$4.6M warning shot: DOJ ramps up CMMC enforcement on defense contractors

The MORSECORP settlement shows lapses in cybersecurity compliance are now legal and financial liabilities, not just technical ones.

Staff Illustration and Adobe Stock Illustration © Ton Forio

Editor's Note: This article originally appeared in the January/February 2026 print edition of Defense and Munitions under the headline “$4.6M warning shot: DOJ ramps up cyber enforcement on defense contractors.”


When the U.S. Department of Justice (DOJ) announced a $4.6 million False Claims Act (FCA) settlement with defense contractor MORSECORP Inc. (MORSE), it sent a message to the Defense Industrial Base (DIB): cybersecurity noncompliance will be pursued.

“This case is almost a roadmap of what not to do,” says Jack Walbran, longtime defense industry contract expert and Of Counsel with international law firm BCLP. “They admitted they took contracts with cybersecurity requirements, didn’t comply for years, then self-scored inaccurately to obtain contracts and didn’t correct their score even when they learned it was much lower.”

The MORSE settlement, which arose from a whistleblower lawsuit in 2025 and was announced by the U.S. Attorney for the District of Massachusetts, demonstrates how failing to follow long-standing cybersecurity requirements can lead to costly legal exposure and potentially lasting reputational damage. For DIB contractors, the case serves as a wake-up call. Compliance isn’t just a box to check. It’s a legal, financial, and operational imperative.


Three-pronged enforcement exposure

For companies handling sensitive government data – whether directly for the Department of Defense (DOD) or further down the subcontractor chain – the risk of FCA liability now comes from three directions.

“First, if you suffer a major breach after failing to use promised protective tools, you’re in trouble,” Walbran explains.

Second, since 2020, contractors have had to self-report their cybersecurity scores to be considered for new contracts. DOD and others have found many of these scores were, at best, overly optimistic. Now, with third-party checks on the horizon, primes are asking for real scores, and third-party assessments are surfacing significant past errors.

“Practically speaking, the third pressure point may be the most dangerous: insider whistleblowers – typically knowledgeable employees,” Walbran adds.

Under the FCA’s qui tam provisions, whistleblowers can file lawsuits on behalf of the government and receive a share of any settlement. In the MORSE case, the whistleblower received $851,000.


False claims, real consequences

The FCA, around since the Civil War, has been adapted over the years to counter modern risks. Today, the DOJ has put cybersecurity squarely in its crosshairs.

Legal exposure is vast: If a company falsely certifies compliance to win a defense contract, damages can be up to triple all contract payments. On top of that, penalties can reach up to $28,000 per claim.

As Walbran puts it, “That’s your biggest civil risk – procuring a contract through misrepresentation. Knowing violations exist carries a criminal risk as well.”

In the case of MORSE, the DOJ laid out multiple points of failure, including the use of a non-compliant third-party cloud email host from 2018 to 2022, significantly incomplete NIST 800-171 cybersecurity controls from 2018 to 2023, and reporting inaccurate cybersecurity compliance scores to the DOD – not corrected in a timely manner after a third-party assessment flagged the error.

“As alleged, these weren’t close calls,” Walbran says. “They were clear violations of known requirements.”


Wake-up call for defense contractors

Charlie Sciuto is the CISO and CTO for SSE Inc. He works with contractors in the DIB daily and says the risk many companies face isn’t always defiance; it’s uncertainty.

“There’s a big knowledge gap out there,” Sciuto explains. “Companies don’t know where they stand because they haven’t gone through a proper gap assessment, and with CMMC going live, that’s going to get even more serious.”

SSE is a Registered Provider Organization (RPO) – a designation established by the DOD to help companies prepare for the Cybersecurity Maturity Model Certification (CMMC) assessments. RPOs, accredited by the Cyber AB, provide services such as gap assessments, remediation, policy development, and continuous monitoring. While RPOs can’t issue certifications, they’re often the most practical and cost-effective way to get compliant for the upcoming third-party certification assessments and stay compliant as required.


Cyber lapses, FCA lawsuits, and CMMC

CMMC is the new framework for cybersecurity compliance across the DIB. It’s designed to move companies handling Controlled Unclassified Information (CUI) from self-attestation to independent, third-party verification.

Under CMMC 2.0, some will continue to self-assess, particularly those handling Federal Contract Information (FCI). Many, however, will be required to undergo certification through a Certified Third-Party Assessor Organization (C3PAO). The expectation placed on companies is clear: contractors must verifiably implement required controls and maintain continuous compliance.

“With CMMC, you’re not just representing compliance once,” Sciuto adds. “You will be committing to continual monitoring and then affirming continuous compliance annually.”

Companies need to take cybersecurity seriously. Their representations, whether to a prime or to the government, are binding commitments.


How companies fall out of compliance

Even companies with strong intentions can fall out of compliance through seemingly routine changes to operations or technology. Walbran outlined a few common triggers:

  • Expanding physical or network boundaries (e.g., acquiring a new facility or company)
  • Shifting from on-premises to cloud infrastructure
  • Introducing new cybersecurity tools, vendors, or systems without evaluating cybersecurity compliance


MORSE settlement is a roadmap for the DIB

Based on the DOJ’s release of the MORSE settlement, SSE put together a list of four common pitfalls that must be avoided:

  1. Using Non-Compliant Third Parties: Contractors must ensure vendors (especially cloud and email providers) meet required standards, including the Federal Risk and Authorization Management Program Moderate (FedRAMP Moderate) security standard for cloud services.
  2. Failure to Implement NIST SP 800-171 Controls: Partial or delayed implementation of these controls is no longer acceptable.
  3. Lack of a Written System Security Plan (SSP): A complete SSP that describes system boundaries, environments, and connections is mandatory.
  4. Inaccurate or Outdated Compliance Reporting: Self-assessments must reflect the current cybersecurity state and be updated as conditions change.


“Since 2017, many DIB contractors reportedly treated cybersecurity as a paperwork requirement. The MORSE settlement makes it clear those days are over,” Sciuto concludes.

With DOJ enforcement rising, whistleblowers increasingly informed and motivated, and CMMC closing the loop to verify compliance, companies in the DIB face a new standard of accountability. For those who underestimate the risk, a $4.6 million warning shot has been fired.

Systems Service Enterprises Inc. (SSE Inc.) 
Bryan Cave Leighton Paisner (BCLP) LLP