MORSECORP Inc. (MORSE), of Cambridge, Massachusetts, has agreed to pay $4.6 million to resolve allegations that MORSE violated the False Claims Act by failing to comply with cybersecurity requirements in its contracts with the Departments of the Army and Air Force.
The settlement resolves allegations that MORSE submitted false or fraudulent claims for payment on contracts with the Departments of the Army and Air Force, and that those claims were false or fraudulent because MORSE knew it had not complied with those contracts’ cybersecurity requirements. As part of the settlement, MORSE admitted, acknowledged and accepted responsibility for the following facts:
- From January 2018 to September 2022, MORSE used a third-party company to host MORSE’s emails without requiring and ensuring that the third party met security requirements equivalent to the Federal Risk and Authorization Management Program Moderate baseline and complied with the Department of Defense’s requirements for cyber incident reporting, malicious software, media preservation and protection, access to additional information and equipment necessary for forensic analysis and cyber incident damage assessment;
- The contracts required that MORSE implement all cybersecurity controls in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, but from January 2018 to February 2023, MORSE had not fully implemented all those controls, including controls that, if not implemented, could lead to significant exploitation of the network or exfiltration of controlled defense information and controls that could have a specific and confined effect on the security of the network and its data;
- From January 2018 to January 2021, despite the contracts’ system security plan requirement, MORSE did not have a consolidated written plan for each of its covered information systems describing system boundaries, system environments of operation, how security requirements are implemented and the relationships with or connections to other systems;
- In January 2021, MORSE submitted to the Department of Defense a score of 104 for its implementation of the NIST SP 800-171 security controls. That score was near the top of the possible score range from -203 to 110. In July 2022, a third-party cybersecurity consultant notified MORSE that its score was actually -142. MORSE did not update its score in the Department of Defense reporting system until June 2023 – three months after the United States served MORSE with a subpoena concerning its cybersecurity practices.
“Federal contractors must fulfill their obligations to protect sensitive government information from cyber threats,” said U.S. Attorney Leah B. Foley for the District of Massachusetts. “We will continue to hold contractors to their commitments to follow cybersecurity standards to ensure that federal agencies and taxpayers get what they paid for, and make sure that contractors who follow the rules are not at a competitive disadvantage.”
“We are pleased with today’s settlement, which further demonstrates the resolve of the Department of the Army Criminal Investigation Division and our law enforcement partners to protect and defend the assets of the United States Army and Department of Defense,” said Special Agent in Charge Keith K. Kelly of the Department of the Army Criminal Investigation Division Fraud Field Office. “We’re committed to protecting the warfighter and maintaining the Army’s operational readiness while holding those who engage in such acts accountable.”
“Failure to implement cybersecurity requirements can have devastating consequences, leaving sensitive DoD data vulnerable to cyber threats and malicious actors,” said Special Agent in Charge William W. Richards of the Air Force Office of Special Investigations (AFOSI). “AFOSI, alongside our investigative partners and the Department of Justice, will continue to combat fraud affecting the Department of the Air Force and hold those accountable that fail to properly safeguard sensitive defense information.”
“Protecting the integrity of Department of Defense (DoD) procurement activities is a top priority for the DoD Office of Inspector General’s Defense Criminal Investigative Service (DCIS),” said Special Agent in Charge Patrick J. Hegarty of the DCIS Northeast Field Office. “Failing to comply with DoD contract specifications and cybersecurity requirements puts DoD information and programs at risk. We will continue to work with our law enforcement partners and the Department of Justice to investigate allegations of false claims on DoD contracts.”
The settlement resolves a lawsuit filed under the whistleblower provisions of the False Claims Act, which permit private parties to sue on behalf of the government when they believe that a defendant has submitted false claims for government funds and receive a share of any recovery. The settlement in this case provides for the whistleblower to receive an $851,000 share of the settlement amount. The qui tam case is captioned United States ex rel. Berich v. MORSECORP Inc. et al., No. 23-cv-10130 (D. Mass.).
The settlement announced today was the result of a coordinated effort between the U.S. Attorney’s Office for the District of Massachusetts and the Civil Division’s Commercial Litigation Branch, Fraud Section, with assistance from the Department of the Army Criminal Investigation Division’s Fraud Field Office, the Air Force Office of Special Investigations, DCIS and the General Services Administration Office of Inspector General. The matter was handled by Brian LaMacchia, Chief of the Affirmative Civil Enforcement Unit, Assistant U.S. Attorney Julien Mundele in the U.S. Attorney’s Office and DOJ Senior Trial Counsel Christopher Terranova.