---
title: "What’s a 280-Point Difference Between Friends?"
description: "Key quote: On October 13, 2021, LOGZONE submitted to DoD in SPRS a perfect self assessment score of 110 for its implementation of NIST SP 800-171 security controls. On February 2, 2024, the Defense..."
url: https://kaynemcgladrey.com/blog/whats-a-280-point-difference-between-friends/
date: 2026-06-23
modified: 2026-06-23
author: "Kayne"
image: https://kaynemcgladrey.com/wp-content/uploads/2026/06/Flag-of-the-US-Department-of-Justice.webp
categories: ["Blog"]
type: post
lang: en
---

# What’s a 280-Point Difference Between Friends?

![Logzone inc. executed settlement agreement 2026 06 17](https://kaynemcgladrey.com/wp-content/uploads/2026/06/logzone_inc._executed_settlement_agreement_2026-06-17_1-1024x222.webp)

**Key quote**:

> On October 13, 2021, LOGZONE submitted to DoD in SPRS a perfect self assessment score of 110 for its implementation of NIST SP 800-171 security controls. On February 2, 2024, the Defense Industrial Base Cybersecurity Assessment Center (“DIBCAC”) of the Defense Contract Management Agency (“DCMA”) completed a Medium Assessment of LOGZONE’s implementation of NIST SP 800-171 security controls, which resulted in LOGZONE receiving a score of -170, at the low end of the possible score range.

**Why it matters**:

The recent [LOGZONE settlement](https://www.justice.gov/opa/media/1446716/dl) shows us why we can’t have nice things in the Defense Industrial Base. They posted a perfect SPRS score of 110. Three years later, when DIBCAC showed up for a [medium confidence audit](https://www.acquisition.gov/dfars/252.204-7020-nist-sp-800-171dod-assessment-requirements.), they docked 280 points off that initial self-assessment. Although we’ve dealt with comically inaccurate self-assessments for years, like Brian Markus’ fiasco when Aerojet Rocketdyne was [less than 30% compliant under 800-171](https://storage.courtlistener.com/recap/gov.uscourts.caed.287464/gov.uscourts.caed.287464.237.0.pdf), this might be a prelude to a more assertive enforcement strategy as part of the [Task Force to Eliminate Fraud](https://www.congress.gov/crs_external_products/IF/PDF/IF13229/IF13229.1.pdf). And [LOGZONE](https://www.logzoneinc.com/about-us/) is a veteran-owned small business, so it looks like company size continues to be irrelevant under the False Claims Act.

Between May 5, 2021, and March 8, 2025, LOGZONE billed the Navy $682,193.37 for logistics work while allegedly operating on systems that hadn’t passed basic compliance checks. And the government’s not having it, demanding $507,144 in civil penalties, split almost exactly in half between restitution and what amounts to a fine for lying about security posture. That $253,572 restitution payment represents the government taking back money earned for three years under false pretenses. The rest serves as a penalty for submitting invoices despite knowing DFARS clause 252.204-7012 wasn’t being met.

The DOJ explicitly tied this case to the new Task Force to Eliminate Fraud and the National Fraud Enforcement Division, signaling a shift from passive audits to active litigation. Vice Admiral Stephen Tedford [backed the move](https://www.justice.gov/opa/pr/alabama-defense-contractor-agrees-pay-507144-resolve-false-claims-act-liability-relating) by stating these provisions are critical for national security. When the agency responsible for doing the assessments teams up with the Fraud Section to sue government contractors, the era of “hope-based” cybersecurity is over. And this is likely going to accelerate with CMMC, so if you’re working with CUI, plan for being audited at a future date.

The DOJ didn’t go easy because of the company’s size, either. LOGZONE isn’t a sprawling defense contractor. They’re a Huntsville-based provider serving the Naval Oceanographic Command Property Management Program at Stennis Space Center. Controls for smaller contractors tend to be disproportionately expensive, and when margins are thin, contractors might choose to accept the risks of a future enforcement action in favor of revenue.

This settlement might cause contractors to reconsider how they’re thinking about that risk. It leaves both criminal liability and debarment rights wide open in [Paragraph 3](https://www.justice.gov/opa/media/1446716/dl), meaning that the government can exclude LOGZONE from future contracts. Paying the half-million gets them off the hook for the civil FCA claims, but it doesn’t buy a free pass if the feds decide to dig deeper into fraud or breach of contract, and it might depress LOGZONE’s future revenues. After all, there probably aren’t many contracting officers who will look at this and say, “well, I’m sure that’s a one-off, here’s another nine-figure contract!”

As usual, checkbox compliance isn’t security, and if you’re working with the Federal government and you claim you’re compliant, you’d better actually be compliant before you send an invoice. If the DIBCAC finds a -170 score later, those invoices aren’t just void; they’re evidence of fraud. Expect more like this in the future.
