
Despite a change in administrations, the government’s vigilance and enforcement of cybersecurity requirements have not missed a beat. On March 14, 2025, MORSECORP, Inc. of Cambridge, MA resolved allegations that it had submitted false claims to the government under contracts with the Departments of the Army and the Air Force. Pursuant to a settlement with the Department of Justice, MORSECORP “admitted, acknowledged, and accepted responsibility” for failing to ensure that a third-party company that hosted MORSECORP’s emails met security requirements equivalent to the Federal Risk and Authorization Management Program (FedRAMP) moderate baseline and that this third-party complied with cybersecurity requirements under DFARS 252.204-7012(c)-(g). MORSECORP also admitted that it did not fully implement all cybersecurity controls in NIST SP 800-171, some of which, absent implementation, could have led to the exfiltration of controlled defense information. Additionally, MORSECORP did not have the required written system security plans for its covered information systems.
Continue Reading Cybersecurity Enforcement: The More Things Change, The More They Stay the Same