BOSTON — Cambridge-based defense contractor Morse Corp. has agreed to pay $4.6 million to resolve allegations that it failed to comply with cybersecurity requirements in its contracts with the U.S. Army and U.S. Air Force.
The settlement resolves allegations that Morse Corp. submitted fraudulent claims for payment on contracts with the Army and Air Force, and that those claims were fraudulent because Morse knew it had not complied with those contracts’ cybersecurity requirements, the U.S. Attorney said.
“Federal contractors must fulfill their obligations to protect sensitive government information from cyber threats,” U.S. Attorney Leah Foley said in a statement on Tuesday.
“We will continue to hold contractors to their commitments to follow cybersecurity standards to ensure that federal agencies and taxpayers get what they paid for, and make sure that contractors who follow the rules are not at a competitive disadvantage,” Foley said.
As part of the settlement, Morse admitted and accepted responsibility for the following, Foley said:
- From January 2018 to September 2022, Morse used a third-party company to host the company’s emails without requiring and ensuring that the third party met security requirements equivalent to the Federal Risk and Authorization Management Program Moderate baseline and complied with the Department of Defense’s requirements for cyber incident reporting, malicious software, media preservation and protection, access to additional information and equipment necessary for forensic analysis and cyber incident damage assessment;
- The contracts required that Morse implement all cybersecurity controls in National Institute of Standards and Technology Special Publication (SP) 800-171, but from January 2018 to February 2023, Morse had not fully implemented all those controls, including controls that, if not implemented, could lead to significant exploitation of the network or exfiltration of controlled defense information and controls that could have a specific and confined effect on the security of the network and its data;
- From January 2018 to January 2021, despite the contracts’ system security plan requirement, Morse did not have a consolidated written plan for each of its covered information systems describing system boundaries, system environments of operation, how security requirements are implemented and the relationships with or connections to other systems;
- In January 2021, Morse submitted to the Department of Defense a score of 104 for its implementation of the NIST SP 800-171 security controls. That score was near the top of the possible score range from -203 to 110. In July 2022, a third-party cybersecurity consultant notified Morse that its score was actually -142. Morse did not update its score in the Department of Defense reporting system until June 2023 — three months after the United States served Morse with a subpoena concerning its cybersecurity practices.
“We are pleased with today’s settlement, which further demonstrates the resolve of the Department of the Army Criminal Investigation Division and our law enforcement partners to protect and defend the assets of the United States Army and Department of Defense,” Special Agent in Charge Keith Kelly, Department of the Army Criminal Investigation Division Fraud Field Office, said in a statement.
“We’re committed to protecting the warfighter and maintaining the Army’s operational readiness while holding those who engage in such acts accountable,” Kelly said.
“Failure to implement cybersecurity requirements can have devastating consequences, leaving sensitive DoD data vulnerable to cyber threats and malicious actors,” Special Agent in Charge William Richards of the Air Force Office of Special Investigations said in a statement.
Richards said his office “alongside our investigative partners and the Department of Justice, will continue to combat fraud affecting the Department of the Air Force and hold those accountable that fail to properly safeguard sensitive defense information.”
“Protecting the integrity of Department of Defense procurement activities is a top priority for the DoD Office of Inspector General’s Defense Criminal Investigative Service,” said Special Agent in Charge Patrick Hegarty, DCIS Northeast Field Office.
“Failing to comply with DoD contract specifications and cybersecurity requirements puts DoD information and programs at risk,” Hegarty said. “We will continue to work with our law enforcement partners and the Department of Justice to investigate allegations of false claims on DoD contracts.”
The settlement resolves a lawsuit filed under the whistleblower provisions of the False Claims Act, which permit private parties to sue on behalf of the government when they believe that a defendant has submitted false claims for government funds and receive a share of any recovery.
The settlement in this case provides for the whistleblower to receive an $851,000 share of the settlement amount, Foley said.
This is a developing story. Check back for updates as more information becomes available.
Download the FREE Boston 25 News app for breaking news alerts.
Follow Boston 25 News on Facebook and Twitter. | Watch Boston 25 News NOW
©2025 Cox Media Group
