
Defense contractor to pay $4.6 million over third-party provider’s security weakness

A technology company based in Cambridge, Massachusetts, is the latest defense contractor to reach a settlement with the U.S. government for failing to meet federal cybersecurity requirements. 

MORSE Corp agreed to pay $4.6 million to resolve allegations that it violated the False Claims Act — an 1863 law that created civil penalties for misrepresenting the quality of services provided to the government. The company, which has contracts with the U.S. Army and Air Force, was founded by alumni from the Massachusetts Institute of Technology and specializes in software and hardware with a national security focus. 

According to the Department of Justice, the company used a third-party provider to host emails without ensuring that it met security requirements laid out by the National Institute of Standards and Technology. 

MORSE’s failure to implement cybersecurity measures “could lead to significant exploitation of the network or exfiltration of controlled defense information,” the settlement agreement said.

The company also did not produce a written plan for all of its information systems “describing system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.”

According to the settlement, MORSE conducted a required assessment of its cyber posture in 2021 that overstated its protections, giving itself a score of 104 on a range of -210 to 110. 

An auditor hired the next year by the company gave MORSE a score of -142 and found that it was failing to comply with 78% of the NIST’s standards. The company did not submit a revised score to regulators for nearly a year, until after investigators had issued it a subpoena. As part of the settlement, MORSE acknowledged its failures to meet federal cyber standards.

Cyber-related enforcement of the False Claims Act has accelerated recently. A federal contractor that supports the military’s healthcare system agreed to pay an $11 million fine in February, and last year both Penn State University and Georgia Institute of Technology were fined for failing to adhere to security standards.

In June 2024, the DOJ reached an $11.3 million agreement with the contractors Guidehouse Inc. and Nan McKay and Associates for failing to properly test the cybersecurity of a financial assistance system in New York during the COVID-19 pandemic.

James Reddick has worked as a journalist around the world, including in Lebanon and in Cambodia, where he was Deputy Managing Editor of The Phnom Penh Post. He is also a radio and podcast producer for outlets like Snap Judgment.