
Cambridge, Massachusetts-based defense contractor MORSE Corp has agreed to pay $4.6 million to the U.S. government to resolve allegations of violating federal cybersecurity requirements. This settlement underscores the increasing scrutiny of cybersecurity practices among defense contractors, particularly those handling sensitive government data.
The Department of Justice (DOJ) announced the agreement, citing MORSE Corp’s use of a third-party provider for email hosting without ensuring compliance with National Institute of Standards and Technology (NIST) security standards. The False Claims Act, an 1863 law used in this enforcement, allows the government to pursue civil penalties for misrepresenting the quality of services provided. MORSE Corp, which holds contracts with the U.S. Army and Air Force, was founded by alumni of the Massachusetts Institute of Technology and specializes in software and hardware with a national security focus.
The DOJ stated that MORSE’s failure to implement adequate cybersecurity measures “could lead to significant exploitation of the network or exfiltration of controlled defense information.” Furthermore, the company did not maintain a written plan detailing system boundaries, operational environments, security implementation, and connections to other systems.
An assessment MORSE conducted in 2021 reported strong cybersecurity protections, with a score of 104 on a scale of -210 to 110. However, an independent auditor the following year assigned a score of -142 and found that the company was in violation of 78% of NIST standards. The company did not correct its score for nearly a year, doing so only after receiving a subpoena from investigators.
This settlement is part of a broader trend of increased enforcement of cybersecurity regulations within the defense sector, with the DOJ actively pursuing violations of the False Claims Act related to cybersecurity. Recent enforcement actions include an $11 million fine against a federal contractor supporting the military’s healthcare system in February, as well as fines against Penn State University and Georgia Institute of Technology last year for similar failings. In June 2024, the DOJ reached an $11.3 million agreement with Guidehouse Inc. and Nan McKay and Associates for inadequate cybersecurity testing of a financial aid system during the COVID-19 pandemic.