Morse Corp Inc., a Massachusetts-based defense contractor, has agreed to pay $4.6 million to resolve allegations of cybersecurity fraud under the False Claims Act. The U.S. Department of Justice announced the settlement, claiming that the company misrepresented its compliance with federal cybersecurity standards while working on contracts with the Departments of the Army and Air Force.
Morse Corp Allegations and Legal Proceedings
The case began in January 2023 when a whistleblower, Kevin Berich, filed a qui tam lawsuit against Morse Corp under the False Claims Act. The DOJ joined the case in March 2023, accusing the company of violating the Defense Federal Acquisition Regulation Supplement (DFARS) clauses. These regulations mandate that contractors adhere to the cybersecurity standards outlined in the National Institute of Standards and Technology (NIST) Special Publication 800-171.
The DOJ’s investigation revealed that from January 2018 to September 2022, Morse Corp used a third-party service to host its emails without ensuring compliance with the FedRAMP Moderate baseline—a critical cybersecurity requirement for handling covered defense information. The company also failed to implement the required cybersecurity controls from NIST SP 800-171, which protect controlled unclassified information from unauthorized access.
Misrepresentation of Cybersecurity Compliance
According to the settlement agreement, Morse Corp submitted a misleading score of 104 on its cybersecurity assessment to the Department of Defense’s Supplier Performance Risk System (SPRS) in January 2021. However, an independent evaluation in July 2022 revealed a significantly lower score of -142, indicating that the company had only implemented 22% of the required controls. Despite this discovery, Morse Corp failed to update its score until June 2023.
The settlement document also detailed that the defense contractor lacked a consolidated cybersecurity plan outlining system boundaries, operational environments, and connections to other networks. These oversights exposed sensitive defense data to potential exploitation and unauthorized access, violating its contractual obligations.
Also Read: US Department of Defense Contractor Targeted by Donut Ransomware
Financial Penalties and Whistleblower Award
As part of the settlement, Morse Corp will pay $4.6 million, including $2.3 million as restitution. The whistleblower, Kevin Berich, will receive 18.5% of the total settlement amount for bringing the case to light. The agreement also requires Morse Corp to cover $198,616 in legal fees for Berich’s attorneys.
“Failure to implement cybersecurity requirements can have devastating consequences, leaving sensitive DoD data vulnerable to cyber threats and malicious actors,” said Special Agent William Richards of the Air Force Office of Special Investigations (AFOSI). “(We) will continue to combat fraud affecting the Department of the Air Force and hold those accountable that fail to properly safeguard sensitive defense information.”
Implications for Defense Contractors
The settlement serves as a warning to defense contractors about the consequences of misrepresenting cybersecurity compliance. The DOJ emphasized that ensuring cybersecurity standards is not a procedural formality but a critical element of national security.
Experts suggest that the case could lead to stricter enforcement of cybersecurity regulations and increased scrutiny of defense contractors. The outcome may prompt more whistleblowers to report non-compliance, given the significant financial incentives under the False Claims Act.
