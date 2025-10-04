The MORSECORP settlement shows that cybersecurity lapses are now legal and financial liabilities — not just technical ones.

When the Justice Department announced a $4.6 million False Claims Act (FCA) settlement with defense contractor MORSECORP, Inc. (MORSE) this spring, it sent a clear message to the defense industrial base (DIB): Cybersecurity noncompliance will be pursued.

According to Jack Walbran, a longtime defense industry contract expert and of counsel with international law firm BCLP, the MORSE case is almost a roadmap of what not to do. He summarized the case by stating that the company admitted to taking on contracts that had cybersecurity requirements but did not comply for years. It self-scored inaccurately to obtain contracts and then did not correct those scores after learning that it had scored much lower.

The MORSE settlement, which stemmed from a whistleblower lawsuit and was announced by the U.S. Attorney for the District of Massachusetts in March, demonstrates how failing to follow long-standing cybersecurity requirements can lead to costly legal exposure and potentially lasting reputational damage. For DIB contractors, the case serves as a wakeup call. Compliance isn’t just a box to check. It’s a legal, financial and operational imperative.

Three-pronged enforcement exposure

For companies that handle sensitive government data, whether directly for the Defense Department or further down the subcontractor chain, the risk of FCA liability now comes from three directions.

First, if you suffer a major breach after failing to deploy the protective controls you promised, the breach itself exposes the earlier misrepresentation. Second, since 2020, contractors have had to self-report their NIST SP 800-171 assessment scores (under DFARS 252.204-7019 and 252.204-7020, via the Supplier Performance Risk System) to be considered for new contracts. DoD and others have found that many of these scores were, at best, overly optimistic. Now, with third-party checks on the horizon, primes are asking for real scores, and third-party assessments are surfacing significant past errors.

Practically speaking, the third pressure point may be the most dangerous: insider whistleblowers – typically knowledgeable employees.

Under the FCA’s qui tam provisions, whistleblowers can file lawsuits on behalf of the government and receive a share of any settlement. In the MORSE case, the whistleblower received $851,000.

False claims, real consequences

The FCA has been around since the Civil War, but it’s been adapted over the years to counter modern risks. Today, DOJ has put cybersecurity squarely in its crosshairs.

The legal exposure is vast: If a company falsely certifies compliance to win a defense contract, damages can be up to triple all contract payments. On top of that, penalties can reach up to $28,000 per claim.

That is the biggest civil risk: procuring a contract through misrepresentation. Knowing violations carry criminal exposure as well.

In the MORSE case, DOJ laid out multiple points of failure: use of a non-compliant third-party cloud email host from 2018 to 2022; significantly incomplete implementation of the National Institute of Standards and Technology Special Publication 800-171 (NIST SP 800-171) cybersecurity controls from 2018 to 2023; and reporting inaccurate cybersecurity compliance scores to DoD that were not corrected in a timely manner after a third-party assessment flagged the error.

As alleged, these were not close calls. They were clear violations of known requirements, and now they are very clearly enforced.

Wake-up call for defense contractors

The risk many companies face isn’t always defiance; it’s uncertainty. There is often a significant knowledge gap, and companies do not always know where they stand because they have not gone through a proper gap assessment. With Cybersecurity Maturity Model Certification (CMMC) going live, that is going to become more serious.

CMMC is the new framework for cybersecurity compliance across the DIB. It’s designed to move companies from self-attestation to independent, third-party verification, particularly for those handling controlled unclassified information (CUI).

Under CMMC 2.0, some companies will continue to self-assess, particularly those handling only federal contract information. Many, however, will be required to undergo certification through a certified third-party assessor organization (C3PAO). Either way, the expectation is clear: Contractors must verifiably implement required controls and maintain continuous compliance.

With CMMC, a company is not just representing compliance once. Instead, it will be committing to continual monitoring and then affirming continuous compliance annually. This means that companies need to take cybersecurity seriously. Their representations, whether to a prime or to the government, are binding commitments.

How companies fall out of compliance without realizing it

Even companies with strong intentions can fall out of compliance through seemingly routine changes to operations or technology. Walbran outlined a few common triggers:

● Expanding physical or network boundaries (e.g., acquiring a new facility or company)

● Shifting from on-premises to cloud infrastructure

● Introducing new cybersecurity tools, vendors or systems without evaluating cybersecurity compliance

Companies can fall out of compliance by accident. For example, changing the scope or architecture of a network by moving part of it to the cloud would mean that the system no longer matches what was third-party certified.

MORSE settlement is a roadmap for DIB

The lessons learned from the DOJ’s MORSE settlement provide a practical checklist for compliance-minded organizations.

1. Using non-compliant third parties: Contractors must ensure vendors, especially cloud and email providers, meet required standards, including the Federal Risk and Authorization Management Program moderate (FedRAMP Moderate) baseline or equivalent that DFARS 252.204-7012 requires for cloud services that store, process or transmit covered defense information.

2. Failure to implement NIST SP 800-171 controls: Partial or delayed implementation of these controls is no longer acceptable.

3. Lack of a written system security plan (SSP): A complete SSP that describes system boundaries, environments and connections is mandatory (NIST SP 800-171 requirement 3.12.4); without one, no assessment score can be produced at all.

4. Inaccurate or outdated compliance reporting: Self-assessments must reflect the current cybersecurity state and be updated as conditions change.
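The self-reported score referred to in the second enforcement prong and in item 4 is the NIST SP 800-171 DoD Assessment Methodology score that contractors post to the Supplier Performance Risk System (SPRS). What follows is an added example, not code from this article or from any party it describes: it applies the methodology's published weights (5, 3 or 1 point per unimplemented requirement, starting from 110, with partial credit only for 3.5.3 and 3.13.11) to a constructed subset of requirements, treats every requirement not listed as implemented, and diffs an inflated self-report against a later third-party assessment. The scenario, the control names and the findings are constructed for illustration and are not MORSE's actual findings.

```python
"""Score a NIST SP 800-171 self-assessment the way the DoD Assessment
Methodology does, and diff a self-reported score against a third-party one.

Rules (DoD Assessment Methodology for NIST SP 800-171):
  - start at 110, one point per requirement
  - subtract 5, 3 or 1 per requirement that is not implemented, by weight
  - 3.5.3 (MFA) and 3.13.11 (FIPS-validated crypto) may take a partial
    deduction of 3 instead of 5 when only partly met
  - without a system security plan (3.12.4) no score can be produced
  - the floor, with every requirement unimplemented, is -203
"""

from typing import Dict, List, Optional, Tuple

# Assumption for this illustration: only the requirements listed here are
# scored; every other requirement of the 110 is treated as implemented.
WEIGHTS: Dict[str, int] = {
    "3.1.1": 5,    # limit system access to authorized users and devices
    "3.1.2": 5,    # limit access to permitted transactions and functions
    "3.1.5": 3,    # least privilege
    "3.1.20": 1,   # verify and control connections to external systems
    "3.3.1": 5,    # create and retain audit logs
    "3.4.1": 5,    # baseline configurations and inventories
    "3.5.3": 5,    # multifactor authentication (partial credit allowed)
    "3.13.11": 5,  # FIPS-validated cryptography for CUI (partial credit allowed)
    "3.14.2": 5,   # malicious code protection
}
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}

IMPLEMENTED = "implemented"
PARTIAL = "partial"
NOT_IMPLEMENTED = "not_implemented"


def score(status: Dict[str, str], has_ssp: bool = True) -> Optional[int]:
    """Return the assessment score, or None when there is no SSP to assess."""
    if not has_ssp:
        return None
    total = 110
    for req, state in status.items():
        weight = WEIGHTS[req]
        if state == IMPLEMENTED:
            continue
        if state == PARTIAL:
            # Only 3.5.3 and 3.13.11 earn partial credit; any other
            # requirement that is partly done scores as not implemented.
            total -= PARTIAL_CREDIT.get(req, weight)
        elif state == NOT_IMPLEMENTED:
            total -= weight
        else:
            raise ValueError(f"{req}: unknown status {state!r}")
    return total


def discrepancies(self_reported: Dict[str, str],
                  assessed: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Requirements where the third-party finding differs from the self-report."""
    return [
        (req, self_reported.get(req, IMPLEMENTED), found)
        for req, found in sorted(assessed.items())
        if self_reported.get(req, IMPLEMENTED) != found
    ]


# Constructed scenario: the contractor self-reported everything implemented
# except one low-weight control, and posted that score to SPRS.
SELF_REPORT = {req: IMPLEMENTED for req in WEIGHTS}
SELF_REPORT["3.1.20"] = NOT_IMPLEMENTED

# A third-party assessment of the same system a year later (constructed).
ASSESSED = dict(SELF_REPORT)
ASSESSED.update({
    "3.5.3": PARTIAL,            # MFA for remote/privileged users only
    "3.13.11": NOT_IMPLEMENTED,  # hosted email uses no FIPS-validated crypto
    "3.3.1": NOT_IMPLEMENTED,    # no audit logging on the CUI file server
    "3.1.5": NOT_IMPLEMENTED,    # shared administrator accounts
})


if __name__ == "__main__":
    print("self-reported:", score(SELF_REPORT))
    print("assessed:     ", score(ASSESSED))
    for req, claimed, found in discrepancies(SELF_REPORT, ASSESSED):
        print(f"  {req}: claimed {claimed}, found {found}")
    print("no SSP:", score(ASSESSED, has_ssp=False))
```

The point the diff makes is the one the settlement turns on: the self-report and the assessment describe the same system, so once the assessment comes back lower the posted score is no longer accurate and must be corrected, not left standing.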

For too long, many DIB contractors reportedly treated cybersecurity as a paperwork requirement. The MORSE settlement makes it clear that those days are over. With DOJ enforcement rising, whistleblowers increasingly informed and motivated, and CMMC closing the loop to verify compliance, companies in the DIB face a new standard of accountability.

For those who underestimate the risk, a $4.6 million warning shot has been fired.

Charlie Sciuto is the chief information security officer and chief technology officer for SSE, Inc.

