ARTICLE
21 April 2025

Key Takeaways From DOJ's Continued Cybersecurity Enforcement

Bass, Berry & Sims

Bass, Berry & Sims is a national law firm with nearly 350 attorneys dedicated to delivering exceptional service to numerous publicly traded companies and Fortune 500 businesses in significant litigation and investigations, complex business transactions, and international regulatory matters. For more than 100 years, our people have served as true partners to clients, working seamlessly across substantive practice disciplines, industries and geographies to deliver highly-effective legal advice and innovative, business-focused solutions. For more information, visit www.bassberry.com.

On March 25, the U.S. Department of Justice (DOJ) announced a $4.6 million settlement with MORSECORP, Inc. (MORSE) over its alleged failures to satisfy cybersecurity requirements for federal defense contractors.

Qui Tam Complaint

The case began in January 2023, when MORSE's Head of Security and Facility Security Officer filed a qui tam complaint under the False Claims Act alleging that MORSE and its CEO fraudulently induced the federal government to award contracts worth tens of millions of dollars by making false representations about its cybersecurity compliance. According to the complaint, MORSE's senior executives knew of the "chronic failure" to comply with the Department of Defense (DoD)'s cybersecurity requirements but chose not to devote resources to achieving compliance, which gave MORSE a competitive advantage over contractors that did expend such resources. The alleged compliance failures also rendered MORSE ineligible to perform the required work.

Alleged Compliance Failures

The complaint alleged several categories of cybersecurity compliance failures under MORSE's DoD contracts, including:

  1. Use of Non-Compliant Third-Party Services. The complaint alleged MORSE used a third-party company to host its emails without ensuring that the third party met security requirements equivalent to the Federal Risk and Authorization Management Program (FedRAMP) baseline. MORSE also allegedly used non-compliant cloud data storage services for records containing controlled unclassified information (CUI) and conducted video calls discussing CUI on a non-compliant video call hosting service.
  2. Failure to Implement Cybersecurity Controls. The complaint alleged that MORSE failed to implement several "basic" cybersecurity controls, including controls from the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 for the protection of CUI relating to access, audit and accountability, identification and authentication, system and information integrity, configuration management, security assessment, system and communications protection, and incident response.
  3. Lack of Consolidated Written Plans. The complaint alleged that MORSE did not have a consolidated written plan for each of its covered information systems describing system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.
  4. Provision of Vulnerable and Unsecure Software. The complaint alleged that MORSE failed to develop, implement, or employ software development techniques to promote effective information security. The company incorporated existing software programs from multiple open sources without regard to security vulnerabilities, resulting in the sale and supply of vulnerable and unsecure software to the DoD.

False Claims and Statements

While the False Claims Act is often referred to as the government's best and most utilized tool for combatting fraud and abuse, it is not "an all-purpose antifraud statute, or a vehicle for punishing garden-variety breaches of contract or regulatory violations." See Universal Health Servs., Inc. v. United States ex rel. Escobar, 579 U.S. 176, 194 (2016). The defendant must knowingly submit a false claim or make a false statement to the government for payment. The complaint alleged several ways in which MORSE made false claims or statements to the government:

  1. False Representations in Contract Bids. The complaint alleged that MORSE made repeated false representations to the DoD concerning its compliance with cybersecurity requirements, including claims of compliance with NIST SP 800-171 and other DFARS clauses, to fraudulently induce the government to award contracts.
  2. False Statements to Prime Contractors. The complaint alleged that MORSE made false statements to prime contractors about its internal cybersecurity measures and compliance with DoD assessment requirements, which caused prime contractors to submit false and fraudulent claims and records to the federal government.
  3. Submission of False Cybersecurity Assessment Scores. The complaint alleged that MORSE submitted false cybersecurity assessment scores to the DoD's Supplier Performance Risk System (SPRS), and that, after learning of the inaccuracy from a third-party cybersecurity consultant, MORSE delayed updating its score in the SPRS, continuing to mislead the DoD about its cybersecurity compliance.

Settlement

On March 14, the parties entered into a Settlement Agreement resolving the qui tam case. Under the terms of the settlement, MORSE agreed to pay $4.6 million to resolve the allegations of violating the False Claims Act. The settlement included admissions of responsibility for MORSE's (1) use of the unsecure third-party email hosting, (2) failure to implement NIST SP 800-171 cybersecurity controls, (3) lack of consolidated written system security plans, and (4) failure to update and correct its self-assessment score until after receiving a subpoena from the United States. Under the settlement agreement, the relator received 18.5% of the settlement amount plus expenses, attorneys' fees, and costs.

Key Takeaways

This settlement offers a few key takeaways:

  1. Respond to Internal Concerns. Often, whistleblowers raise issues outside of the company in the form of a qui tam complaint after they have already raised issues internally and those concerns were seemingly ignored. When concerns are raised internally, it is always worthwhile to provide some assurance to the employee that his or her concerns are being addressed. Here, the complaint alleges that within a short time of working at MORSE, the whistleblower witnessed multiple cybersecurity violations and raised concerns with the COO and CEO. After allegedly disregarding those concerns, MORSE eventually retained an independent outside auditor to evaluate the company's cybersecurity compliance. But despite retaining the auditor, the company allegedly failed to take any steps to remediate or inform the government of an accurate cybersecurity assessment score based on the outside auditor's findings. Even if the independent review had not supported the whistleblower's concerns or the company disagreed with the report's findings, providing an update to a concerned employee at the end of an investigation often ensures that the employee feels that she has a voice and that it is valued.
  2. Don't Bury Your Head in the Sand. This settlement emphasizes that the government considers a knowing failure to disclose accurate information to be the same as making a false statement. According to the government, MORSE was liable under the False Claims Act not just for submitting the initial inaccurate self-assessment, but also for failing to timely update its score after receiving the independent auditor's report. This is a reminder to any company making certifications of compliance to the government of the need to timely update its submissions or make self-disclosures where appropriate to the extent it learns new information that might affect a prior representation to the government.
  3. Consider Cooperation with the Government. Often, companies ask whether they may take advantage of the benefits of significant cooperation credit or self-disclosure after being contacted by the DOJ or served with a CID or subpoena. This settlement demonstrates that, although self-disclosure is not an option once the government has notified the company of its investigation, in some instances, cooperation can still prove fruitful. Here, MORSE made various admissions and accepted responsibility as it relates to the conduct included in the Settlement Agreement. Although MORSE appears to have paid double the restitution amount of $2.3 million (which is reasonable under the circumstances), the qui tam complaint identified more than $100 million in potentially problematic contracts where MORSE was the sub- or prime contractor. Arguably, MORSE and the DOJ reached a more amicable resolution because MORSE was willing to admit and take responsibility for at least some of the alleged conduct (although admittedly we do not have visibility into their settlement discussions). Under the right circumstances, cooperation can allow for greater collaboration between the government and the company—companies can more credibly shape the damages and liability discussion.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
