The MORSECORP settlement shows that cybersecurity lapses are now legal and financial liabilities—not just technical ones.
By Greg Rankin
ST. LOUIS, Mo.—When the U.S. Department of Justice (DoJ) announced a $4.6 million False Claims Act (FCA) settlement with defense contractor MORSECORP, Inc. (MORSE) this spring, it sent a clear message to the Defense Industrial Base (DIB): Cybersecurity noncompliance will be pursued.
“This case is almost a roadmap of what not to do,” said Jack Walbran, longtime defense industry contract expert and Of Counsel with international law firm BCLP. “They admitted that they took contracts that had cybersecurity requirements, didn’t comply for years, then self-scored inaccurately to obtain contracts and didn’t correct their score even when they learned it was much lower.”
The MORSE settlement, which stemmed from a whistleblower lawsuit and was announced by the U.S. Attorney for the District of Massachusetts in March, demonstrates how failing to follow long-standing cybersecurity requirements can lead to costly legal exposure and potentially lasting reputational damage. For DIB contractors, the case serves as a wake-up call. Compliance isn't just a box to check. It's a legal, financial, and operational imperative.
Three-pronged enforcement exposure
For companies that handle sensitive government data, whether directly for the Department of Defense (DoD) or further down the subcontractor chain, the risk of FCA liability now comes from three directions.
“First, if you suffer a major breach after failing to use promised protective tools, you’re in trouble,” explained Walbran.
Second, since late 2020, contractors have had to self-assess against NIST SP 800-171 and post the resulting score to the DoD's Supplier Performance Risk System (SPRS) to be considered for new contracts. The DoD and others have found that many of these self-reported scores were, at best, overly optimistic. Now, with third-party assessments on the horizon, primes are asking subcontractors for real scores, and those assessments are surfacing significant past errors.
“Practically speaking, the third pressure point may be the most dangerous: insider whistleblowers—typically knowledgeable employees,” added Walbran.
Under the FCA’s qui tam provisions, whistleblowers can file lawsuits on behalf of the government and receive a share of any settlement. In the MORSE case, the whistleblower received $851,000.

Achieving CMMC compliance isn’t just a box to check—it’s a rigorous, time-consuming process that can take months of preparation, especially for companies seeking Level 2 certification or higher. (Image courtesy SSE Inc.)
False claims, real consequences
The FCA has been around since the Civil War, but it’s been adapted over the years to counter modern risks. Today, the DoJ has put cybersecurity squarely in its crosshairs.
The legal exposure is vast: If a company falsely certifies compliance to win a defense contract, the FCA provides for treble damages, up to three times the government's loss, which in a fraudulent-inducement case can be measured as the full amount paid under the contract. On top of that, civil penalties currently run up to roughly $28,000 per false claim, and every invoice can count as a claim.
As Walbran put it, “That’s your biggest civil risk—procuring a contract through misrepresentation. Knowing violations exist carries a criminal risk as well.”
In the case of MORSE, the DoJ laid out multiple points of failure: use of a third-party cloud email host from 2018 to 2022 that did not meet the FedRAMP Moderate baseline (or equivalent) required for cloud services that handle CUI; significantly incomplete implementation of the NIST SP 800-171 controls from 2018 to 2023; and reporting an inaccurate NIST SP 800-171 assessment score to the DoD's SPRS, which was not corrected in a timely manner after a third-party assessment flagged the error.
“As alleged, these weren’t close calls,” said Walbran. “They were clear violations of known requirements, and now they are very clearly enforced.”
Wake-up call for defense contractors
Charlie Sciuto is the CISO and CTO for SSE, Inc. He works with contractors in the DIB on a daily basis and said the risk many companies face isn't always defiance; it's uncertainty.
“There’s a big knowledge gap out there,” explained Sciuto. “Companies don’t know where they stand because they haven’t gone through a proper gap assessment, and with CMMC going live, that’s going to get even more serious.”
SSE is a Registered Provider Organization (RPO), a designation administered by the Cyber AB, the accreditation body for the Cybersecurity Maturity Model Certification (CMMC) program, for firms that help companies prepare for CMMC assessments. RPOs provide services like gap assessments, remediation, policy development, and continuous monitoring. Although RPOs can't issue certifications (only a Certified Third-Party Assessor Organization can), they are often the most practical and cost-effective way to get compliant ahead of a third-party certification assessment and to stay compliant afterward.
New defense risk profile: cyber lapses, FCA lawsuits, and CMMC
Cybersecurity Maturity Model Certification is the new framework for cybersecurity compliance across the DIB. It’s designed to move companies from self-attestation to independent, third-party verification, particularly for those handling Controlled Unclassified Information (CUI).
Under CMMC 2.0, companies that handle only Federal Contract Information (FCI) will continue to self-assess annually at Level 1. Most companies handling CUI will need a Level 2 certification from a Certified Third-Party Assessor Organization (C3PAO), and the highest-priority programs will require a Level 3 assessment led by the DoD. Either way, the expectation is clear: Contractors must verifiably implement the required controls and maintain continuous compliance.
“With CMMC, you’re not just representing compliance once,” added Sciuto. “You will be committing to continual monitoring and then affirming continuous compliance annually.”
This means that companies need to take cybersecurity seriously. Their representations, whether to a prime or the government, are binding commitments.
How companies fall out of compliance (without realizing it)
Even companies with strong intentions can fall out of compliance through seemingly routine changes to operations or technology. Walbran outlined a few common triggers:
- Expanding physical or network boundaries (for example, acquiring a new facility or company)
- Shifting from on-premises to cloud infrastructure
- Introducing new cybersecurity tools, vendors, or systems without evaluating cybersecurity compliance
“You can fall out of compliance by accident,” Walbran said. “You change the scope or architecture of your network, for example, move part of it to a cloud, and suddenly your system no longer matches what was third-party certified.”
MORSE settlement is a roadmap for DIB
Based on the DoJ's release on the MORSE settlement, SSE put together a list of four common pitfalls that must be avoided:
Using non-compliant third parties: Contractors must ensure vendors (especially cloud and email providers) meet required standards. For any cloud service that stores, processes, or transmits CUI, DFARS 252.204-7012 requires the provider to meet the Federal Risk and Authorization Management Program Moderate (FedRAMP Moderate) baseline or equivalent.
Failure to implement NIST SP 800-171 controls: Partial or delayed implementation of these controls is no longer acceptable.
Lack of a written system security plan (SSP): A complete SSP that describes system boundaries, environments, and connections is mandatory.
Inaccurate or outdated compliance reporting: Self-assessments, and the score posted to SPRS, must reflect the current cybersecurity state and be updated as conditions change.
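The drift triggers Walbran lists (a new facility or acquisition, a move to the cloud, a new vendor) and the first and third pitfalls above are all things a contractor can check for mechanically, by comparing what the SSP declares against what discovery actually finds. The script below is an added example written for this article; it is not code from SSE, MORSE, or the DoJ. The two inventories, the host and service names, and the CIDR block are all constructed for illustration. It flags CUI hosts outside the declared boundary, hosts that appear or disappear relative to the SSP, cloud services that handle CUI without a FedRAMP Moderate or High authorization, and cloud services the SSP never mentions, then reports whether the SSP (and the SPRS score that rests on it) needs updating.

```python
"""Detect drift between an SSP's declared boundary and the live environment.

Added example for this article (not SSE's, MORSE's, or DoD tooling).
All hosts, services, and addresses below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional
import ipaddress

# FedRAMP baselines that satisfy the DFARS 252.204-7012 cloud requirement
# for services that store, process, or transmit CUI.
ACCEPTABLE_FEDRAMP = {"Moderate", "High"}


@dataclass(frozen=True)
class Host:
    name: str
    ip: str
    cui: bool            # does the host store or process CUI?


@dataclass(frozen=True)
class CloudService:
    name: str
    cui: bool            # does the service touch CUI?
    fedramp: Optional[str]   # baseline on the authorization, None if none


# --- Boundary as recorded in the SSP (constructed) ------------------------
SSP_CIDRS = ["10.10.0.0/16"]             # the one on-prem enclave the SSP covers
SSP_HOSTS = {
    Host("fs01", "10.10.1.10", cui=True),
    Host("eng-ws-07", "10.10.2.57", cui=True),
    Host("guest-ap", "10.10.9.1", cui=False),
}
SSP_CLOUD = {
    CloudService("gov-mail", cui=True, fedramp="Moderate"),
}

# --- What today's discovery scan and SaaS inventory found (constructed) ---
FOUND_HOSTS = {
    Host("fs01", "10.10.1.10", cui=True),
    Host("eng-ws-07", "10.10.2.57", cui=True),
    Host("acq-fileshare", "192.168.50.4", cui=True),   # acquired site, new subnet
}
FOUND_CLOUD = {
    CloudService("gov-mail", cui=True, fedramp="Moderate"),
    CloudService("quickshare-saas", cui=True, fedramp=None),   # new vendor, no ATO
    CloudService("status-page", cui=False, fedramp=None),      # no CUI involved
}


def in_boundary(ip: str, cidrs) -> bool:
    """True if the address falls inside any CIDR the SSP declares."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def find_drift(ssp_cidrs, ssp_hosts, ssp_cloud, found_hosts, found_cloud):
    """Compare declared vs. observed scope. Empty lists mean the SSP still matches."""
    declared_hosts = {h.name for h in ssp_hosts}
    seen_hosts = {h.name for h in found_hosts}
    declared_cloud = {c.name for c in ssp_cloud}

    findings = {
        # CUI on a host whose address is outside the certified boundary
        "outside_boundary": sorted(
            f"{h.name} ({h.ip})" for h in found_hosts
            if h.cui and not in_boundary(h.ip, ssp_cidrs)),
        # hosts discovery found that the SSP inventory never listed
        "undeclared_hosts": sorted(seen_hosts - declared_hosts),
        # hosts the SSP lists that no longer exist (inventory is stale)
        "stale_hosts": sorted(declared_hosts - seen_hosts),
        # CUI in a cloud service without a Moderate/High FedRAMP authorization
        "cloud_noncompliant": sorted(
            c.name for c in found_cloud
            if c.cui and c.fedramp not in ACCEPTABLE_FEDRAMP),
        # cloud services in use that the SSP does not describe at all
        "undeclared_cloud": sorted(
            c.name for c in found_cloud if c.name not in declared_cloud),
    }
    return findings


def ssp_update_required(findings) -> bool:
    """Any finding means the SSP, and the SPRS score based on it, are out of date."""
    return any(findings.values())


if __name__ == "__main__":
    result = find_drift(SSP_CIDRS, SSP_HOSTS, SSP_CLOUD, FOUND_HOSTS, FOUND_CLOUD)
    for category, items in result.items():
        if items:
            print(f"{category}: {', '.join(items)}")
    print("SSP update required:", ssp_update_required(result))
```

Run against the constructed inventories, the script reports the acquired file server as both undeclared and outside the 10.10.0.0/16 boundary, the decommissioned guest access point as a stale SSP entry, and the new file-sharing SaaS as a CUI service with no FedRAMP Moderate authorization; the status page is undeclared but not a compliance failure because it carries no CUI. In practice the "found" side would come from an asset scanner, CMDB export, or SaaS discovery feed, and the check would run on a schedule so that the kinds of boundary changes Walbran describes surface before the next annual affirmation rather than after a breach or a whistleblower complaint.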
“Since 2017, many DIB contractors reportedly treated cybersecurity as a paperwork requirement. The MORSE settlement makes it clear that those days are over,” concluded Sciuto.
With DoJ enforcement rising, whistleblowers increasingly informed and motivated, and CMMC closing the loop to verify compliance, companies in the DIB face a new standard of accountability. For those who underestimate the risk, a $4.6 million warning shot has been fired.
For more information on CMMC compliance, contact SSE at www.sseinc.com, by phone: (314) 439-4700 or via email at info@sseinc.com.
Greg Rankin is a Houston-based freelance writer with more than 20 years of experience writing about cybersecurity, technology, and the defense industrial base.