US gov’t defense contractor fined $4.5M, failed to secure even basic email communications, DOJ says


US Defense Department (DoD) contractor MORSE Corp will have to cough up $4.5 million as part of a settlement announced Wednesday by the feds after failing to meet even the bare minimum security controls required in its US military contracts.

According to the allegations, MORSE (Mission Oriented Rapid Solution Engineering), which currently benefits from nearly half a dozen US defense contracts worth hundreds of millions of dollars, knowingly made false claims that it was compliant with the strict security standards required by its contracts with the US Army and US Air Force, violating the False Claims Act.

The US Justice Department (DoJ) settlement said that from January 2018 to February 2023, MORSE had not fully implemented the security controls as required in the government contract's security plan based on the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171.

The lack of proper security controls left the company's network vulnerable to significant exploitation and the possible exfiltration of controlled defense information and other sensitive data, the DoJ said.

“Failure to implement cybersecurity requirements can have devastating consequences, leaving sensitive DoD data vulnerable to cyber threats and malicious actors,” said Special Agent in Charge William W. Richards of the Air Force Office of Special Investigations (AFOSI).

Cybersecurity lapses and false claims

Among the more egregious allegations, the DoJ found that between January 2018 and September 2022, MORSE used an unnamed third-party email hosting provider without ensuring it met DoD security compliance, leaving sensitive military data vulnerable to various cyber threats.

Another of the striking findings was MORSE’s inaccurate self-assessment of its cybersecurity posture.

In January 2021, the company reported a security compliance score of 104 to the DoD, out of a possible top score of 110. However, a third-party audit in July 2022 revealed the actual score was -142.

Furthermore, MORSE did not correct the score in the DoD’s reporting system until June 2023, months after receiving a federal subpoena regarding its cybersecurity practices. For reference, the lowest possible NIST SP 800-171 security rating score is -203.

The DoJ said that, on top of the above violations, from January 2018 to January 2021, MORSE did not have a consolidated written plan for each of its covered information systems describing system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.

The insecure email network was additionally non-compliant with the requirements of the Federal Risk and Authorization Management Program Moderate baseline for cyber incident reporting, malicious software, media preservation and protection, forensic analysis reporting, and cyber incident damage assessment, it said.

Risk to sensitive military operations

With a tagline of “Bringing technology to the tactical edge,” the aerospace engineering-rooted firm develops leading-edge vehicle and navigation technology through algorithmic and machine learning to enhance “battlefield effectiveness for warfighters in complex situations,” according to its website.

Headquartered in Cambridge, Massachusetts, with a second location just opened in Arlington, Virginia, MORSE Corp won two massive defense technology contracts with the US Army last August.

The contracts, worth over $66.7 million and $49.9 million, respectively, were awarded to modernize the US Army’s data and software engineering capabilities and US Army advanced technology development.

An additional ongoing $45 million US Army contract for advanced testing and evaluation of AI and machine learning algorithms, as well as a $241 million contract for developing AI build and data preparation systems for the Pentagon’s Joint Artificial Intelligence Center (JAIC), were awarded back in 2022 – all while the security deficiencies were allegedly being addressed.

“We’re committed to protecting the warfighter and maintaining the Army’s operational readiness while holding those who engage in such acts accountable,” said Special Agent in Charge Keith K. Kelly of the Department of the Army Criminal Investigation Division Fraud Field Office.

Due to the lack of compliance with the NIST framework, the DoD considered any financial payments made to the company and any bills submitted during the above timeframes fraudulent, as it said MORSE was well aware it was in violation of its contractual obligations.

Under the settlement agreement, MORSE admitted to the failings and accepted responsibility. The case highlights growing federal scrutiny over cybersecurity compliance in government contracts, particularly as cyber threats against military and defense-related networks continue to rise.

A whistleblower who alerted the DoJ to the fraud will receive an $851,000 share of the settlement amount.