Morse Corp Inc., a defense contractor based in Massachusetts, has recently settled allegations of cybersecurity fraud under the False Claims Act by agreeing to pay $4.6 million. This settlement comes after the U.S. Department of Justice uncovered that the company had misrepresented its compliance with federal cybersecurity standards while working on contracts with the Departments of the Army and Air Force.
The case against Morse Corp began in January 2023 when Kevin Berich, a whistleblower, filed a qui tam lawsuit under the False Claims Act. The DOJ later joined the case in March 2023, accusing the company of violating Defense Federal Acquisition Regulation Supplement (DFARS) clauses that require contractors to adhere to cybersecurity standards outlined in the National Institute of Standards and Technology (NIST) Special Publication 800-171.
During the DOJ’s investigation, it was revealed that from January 2018 to September 2022, Morse Corp had used a third-party service to host its emails without ensuring compliance with the FedRAMP Moderate baseline, a crucial cybersecurity requirement for handling covered defense information. Additionally, the company failed to implement the necessary cybersecurity controls outlined in NIST SP 800-171, leaving controlled unclassified information vulnerable to unauthorized access.
The settlement agreement detailed that Morse Corp had submitted a misleading cybersecurity assessment score of 104 to the Department of Defense’s Supplier Performance Risk System (SPRS) in January 2021. However, an independent evaluation conducted in July 2022 showed a significantly lower score of -142, indicating that only 22% of the required controls had been implemented. Despite this discrepancy, Morse Corp failed to update its score until June 2023. The defense contractor also lacked a consolidated cybersecurity plan, exposing sensitive defense data to potential exploitation and unauthorized access, thus breaching its contractual obligations.
As part of the settlement, Morse Corp will pay $4.6 million, with $2.3 million allocated for restitution. The whistleblower, Kevin Berich, will receive 18.5% of the total settlement amount for bringing the case to light. The agreement also mandates Morse Corp to cover $198,616 in legal fees for Berich’s attorneys.
Special Agent William Richards of the Air Force Office of Special Investigations (AFOSI) emphasized the importance of implementing cybersecurity requirements to safeguard sensitive Department of Defense data from cyber threats and malicious actors. He reiterated the commitment to combat fraud affecting the Department of the Air Force and hold accountable those who fail to properly secure defense information.
This settlement serves as a cautionary tale for defense contractors regarding the repercussions of misrepresenting cybersecurity compliance. The DOJ stressed that cybersecurity standards are not merely procedural formalities but essential components of national security. Experts believe that this case could lead to stricter enforcement of cybersecurity regulations and increased scrutiny of defense contractors. The outcome may also encourage more whistleblowers to report non-compliance, given the significant financial incentives available under the False Claims Act.
In conclusion, the Morse Corp cybersecurity fraud settlement highlights the critical importance of adhering to cybersecurity standards in government contracts and underscores the potential consequences for companies that fail to meet these requirements. By holding accountable those who breach cybersecurity regulations, the DOJ aims to uphold the integrity and security of sensitive government information.