Defense Contractor MORSE to Pay $4.6M to Settle Cybersecurity Failure Allegations – Source: www.securityweek.com

Cambridge, Massachusetts-based defense contractor MORSE Corp has agreed to pay $4.6 million to settle allegations regarding its failure to comply with the government’s cybersecurity requirements.

A law firm representing a whistleblower said its client raised concerns over MORSE Corp’s cybersecurity failures in January 2023. MORSE specializes in aerospace engineering and the accusations were related to the company’s contracts with the US Army and Air Force.

The whistleblower said MORSE had not fully implemented required NIST data security controls (and inflated its assessment score), it did not have a consolidated system security plan, and was using email services that did not meet the government’s security requirements. 

The government determined that the defense contractor violated the False Claims Act and on Wednesday the Justice Department announced that a settlement has been reached, with MORSE agreeing to pay $4.6 million to resolve the allegations. 

“Federal contractors must fulfill their obligations to protect sensitive government information from cyber threats,” said US Attorney Leah B. Foley. “We will continue to hold contractors to their commitments to follow cybersecurity standards to ensure that federal agencies and taxpayers get what they paid for, and make sure that contractors who follow the rules are not at a competitive disadvantage.” 

SecurityWeek has reached out to MORSE for comment and will update this article if the company responds. 

Defense contractors are required to implement measures to ensure that sensitive information is kept safe, and all government contractors are required to disclose data breaches.

In addition, lawmakers are now hoping to pass a bill that would require federal contractors to implement vulnerability disclosure policies in order to make it easier for individuals and companies to responsibly report security holes, thus reducing the chances of malicious exploitation.  

UPDATE: MORSE provided SecurityWeek the following statement:

MORSE Corp did not engage in cybersecurity fraud; this settlement was a resolution of historic false claims act allegations. The company denies any wrongdoing and cooperated with the Department of Justice’s investigation. Through our history, we have always maintained the security of the government’s data, and significantly invested in robust systems and controls to ensure that there were no breaches of this data. MORSE Corp resolved this matter to avoid the unnecessary expense and distraction of litigation and focus on serving its customers’ needs. MORSE is compliant with all cybersecurity requirements, and has a current 3rd-party validated NIST score of 110. MORSE is currently undergoing CMMC assessment in advance of certification requirements.

Related: Penn State Settles for $1.25M Over Failure to Comply With DoD, NASA Cybersecurity Requirements

Related: Infosys to Pay $17.5 Million in Settlement Over 2023 Data Breach

Related: US Military Health Provider HNFS Pays $11M in Settlement Over Cybersecurity Failures

Related: Apple to Pay $95 Million to Settle Lawsuit Accusing Siri of Eavesdropping