A U.S. defence contractor, MORSE Corp, has agreed to pay $4.6 million to settle allegations that it failed to meet the cybersecurity requirements of its military contracts and knowingly submitted false claims for payment.
Based in Massachusetts, MORSE Corp specializes in developing guidance and navigation technology for military vehicles. The company's cybersecurity shortcomings were brought to light through a whistleblower lawsuit filed by its former head of security under the False Claims Act.
Federal prosecutors outlined several cybersecurity failures by MORSE, including:
- Cloud Security Missteps: Since 2018, MORSE used a third-party email hosting provider without ensuring that the vendor met the Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline, as its contracts required. The contractor also failed to confirm that the email provider adhered to Pentagon rules for incident reporting, malware handling, forensic access, and media preservation.
- Non-Compliance with NIST Standards: MORSE neglected to fully implement all required National Institute of Standards and Technology (NIST) cybersecurity controls, including measures critical to preventing network exploitation or the exfiltration of controlled defence information.
- Inaccurate Compliance Reporting: In January 2021, MORSE reported a compliance score of 104 out of 110 for its implementation of NIST Special Publication 800-171 security controls. However, a third-party cybersecurity consultant later assessed the company's score at -142, indicating significant non-compliance (under the DoD assessment methodology, each unimplemented control subtracts weighted points from the maximum of 110, so a score can fall well below zero).
As part of the settlement, MORSE will pay $4.6 million but does not admit liability. The resolution underscores the government’s commitment to enforcing cybersecurity standards among defence contractors to protect sensitive military information.
This case highlights the critical importance of stringent cybersecurity practices and accurate compliance reporting within the defence industry. It serves as a cautionary tale for contractors about the potential legal and financial repercussions of failing to adhere to mandated cybersecurity protocols.