A US defense contractor will cough up $4.6 million to settle complaints it failed to meet cybersecurity requirements on military contracts and knowingly submitted false claims for payment.
Massachusetts-based MORSE Corp admitted [PDF] to a series of cybersecurity failures in its dealings with the US Army and Air Force. The issues came to light after the company's former head of security brought a whistleblower lawsuit against the corporation on behalf of the government under the False Claims Act.
MORSE's cybersecurity lapses were numerous, according to federal prosecutors, and ranged from missteps in cloud security to fudged compliance scores.
As early as 2018, the biz – which develops guidance and navigation tech for military vehicles – used a third-party provider to host its email without ensuring the vendor met the FedRAMP Moderate baseline, as required, say prosecutors. Additionally, the contractor failed to confirm the email provider followed Pentagon rules for incident reporting, malware handling, forensic access, and media preservation, we're told.
On top of that, MORSE, which also wins contracts like this $67M one last year for "data and software engineering" support for the US Army, neglected to fully implement all required NIST cybersecurity control rules, including measures that "if not implemented, could lead to significant exploitation of the network or exfiltration of controlled defense information," per the Feds.
And between 2018 and early 2021, the company had no comprehensive written security plans for its systems, despite contract requirements to document system boundaries, configurations, and external connections, prosecutors added.
Even more damning was how MORSE handled its cybersecurity self-assessment scores, as the Feds tell it.
According to the settlement, Department of Defense contractors are required to report scores for their implementation of NIST Special Publication 800-171 - a framework for safeguarding sensitive data - on a scale from a catastrophic -203 to a perfect 110. In January 2021, MORSE submitted a score of 104 to the DoD via its Supplier Performance Risk System (SPRS).
But in May 2022, MORSE hired a third-party cybersecurity consultant to double-check its posture, and the results weren't just a little off, it's said. "On July 27, 2022, the third-party cybersecurity consultant notified MORSE of its summary level score of -142 for its implementation of NIST SP 800-171 security controls," the settlement revealed. It's understood the consultant told MORSE it had only implemented 22 percent of the required controls.
However, the outfit didn't update its SPRS score until June 2023 — several months after it had been served a federal subpoena over concerns about its IT security, we're told.
As part of the settlement, MORSE is handing back $4.6 million to the Feds, and $851,000 of that is going to the ex-employee who blew the whistle. Specifically, the biz was accused of making false claims for payment, in that it took government funding while not being up to par.
"Becoming a whistleblower was not an easy decision and one I only took when I felt I had no remaining option to protect sensitive government information," the whistleblower said in a statement through his lawyers.
"The Department of Justice should be commended for acting promptly to investigate and put an end to practices that placed sensitive government information and data at risk of loss or compromise."
One wonders if this will affect MORSE's future dealings with Uncle Sam.
A spokesperson for MORSE told us in a statement: "MORSE Corp did not engage in cybersecurity fraud; this settlement was a resolution of historic false claims act allegations."
They went on:
..... -- / -- .. --. .... - / .--- ..- ... - / -... . / .- / -.-. --- ... - / --- ..-. / -.. --- .. -. --. / -... ..- ... .. -. . ... ... .-.-.- ®