Full Report
Morse Corp Inc., a Massachusetts-based defense contractor, has agreed to pay $4.6 million to resolve allegations of cybersecurity fraud under the False Claims Act. The U.S. Department of Justice announced the settlement, claiming that the company misrepresented its compliance with federal cybersecurity standards while working on contracts with the Departments of the Army and Air Force.

## Morse Corp Allegations and Legal Proceedings

The case began in January 2023 when a whistleblower, Kevin Berich, filed a qui tam lawsuit against Morse Corp under the False Claims Act. The DOJ joined the case in March 2023, accusing the company of violating Defense Federal Acquisition Regulation Supplement (DFARS) clauses. These clauses require contractors to adhere to the cybersecurity standards set out in National Institute of Standards and Technology (NIST) Special Publication 800-171.

The DOJ's investigation found that from January 2018 to September 2022, Morse Corp used a third-party service to host its email without ensuring that the service met the FedRAMP Moderate baseline, a critical requirement for systems handling covered defense information. The company also failed to implement the NIST SP 800-171 controls required to protect controlled unclassified information from unauthorized access.

## Misrepresentation of Cybersecurity Compliance

According to the settlement agreement, Morse Corp submitted a misleading score of 104 for its cybersecurity assessment to the Department of Defense's Supplier Performance Risk System (SPRS) in January 2021. An independent evaluation in July 2022 produced a significantly lower score of -142, indicating that the company had implemented only 22% of the required controls. Despite this finding, Morse Corp did not update its SPRS score until June 2023.
The settlement document also detailed that the contractor lacked a consolidated cybersecurity plan describing system boundaries, operating environments, and connections to other networks. These gaps exposed sensitive defense data to potential exploitation and unauthorized access, in violation of its contractual obligations.

## Financial Penalties and Whistleblower Award

As part of the settlement, Morse Corp will pay $4.6 million, including $2.3 million in restitution. The whistleblower, Kevin Berich, will receive 18.5% of the total settlement amount for bringing the case to light. The agreement also requires Morse Corp to cover $198,616 in legal fees for Berich's attorneys.

"Failure to implement cybersecurity requirements can have devastating consequences, leaving sensitive DoD data vulnerable to cyber threats and malicious actors," said Special Agent William Richards of the Air Force Office of Special Investigations (AFOSI). "(We) will continue to combat fraud affecting the Department of the Air Force and hold those accountable that fail to properly safeguard sensitive defense information."

## Implications for Defense Contractors

The settlement serves as a warning to defense contractors about the consequences of misrepresenting cybersecurity compliance. The DOJ emphasized that meeting cybersecurity standards is not a procedural formality but a critical element of national security. Experts suggest that the case could lead to stricter enforcement of cybersecurity regulations and increased scrutiny of defense contractors. The outcome may also prompt more whistleblowers to report non-compliance, given the significant financial incentives under the False Claims Act.
Analysis Summary
# Incident Report: Cybersecurity Fraud Allegations Settlement by Defense Contractor Morse Corp
## Executive Summary
Defense contractor Morse Corp settled allegations of cybersecurity fraud amounting to \$4.6 million, including \$2.3 million in restitution, for failing to implement required cybersecurity measures. This failure left sensitive Department of Defense (DoD) data potentially exposed to unauthorized access and exploitation, violating contractual obligations. The settlement highlights the critical importance of cybersecurity compliance for national security and suggests increased scrutiny for defense contractors.
## Incident Details
- **Discovery Date:** No single date is given. An independent assessment in July 2022 revealed the true compliance level, and the whistleblower's qui tam complaint was filed in January 2023.
- **Incident Date:** January 2018 to September 2022 (the period during which email was hosted without meeting the FedRAMP Moderate baseline); the misleading SPRS score was submitted in January 2021 and not corrected until June 2023.
- **Affected Organization:** Morse Corp Inc.
- **Sector:** Defense Contracting / Government Services
- **Geography:** Massachusetts, United States
## Timeline of Events
### Initial Access
- **Date/Time:** Not applicable (Incident relates to ongoing compliance failure, not a single breach event).
- **Vector:** Failure to implement required cybersecurity measures necessary to protect sensitive DoD data.
- **Details:** Deficiencies in cybersecurity posture exposed sensitive defense data to potential exploitation.
### Lateral Movement
- Not applicable/Not detailed in the description (Focus is on compliance failure, not adversary TTPs leading to compromise).
### Data Exfiltration/Impact
- **What was stolen or damaged:** No data theft is reported. Sensitive defense data was exposed to potential exploitation and unauthorized access, which constituted a violation of the company's contractual obligations.
### Detection & Response
- **How it was discovered:** A whistleblower (Kevin Berich) filed a qui tam lawsuit under the False Claims Act in January 2023; the DOJ joined the case in March 2023. An independent assessment in July 2022 had already produced a score of -142 against the self-reported 104.
- **Response actions taken:** The company updated its SPRS score in June 2023, followed by negotiation and signing of a settlement agreement resulting in financial penalties and restitution.
## Attack Methodology
- **Initial Access:** N/A (The 'attack' was the failure to secure systems as required by contract).
- **Persistence:** N/A
- **Privilege Escalation:** N/A
- **Defense Evasion:** N/A
- **Credential Access:** N/A
- **Discovery:** N/A
- **Lateral Movement:** N/A
- **Collection:** N/A
- **Exfiltration:** None reported; the risk was potential unauthorized access or exploitation enabled by missing security controls.
- **Impact:** Contractual violations and exposure of sensitive DoD information to potential compromise.
## Impact Assessment
- **Financial:** \$4.6 million settlement, including \$2.3 million in restitution and \$198,616 in legal fees for the whistleblower's attorneys.
- **Data Breach:** Sensitive defense data was exposed to potential exploitation.
- **Operational:** Not detailed, but compliance failure necessitates significant internal remediation.
- **Reputational:** Negative scrutiny from the Department of Justice (DOJ) and Air Force Office of Special Investigations (AFOSI).
## Indicators of Compromise
- **Network indicators - defanged:** N/A
- **File indicators:** N/A
- **Behavioral indicators:** A self-reported SPRS score (104) far above the independently assessed score (-142); email hosted on a third-party service not verified against the FedRAMP Moderate baseline; no consolidated cybersecurity plan defining system boundaries, operating environments, and network connections.
## Response Actions
- **Containment measures:** Not detailed beyond the correction of the SPRS score in June 2023; meeting the overdue NIST SP 800-171 requirements remains the contractor's obligation.
- **Eradication steps:** Not detailed.
- **Recovery actions:** Payment of restitution and legal fees as part of the settlement.
## Lessons Learned
- Failure to implement mandatory cybersecurity requirements is treated as fraud affecting government contracts.
- Cybersecurity compliance is a critical element of national security, not just a procedural formality.
- Whistleblowers are incentivized (under the False Claims Act) to report non-compliance, leading to significant financial repercussions for contractors.
## Recommendations
- Defense contractors must rigorously adhere to all stipulated cybersecurity requirements mandated in government contracts.
- Establish internal auditing processes that continuously verify and document compliance with the required security standards, so that self-reported assessment scores match the actual state of the controls.
- Review contractual obligations regularly in light of evolving national security directives concerning data protection.