DOJ Cybersecurity Crackdowns & FCA Liability Signal a New Era of Enforcement
As the cybersecurity threat landscape continues to escalate, government contractors—especially those working with the Department of Defense (DOD)—are finding themselves under increasing scrutiny. In a landmark development, the U.S. Department of Justice (DOJ) recently announced a $4.6 million False Claims Act (FCA) settlement with a defense contractor, MORSECORP, Inc. (MORSE), for failing to comply with DOD-mandated cybersecurity requirements.
This case is not just another compliance story—it’s a wake-up call for every organization in the Defense Industrial Base (DIB) and beyond. It’s also a strong signal that non-compliance with DFARS and NIST 800-171 is no longer just a technical failure—it can trigger serious civil liability, damage to reputation, and significant financial penalties.
In this blog post, we’ll break down the MORSE case, explain the cybersecurity regulations involved, and provide actionable steps contractors can take to avoid becoming the DOJ’s next target.
Why Cybersecurity Non-Compliance Now Comes With a $4.6M Price Tag
The Department of Justice’s Civil Cyber-Fraud Initiative, launched in October 2021, empowers the DOJ to use the False Claims Act to pursue contractors who knowingly misrepresent their cybersecurity posture while seeking government payments. In short, if a contractor falsely certifies that they’re compliant with DOD cybersecurity rules, and then invoices the government, they may be liable under the FCA.
That’s exactly what happened with MORSE.
According to the DOJ’s press release, MORSE:
- Used a third-party email provider that did not meet FedRAMP or DFARS 252.204-7012(c)-(g) requirements.
- Failed to implement all of the NIST SP 800-171 controls required under its contracts.
- Lacked formal, written cybersecurity plans for the covered contractor systems.
- Misrepresented its cybersecurity readiness by posting an inaccurate SPRS score (104) to the Supplier Performance Risk System—while a third-party consultant assessed the true score as -142.
Worse yet, MORSE failed to update its inaccurate score for nearly a year—even after discovering the discrepancy. The company only corrected the SPRS entry three months after being notified of a DOJ investigation.
This case highlights a powerful message: Cybersecurity enforcement is real, and it’s here to stay.
Understanding the Cybersecurity Rules That Contractors Must Follow
To make sense of the MORSE case, contractors must first understand the key frameworks and regulations they are required to comply with when working with the DOD:
1. DFARS 252.204-7012 and 252.204-7008
These clauses appear in most DOD contracts and require contractors to protect Controlled Unclassified Information (CUI) on their internal information systems. Among the core mandates:
- Implement security requirements specified in NIST Special Publication 800-171.
- Report cyber incidents within 72 hours to the DOD.
- Use only cloud service providers that are FedRAMP Moderate or High authorized.
- Flow down these requirements to subcontractors.
Failure to comply with these clauses constitutes non-performance under the contract, and as the MORSE case shows, may also violate the False Claims Act.
2. NIST SP 800-171
This is the technical backbone of DOD cybersecurity expectations. NIST 800-171 outlines 110 controls across 14 control families, covering areas such as:
- Access control
- Audit and accountability
- Configuration management
- Incident response
- System and information integrity
Organizations must not only implement these controls but also document their status in a System Security Plan (SSP) and, where gaps exist, track remediation in a Plan of Action and Milestones (POA&M).
3. Supplier Performance Risk System (SPRS)
Contractors must submit their NIST 800-171 self-assessment scores to SPRS. The score ranges from -203 (non-compliant) to 110 (fully compliant). False or misleading entries in SPRS are considered material misrepresentations, as they can affect contract awards and government oversight decisions.
What Makes the MORSE Case So Significant?
The settlement is not just a one-off penalty—it represents a broad trend of government enforcement under the DOJ Civil Cyber-Fraud Initiative, and it’s likely just the tip of the iceberg.
1. Public Acknowledgement of Failures
MORSE admitted to failures that many contractors are guilty of but have not yet been penalized for—like outsourcing email to non-FedRAMP providers or delaying updates to SPRS scores. The DOJ is clearly stating that ignorance, negligence, or delay is no longer an acceptable excuse.
2. Reliance on Third Parties is Not a Defense
Even though MORSE relied on a third-party cloud provider, the company was still held liable for ensuring compliance. This aligns with DOD’s clear position: Contractors are responsible for the cybersecurity of their entire ecosystem—including subcontractors and service providers.
