There’s a quiet conversation happening right now in machine shops in Anaheim, engineering firms in Irvine, and aerospace subcontractors across Orange County, and it goes something like this: “We did the self-assessment, we submitted a score in SPRS, we’re good.” Then the speaker shrugs, the conversation moves on, and everyone goes back to work.

That confidence is the most expensive misunderstanding in the defense industrial base. Because in 2026, “we did a self-assessment” no longer means what most contractors think it means — and the gap between what was submitted to SPRS and what an actual C3PAO would find is now being measured by the Department of Justice in seven-figure False Claims Act settlements.

If you handle Controlled Unclassified Information (CUI) on any DoD contract, the math has changed. Here’s what’s actually going on, what most contractors are getting wrong, and what to do about it before November 10, 2026.

300K+: DoD contractors needing CMMC certification (DoD estimate)
~95%: share of contractors handling CUI who will need a C3PAO audit, not a self-assessment
$4.6M: MORSE Corp FCA settlement; submitted SPRS score of 104, assessed score was -142
Nov 10, 2026: C3PAO certification becomes mandatory for new contracts involving CUI

The two assessments are not interchangeable

Let’s clear this up first, because the language has been muddled badly by every prime, vendor, and consultant since CMMC 2.0 was finalized.

A CMMC self-assessment is a contractor scoring its own compliance with NIST SP 800-171’s 110 controls using the DoD Assessment Methodology, then submitting that score (ranging from -203 to 110) into the Supplier Performance Risk System (SPRS). A senior official signs an annual affirmation attesting to its accuracy. Phase 1 of the CMMC rollout — which began November 10, 2025 — requires this for Level 1 and Level 2 contracts in applicable solicitations.

A C3PAO audit is a multi-day, on-site assessment conducted by Certified CMMC Assessors working for a Cyber-AB-authorized third-party organization. They review documentation, interview your personnel, and test technical controls against the 320 assessment objectives of NIST SP 800-171A, then issue a Certificate of CMMC Status. The result flows from eMASS into SPRS. Starting November 10, 2026, this becomes mandatory for new DoD contracts involving CUI in applicable solicitations.

Here’s the part contractors are getting wrong: the DoD estimates that 95% of contractors handling CUI will require C3PAO certification rather than self-assessment, because most CUI categories fall under the Defense Organizational Index Grouping (controlled technical information, naval nuclear propulsion data, critical infrastructure security info, and others). If your contract has DFARS clause 252.204-7012 in it, you’re almost certainly in this group. “We’ll self-assess” is, for most of you, the wrong answer.

Your SPRS score is probably wrong (and you probably don’t know it)

Here’s the uncomfortable pattern that’s emerging as C3PAO assessments start producing real data: self-reported SPRS scores consistently overstate actual compliance with NIST 800-171. Not because contractors are lying, but because self-assessment without real expertise produces optimistic results.

Controls get marked “implemented” when they’re partially configured. Policies get checked off because they exist in a binder, not because anyone follows them. Access controls get scored favorably because the person scoring doesn’t fully understand what “least privilege” actually requires. Audit logging gets marked complete because logs exist somewhere — never mind whether they’re reviewed, retained, or correlated.

The MORSE Corp settlement, announced in 2025, made this concrete. MORSE had submitted a self-assessed SPRS score of 104 (near the perfect score of 110). When its actual posture was reviewed, the real score was negative 142. The company settled with the DOJ for $4.6 million, and the whistleblower, a third-party consultant who saw the discrepancy, collected $851,000.

Health Net Federal Services settled for $11.25 million in 2025 for similar misrepresentations. Raytheon settled for $8.4 million. Aerojet Rocketdyne settled for $9 million back in 2022. The pattern is now well-established: the gap between what you claimed and what an assessor finds is the gap that gets you sued.

Red flag: The False Claims Act definition of “knowing” includes reckless disregard for the truth. You don’t need to have intended to mislead the government — submitting an SPRS score while being “recklessly indifferent” to its accuracy is enough. “I trusted the team” is not a legal defense. The senior official who signed the annual affirmation is personally exposed.

What most contractors are actually getting wrong

Walk into ten Orange County defense subcontractors today and you’ll see roughly the same mistakes. They’re not malicious. They’re just the natural result of treating compliance as paperwork rather than as a security program.

What contractors think, what is actually true, and what it costs to get wrong:

  • Belief: “Self-assessment is enough for Level 2.” Reality: roughly 95% of CUI handlers need C3PAO certification. Cost: loss of bid eligibility after Nov 10, 2026.
  • Belief: “We scored a 95 in SPRS, we’re good.” Reality: self-scores routinely overstate real compliance by 40+ points. Cost: FCA exposure when the C3PAO finds the gap.
  • Belief: “We have policies, so the controls are implemented.” Reality: assessors test the controls, not just the documents. Cost: failed assessment and a 180-day remediation clock.
  • Belief: “Our IT company has it covered.” Reality: generic IT support is not a CMMC-experienced security program. Cost: $30K–$150K to redo it under audit pressure.
  • Belief: “We’ll book a C3PAO closer to the deadline.” Reality: C3PAO lead times are already 3–6 months and growing. Cost: missing your contract window entirely.
  • Belief: “Subcontractors don’t need it.” Reality: primes are dropping subs without verified scores. Cost: lost prime relationships, lost revenue.
  • Belief: “POA&Ms cover any gaps.” Reality: the score must reach 88 or better, only 1-point items are eligible, and 6 controls are excluded entirely. Cost: a conditional certificate that expires at 180 days, and the full certificate lost.
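The scoring rule described earlier (start at 110, subtract the weight of every control you have not met) and the POA&M rules in the last row above are mechanical enough to put in code. The block below is an added example written for this article; it is not code from the original page, from DoD, or from SPRS. It implements the DoD Assessment Methodology arithmetic, including the two partial-credit cases that methodology defines (3.5.3 MFA and 3.13.11 FIPS-validated encryption lose 3 points instead of 5 when partially met), and then asks whether the resulting posture could even qualify for a conditional certificate. The control weights in the sample and the POA&M exclusion list are assumptions for illustration; look both up in the methodology's Annex and 32 CFR 170.21 before relying on them.

```python
"""SPRS self-score arithmetic and CMMC Level 2 POA&M eligibility check.

Added example for this article, not code from the original page or from DoD.
Scoring follows the NIST SP 800-171 DoD Assessment Methodology as the article
describes it: start at 110 and subtract each unmet control's weight (1, 3 or 5).
With the real weight table the floor works out to -203. The POA&M rules follow
the article: score of at least 88, only 1-point gaps, some controls excluded.
ASSUMPTIONS: the exclusion set and the sample weights below are illustrative;
verify them against 32 CFR 170.21 and the methodology's Annex.
"""
from dataclasses import dataclass, replace
from typing import Iterable

MAX_SCORE = 110
POAM_THRESHOLD = 88          # 0.8 x 110, the "88+" the article cites

# The only two controls the methodology lets you score partially (5 -> 3).
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}

# ASSUMPTION: controls that may never be carried on a POA&M.
POAM_EXCLUDED = {"3.1.20", "3.1.22", "3.10.3", "3.10.4", "3.10.5"}


@dataclass(frozen=True)
class Control:
    ident: str    # NIST SP 800-171 requirement number, e.g. "3.5.3"
    weight: int   # 1, 3 or 5 from the methodology's Annex
    status: str   # "implemented" | "partial" | "not_implemented"


def deduction(c: Control) -> int:
    """Points subtracted from 110 for one control."""
    if c.status == "implemented":
        return 0
    if c.status == "not_implemented":
        return c.weight
    if c.status == "partial":
        # Only 3.5.3 and 3.13.11 earn partial credit. Every other control is
        # all-or-nothing, so "partially configured" costs the full weight.
        return PARTIAL_CREDIT.get(c.ident, c.weight)
    raise ValueError(f"unknown status {c.status!r} for {c.ident}")


def sprs_score(controls: Iterable[Control]) -> int:
    return MAX_SCORE - sum(deduction(c) for c in controls)


def poam_eligibility(controls: Iterable[Control]) -> tuple[bool, list[str]]:
    """Could this posture receive a conditional Level 2 certificate?

    Returns (eligible, reasons). Every open item must be a 1-point gap and
    must not be on the excluded set, and the score must reach the threshold.
    This check is deliberately strict: it allows no gap above 1 point at all.
    """
    controls = list(controls)
    reasons: list[str] = []
    score = sprs_score(controls)
    if score < POAM_THRESHOLD:
        reasons.append(f"score {score} is below {POAM_THRESHOLD}")
    for c in controls:
        lost = deduction(c)
        if lost == 0:
            continue
        if c.ident in POAM_EXCLUDED:
            reasons.append(f"{c.ident} may not be placed on a POA&M")
        elif lost > 1:
            reasons.append(f"{c.ident} is a {lost}-point gap; only 1-point gaps allowed")
    return (not reasons, reasons)


def apply_findings(controls: Iterable[Control], findings: dict[str, str]) -> list[Control]:
    """Re-score after an assessor overrides self-reported statuses."""
    return [replace(c, status=findings.get(c.ident, c.status)) for c in controls]


def sample_controls() -> list[Control]:
    """Constructed self-assessment excerpt; weights are illustrative placeholders."""
    return [
        Control("3.1.1", 5, "implemented"),       # account management
        Control("3.1.20", 1, "not_implemented"),  # external connections (POA&M-excluded)
        Control("3.5.3", 5, "partial"),           # MFA for users but not admins: -3
        Control("3.13.11", 5, "partial"),         # encryption in use, not FIPS-validated: -3
        Control("3.3.1", 5, "not_implemented"),   # audit logging
        Control("3.4.1", 3, "not_implemented"),   # configuration baselines
        Control("3.8.3", 1, "not_implemented"),   # media sanitization
    ]


if __name__ == "__main__":
    self_reported = sample_controls()
    print("self-reported SPRS score:", sprs_score(self_reported))
    ok, why = poam_eligibility(self_reported)
    print("POA&M eligible:", ok, *why, sep="\n  ")
    # An assessor finds 3.1.1 was "implemented" on paper only.
    assessed = apply_findings(self_reported, {"3.1.1": "not_implemented"})
    print("assessed SPRS score:", sprs_score(assessed))
```

Two things the arithmetic makes obvious. A score in the 90s can still be ineligible for a conditional certificate, because eligibility is about which controls are open, not only how many points you kept. And a single 5-point control that an assessor downgrades from "implemented" to "not implemented" moves the score as much as five 1-point findings, which is how self-reported scores end up tens of points above assessed ones.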

The scoping problem nobody talks about

Before the controls, before the policies, before the assessment — there’s scoping. And this is where most CMMC programs die quietly before they ever get to an audit.

“Scoping” means: which systems, networks, people, and physical locations actually touch CUI? If your finance team puts a contract PDF onto the shared drive that everyone has access to, your scope just expanded to include every employee laptop, your file server, your backup system, and possibly your cloud-based document management. If a salesperson emails an engineering drawing to a customer from their personal Gmail, you’ve created a documentation problem the C3PAO will absolutely find.

Most contractors define their CMMC scope optimistically — “the engineering server and that’s it” — and then fail the assessment because the real flow of CUI through their business is wider, messier, and less documented than they thought. Honest, defensible scoping is the foundation. Get this wrong and everything else is built on sand.

What “audit-ready” actually looks like

A C3PAO showing up at your facility expects to see, in writing and demonstrably in practice:
  • a current System Security Plan (SSP) that describes how every one of the 110 controls is implemented;
  • a Plan of Action & Milestones (POA&M) for any control not fully implemented;
  • dated, traceable evidence for every implemented control (screenshots, logs, configuration files, training records);
  • a documented incident response plan with evidence of actual exercises;
  • multi-factor authentication enforced on every account that touches CUI, with no exceptions;
  • encrypted backups tested against ransomware scenarios;
  • audit logs retained, reviewed, and correlated, not just generated and forgotten.

The assessor will pick controls and ask you to demonstrate them. “Show me where you enforce password complexity. Show me the last quarterly access review for the engineering share. Show me the training records for the three people who handle CUI most often. Show me what happened the last time you detected a phishing email.” If the answer involves a lot of looking around, you’re going to have a long week.

This is why a real CMMC compliance program for Orange County defense contractors looks nothing like “we bought antivirus and wrote a policy.” It looks like an ongoing security operation with documentation as a byproduct of how the business actually runs.

Key takeaway: C3PAO lead times are already running 3–6 months and growing, and most contractors need 6–12 months to actually implement the 110 controls. Do the math: a contractor that has not started by Q1 2026 is unlikely to make the November 10, 2026 deadline for new CUI contracts, full stop. The C3PAO backlog is going to get worse before it gets better.

The new “two-dataset” problem

Here’s the structural shift that’s catching contractors off-guard. Until now, the government only had one cybersecurity dataset on you: what you self-reported in SPRS. After November 10, 2025 — and especially as C3PAO audits scale up through 2026–2028 — the government will have two datasets: your historical self-scores, and independently validated C3PAO results.

The DOJ’s Civil Cyber-Fraud Initiative exists to pursue exactly this kind of misrepresentation, and a discrepancy between the two datasets is the most obvious investigation trigger there is. If you submitted a 95 in SPRS for three years and the C3PAO comes back at 40, that gap doesn’t just mean a failed audit. It means the DOJ has a measurable, documented allegation that you misrepresented your security posture across multiple contract awards.

And FCA penalties are not theoretical. They include treble damages (three times the government’s damages, not merely the amount of the overstatement), per-claim civil penalties that are inflation-adjusted annually and currently sit above $13,000 at the low end and $27,000 at the high end for each false claim, and whistleblower provisions that pay the person who files 15–30% of the recovery. The MORSE whistleblower collected $851,000. Defense contractors are not immune to that math, and neither are their employees.

What Orange County contractors should actually do, in order

If you’re a defense subcontractor, prime, or supplier anywhere in Orange County — Anaheim, Irvine, Fullerton, Santa Ana — and you handle CUI under DFARS 252.204-7012, the realistic playbook for the next twelve months looks like this:

  • Scope first. Document every system, person, and process that touches CUI. Then question that documentation. The honest scope is almost always bigger than the first draft.
  • Get a real gap assessment. Not from the consultant trying to sell you their tool stack — from someone whose answer to “what’s our score” is allowed to be embarrassing. A defensible low score is infinitely better than a fictional high one.
  • Fix your SPRS submission if it’s wrong. Correcting an overstated score is uncomfortable. It is dramatically less uncomfortable than a qui tam suit.
  • Build a real remediation plan with dates. The 110 controls can’t be implemented in a quarter. Most contractors need 6–12 months of focused work, especially around logging, access control, and incident response.
  • Book your C3PAO early. Lead times are already 3–6 months and growing, so schedule the assessment well before the date you need the certificate in hand. The backlog is real.
  • Make sure your IT provider can actually do this work. A help desk and a firewall is not a CMMC program. You need a partner who has done this before, has documented evidence of doing it before, and understands what an assessor will look for.

The contractors who treat CMMC as a real security program — not paperwork to satisfy a clause — will be the ones still winning bids in 2027. The ones who keep treating it as a checkbox will discover that the checkbox is now load-bearing, and that the floor underneath it is gone.

Find out where your CMMC posture actually stands — before a C3PAO does.

Intelecis has been helping Orange County defense contractors close the gap between SPRS scores and audit reality since well before CMMC 2.0. NSA-Accredited, with documented experience across NIST 800-171 and DFARS 252.204-7012. Book a free CMMC readiness assessment and we’ll show you, in writing, exactly where you stand.

Get Your Free CMMC Assessment →

📞 949-266-2088 · Fullerton, CA · NSA-Accredited · Serving OC since 2010

Related reading:
CMMC Compliance Services for OC Defense Contractors
Cybersecurity Services for Orange County Businesses
What Happens to Your DoD Contract If You Fail CMMC
Managed IT Services in Orange County
Schedule Your CMMC Readiness Assessment