MORSE Corp, a defense contractor based in Cambridge, Massachusetts, has agreed to pay $4.6 million to resolve allegations of violating federal cybersecurity standards. The settlement, reached with the U.S. government, stems from the company’s failure to meet National Institute of Standards and Technology (NIST) security requirements. MORSE, which has contracts with the U.S. Army and Air Force, was found to have used a third-party provider to host emails without ensuring its compliance with federal cybersecurity protocols.
The Department of Justice noted that this failure created significant vulnerabilities in the company’s network, increasing the risk of unauthorized access to controlled defense information.
MORSE’s failure to develop a comprehensive plan for managing its information systems was also highlighted. This plan would have outlined critical security measures, system boundaries, and relationships to other systems. As a result, the company’s lack of attention to cybersecurity posed a substantial threat to national security and defense operations.
In addition to the third-party provider issue, MORSE was found to have overstated its cybersecurity posture in its self-assessment. A 2021 internal evaluation gave the company a score of 104, indicating that it met most security requirements. However, an external audit conducted in 2022 revealed a much lower score of -142, indicating serious deficiencies in cybersecurity measures.
The audit also revealed that MORSE failed to comply with 78% of NIST standards, which should have been addressed before the company submitted its score to regulators.
The settlement with MORSE is part of a larger trend of increased enforcement of cybersecurity compliance among federal contractors. This case follows other recent settlements, such as an $11 million fine imposed in February 2025 on a military healthcare contractor for similar failures. Additionally, organizations like Penn State University and Georgia Institute of Technology have faced penalties for not meeting security standards. These actions highlight the growing focus on enforcing cybersecurity requirements across sectors that are integral to U.S. national security and federal operations.