RGCI - Another False Claim for not Accurately Reporting NIST Score in the SPRS

The Department of Justice (DOJ) implemented an initiative to pursue cybersecurity fraud in 2021 (see our article on DOJ Initiative on Cyber Security Incident Reporting), and it is apparently working.

Morse Corporation’s False Claims Act Settlement

On March 26, 2025, Morse Corporation entered into a settlement agreement with the United States to pay $4.6 million for violating the False Claims Act (FCA) on Air Force and Army contracts. The DFARS clauses 252.204-7008, 252.204-7012, 252.204-7019, and 252.204-7020 were included in its government contracts.

DFARS Cybersecurity Requirements for Contractors

As we all know, DFARS 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting and DFARS 252.204-7020 NIST SP 800-171 DoD Assessment Requirements require contractors to:

In addition, Morse used an external provider for its email from 2018 to 2023; such a provider is required to be approved by the Federal Risk and Authorization Management Program (FedRAMP).

Compliance Failures Identified at Morse Corporation

In 2021, Morse submitted its NIST score of 104 in the SPRS system. NIST scores range from -203 to 110, with 110 being the highest. In 2022, an outside consultant informed Morse that its score was actually -142. The head of security at Morse informed senior executives of the violations of DFARS requirements, and the company failed to take steps to correct the noncompliance.

Qui Tam Suit Filed by Former Employee

A Qui Tam suit was filed (yes, by a former employee), asserting that the company failed to update its current NIST score, have a system security plan, and implement controls, and that it used an external email provider that was not FedRAMP-approved.

Key Takeaways

The DOJ is actively focused on cybersecurity violations. Employees can file whistleblower (Qui Tam) suits and be paid a portion of the damages or settlement amount, which can be tempting for current and former employees. We have seen quite a few FCA cases result from a fired employee who reported the deficiencies to management.

Contractors need to ensure that their NIST scores are accurate in the SPRS system and updated if the score changes. A system security plan must be in place. Contractors that use external cloud service providers must ensure they are FedRAMP-approved.

Support for Cybersecurity Compliance

Redstone GCI can provide our clients with more information and guidance when working with established industry-leading partners who can assist in fulfilling numerous cybersecurity compliance requirements, including but not limited to penetration testing, incident response, security assessments, and POA&M development and resolution. Redstone GCI and our trusted partners can bring you a complete solution by ensuring cyber security policy and flow-down requirements are accomplished, including but not limited to purchasing policy requirements. We would be happy to be part of your team.

Written by Lynne Nalley, CPA

Lynne is a Director with Redstone Government Consulting, Inc. providing government contract consulting services to our clients primarily related to Commercial Item Determinations and support, Cost Accounting Standards, DFARS Business System Audits, Proposals, and Incurred Cost. Prior to joining Redstone Government Consulting, Lynne served in several capacities with DCAA and DCMA for over 35 years.

Professional Experience

Lynne began her career working with DCAA in the Honeywell Resident Office, Clearwater, FL in 1984. Lynne’s experience included various positions which involved conducting or reviewing forward proposals or rate audits, financial capability audits, progress payments, accounting and estimating systems, cost accounting standards, claims and disclosure statement reviews. She is an expert in FAR, DFARS, CAS and testified as an expert witness. Lynne assisted in drafting the commercial item guidance for DCAA Headquarters. Lynne was assigned as a Regional Technical Specialist where she provided guidance to 20 field offices on highly complex or technical issues relative to forward pricing, financial capability or progress payment issues. As an Assistant for Quality, she was involved in reviewing and ensuring audit reports were in compliance with policy and GAGAS as well as made NASBA certified presentations to the staff including but not limited to billing reviews, CAS, unallowable cost and progress payments.

To enhance her experience in government contracting, Lynne accepted a position with DCMA in 2015 as part of the newly organized DCMA Cadre of Experts in the Commercial Item Group. This included performing reviews of prime contractor’s assertions and/or commercial item determinations as well as performing price analyses. Lynne was a project lead and later became a lead analyst where she engaged with the buying commands on requests and reviewed price analysis reviews performed by a team of 5 analysts. She also assisted the DCMA CPSR team relative to commercial items and co-instructed the Commercial Item Training presented to DCMA.

Education

Lynne earned a Bachelor of Science Degree in Accounting from the University of Central Florida.

Certifications

State of Florida Certified Public Accountant

State of Alabama Certified Public Accountant

Defense Acquisition Workforce Improvement Act (DAWIA) Level III – Auditing

DAWIA Level III – Contracting

About Redstone GCI

Redstone GCI is a consulting firm focused on fulfilling the needs of government contractors in all areas of compliance. With a singular mission to help contractors through the multiple layers of “red tape,” we allow contractors to focus on what they do best – support their mission with the U.S. Government. We are home to a group of consultants made up of GovCon industry professionals, CPAs, attorneys, and retired government audit and acquisition professionals.

Our focus and knowledge of audit and compliance functions administered by DCAA and DCMA will always be at the heart of what we do. However, for the past decade, we’ve strategically grown to support other areas of the government contractor back-office with that same level of focus and expertise. We’ve added expertise in contracts management, subcontract administration, proposal pricing, various software systems, HR and employment law, property administration, manufacturing, data analytics/reporting, Grant specialists, M&A, and many other areas. When we see a trend in the needs of contractors, we act to ensure we can provide the best expertise in the market to fulfill those needs.

One thing our clients can be certain of is that with the Redstone GCI Team in your corner, there is no problem too big and no issue too technical for our team to tackle.
