When it comes to cybersecurity requirements in DoD contracts, the Department of Defense is sending the message that size offers no protection from federal scrutiny. That’s the key lesson from the Department of Justice’s (DOJ) False Claims Act (FCA) case against Morse, a small defense contractor with only $3 million in DoD contracts in 2018. Despite its modest footprint, Morse faced a high-profile investigation that ultimately led to the company paying a $4.6 million settlement in 2025 for fraudulently attesting to cybersecurity standards beginning in 2018. It is clear that any organization handling Controlled Unclassified Information (CUI) is expected to meet the same compliance standards as major defense contractors.
Key Compliance Milestones
What Went Wrong at Morse
1. Chronic Noncompliance: Between 2018 and 2023, Morse failed to implement required NIST SP 800-171 controls, obligations embedded in its DoD contracts. These lapses exposed sensitive systems to potential exploitation.
2. Use of Non-Compliant Third-Party Services: Morse also relied on a third-party email provider without verifying FedRAMP Moderate-equivalent compliance, resulting in another red flag under the Cyber Civil Fraud Initiative.
3. Falsified Self-Assessment Score: In January 2021, Morse submitted a self-assessment score of 104 out of 110 to SPRS, suggesting near-total compliance. In reality, an external consultant later calculated its score at -142 out of 110. Worse, the company failed to correct the score until served a subpoena in 2023.
4. Post-Fact Remediation Didn’t Erase Liability: While Morse eventually remediated and achieved a perfect SPRS score by spring 2024, its earlier misrepresentation stood. Under the law, remediation after the fact does not undo a false claim.
Enforcement and Consequences
To resolve the allegations under the False Claims Act, Morse agreed to a $4.6 million settlement with the Department of Justice in March of 2025. The case originated from a whistleblower complaint filed by an employee who resigned after uncovering the compliance failures. Under the FCA’s qui tam provisions, the whistleblower received 18 percent of the recovery, approximately $852,000, along with an additional $198,000 to cover legal fees.
What this Means for Contractors
Morse’s small size did not shield it from a multimillion-dollar penalty. The case affirms that the scale of a contract does not reduce the obligation to comply with federal cybersecurity requirements. Even if you later achieve full compliance, knowingly submitting false information creates lasting legal and financial exposure. Leadership teams must ensure cybersecurity claims are accurate, supported, and regularly updated. In the current regulatory environment, misrepresenting compliance isn’t just a risk; it’s grounds for legal action.
This is especially critical for small companies, where a single employee may have broad visibility into compliance activities. Under the False Claims Act, whistleblowers are legally protected and can receive up to 30% of any government recovery. In Morse’s case, the former employee who exposed the violations was awarded over $1 million. The government has made it clear: if your organization mishandles CUI or misrepresents its cybersecurity posture, someone inside the company may be both willing and financially motivated to report it.