Government Contractor Settles FCA Case Over Cybersecurity Maturity Model Certification Violations

Skadden Publication / Cybersecurity and Data Privacy Update

William E. Ridgway, David A. Simon, Tatiana O. Sullivan, Lisa Marie Rechden

On March 26, 2025, the Department of Justice (DOJ) entered into a settlement agreement with MORSECORP, Inc. (MORSE), resolving False Claims Act (FCA) allegations that MORSE submitted false claims for payment under Department of Defense (DOD) contracts between January 1, 2018, and February 28, 2023.

MORSE’s payments were conditioned, in part, on its compliance under the Defense Federal Acquisition Regulation Supplement (DFARS) and Cybersecurity Maturity Model Certification (CMMC) requirements, along with other related compliance matters for protecting controlled unclassified information (CUI).

During this time, the DOJ stated, MORSE submitted basic assessment scores in the Supplier Performance Risk System (SPRS) describing its cybersecurity policies and procedures that it knew to be incorrect and failed to update the positive score when a lower, failing score was obtained through a subsequent third-party assessment.

The settlement:

  • Signals that the Trump administration will likely continue to pursue cases against government contractors involving alleged cybersecurity misrepresentations and false statements.
  • Underscores the need to post accurate assessment scores in the SPRS.

Companies with government contracts that involve access to CUI should consider assessing their potential FCA liability for cybersecurity-related fraud and taking steps to implement controls that may help mitigate it. For example, companies should contemplate:

  • Evaluating the accuracy of any representations regarding the cybersecurity of products and services.
  • Retaining contemporaneous documentation that supports the accuracy of representations.
  • Staying abreast of cybersecurity regulatory developments and ensuring that company policies and procedures continue to meet regulatory requirements and industry best practices.
  • Adopting whistleblower best practices, including a reporting structure that facilitates the reporting of potential cybersecurity gaps and failures within the company.

Background

MORSE’s contracts with the DOD granted it access to “controlled defense information,” or unclassified sensitive information from the DOD. To protect this information against unauthorized disclosure, the contracts incorporated certain cybersecurity requirements under DFARS 252.204-7008, 252.204-7012, 252.204-7019 and 252.204-7020 and the CMMC (together, the DOD Cybersecurity Requirements).

In relevant part, the DOD Cybersecurity Requirements mandate that a contractor:

  • implement all 110 controls identified in the National Institute of Standards and Technology (NIST) SP 800-171, along with a System Security Plan (SSP) detailing its compliance with those controls; or
  • develop a plan of action and milestones (POA&M) detailing how it plans to come into compliance; and
  • accurately report its score, out of 110 controls, in SPRS.

MORSE submitted a basic assessment score of 104 on January 21, 2021, which MORSE knew to be inaccurate at the time of submission. Later, in 2022, MORSE engaged a third party to conduct a gap analysis. According to that analysis, only about 22% of the NIST controls had been implemented, meaning the reported score of 104 was false. MORSE did not correct its SPRS score until a year later, in mid-2023.

MORSE also lacked an SSP and did not flow down any mandatory cybersecurity requirements to the third-party software company it engaged to provide email hosting services for the DOD contracts.

FCA Claims and Settlement

The DOJ’s claims were premised on MORSE’s two central admissions:

  • MORSE failed to provide adequate security on all of its covered information systems, as shown in its failure to put safeguards in place for third-party technology vendors; fully implement all mandatory cybersecurity controls; and maintain a consolidated written plan for its covered information system “describing system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems,” as required by NIST SP 800-171.
  • MORSE failed to update its basic assessment score in SPRS after receiving a much lower score from the third-party gap analysis, and despite knowing that the initial score was false.

MORSE agreed to pay the United States $4.6 million, plus interest, as part of the settlement.

Implications

Although the Trump administration did not immediately signal whether it would continue to pursue FCA investigations and enforcement under the Civil Cyber-Fraud Initiative, which the DOJ launched in October 2021,[1] this settlement suggests that such matters may remain an enforcement priority.

The settlement also highlights the FCA risk that lies with SPRS scores, particularly if the DOJ identifies evidence suggesting that the company knew its score to be inaccurate. Government contractors should consider whether any internal or third-party assessments of their compliance with NIST SP 800-171 align with and support the score they have on file in SPRS.

_______________

[1] See our related client alerts DOJ Enters First Intervention in Cybersecurity Qui Tam (September 6, 2024), How Defense Contractors Can Prepare Now for CMMC Implementation (August 12, 2024) and Cyber Fraud Alleged by Former CIO for Purported Noncompliance With DoD Cyber Requirements (October 30, 2023).

This memorandum is provided by Skadden, Arps, Slate, Meagher & Flom LLP and its affiliates for educational and informational purposes only and is not intended and should not be construed as legal advice. This memorandum is considered advertising under applicable state laws.