting and did not run required antivirus software; witnesses described the submission as based on a "kind of fictitious environment"; the credential's evidentiary boundary did not correspond to the system the credential was required to certify
  • The organizational context documented in the complaint is structurally significant: high-profile researchers were permitted to ignore cybersecurity requirements because leadership did not want to discourage participation in lucrative federal contracts; the compliance credential was subordinated to contract revenue; the self-certification architecture provided no mechanism by which the relying party could evaluate whether the compliance condition was present at the point of award
  • No data breach was alleged or required for FCA liability; the violation arose from the false representation in the credential — the SPRS score — not from demonstrated harm; the credential authorized continued contract award; the condition it certified was not the condition of the environment under contract
  • The CMMC remediation — third-party assessment and executive sign-off replacing self-certification — separates the assessment function from the entity with the financial interest in the outcome; it does not require the credential to encode the evidentiary boundary of the assessment in a form evaluable at the point of contract award; the correspondence condition is assessed independently but not encoded in the credential surface available to the relying party at reliance
  • A cybersecurity compliance credential that encodes the evidentiary boundary of the assessment — the specific system assessed, the controls evaluated, the date of assessment, and the correspondence between the assessed environment and the environment under contract — in a form evaluable at the point of contract award makes the compliance condition demonstrable without requiring the relying party to trust the submitting entity or the assessor; a fabricated environment fails at the point of credential generation, before it reaches the relying party
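The following is an added illustration of the credential design the last finding describes, not code from the page, from DoD, or from any party to the case. It shows an assessor-issued attestation that binds the score to the system assessed (a system identifier, a hash of the System Security Plan that was evaluated, the controls found unimplemented, and the assessment date) and a relying-party check that rejects a score whose boundary is not the system under contract. All identifiers, SSP text and scores are constructed; an HMAC under a key the relying party holds stands in for the assessor's digital signature.

```python
# Added example: scope-bound compliance attestation (constructed, hypothetical).
# Assumptions: HMAC with a key the relying party holds stands in for the
# assessor's signature; system_id and the SSP text are what the contract
# would reference for the system under contract.
import hashlib
import hmac
import json
from datetime import date

ASSESSOR_KEY = b"demo-assessor-key"  # assumption: stand-in for an assessor signing key


def canonical(payload):
    """Deterministic JSON so the signature covers exactly the recorded fields."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def issue_attestation(key, system_id, ssp_text, score, unimplemented, assessed_on):
    """Assessor binds the score to the boundary it assessed: system id, hash of
    the SSP evaluated, the controls found unimplemented, and the date."""
    payload = {
        "system_id": system_id,
        "ssp_sha256": hashlib.sha256(ssp_text.encode()).hexdigest(),
        "score": score,
        "unimplemented": sorted(unimplemented),
        "assessed_on": assessed_on.isoformat(),
    }
    sig = hmac.new(key, canonical(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "sig": sig}


def verify_attestation(key, attestation, contract_system_id, contract_ssp_text,
                       award_date, max_age_days=365):
    """Relying-party check at award: signature first, then correspondence between
    the assessed boundary and the environment under contract, then freshness.
    Returns (accepted, reason)."""
    payload = attestation["payload"]
    expected = hmac.new(key, canonical(payload), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, attestation["sig"]):
        return False, "signature invalid"
    if payload["system_id"] != contract_system_id:
        return False, (f"scope mismatch: assessed {payload['system_id']!r}, "
                       f"contract covers {contract_system_id!r}")
    if payload["ssp_sha256"] != hashlib.sha256(contract_ssp_text.encode()).hexdigest():
        return False, "SSP hash does not match the SSP referenced by the contract"
    age = (award_date - date.fromisoformat(payload["assessed_on"])).days
    if age < 0 or age > max_age_days:
        return False, "assessment date outside acceptance window"
    return True, f"score {payload['score']}/110 for {contract_system_id}"


# Constructed sample data: hypothetical system ids, SSP text, dates and scores.
LAB_SSP = "SSP v1: Astrolavos Lab enclave, 12 hosts, CUI boundary"
VIRTUAL_SSP = "SSP v0: campus-wide virtual environment"
AWARD = date(2021, 3, 1)

# A high score produced for an environment that is not the one under contract.
virtual = issue_attestation(ASSESSOR_KEY, "gt-campus-virtual", VIRTUAL_SSP,
                            98, [], date(2020, 12, 1))
# A score for the actual lab, recording the two control areas the case concerns
# (3.12.4 system security plan, 3.14.2 malicious code protection) as unimplemented.
lab = issue_attestation(ASSESSOR_KEY, "gt-astrolavos-lab", LAB_SSP,
                        75, ["3.12.4", "3.14.2"], date(2020, 12, 1))


def check_virtual():
    """Contract covers the lab; the credential was issued for the virtual system."""
    return verify_attestation(ASSESSOR_KEY, virtual, "gt-astrolavos-lab", LAB_SSP, AWARD)


def check_lab():
    """Credential boundary corresponds to the contract; the low score is visible."""
    return verify_attestation(ASSESSOR_KEY, lab, "gt-astrolavos-lab", LAB_SSP, AWARD)


def check_tampered():
    """Submitter edits the score after the assessor signed it."""
    forged = json.loads(json.dumps(lab))
    forged["payload"]["score"] = 110
    return verify_attestation(ASSESSOR_KEY, forged, "gt-astrolavos-lab", LAB_SSP, AWARD)


if __name__ == "__main__":
    for name, fn in (("virtual env", check_virtual), ("lab", check_lab),
                     ("tampered", check_tampered)):
        print(name, fn())
```

The point of the design is the order of checks: the relying party never reads the score until the credential has proved which system it describes. A fabricated environment fails at the scope check before its 98 is ever considered, and an honest credential for the real lab passes while still showing the unimplemented controls and the lower score, which is the information the contracting officer needed.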
References
  1. U.S. Department of Justice, Georgia Tech Research Corporation Agrees to Pay $875,000 to Resolve Civil Cyber-Fraud Litigation; September 30, 2025; fourteenth Civil Cyber-Fraud Initiative settlement; qui tam relators Christopher Craig and Kyle Koza.
  2. DOJ Complaint-in-Intervention; three alleged failures: no antivirus software at Astrolavos Lab, no System Security Plan for three years, false SPRS score submitted for fabricated virtual campus-wide environment scoring 98/110.
  3. Arnold & Porter, School's Back in Session: Georgia Tech Settles Cyber FCA Allegations for $875,000; "star quarterback" organizational context; witnesses quoted on fictitious environment; October 2025.
  4. PreVeil, DOJ Files Complaint Against Georgia Tech Under False Claims Act; GRC team described score as based on "kind of fictitious environment"; "hundreds of different" IT systems across campus, all operating independently; October 2025.
  5. CMMC program final rule; third-party assessment and executive affirmation for most Level 2 and all Level 3 contracts, replacing the self-certification architecture there; structural remediation separates assessment function from contractor financial interest; correspondence condition not encoded in credential surface.
  6. DFARS 252.204-7012; NIST SP 800-171; 110 security controls applicable to DoD contractors handling controlled unclassified information since 2017; SPRS self-assessment submission required beginning late 2020.