
Latest FCA Cybersecurity Settlement Shows Enforcement Remains a Priority Under Trump Administration

A recent United States Department of Justice (DOJ) announcement reinforces that enforcement of cybersecurity requirements under the False Claims Act (FCA) remains an ongoing risk. According to the press release, defense contractor MORSECORP Inc. (MORSE) agreed to pay US$4.6 million to resolve an FCA matter arising from a qui tam relator’s suit alleging that MORSE failed to comply with certain U.S. Department of Defense (DOD) cybersecurity requirements. This is the most recent settlement involving DOJ cybersecurity enforcement, a topic that Foley reported on previously.

The MORSE Settlement

Qui tam relator Kevin Berich, MORSE’s Head of Security, filed an FCA complaint against MORSE and its CEO in January 2023. MORSE is a software development company that had contracts and subcontracts with the U.S. Army and Air Force. Federal regulations dictate that DOD contracts like those entered into by MORSE require implementation of cybersecurity controls outlined in the National Institute of Standards and Technology Special Publication 800-171 (NIST SP 800-171). But Mr. Berich alleged that he witnessed MORSE continually fail to implement NIST SP 800-171 controls, including by failing to use multi-factor authentication, using non-compliant email and video call-hosting services, and using employee personal devices to access MORSE systems and transmit controlled unclassified information (CUI).

Under the FCA, a qui tam complaint is filed under seal, shared with DOJ, and not shared with the defendant so that DOJ can investigate the matter. After investigating for over two years, in March 2025, DOJ announced a settlement with MORSE and Mr. Berich for US$4.6 million. According to the announcement, MORSE admitted that it:

  • Used a third-party vendor for email hosting without ensuring that vendor met the necessary security requirements.
  • Failed to implement all NIST SP 800-171 controls or maintain a system security plan for its covered information systems.
  • Submitted a self-assessed score of 104 to DOD for its NIST SP 800-171 implementation and continued to report that score even after an outside audit notified MORSE that it failed to implement 78 percent of the required security measures and had an actual score of -142.

Notably, the settlement does not indicate that there were any breaches or other compromises of CUI or other protected information; rather, the case appears to have been premised on the possibility that such breaches could occur as a result of MORSE’s sub-standard cybersecurity program.

The MORSE settlement demonstrates the risk of failing to prioritize cybersecurity controls, especially given that FCA qui tam suits can be filed by insiders such as the Head of Security who initiated the MORSE suit. The case also underscores DOJ’s ongoing focus on cybersecurity enforcement, which includes the 2021 Department of Justice Cyber-Fraud Initiative and appears to be continuing full steam ahead in the current Trump administration.

Recommendations

Given those risks, defense contractors and other recipients of federal funds (including colleges and universities) should consider the following steps to enhance cybersecurity compliance and reduce FCA risk:

  1. Catalogue and monitor compliance with all government-imposed cybersecurity standards. A first step is to ensure your organization has a comprehensive list of all cybersecurity requirements and covered systems in your organization. These requirements may come not only from prime government contracts but also subcontracts, grants, or other federal programs. This includes not only ongoing knowledge of the organization’s contracts, but also continuously monitoring and assessing the organization’s cybersecurity program to identify and patch vulnerabilities and to assess compliance with those contractual cybersecurity standards. This assessment should also consider third-party relationships, such as vendors or service providers.
  2. Develop and maintain a robust and effective compliance program that addresses cybersecurity issues. In many companies, the compliance program and information security functions are not well integrated. An effective compliance program will address cybersecurity concerns and encourage employees to report such concerns. When concerns are identified, it is critical to escalate and investigate them promptly. As the MORSE settlement illustrates, it is critical to respond to employees’ concerns effectively.
  3. Where non-compliance with cybersecurity standards is identified, organizations should evaluate potential next steps. This includes whether to disclose the matter to the government and cooperate with government investigators. Organizations should work with experienced counsel in this regard. Proactively mapping out a strategy for investigating and responding to potential non-compliance can instill discipline in the process and streamline the organization’s approach.
Disclaimer

This blog is made available by Foley & Lardner LLP (“Foley” or “the Firm”) for informational purposes only. It is not meant to convey the Firm’s legal position on behalf of any client, nor is it intended to convey specific legal advice. Any opinions expressed in this article do not necessarily reflect the views of Foley & Lardner LLP, its partners, or its clients. Accordingly, do not act upon this information without seeking counsel from a licensed attorney. This blog is not intended to create, and receipt of it does not constitute, an attorney-client relationship. Communicating with Foley through this website by email, blog post, or otherwise, does not create an attorney-client relationship for any legal matter. Therefore, any communication or material you transmit to Foley through this blog, whether by email, blog post or any other manner, will not be treated as confidential or proprietary. The information on this blog is published “AS IS” and is not guaranteed to be complete, accurate, and/or up-to-date. Foley makes no representations or warranties of any kind, express or implied, as to the operation or content of the site. Foley expressly disclaims all other guarantees, warranties, conditions and representations of any kind, either express or implied, whether arising under any statute, law, commercial use or otherwise, including implied warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall Foley or any of its partners, officers, employees, agents or affiliates be liable, directly or indirectly, under any theory of law (contract, tort, negligence or otherwise), to you or anyone else, for any claims, losses or damages, direct, indirect, special, incidental, punitive or consequential, resulting from or occasioned by the creation, use of or reliance on this site (including information and other content) or any third party websites or the information, resources or material accessed through any such websites.
In some jurisdictions, the contents of this blog may be considered Attorney Advertising. If applicable, please note that prior results do not guarantee a similar outcome.