MORSECORP Inc. of Cambridge, Massachusetts, has agreed to pay $4.6 million to resolve allegations that MORSE violated the False Claims Act by failing to comply with cybersecurity requirements in its contracts with the Departments of the Army and Air Force.
The settlement resolves allegations that MORSE submitted false or fraudulent claims for payment on contracts with the Departments of the Army and Air Force and that those claims were false or fraudulent because Morse knew it had not complied with those contracts’ cybersecurity requirements.
From January 2018 to September 2022, MORSE used a third-party company to host MORSE’s emails without requiring and ensuring that the third party met security requirements equivalent to the Federal Risk and Authorization Management Program Moderate baseline and complied with the Department of Defense’s requirements for cyber incident reporting, malicious software, media preservation and protection, access to additional information and equipment necessary for forensic analysis and cyber incident damage assessment.
The contracts required that MORSE implement all cybersecurity controls in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, but from January 2018 to February 2023, MORSE had not fully implemented all those controls, including controls that, if not implemented, could lead to significant exploitation of the network or exfiltration of controlled defense information and controls that could have a specific and confined effect on the security of the network and its data.
From January 2018 to January 2021, despite the contracts’ system security plan requirement, MORSE did not have a consolidated written plan for each of its covered information systems describing system boundaries, system environments of operation, how security requirements are implemented and the relationships with or connections to other systems.
In January 2021, MORSE submitted to the Department of Defense a score of 104 for its implementation of the NIST SP 800-171 security controls. That score was near the top of the possible score range from -203 to 110. In July 2022, a third-party cybersecurity consultant notified MORSE that its score was actually -142.
MORSE did not update its score in the Department of Defense reporting system until June 2023 — three months after the United States served MORSE with a subpoena concerning its cybersecurity practices.
The settlement resolves a lawsuit filed under the whistleblower provisions of the False Claims Act, which permit private parties to sue on behalf of the government when they believe that a defendant has submitted false claims for government funds and receive a share of any recovery.
The settlement in this case provides for the whistleblower to receive an $851,000 share of the settlement amount. The qui tam case is captioned United States ex rel. Berich v. MORSECORP Inc. et al., No. 23-cv-10130 (D. Mass.).
The settlement announced today was the result of a coordinated effort between the U.S. Attorney’s Office for the District of Massachusetts, the Civil Division’s Commercial Litigation Branch, Fraud Section, with assistance from the Department of the Army Criminal Investigation Division’s Fraud Field Office, the Air Force Office of Special Investigations, DCIS and the General Services Administration Office of Inspector General.
