Listen to the article
Department of Justice Settles $4.6 Million Cybersecurity Fraud Case with MORSECORP
The U.S. Department of Justice has reached a $4.6 million settlement with MORSECORP, Inc. over allegations that the defense contractor submitted false claims regarding its cybersecurity compliance on Department of Defense contracts spanning from 2018 to 2023.
According to the settlement agreement announced on March 26, 2025, MORSECORP knowingly provided incorrect cybersecurity assessment scores in the Pentagon’s Supplier Performance Risk System (SPRS) and failed to update these scores when subsequent third-party evaluations revealed significant compliance deficiencies.
The case centers on MORSECORP’s handling of controlled unclassified information (CUI) received through defense contracts. Federal regulations require contractors with access to such sensitive information to implement rigorous cybersecurity protocols under the Defense Federal Acquisition Regulation Supplement (DFARS) and Cybersecurity Maturity Model Certification (CMMC) frameworks.
“MORSECORP submitted a basic assessment score of 104 out of 110 in January 2021, despite knowing this score was inaccurate,” a Justice Department spokesperson said. When the company later commissioned a third-party gap analysis in 2022, the assessment revealed that MORSECORP had implemented only about 22% of required security controls—a significant discrepancy from its self-reported score.
Investigators found that MORSECORP waited approximately a year before correcting its score in mid-2023, during which time the company continued receiving payments on defense contracts. The DOJ also noted that MORSECORP failed to maintain a required System Security Plan and did not extend cybersecurity requirements to third-party vendors handling sensitive information.
This settlement marks one of the first major cybersecurity fraud cases resolved under the Trump administration, suggesting continued enforcement of the Civil Cyber-Fraud Initiative launched in October 2021. The initiative uses the False Claims Act to pursue government contractors who misrepresent their cybersecurity capabilities or fail to report breaches.
Defense industry analysts note that the case could have significant implications for the approximately 80,000 defense contractors currently subject to DFARS cybersecurity requirements.
“This settlement sends a clear message that the administration intends to hold contractors accountable for cybersecurity misrepresentations,” said Eleanor Richards, a cybersecurity compliance expert at Georgetown University. “Companies can’t simply check boxes on compliance forms—they need to implement and maintain these critical protections.”
The MORSECORP case highlights growing concerns about supply chain security in defense contracting. The company’s failure to enforce cybersecurity requirements on third-party vendors represents a common weakness across the defense industrial base, according to a recent report from the Government Accountability Office.
In light of the settlement, cybersecurity experts recommend that government contractors take several proactive measures: evaluate the accuracy of cybersecurity representations, maintain thorough documentation supporting compliance claims, stay current with regulatory developments, and establish robust internal reporting structures for potential security gaps.
The Pentagon has been tightening cybersecurity requirements for contractors since 2017, with the CMMC program representing the latest evolution in these efforts. Under these regulations, contractors must not only implement security controls but also regularly assess and report their compliance levels.
While MORSECORP has agreed to the financial settlement, the company did not admit liability. The contractor has reportedly implemented comprehensive cybersecurity improvements and established an enhanced compliance program in response to the investigation.
The case was initially brought to light through internal whistleblower channels, underscoring the importance of reporting mechanisms within defense contractors for identifying potential compliance issues before they escalate into federal investigations.
Fact Checker
Verify the accuracy of this article using The Disinformation Commission analysis and real-time sources.
5 Comments
Cybersecurity requirements for government contractors continue to evolve and become more stringent. Companies need to stay on top of these regulations and accurately report their compliance status. This case highlights the need for robust internal controls and auditing processes.
Absolutely. Self-reporting and honesty are essential. Cutting corners on security can have serious consequences, both legally and in terms of national security.
This is a concerning case of a defense contractor misleading the government on its cybersecurity compliance. Proper controls over CUI are critical, especially for sensitive military contracts. I hope this settlement sends a strong message about the importance of honesty and transparency in such matters.
Agreed. Contractors must be held accountable for false claims, as it undermines trust and the integrity of the procurement process.
A $4.6 million settlement is a significant penalty. While it may sting for MORSECORP, the real cost could be the damage to their reputation and future business opportunities. Maintaining a strong cybersecurity posture is not just a compliance issue, but a matter of trust with government clients.