MORSECORP Inc. Settles Cybersecurity Fraud Case for $4.6 Million

MORSECORP Inc., a defence contractor based in Cambridge, Massachusetts, has agreed to pay $4.6 million to settle allegations that it knowingly failed to comply with mandatory cybersecurity requirements in its contracts with the US Departments of the Army and Air Force. The settlement sheds light on increasing government scrutiny over cybersecurity practices and the rising legal risks for federal contractors who fail to meet compliance obligations.

Between January 2018 and September 2022, MORSECORP outsourced email hosting to a third party without ensuring compliance with the Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline—a core requirement for handling sensitive government data. Compounding this breach, MORSE also failed to implement critical cybersecurity controls outlined in the National Institute of Standards and Technology (NIST) Special Publication 800-171, a foundational framework for securing controlled unclassified information.

Despite contractually binding obligations, the company neglected to maintain required system security plans from 2018 to 2021. Most strikingly, MORSE self-reported a misleadingly high cybersecurity score of 104 out of 110 to the Department of Defense in January 2021. A later third-party assessment in July 2022 revealed the actual score to be -142. Yet the company did not update this figure until June 2023—three months after receiving a federal subpoena.

This enforcement action was led by the Department of Justice (DOJ), alongside the Department of the Army Criminal Investigation Division, the Air Force Office of Special Investigations, and the Defense Criminal Investigative Service (DCIS). Officials underscored the critical importance of cybersecurity compliance in safeguarding sensitive defence data and ensuring operational readiness.

“We will continue to hold contractors to their commitments,” said US Attorney Leah B. Foley, highlighting the government's focus on ensuring taxpayers receive the protection they have paid for.

The case originated from a whistleblower under the False Claims Act’s qui tam provisions. The whistleblower is set to receive $851,000 as part of the recovery. This outcome is a stark reminder of the reputational and financial damage that can arise from cybersecurity non-compliance, as well as the power of whistleblowers in enforcing accountability.

For the wider defence and contractor community, this settlement is a cautionary tale. It underscores the necessity of maintaining robust cybersecurity frameworks and transparent, timely reporting. In an era of escalating cyber threats and heightened regulatory expectations, cutting corners on compliance is no longer a risk worth taking.

Read the press release here.