Defense Contractor Settles Cybersecurity Fraud Allegations with $4.6 Million Payment

Key Takeaways
  • Settlement Amount: MORSE Corp will pay $4.6 million to resolve allegations of cybersecurity fraud related to its contracts with the U.S. Army and Air Force.
  • Cybersecurity Failures: The company failed to comply with critical cybersecurity requirements, including NIST and FedRAMP standards, leaving sensitive defense data vulnerable.
  • False Claims: MORSE Corp submitted false payment claims to the government, knowing it had not met the contractual cybersecurity obligations.
  • Third-Party Risk: The company outsourced email hosting to a third-party provider that did not meet security requirements, contributing to the breach.
  • Whistleblower Involvement: The settlement follows a whistleblower lawsuit, with the whistleblower set to receive an $851,000 reward from the settlement amount.
Deep Dive

MORSE Corp, a defense contractor based in Cambridge, Massachusetts, has agreed to pay $4.6 million to settle allegations related to cybersecurity failures in its contracts with the U.S. Army and Air Force. The settlement comes after claims that the company submitted false payment requests despite knowing it had not met the necessary cybersecurity standards required by these contracts.

Between 2018 and 2023, MORSE Corp fell short in securing sensitive defense data, putting both taxpayer dollars and national security at risk. The case highlights the ongoing challenges in ensuring that federal contractors uphold their cybersecurity obligations, especially when it comes to protecting highly sensitive government information.

Between 2018 and 2022, MORSE Corp made a key decision to outsource email hosting to a third-party company. The issue? The third-party provider wasn’t held to the same cybersecurity standards mandated by the government. The company failed to ensure that the provider met Federal Risk and Authorization Management Program (FedRAMP) security requirements, as well as the Department of Defense's stringent cyber incident reporting standards.

But the cybersecurity issues didn’t stop there. MORSE Corp was also obligated to implement security controls under the National Institute of Standards and Technology’s (NIST) Special Publication 800-171. These are vital safeguards meant to protect defense-related information from hackers. However, the company didn’t follow through on these measures, leaving sensitive data vulnerable to potential attacks.

In addition to failing to implement these crucial security controls, MORSE Corp lacked a written system security plan for its covered information systems from January 2018 to January 2021, another contract violation. This plan would have detailed how its systems were protected and how they interacted with other systems, something that was missing during that time.

The situation worsened in 2021, when MORSE Corp submitted a cybersecurity score of 104 to the Department of Defense, a score that appeared nearly perfect. However, a third-party cybersecurity consultant found that the company’s actual score was a shocking -142. Despite this, MORSE Corp did not update the DoD system until June 2023, long after a government subpoena was issued demanding more transparency about the company's cybersecurity practices.

What Officials Are Saying

U.S. Attorney Leah B. Foley from the District of Massachusetts stressed the importance of contractors meeting their obligations. “Federal contractors must follow through on their responsibility to protect sensitive information from cyber threats. We will continue to hold them accountable to make sure that the government and taxpayers get what they paid for,” she said.

Keith K. Kelly, Special Agent in Charge of the Army Criminal Investigation Division, pointed to the broader impact on national defense.

“The Army’s operational readiness depends on secure information systems, and we’re committed to holding companies accountable who don’t meet their obligations,” he explained.

William W. Richards, Special Agent in Charge of the Air Force Office of Special Investigations (AFOSI), echoed those concerns, emphasizing the high stakes of cybersecurity failures: “Leaving sensitive data vulnerable to cyber threats can have devastating consequences, and we will continue to combat fraud and ensure data is properly safeguarded.”

Patrick J. Hegarty, Special Agent in Charge of the Defense Criminal Investigative Service (DCIS), also weighed in, highlighting the risk posed to national security programs. “Failing to comply with DoD specifications puts critical information and programs at risk,” he said.

The Role of the Whistleblower

The settlement follows a lawsuit filed under the False Claims Act by a whistleblower, who alerted authorities to the company’s failure to meet cybersecurity standards. As a result of the settlement, the whistleblower will receive a reward of $851,000 from the total recovery.

MORSE Corp’s settlement is a strong reminder of how serious cybersecurity compliance is in the world of defense contracting. The penalties are steep, and the consequences of non-compliance can go beyond financial losses, affecting national security, contractor reputation, and trust with government partners. As the government continues to enforce stringent cybersecurity standards, this settlement serves as a cautionary tale for any contractor working with sensitive defense information.
