On March 26, 2025, the United States Department of Justice (DOJ) announced that it had reached an agreement with MORSECORP Inc. (MORSE) to settle alleged violations of the False Claims Act (FCA), specifically regarding MORSE’s cybersecurity program. The DOJ and MORSE—a government contractor that provides services to both the Departments of the Army and Air Force—agreed to a settlement of $4.6 million, with 18.5% (equating to $851,000) of the settlement agreement being provided to the qui tam relator (i.e., the whistleblower who brought the FCA case).
The DOJ contended that the claims for payment MORSE submitted to the Departments of the Army and Air Force between January 1, 2018 and February 28, 2023 were false or fraudulent because MORSE violated a number of contractual and regulatory requirements. Specifically, MORSE admitted to the following:
- MORSE failed to ensure that its third-party software-as-a-service (SaaS) email hosting provider met the FedRAMP Moderate baseline requirements, as required by DFARS 252.204-7012(c)-(g), between January 1, 2018 and September 30, 2022 (when MORSE contracted with the third party).
- MORSE did not fully implement all cybersecurity controls in NIST SP 800-171 between January 1, 2018 and February 28, 2023.
- Between January 1, 2018 and January 21, 2021, MORSE failed to maintain a “consolidated written plan for each of its covered information systems describing system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems”—commonly referred to as a system security plan or “SSP”.
- On January 21, 2021, MORSE submitted a NIST SP 800-171 summary level basic assessment score of 104 (scores can range from a high of 110 to a low of -203) for its implementation of NIST SP 800-171 security controls to the Department of Defense’s Supplier Performance Risk System (SPRS). But MORSE learned, after engaging a third-party vendor to conduct a cybersecurity gap analysis, that as of July 27, 2022, MORSE had only implemented 22% of NIST 800‑171 controls and that its summary score was in fact -142 (minus 142). MORSE did not update its score until June 14, 2023, “when it submitted in SPRS a third-party score of 57, followed by third-party scores of 82 in October 2023 and 110 in May 2024.”
The FCA, codified at 31 U.S.C. §§ 3729 – 3733, establishes penalties for any person who “knowingly presents, or causes to be presented, a false or fraudulent claim for payment or approval” by the federal government. Any person who violates the FCA may be liable for three times the government’s damages plus a penalty that is linked to inflation. The government contends that this includes—in instances where federal regulations require government contractors to meet specified cybersecurity standards—a contractor knowingly submitting a materially false attestation of compliance with governing cybersecurity standards. For example, in the MORSE case, the DOJ alleged that MORSE had submitted a summary level basic assessment score of 104, even though it knew that it did not meet enough controls to sufficiently reach that score.
The MORSE settlement demonstrates a continued trend by the DOJ to make compliance with federal cybersecurity regulations for government contractors a priority, and to use noncompliance as the basis for FCA claims. For example, on February 18, 2025, the DOJ announced that it had reached a settlement agreement with Centene Corporation (Centene) and its subsidiary Health Net, Inc. (Health Net) based on allegations under the False Claims Act. Centene and Health Net, although denying the DOJ’s allegations of failing to comply with NIST 800-171, agreed to pay $11,253,400 to settle the allegations. Other notable examples include a September 2023 lawsuit that the DOJ filed against the Pennsylvania State University (Penn State)—which was settled in October of 2024 for a penalty of $1.25 million—for Penn State’s alleged failure to adequately safeguard DoD data. Moreover, in September of 2024, the DOJ intervened in a qui tam action against Georgia Institute of Technology (Georgia Tech), alleging that Georgia Tech had submitted false summary scores demonstrating its compliance with the NIST SP 800-171 standard.
As for the MORSE case, the United States Attorney for the District of Massachusetts Leah B. Foley affirmed that “[f]ederal contractors must fulfill their obligations to protect sensitive government information from cyber threats,” and that the DOJ “will continue to hold contractors to their commitments to follow cybersecurity standards to ensure that federal agencies and taxpayers get what they paid for, and make sure that contractors who follow the rules are not at a competitive disadvantage.”
Alston’s Privacy, Cyber, and Data Strategy and False Claims Act teams will continue to actively monitor cases in this space.