On March 26, 2025, the Department of Justice (DOJ) announced that defense contractor MORSECORP Inc. (MORSE) will pay $4.6 million to settle allegations that MORSE violated the False Claims Act (FCA) by failing to comply with cybersecurity requirements and subsequently submitting false or fraudulent claims for payment in its contracts with the Departments of the Army and Air Force. This is the first FCA settlement that is based on a defense contractor’s failure to reevaluate and promptly update its self-assessment score in the Supplier Performance Risk System (SPRS) after a third-party assessment resulted in a lower score.

The settlement resolves allegations in United States ex rel. Berich v. MORSECORP, Inc., et al., No. 23-cv-10130-GAO (D. Mass.), which was initiated by MORSE’s head of security and facility security officer. In the qui tam complaint, the relator alleged that MORSE did not satisfy the requirements of Defense Federal Acquisition Regulation Supplement (DFARS) clauses 252.204-7008, 252.204-7012, 252.204-7019 and 252.204-7020 made false statements concerning cybersecurity practices and policies and provided the government with false cybersecurity assessment information to induce the award of government contracts and payments thereunder. DFARS clauses 252.204-7008 and 252.204-7012 generally require that Department of Defense (DoD) contractors provide “adequate security” on all covered contractor information systems by implementing National Institute of Standards and Technology (NIST) Special Publication 800-171 and that contractors use external cloud service providers that meet security requirements established by the Federal Risk and Authorization Management Program (FedRAMP). DFARS clauses 252.204-7019 and 252.204-7020 require DoD contractors to submit summary level scores based on NIST SP 800-171 assessments in SPRS. These scores can range from -203 to 110.

The relator, who was familiar with MORSE’s information systems and cybersecurity practices and procedures, alleged that within weeks of arriving at MORSE, he witnessed multiple violations of DFARS cybersecurity requirements and raised concerns with several senior executives, including the COO and CEO. After allegedly disregarding those concerns on multiple occasions, MORSE eventually agreed to retain an outside auditor to evaluate the company’s cybersecurity compliance. However, the relator alleged that the company failed to take any steps to remediate its non-compliances or post an accurate cybersecurity assessment score after receipt of a detailed report confirming that Morse was out of compliance with 78% of the cybersecurity controls required by NIST SP 800-171.

As part of the settlement, MORSE admitted, acknowledged, and accepted responsibly for the following facts, which allegedly violated the cybersecurity requirements in the DFARS:

First, MORSE used a third-party service for email hosting that did not meet security requirements equivalent to the FedRAMP Moderate baseline and the requirements set forth in DFARS 252.204-7012(c)-(g). (DOJ’s $1.25 million settlement with Pennsylvania State University in October 2024 included similar allegations.) 

Second, MORSE did not fully implement the 110 security controls in NIST SP 800-171.

Third, MORSE did not have a consolidated written plan, otherwise known as a systems security plan (SSP), for each of its covered information systems, describing system boundaries and documenting compliance with the NIST SP 800-171 controls.

Fourth, MORSE failed to update its SPRS score in a timely manner after third-party consultants notified the company that its SPRS score was significantly lower than reported. Specifically, in 2021, MORSE submitted a SPRS score of 104, which represents almost perfect compliance and full implementation of the NIST SP 800-171 security controls. However, in July 2022, MORSE engaged a third-party cybersecurity consultant to perform a gap analysis of its control implementation, which resulted in a summary-level score of -142. MORSE did not update its score until June 2023, three months after the government served MORSE with a subpoena concerning its cybersecurity practices.

Key Takeaways

1. While there is no express requirement to reevaluate and update a SPRS score upon receipt of third-party assessment results, significant differences between a self-assessed and third-party score should not be ignored. Failing to maintain accurate information in SPRS remains a key area of FCA liability risk.
2. Contractors who did not update their information in SPRS after engaging in CMMC-preparedness, readiness assessments, or other gap analysis projects that resulted in a lower SPRS score than originally reported, and subsequently received contract awards that included the relevant DFARS clauses, should consider whether a proactive disclosure is warranted.
3. Contractors should also consider whether to conduct third-party cybersecurity assessments under attorney-client privilege to minimize the risk of assessment findings being used against the contractor in a government investigation or litigation.
4. Companies should be mindful of their compliance with all contractual provisions relating to cybersecurity, which may include the traditional implementation of security controls, generating documentation that summarizes control implementation, and the use of compliant cloud service providers.
5. Contractors should take concerns about their cybersecurity compliance from all personnel seriously and ensure that employees feel heard. This settlement resolves the seventh Civil Cyber-Fraud Initiative (CCFI) action brought under the qui tam provisions of the FCA, highlighting DOJ’s continued reliance on whistleblowers and relators to pursue recoveries under this initiative.