MORSE Corp, a defense contractor based in Cambridge, Massachusetts, has agreed to pay $4.6 million to settle allegations of non-compliance with cybersecurity requirements in its contracts with the U.S. Army and Air Force. The U.S. Department of Justice (DOJ) announced that the company violated the False Claims Act by submitting false claims for payment while failing to adhere to mandated cybersecurity standards.
Between January 2018 and September 2022, MORSE utilized a third-party email hosting service without ensuring it met the Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline security requirements. This oversight left sensitive government information vulnerable to cyber threats. Additionally, from January 2018 to February 2023, MORSE did not fully implement all required cybersecurity controls outlined in the National Institute of Standards and Technology (NIST) Special Publication 800-171. These controls are essential for protecting controlled defense information from potential exploitation or exfiltration.
Furthermore, from January 2018 to January 2021, MORSE lacked a consolidated written system security plan detailing system boundaries, operational environments, and the implementation of security requirements. In January 2021, the company reported a compliance score of 104 to the Department of Defense (DoD). However, a third-party assessment in July 2022 revealed an actual score of -142, indicating significant non-compliance. MORSE did not update this score in the DoD reporting system until June 2023, after being served with a subpoena concerning its cybersecurity practices.
The settlement underscores the DOJ’s commitment to enforcing cybersecurity standards among federal contractors. U.S. Attorney Leah B. Foley emphasized the importance of protecting sensitive government information from cyber threats and ensuring that contractors adhere to their commitments. Special Agent in Charge William W. Richards of the Air Force Office of Special Investigations highlighted the devastating consequences of failing to implement cybersecurity requirements, noting that such failures leave sensitive DoD data vulnerable to malicious actors.
This case highlights the critical importance of stringent cybersecurity practices and accurate compliance reporting within the defense industry. It serves as a cautionary example for contractors about the potential legal and financial repercussions of failing to adhere to mandated cybersecurity protocols.
