Despite a change in administrations, the government’s vigilance and enforcement of cybersecurity requirements have not missed a beat. On March 14, 2025, MORSECORP, Inc. of Cambridge, MA resolved allegations that it had submitted false claims to the government under contracts with the Departments of the Army and the Air Force. Pursuant to a settlement with the Department of Justice, MORSECORP “admitted, acknowledged, and accepted responsibility” for failing to ensure that a third-party company that hosted MORSECORP’s emails met security requirements equivalent to the Federal Risk and Authorization Management Program (FedRAMP) moderate baseline and that this third-party complied with cybersecurity requirements under DFARS 252.204-7012(c)-(g). MORSECORP also admitted that it did not fully implement all cybersecurity controls in NIST SP 800-171, some of which, absent implementation, could have led to the exfiltration of controlled defense information. Additionally, MORSECORP did not have the required written system security plans for its covered information systems.
MORSECORP’s Compliance History
In January 2021, MORSECORP entered a summary-level assessment score of 104 into the Supplier Performance Risk System (SPRS) as to its implementation of the security controls of NIST SP 800-171. Assessment scores can range from a low of -203 to a high of 110. In May 2022, MORSECORP engaged an outside cybersecurity consultant to perform a gap analysis of the company’s cybersecurity implementation. The consultant scored MORSECORP’s system -142 and proposed dozens of plans and milestones for the company to comply with NIST SP 800-171. Despite this, MORSECORP did not update its compliance score in SPRS for nearly a year, until June 15, 2023, when the company submitted a third-party score of 57. This was three months after the DOJ had served a subpoena on the company its cybersecurity practices. Notably, there was no indication that any protected information was compromised due to the company’s deficient cybersecurity.
Admission of Responsibility
Based on the above-described conduct, the government asserted that between January 2021 and the end of February 2023, claims for payment under Army and Air Force contracts were false or fraudulent. MORSECORP ultimately agreed to pay $4.6 million to resolve the allegations brought forward by the company’s head of security and facility security officer under the qui tam provisions of the False Claims Act.
Lessons from the Enforcement
This is yet another reminder that cybersecurity remains a paramount concern to the government and that it remains committed to ensuring contractors comply with the cybersecurity obligations.
