$4.6M and a 246-Point Swing: The MORSECORP Cybersecurity False Claims Act Settlement

MORSECORP Inc., a Cambridge, Massachusetts defense contractor, agreed to pay $4.6 million to resolve False Claims Act allegations that it failed to meet NIST SP 800-171 and system security plan requirements on Army and Air Force contracts, and misreported its SPRS score for nearly a year after learning the real number.

Brandon Hancock, J.D., CMMC-RP · Published March 26, 2025 · Updated July 1, 2026 · 6 min read

On March 26, 2025, the Justice Department announced a $4.6 million False Claims Act settlement with MORSECORP Inc., a Cambridge, Massachusetts defense contractor — one of the larger Civil Cyber-Fraud Initiative recoveries to date, and one where the contractor admitted the underlying facts rather than merely resolving allegations.

MORSECORP Inc. (MORSE) has agreed to pay $4.6 million to resolve False Claims Act liability for failing to comply with cybersecurity requirements in its contracts with the Departments of the Army and Air Force. The settlement resolves a whistleblower suit, United States ex rel. Berich v. MORSECORP Inc. et al., No. 23-cv-10130 (D. Mass.), and stands out because MORSE did not simply settle and move on — it admitted, acknowledged, and accepted responsibility for a specific set of facts. (A civil settlement still is not a judicial finding of liability; admitted facts and legal liability are not the same thing.)

What the Government Alleged — and MORSE Admitted

According to the Justice Department, MORSE's cybersecurity failures spanned several years and several distinct requirements:

  • Unsecured email hosting (January 2018–September 2022). MORSE used a third-party company to host its email without requiring that the vendor meet security standards equivalent to the FedRAMP Moderate baseline, and without ensuring the vendor complied with DoD's requirements for cyber incident reporting, malicious software handling, and media preservation for forensic analysis.
  • Incomplete NIST SP 800-171 implementation (January 2018–February 2023). MORSE's contracts required full implementation of the NIST SP 800-171 security controls. MORSE had not fully implemented them — including controls the government said could otherwise prevent "significant exploitation of the network or exfiltration of controlled defense information."
  • No consolidated system security plan (January 2018–January 2021). Despite the contracts' SSP requirement, MORSE had no single written plan describing its covered systems' boundaries, operating environment, and how security requirements were actually implemented.
  • A self-reported score that didn't hold up. In January 2021, MORSE submitted a Supplier Performance Risk System (SPRS) score of 104 — near the top of the -203-to-110 scoring range. In July 2022, a third-party cybersecurity consultant told MORSE its actual score was -142, a swing of 246 points on the same systems. MORSE did not correct its SPRS entry until June 2023 — three months after the government served it with a subpoena.

Why the Timeline Is the Real Story

The LOGZONE settlement earlier this month showed a gap between a self-reported score and a later government assessment. MORSE shows something arguably worse: MORSE's own consultant told it the real number, and MORSE sat on that information for nearly a year, updating SPRS only after a federal subpoena arrived. Under the False Claims Act, a stale or inflated self-assessment is a risk the moment it supports a claim for payment — but knowingly leaving a false score in place after learning the truth compounds that exposure considerably.

A Pattern, Not an Outlier

MORSE joins a growing list of Civil Cyber-Fraud Initiative resolutions built on the same core theory — a contractor's cybersecurity representations didn't match its actual environment — including the $11.3M Guidehouse and Nan McKay settlement, the DOJ's Georgia Tech suit over a false SPRS score, and the more recent LOGZONE Navy settlement. The whistleblower in the MORSE case received an $851,000 share of the recovery — a reminder that these cases are frequently brought by insiders, not discovered by government audit alone.

What Contractors Should Do Now

  • Treat a consultant's or assessor's finding as a clock, not a suggestion. Once you know your real score, update SPRS promptly — waiting invites exactly the "knew and sat on it" theory DOJ used here.
  • Cover your full environment, including third-party-hosted systems. MORSE's exposure started with an email vendor that didn't meet the required baseline — a reminder that your security requirements travel with your data, not just your own servers.
  • Keep a single, current system security plan. A patchwork of outdated or missing SSP documentation is itself evidence of noncompliance, independent of your control implementation.
  • Assume whistleblowers are watching your SPRS number. Employees and consultants who see the gap between your posted score and your actual environment are potential qui tam relators.

Key Takeaways

  • MORSECORP will pay $4.6 million to resolve FCA allegations tied to Army and Air Force contract cybersecurity failures from 2018 to 2023, including unsecured third-party email hosting and incomplete NIST SP 800-171 implementation.
  • MORSE self-reported an SPRS score of 104 in January 2021; a third-party consultant found the true score was -142 in July 2022 — and MORSE didn't correct it until June 2023, after a federal subpoena.
  • The whistleblower received an $851,000 share, underscoring that insiders — not just government audits — are a primary enforcement trigger for inflated cybersecurity self-assessments.

To understand how the number at the center of this case is calculated, read how the SPRS score actually works; for the broader enforcement landscape, see Enforcement & Penalties; and confirm what your own contracts require with Find My Requirements.

Brandon Hancock

J.D. · CMMC Registered Practitioner (RP)

Brandon is the founder and principal advisor of GovConCyber. His advisory approach is shaped by roughly six years as a U.S. Army human intelligence collector, where information accuracy, source protection, classification discipline, need-to-know access, and controlled reporting were daily requirements. He brings that information-discipline mindset to GovConCyber's work helping government contractors understand and comply with federal cybersecurity obligations.