Defense Contractor Pays $4.5M for Failing to Meet Cybersecurity Standards

MORSE Corp, a prominent contractor for the U.S. Department of Defense (DoD), has agreed to pay $4.5 million to settle allegations of failing to meet required cybersecurity standards on military contracts. The settlement, announced last week, comes after the company was found to have violated the False Claims Act by falsely claiming compliance with stringent security protocols tied to its contracts with the U.S. Army and U.S. Air Force.

Between January 2018 and February 2023, MORSE failed to fully implement the security controls mandated by the government, specifically the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 guidelines. These lapses left its network vulnerable to cyber threats, potentially exposing sensitive defense information to exploitation. The U.S. Justice Department highlighted that the company’s negligence could have jeopardized critical military data, increasing the risk of malicious cyberattacks.

The case uncovered several significant shortcomings in MORSE’s cybersecurity practices. Notably, from 2018 to 2022, the company used an external email hosting provider without ensuring compliance with DoD security requirements. Additionally, an internal cybersecurity assessment submitted by MORSE in early 2021 falsely reported a near-perfect security score of 104 out of 110, when a subsequent third-party audit revealed an actual score of -142. This discrepancy went uncorrected until June 2023, after a federal investigation was launched.

Furthermore, MORSE did not have a comprehensive cybersecurity plan for its systems until 2021, and its email network did not comply with basic requirements for incident reporting and software protection, further exposing vulnerabilities in its operations.

The settlement underscores the increasing federal focus on ensuring compliance with cybersecurity standards in defense contracts. The rise of cyber threats targeting military systems has heightened the need for robust safeguards across contractor networks. As part of the agreement, MORSE has accepted responsibility for the violations, and the whistleblower who exposed the fraud will receive $851,000 from the settlement.

This case serves as a stark reminder of the critical need for contractors to meet cybersecurity standards in order to protect sensitive military and defense-related data.