Defense contractor MORSECORP Inc. has agreed to pay $4.6 million to resolve allegations of cybersecurity fraud involving false claims about its compliance with federal cybersecurity standards. The settlement, announced by the U.S. Department of Justice (DOJ), stems from a False Claims Act investigation into the company’s failure to meet required cybersecurity protocols while handling sensitive government contracts.
Background of the Case
The DOJ alleged that MORSECORP knowingly misrepresented its adherence to NIST SP 800-171 controls, a mandatory framework for protecting Controlled Unclassified Information (CUI). Investigators found that the company failed to implement adequate security measures, including multi-factor authentication (MFA) and proper encryption, despite certifying compliance. This lapse potentially exposed sensitive defense-related data to unauthorized access.
Implications for Defense Contractors
The settlement underscores the U.S. government’s increasing scrutiny of cybersecurity compliance among contractors. Recent updates to the Cybersecurity Maturity Model Certification (CMMC) program highlight stricter enforcement, with penalties ranging from fines to contract disqualification. Experts warn that similar cases may rise as federal agencies prioritize supply-chain security, particularly in sectors handling national security data.
Company Response and Remediation
MORSECORP has not admitted liability but stated it “cooperated fully” with the investigation and has since enhanced its cybersecurity posture. The company cited investments in third-party audits and employee training as part of its corrective actions. However, critics argue that proactive compliance—rather than post-breach remediation—should be the industry standard.
Broader Industry Impact
This case follows a trend of high-profile settlements, including a 2022 Boeing settlement over similar allegations. Analysts suggest contractors should prioritize continuous monitoring and independent assessments to avoid legal and reputational risks. The DOJ’s Civil Cyber-Fraud Initiative, launched in 2021, continues to target organizations that neglect cybersecurity obligations while accepting government funds.
