In April 2025, MORSECORP Inc. (MORSE), a defense contractor headquartered in Cambridge, Massachusetts, agreed to pay $4.6 million to resolve allegations that it violated the False Claims Act by failing to meet mandatory cybersecurity compliance requirements in its contracts with the U.S. Army and Air Force.
This case highlights the critical importance of maintaining rigorous cybersecurity standards and accurate reporting in federal contracting. As the government continues to increase oversight of cybersecurity obligations, contractors are expected not only to implement required protections but to demonstrate integrity and transparency in their compliance efforts.
Summary of Allegations
According to the settlement, MORSE submitted false claims for payment under contracts that required strict adherence to cybersecurity standards, including those outlined in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171.
Between January 2018 and September 2022, MORSE utilized a third-party vendor to host its email services but failed to ensure that the vendor met security requirements consistent with the Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline. Additionally, the company did not comply with the Department of Defense’s cyber incident reporting and response protocols.
From January 2018 through February 2023, MORSE had not fully implemented the NIST SP 800-171 security controls, including those deemed critical for protecting Controlled Unclassified Information (CUI). The company also lacked the required system security plans for several years—plans that are essential for documenting system boundaries, operational environments, and the implementation of security controls.
Perhaps most notably, in January 2021, MORSE submitted a self-assessment score of 104 to the Department of Defense—just below the maximum possible score of 110. However, a third-party consultant later assessed the score as -142, revealing a substantial misrepresentation. MORSE did not correct the record until June 2023, three months after receiving a federal subpoena regarding its cybersecurity practices.
Whistleblower Involvement
The case was initiated under the whistleblower provisions of the False Claims Act, which permit private individuals to report misconduct involving government funds. The whistleblower in this case will receive an $851,000 share of the total settlement. The lawsuit, United States ex rel. Berich v. MORSECORP Inc. et al., was filed in the U.S. District Court for the District of Massachusetts.
Key Takeaways for Federal Contractors
This settlement offers a stark reminder that cybersecurity compliance is not merely a contractual formality—it is a foundational obligation. Contractors entrusted with federal data must:
- Ensure all third-party service providers meet applicable security standards, such as those required under FedRAMP.
- Fully implement and maintain the NIST SP 800-171 security controls.
- Accurately report cybersecurity scores and promptly update records when discrepancies arise.
- Maintain up-to-date, consolidated system security plans for all covered information systems.
Non-compliance can lead not only to financial penalties but also to long-term reputational damage and exclusion from future government opportunities.
As federal scrutiny around cybersecurity continues to intensify, organizations must treat compliance as a continuous, organization-wide priority—grounded in integrity, accuracy, and proactive risk management.