3. Enforcement is Now Backed by Whistleblowers
The DOJ’s cyber-fraud cases often rely on information from internal whistleblowers via the FCA’s qui tam provisions, which allow insiders to report violations and share in any recovered funds. If your cybersecurity house isn’t in order, your own employees may turn into government witnesses.
Is Your Company at Risk? 10 Questions Every DOD Contractor Must Ask
If your company handles DOD contracts or Controlled Unclassified Information (CUI), you need to assess your cybersecurity posture today. Ask yourself:
- Have we implemented all 110 controls from NIST 800-171?
- Is our System Security Plan (SSP) current and thorough?
- Do we maintain an up-to-date Plan of Action and Milestones (POA&M)?
- Are our cloud providers FedRAMP authorized, and have we flowed the DFARS clauses down to our subcontractors?
- Have we submitted an accurate SPRS score—and updated it regularly?
- Do we have documentation to back up our SPRS claims?
- Have we trained staff on DFARS and CUI handling procedures?
- Are we monitoring for cyber incidents and reporting within 72 hours?
- Have we undergone a third-party gap assessment?
- Are we proactively preparing for CMMC Level 2 certification?
If you answered “no” or “not sure” to any of the above, your company may be vulnerable to DOJ enforcement, contractual penalties, or debarment.
How to Protect Your Company: Steps to Achieve and Maintain Compliance
Navigating the DOD’s evolving cybersecurity requirements can be complex, but there are clear actions contractors can take to stay on the right side of the law.
Step 1: Conduct a Gap Assessment
Start with a comprehensive NIST 800-171 assessment, either internally or via a qualified third-party provider. Identify where your controls fall short and quantify your current compliance score.
Step 2: Update Your System Security Plan (SSP)
Your SSP is your cybersecurity blueprint. It should include:
- An inventory of covered systems
- Implementation status of each NIST control
- Roles and responsibilities
- Security architecture and configurations
Outdated or vague SSPs are a red flag during audits or investigations.
Step 3: Maintain a Realistic POA&M
A Plan of Action and Milestones is not a weakness—it’s a sign of awareness and progress. But it must be specific, time-bound, and updated frequently.
Step 4: Vet Third-Party Providers
Do not assume your cloud service provider or MSP is compliant. Request FedRAMP authorization documents and flow down DFARS clauses in all contracts. Document your due diligence.
Step 5: Monitor and Update SPRS Scores
Log into the Supplier Performance Risk System (SPRS) and make sure your current score accurately reflects your environment. Update immediately if circumstances change—waiting until the DOJ calls is too late.
Step 6: Prepare for CMMC 2.0
The Cybersecurity Maturity Model Certification (CMMC) 2.0 is on the horizon. Most defense contractors will need CMMC Level 2, which aligns closely with full NIST 800-171 implementation.
Prepare now by:
- Performing pre-assessments
- Working with a Registered Practitioner Organization (RPO)
- Building a culture of continuous compliance
Why Now Is the Time to Act
With the launch of the Civil Cyber-Fraud Initiative and increasing reliance on digital infrastructure, the federal government is no longer treating cybersecurity lapses as harmless missteps. They are legal violations, potentially triggering multi-million-dollar FCA settlements, contract suspensions, and long-term reputational harm.
MORSE is not an isolated case. It’s a cautionary tale that every government contractor should learn from.
How ComplianceArmor Can Help
At ComplianceArmor.com, we specialize in helping government contractors achieve, maintain, and document cybersecurity compliance.
Our solutions include:
- NIST 800-171 Gap Assessments
- DFARS-Compliant Policy Templates
- SPRS Submission Support
- CMMC Level 2 Readiness Tools
- AI-powered Compliance Advisors
- Evidence Collection & Audit Readiness Dashboards
Don’t wait for the DOJ to come knocking. Let us help you harden your systems, validate your claims, and sleep better at night.
Final Thoughts: Complacency Is the Real Cyber Threat
Cybersecurity compliance is no longer optional. For defense contractors, it’s a legal, financial, and operational necessity. The DOJ’s action against MORSE sets a precedent—and if your systems, suppliers, or scorecards fall short, you could be next.
Now is the time to get proactive, build a resilient compliance program, and protect your contract, your reputation, and your future.
Ready to Take Action?
Visit ComplianceArmor.com to download our free DFARS/NIST 800-171 Compliance Checklist, book a CMMC Readiness Consultation, or speak with one of our experts.
Protect Your Contract. Shield Your Business. Stay Compliant.