MORSECORP, Inc. has agreed to pay $4.6 million, plus interest, to resolve allegations that it made false representations concerning compliance with required cybersecurity controls for safeguarding sensitive government information. This settlement is particularly notable because it represents the first major False Claims Act settlement with a defense contractor based on failures to implement required cybersecurity controls.
MORSECORP d/b/a MORSE (Mission Oriented Rapid Solution Engineering), which is based in Cambridge, Massachusetts, is a defense contractor in the U.S. National Security Ecosystem. MORSE performed multiple contracts for the Department of the Army and the Department of the Air Force, among other government customers.
The case was brought by our client in January 2023 based on his concerns that MORSECORP had not fully implemented cybersecurity controls required under NIST SP 800-171 for protecting sensitive government data and information. Our client was also concerned that MORSECORP did not have a consolidated system security plan and that MORSECORP was using third-party cloud-based services that did not meet the relevant Federal security requirements. In addition, our client was concerned that MORSECORP had posted improperly inflated SPRS assessment scores with the Defense Department for its internal cybersecurity practices and policies.
Our client brought the MORSECORP cybersecurity failures to the attention of the government by filing a cybersecurity qui tam complaint under the False Claims Act. Under the False Claims Act, a private citizen (known as a “relator”) who suspects or knows of fraud against the government can act as a whistleblower and file a sealed complaint on behalf of the government. If the case is successful, the relator is entitled to a share – between 15% and 30% – of the government’s recovery.
The government investigated the allegations brought to light by our client and, on March 17, 2025, filed a notice of its intention to intervene against MORSECORP for the purpose of settlement. The Department of Justice further described the case and the $4.6 million settlement on March 25, 2025.
Federal contractors must fulfill their obligations to protect sensitive government information from cyber threats, We will continue to hold contractors to their commitments to follow cybersecurity standards to ensure that federal agencies and taxpayers get what they paid for, and make sure that contractors who follow the rules are not at a competitive disadvantage.
— United States Attorney Leah B. Foley.
Protecting the integrity of Department of Defense (DoD) procurement activities is a top priority for the DoD Office of Inspector General’s Defense Criminal Investigative Service (DCIS). Failing to comply with DoD contract specifications and cybersecurity requirements puts DoD information and programs at risk. We will continue to work with our law enforcement partners and the Department of Justice to investigate allegations of false claims on DoD contracts.
— Special Agent in Charge Patrick J. Hegarty, DCIS Northeast Field Office
Our client expresses his admiration for, and appreciation of, the outstanding efforts of the Commercial Litigation Branch of the U.S. Department of Justice, the U.S Attorney’s Office for the District of Massachusetts, and the relevant investigating agencies for conducting a thorough and prompt investigation which led to the settlement announced yesterday.
In uniform and out, protecting the national security of the United States has been the focus of my professional career. Becoming a whistleblower was not an easy decision and one I only took when I felt I had no remaining option to protect sensitive government information. The Department of Justice should be commended for acting promptly to investigate and put an end to practices that placed sensitive government information and data at risk of loss or compromise.
–WLC Client
Whistleblower Law Collaborative commends the outstanding efforts of their client and the government prosecutors. Attorney Bruce C. Judge praised his client’s willingness to stand his ground on protecting sensitive government information. Mr. Judge also cited his client’s courage in coming forward without regard to the professional and personal risks that can attach to being a whistleblower. Mr. Judge continued,
[O]ur client drew on his extensive knowledge of the applicable cybersecurity requirements and was able to identify numerous cybersecurity gaps clearly and persuasively to government prosecutors and agents.
This settlement marks an important milestone in the government’s long-running efforts to bring about cybersecurity compliance in the Defense Industrial Base. After many years of issuing warnings and relying on self-certifications, the MORSECORP settlement sends a clear signal that government contractors who fail to implement required cybersecurity controls can expect to face significant financial penalties. It also signals that individuals who bring cybersecurity violations to the government’s attention can receive a share of the government’s ultimate recoveries.
In 2021, the Department of Justice launched its Civil Cyber-Fraud Initiative aimed at federal contractors who fail to comply with government cybersecurity requirements. In addition, the initiative targets contractors who fail to report breaches or other cybersecurity incidents.
We expect the Department of Justice, the Department of Defense, NASA, and other government agencies to continue to investigate and prosecute matters involving failure to implement required cybersecurity controls to safeguard sensitive government information and data.