The Register: US defense contractor cops to sloppy security, settles after infosec lead blows whistle

Source URL: https://www.theregister.com/2025/03/26/us_defense_contractor/
Source: The Register
Title: US defense contractor cops to sloppy security, settles after infosec lead blows whistle

Feedly Summary: MORSE to pay -- .. .-.. .-.. .. --- -. ... for failing to meet cyber-grade
A US defense contractor will cough up $4.6 million to settle complaints it failed to meet cybersecurity requirements on military contracts and knowingly submitted false claims for payment…

AI Summary and Description: Yes

Summary: MORSE Corp, a US defense contractor, has agreed to pay $4.6 million to settle allegations of significant cybersecurity failures that contravened military contract requirements. The issues came to light via a whistleblower lawsuit, revealing lapses in cloud security and false reporting of compliance scores, especially regarding NIST cybersecurity controls.

Detailed Description: The case surrounding MORSE Corp presents critical insights into cybersecurity compliance challenges faced by defense contractors, particularly those working with government entities. The firm’s admitted lapses in cybersecurity included the following:

– **Non-compliance with Cybersecurity Requirements**: MORSE Corp is accused of failing to adhere to required cybersecurity standards, particularly those dictated by the Federal Risk and Authorization Management Program (FedRAMP) and the Department of Defense’s (DoD) incident reporting rules.

– **Cloud Security Missteps**: The company utilized a third-party email service provider without confirming that it met necessary FedRAMP baselines, a serious breach of protocol given its military contracts.

– **Failure to Implement NIST Controls**: MORSE did not adequately implement the required controls from NIST Special Publication 800-171, which is designed to protect sensitive defense information. This failure left that information exposed to significant vulnerabilities.

– **Inaccurate Self-assessment Reporting**: The firm reported a self-assessment score of 104, indicating a relatively high level of implementation of the required controls. By contrast, a third-party consultant later assessed MORSE’s controls and reported a dangerously low score of -142, revealing the true extent of the failures. The reported score was not corrected until the firm came under federal scrutiny, raising serious questions about the integrity of MORSE’s reporting practices.

– **Financial Penalties**: The settlement requires MORSE to pay $4.6 million, with a portion awarded to the whistleblower, highlighting the importance of ethical compliance and the protective role of whistleblower policies.

The implications of this case are significant for professionals in cybersecurity and compliance, particularly in the defense sector:
– **Importance of Compliance**: Organizations must adhere rigorously to established cybersecurity frameworks and be proactive in their compliance checks to safeguard sensitive information.
– **Third-party Risk Management**: The necessity of validating third-party vendors’ compliance with security standards is underscored, particularly when sensitive information or systems are outsourced.
– **Whistleblower Protections**: The case illustrates the critical role that whistleblowers play in calling out compliance lapses, as well as the protections and rewards available to encourage ethical reporting.

Overall, this incident exposes vulnerabilities in compliance environments and emphasizes the need for stringent adherence to cybersecurity regulations, especially within government contracting.