A Massachusetts-based defense contractor, MORSECORP Inc. (MORSE), has agreed to pay $4.6 million to settle allegations that it failed to comply with cybersecurity requirements while working on contracts for the U.S. Army and Air Force.
The case, centered on violations of the False Claims Act, highlights growing concerns about data security in federal contracts.
What Went Wrong? A Breakdown of the Allegations
Between January 2018 and September 2022, MORSE allegedly failed to uphold crucial cybersecurity measures outlined in its government contracts.
The company admitted to several critical lapses, including:
- Using a third-party email host that did not meet federal cybersecurity standards.
- Failing to fully implement required security controls under the National Institute of Standards and Technology (NIST) guidelines.
- Not having a comprehensive system security plan for covered information systems.
- Submitting an inaccurate cybersecurity compliance score to the Department of Defense (DoD) in 2021.
A third-party cybersecurity consultant later discovered that MORSE’s actual compliance score was significantly lower than what it had reported.
The company did not correct this discrepancy until three months after receiving a government subpoena regarding its cybersecurity practices.
Government Response: Holding Contractors Accountable
Government officials made it clear that cybersecurity failures will not be tolerated where sensitive defense information is at stake.
U.S. Attorney Leah B. Foley for the District of Massachusetts emphasized the importance of contractor compliance:
“Federal contractors must fulfill their obligations to protect sensitive government information from cyber threats.”
Special agents from the Army Criminal Investigation Division, the Air Force Office of Special Investigations, and the Defense Criminal Investigative Service (DCIS) also underscored the risks posed by cybersecurity failures.
They reiterated that failing to meet these standards puts critical defense data at risk and could have serious national security consequences.
Whistleblower Plays a Key Role in Exposing Violations
The case was brought forward under the False Claims Act’s whistleblower provisions, which allow private citizens to report fraudulent activity on behalf of the government.
In this instance, the whistleblower, identified as Berich, will receive $851,000 from the settlement for their role in uncovering the violations.
A Coordinated Effort to Enforce Cybersecurity Compliance
This settlement was the result of extensive collaboration between various government entities, including the U.S. Attorney’s Office, the DoD’s investigative units, and the Department of Justice.
The case was handled by Brian LaMacchia, Chief of the Affirmative Civil Enforcement Unit, along with Assistant U.S. Attorney Julien Mundele and DOJ Senior Trial Counsel Christopher Terranova.
The Bigger Picture: Cybersecurity in Government Contracts
This case serves as a stark reminder of the importance of cybersecurity in federal contracts.
With growing cyber threats targeting government systems, strict compliance with security protocols is more critical than ever.
The government has made it clear that companies failing to meet these obligations will be held accountable.
As cybersecurity regulations continue to evolve, contractors working with government agencies must stay vigilant, ensuring they meet all necessary security measures—or risk facing serious financial and legal consequences.