BLUF: unless there was gross negligence that they can prove (meh, just put any score in there), a 98 can be explained very easily.<p>To give a bit of context, the score they are talking about (98) is an entry in DISA's Supplier Performance Risk System (SPRS) [0].<p>The score is almost certainly based on a self-assessment using NIST SP 800-171 Rev. 2 (and 800-171A). This is a document that looks at 110 cybersecurity controls across 16 families. It comes out to about 300 or so explicit items that need to be looked at.<p>The score ranges from -203 (that is a minus) to 110. The scoring starts at 110, then deductions of 1, 3, or 5 points are made when a specific control assessment fails.<p>This is only for the confidentiality of Controlled Unclassified Information (CUI) [1].<p>Because of this special carve-out for just CUI, determining what is and is not in scope is hard. I have heard of audits where the auditor (DCMA DIBCAC) stated "everything is in scope", and of others where the auditor stated "only that which is directly generated by the Government".<p>On top of this, there is a feud amongst agencies over who does what, where, and how, when it comes to cybersecurity.<p>[0] <a href="https://www.sprs.csd.disa.mil/" rel="nofollow">https://www.sprs.csd.disa.mil/</a><p>[1] <a href="https://www.archives.gov/cui/about" rel="nofollow">https://www.archives.gov/cui/about</a>