The Department of Justice (DOJ) recently reached a $4.6 million civil False Claims Act (FCA) settlement with MORSECORP, Inc. (MORSE) arising out of allegations that the company failed to comply with Department of Defense (DOD) cybersecurity requirements included in its government contracts. The Government had argued that MORSE violated the FCA by submitting claims for payment under its contracts despite knowing that the company was not in compliance with its cybersecurity obligations.
The DOJ’s settlement with MORSE is the latest in a series of enforcement actions under the DOJ’s Civil Cyber-Fraud Initiative. Since October 2021, DOJ has been focused on cybersecurity-related enforcement through the FCA, with some investigations and settlements targeting DOD contractors. Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7008 and 252.204-7012 require DOD contractors/subcontractors to maintain adequate security on all covered contractor information systems, which at a minimum includes implementing the standards specified in NIST SP 800-171. These clauses also require contractors to make sure third-party data storage providers (e.g., cloud services) meet Federal Risk and Authorization Management Program (FedRAMP) and DFARS 252.204-7012(c)-(g) cybersecurity requirements. Contractors/subcontractors must also post summary-level scores of current NIST SP 800-171 DOD assessments to the Supplier Performance Risk System (SPRS), which has a score range of -203 to 110.
Here, MORSE notably made several admissions as part of the settlement. MORSE admitted that it used a third-party company to host its emails without requiring or ensuring that the company met FedRAMP and DFARS 252.204-7012(c)-(g) cybersecurity requirements. Additionally, MORSE did not fully implement the NIST SP 800-171 cybersecurity controls. MORSE also lacked a consolidated written plan for each of its covered systems related to cybersecurity infrastructure. Finally, MORSE submitted a score of 104 to SPRS. A third-party cybersecurity consultant later assigned it a much lower score of -142, which MORSE failed to update in SPRS for almost a year. MORSE finally updated its score three months after it learned that DOJ was investigating MORSE’s cybersecurity practices.
DOJ’s attention to protecting sensitive government information as well as personal data privacy under federal contracts will continue as cyber-attacks increase in frequency and sophistication. The settlement shows that DOD contractors should remain vigilant in ensuring that they comply with the cybersecurity requirements in their contracts, including confirming compliance by third-party vendors used in supporting their work.