MORSECORP Inc., a defense contractor based in Cambridge, Massachusetts, has agreed to pay $4.6 million to settle allegations that it violated cybersecurity rules under its contracts with the U.S. Army and Air Force. The U.S. government accused MORSECORP of submitting false claims while failing to follow security requirements meant to protect sensitive military information.
Between January 2018 and September 2022, MORSECORP used a third-party company to manage its emails but did not ensure that this company met government cybersecurity standards. These standards, required under federal contracts, are designed to protect classified and sensitive information from cyber threats. Additionally, the company did not meet the Department of Defense’s (DoD) strict guidelines for reporting cyber incidents, handling malicious software, and preserving important data in case of cyberattacks.
The contracts also required MORSECORP to implement all cybersecurity controls outlined in the National Institute of Standards and Technology (NIST) Special Publication 800-171. However, from January 2018 to February 2023, the company failed to put in place several of these essential controls. Some of the missing security measures could have made it easier for hackers to steal confidential defense information. Others were meant to protect the integrity of the company’s computer networks but were also ignored.
Elizabeth Conrad Accused of Identity Theft and Financial Fraud
False Cybersecurity Scores and Delayed Reporting
One of the biggest issues in this case was MORSECORP’s misleading cybersecurity reports. U.S. government contracts required the company to submit a score based on how well it followed security rules. In January 2021, MORSECORP told the Department of Defense that it had a cybersecurity compliance score of 104. Since the scoring system ranges from -203 to 110, this score suggested that MORSECORP had nearly perfect security measures in place.
However, in July 2022, an independent cybersecurity consultant reviewed MORSECORP’s security compliance and found that its actual score was -142. This meant the company was nowhere near meeting the required cybersecurity standards. Despite learning about the huge gap in its security compliance, MORSECORP did not correct the false score in the DoD’s reporting system until June 2023. This correction only happened three months after the U.S. government had already launched an investigation into the company’s cybersecurity practices.
MORSECORP also failed to create proper security plans for its systems. From January 2018 to January 2021, the company did not have a complete written plan describing how it managed cybersecurity protections. Federal contracts required such plans to explain the system’s security setup, how sensitive data was protected, and how the company handled risks. Without this documentation, it was difficult for the government to verify whether MORSECORP was following the necessary security measures.
Government Takes Action Against Cybersecurity Fraud
The U.S. government has made it clear that federal contractors must take cybersecurity seriously. Defense contractors handle highly sensitive information that, if exposed, could threaten national security. That is why the Department of Justice (DOJ), the U.S. Army, and the U.S. Air Force worked together to hold MORSECORP accountable.
Fraud Scheme Exposed as Minnesota Jury Finds Leader Guilty
U.S. Attorney Leah B. Foley for the District of Massachusetts emphasized the importance of protecting government information from cyber threats. She stated that contractors must follow security rules to ensure taxpayers receive what they paid for.
As part of the investigation, the Department of the Army Criminal Investigation Division, led by Special Agent in Charge Keith K. Kelly, the Air Force Office of Special Investigations, headed by Special Agent in Charge William W. Richards, and the Defense Criminal Investigative Service (DCIS), led by Special Agent in Charge Patrick J. Hegarty, joined forces to uncover the company’s cybersecurity failures.
The case was brought under the False Claims Act, which allows private individuals to report fraud on behalf of the government. A whistleblower who helped expose MORSECORP’s misconduct will receive $851,000 as part of the settlement.
The legal team handling the case included Brian LaMacchia, Chief of the Affirmative Civil Enforcement Unit, Assistant U.S. Attorney Julien Mundele, and DOJ Senior Trial Counsel Christopher Terranova.
With this settlement, the government has sent a strong message to other defense contractors: failing to meet cybersecurity standards will have serious financial and legal consequences. While MORSECORP has not admitted to criminal wrongdoing, the company has taken responsibility for its cybersecurity failures and agreed to pay the multimillion-dollar settlement to resolve the case.