Alphabet Soup: SAM, SPRS, CAGE Codes and More

Corporate vs. Cyber Boundaries: Why Your CAGE Codes Might Not Be Covered

In the world of Department of Defense (DoD) contracting, you often hear about SAM.gov, SPRS, and CAGE codes. While these systems are linked, a critical disconnect exists that can derail your compliance and audit certification: Your company’s legal boundaries do not automatically match your cybersecurity boundaries.

The Corporate Truth: SAM.gov

The System for Award Management (SAM.gov) is all about the money and the paperwork. Its primary goal is to tell the DoD who they are doing business with and who to pay.

  • What it tracks: Legal entities, ownership structures, physical addresses, and financial routing.
  • The Hierarchy: SAM.gov links all your CAGE codes (Commercial and Government Entity) based on ownership, creating a corporate family tree that includes your Highest Level Owner (HLO), Immediate Owners, and various subsidiaries or facilities.

The Security Checkpoint: SPRS

The Supplier Performance Risk System (SPRS) is the DoD’s central repository for contractor security assessments. SPRS pulls its foundational corporate data, including your CAGE code structure, directly from SAM.gov.

  • The Overlap: When you log into SPRS, the CAGE codes and corporate structure you see are dictated by your SAM.gov registration.
  • The Critical Difference: While SPRS knows your legal structure, it does not assume your cybersecurity setup is the same. This is where the System Security Plan (SSP) comes in.

The Ultimate Decider: Your System Security Plan (SSP)

Your SSP is the foundational document for any audit or certification (like CMMC). It is the ultimate truth regarding what systems and, more importantly, which CAGE codes are covered by your security efforts.

  • The Disconnect: You might have five CAGE codes under one corporate umbrella in SAM.gov, but if your SSP only details the IT systems used by two of those codes, your self-assessment score uploaded to SPRS and any resulting DIBCAC or CMMC certification will only apply to those two CAGE codes.
  • Compliance Action: If two separate CAGE codes use the exact same IT infrastructure, you can use the same SSP for both. When you upload your self-assessment to SPRS, you must ensure the identical SSP name, date, and score are entered for each CAGE code, even if it means logging in and entering the same data multiple times.

The Key Takeaway: The legal links in SAM.gov are necessary but not sufficient for compliance. Your cyber boundary, as defined in your SSP, is the only one that determines which of your CAGE codes are truly certified and compliant.

Questions on DFARS, CMMC certification, SPRS, or CAGE Code management? We bring years of executive-level cybersecurity leadership in both government and commercial environments to companies looking to strengthen their posture, improve resilience, and grow with confidence. Our fractional CISO and other services can help untangle the alphabet soup of government and regulatory compliance.

The Legal Reality of DFARS and Implicit Certification

Disclaimer: We are not attorneys, and this is not legal advice.

There is a dangerous misconception that because you have not explicitly issued a statement of compliance, you are not legally bound to the NIST SP 800-171 standards required by DFARS 252.204-7012. In federal contracting, signing the contract is the certification.

  • The “Implicit Certification” Doctrine: When a company accepts a DoD contract or subcontract containing DFARS 252.204-7012, it is legally agreeing to implement the 110 security controls in NIST SP 800-171. Submitting an invoice to the government (or a prime contractor) while knowingly failing to meet these material contract requirements is considered “implicit certification.” Under the False Claims Act (31 U.S.C. §§ 3729-3733), this is categorized as fraud.
  • The DOJ Civil Cyber-Fraud Initiative: Launched in October 2021, the Department of Justice is actively using the False Claims Act to pursue defense contractors who fail to follow cybersecurity standards. The Department of Justice (DOJ) does not require an actual data breach to prosecute; the failure to implement required controls is enough.
  • Recent Enforcement Precedents: The DOJ is extracting massive settlements from contractors that took exactly this stance.
      • Raytheon & Successor (2024): Paid $8.4 million to resolve allegations of failing to implement NIST SP 800-171 controls required by DFARS 7012.
      • Pennsylvania State University (Oct. 2024): Paid $1.25 million for failing to adhere to cybersecurity requirements in DoD contracts.
      • Georgia Tech Research Corp. (Sept. 2025): Settled for $875,000 specifically for failing to implement anti-virus tools and a System Security Plan (SSP) as required by DFARS 7012.
  • The Whistleblower Threat: The FCA allows private citizens (qui tam relators)—including current or former IT and compliance staff—to file lawsuits on behalf of the government. Whistleblowers are entitled to up to 30% of the recovered damages, creating a massive financial incentive for employees to report leadership for ignoring DFARS 7012.

The Business Reality of Waiting for CMMC

The strategy of waiting until the CMMC clause (DFARS 252.204-7021) is physically present in an RFP or contract is functionally a decision to not be eligible for defense contracts.

  • CMMC is Already Here: The final 48 CFR CMMC rule was published in the Federal Register on September 10, 2025, and went into effect on November 10, 2025. We are currently in Phase 1 of the DoD’s rollout. Contracting officers are already mandated to insert CMMC requirements as a condition of award in new contracts. Waiting for it to appear in your specific solicitations means you are already behind the regulatory curve. Phase 2 of the CMMC rollout, starting on November 10, 2026, officially introduces the requirement for defense contractors to pass a formal, third-party certification assessment (conducted by a C3PAO) to prove their Level 2 cybersecurity compliance as a condition of winning applicable DoD contracts.
  • The Implementation Math: Achieving CMMC Level 2 compliance is an organizational overhaul that takes an average of 12 to 18 months to complete (implementing technology, writing policies, training staff, and generating evidentiary artifacts). Standard DoD RFPs provide a 30- to 60-day response window. If you wait for an RFP to drop, you will be mathematically unable to meet the requirements in time and will be immediately disqualified from bidding.
  • Prime Contractor Supply Chain Scrubbing: Don’t rely on the DoD’s phased rollout to buy time. Prime contractors are fully liable for the compliance of their supply chain. Because a prime’s multi-million dollar certification relies on their subcontractors’ compliance, they are actively dropping non-compliant vendors today.

The Bottom Line: The era of “check-the-box” compliance is dead. Between the DOJ’s Civil Cyber-Fraud Initiative and the ticking clock of CMMC Phase 2, the window for catching up is closing. If you are waiting for a formal request to secure your environment, you aren’t just risking a fine; you are voluntarily exiting the defense industrial base. Compliance is a requirement from the moment you signed your contract. The only question left is whether you will lead the transition or be left behind in the supply chain scrub.

Moving Forward: Navigating the shift from DFARS 252.204-7012 to CMMC Level 2 is an operational marathon, not a sprint. Protect your revenue, your reputation, and your eligibility for future awards – don’t let an “implicit certification” become an explicit legal liability.

Questions on compliance or supply chain risk management? We bring years of executive-level cybersecurity leadership in both government and commercial environments to companies looking to strengthen their posture, improve resilience, and grow with confidence. Our fractional CISO and other services help organizations get the guidance they need without the overhead of a full-time hire.