DOJ Sues Small DoD Contractor MORSE, Signaling CMMC Urgency for SMBs in the DIB
DOJ lawsuit against MORSE Corp highlights the urgency for SMB defense contractors to comply with CMMC and NIST SP 800-171 requirements. Learn how to avoid similar pitfalls.
In March 2025, a small defense contractor reached a $4.6 million settlement with the Department of Justice over alleged False Claims Act (FCA) violations related to cybersecurity compliance.1
It was a notable development, not because of the scale of the company or because there was a major breach. In fact, it was exactly the opposite: the lawsuit was against an ordinary SMB contractor, MORSE Corp. Where other recent FCA cases have made examples of large institutions like Georgia Tech, this case features your average small defense contractor, likely chosen to make an example for other SMB contractors, which make up about 75% of the DIB.
This case offers a detailed look at what happens when long-standing contractual obligations around cybersecurity are taken seriously by enforcement agencies—and what it looks like for SMBs when those obligations are not fully met.
The Backdrop: A Familiar Compliance Landscape
For years, defense contractors have been operating under DFARS 252.204-7012, which requires the implementation of NIST SP 800-171 when handling Controlled Unclassified Information (CUI). Since 2020, those requirements have been reinforced by clauses 252.204-7019 and 252.204-7020, which mandate self-assessments and reporting of the resulting scores into the Supplier Performance Risk System (SPRS). These clauses have been standard in DoD contracts for quite some time.
Meanwhile, in 2021, the DOJ launched the Cyber Civil Fraud Initiative, signaling an intent to use the False Claims Act to pursue misrepresentations in cybersecurity practices. That policy became the framework for this case.
The Timeline: From SPRS Score to Settlement
In January 2021, the company at the center of this case submitted an SPRS score of 104 out of 110—a strong showing on paper. Around the same time, a new head of security joined the organization. Months later, a third-party assessment painted a very different picture: a score of -142, indicating significant gaps in NIST SP 800-171 implementation.
Despite having this information, the company did not update its SPRS score. Over time, the security lead raised concerns, and when those concerns weren’t addressed, they eventually left the organization and filed a whistleblower complaint.
Roughly 60 days after the complaint, the DOJ issued a subpoena. From that point forward, the contractor began steadily improving and updating its SPRS score—first to 57, then to 82, and eventually to a perfect 110. But that timeline mattered. The government focused on the period between 2018 and 2023, when it alleged that the company received payments under contracts that required a level of cybersecurity it had not yet implemented.
The Result: Accountability, Not Catastrophe
As part of the settlement, the company acknowledged that it:
- Used a third-party email service that did not meet FedRAMP Moderate-equivalent requirements.
- Did not fully implement NIST SP 800-171 controls from 2018 to 2023.
- Lacked complete system security plans (SSPs) for its covered systems.
- Submitted an SPRS score it later found to be inaccurate, without correcting it in a timely manner.
There was no admission of fraud or intent to deceive. But there was a formal agreement to accept responsibility for the facts and to resolve the matter under the FCA framework.
Notably, the whistleblower in this case received approximately $851,000 as a share of the recovery, in line with provisions designed to encourage and protect individuals who report compliance concerns under the FCA.
Why This Matters
The challenges that led to this settlement—difficulty documenting compliance, scoring accurately, navigating cloud services, and keeping pace with growing expectations—are widespread.
This case offers a window into how those challenges can turn into legal and financial consequences when they’re not addressed. It also shows the role that internal advocates (like a head of security) can play, and the importance of treating their concerns as actionable insight rather than internal friction.
The Bigger Picture
There are a lot more cases in the pipeline. DOJ officials have indicated that the Cyber Civil Fraud Initiative is ongoing, and this settlement is one of many.
What makes this particular case so useful is how clearly it maps to the real-world experience of so many midsize and smaller contractors. According to the DoD, “In Fiscal Year (FY) 2021, small businesses made up 73 percent of all companies that did business with DoD and 77 percent of the research and development (R&D) companies.” Combined with the estimated 100,000 DIB companies, that makes MORSE Corp one of roughly 75,000 SMBs in the DIB. But that number is likely low. Since the DoD is limited in how far down the supply chain it can see, there may be upwards of 200,000 SMBs in the DIB. MORSE Corp is representative of a vital majority.
The takeaway? The DIB needs to get ready or expect consequences. The DOJ is taking the cybersecurity of small businesses in their supply chain seriously. This isn’t about panic—it’s about preparation. Understanding what your obligations are, documenting what’s been done (and what hasn’t), and being transparent about your progress is not just good compliance—it’s good stewardship of your role in the national defense supply chain.
If you’re working toward full implementation of NIST SP 800-171 or preparing for CMMC certification, this is a moment to review—not with alarm, but with focus.