DOJ’s Civil-Cyber Fraud Initiative Strikes Again: DOD Contractor Settles Allegations Related to Implementation of NIST SP 800-171
The Department of Justice (DOJ) has inked its ninth cyber False Claims Act (FCA) settlement under its civil cyber-fraud initiative that was announced in 2021. At $4.6 million, this most recent settlement against DOD contractor MORSECORP, Inc. lands at just half the amount of the two $11 million settlements, which are the highest DOJ has obtained through the initiative so far. Demonstrating the risks in this area, this is also the third cyber FCA case that focuses on allegations of knowing non-compliance with cybersecurity controls in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 and certain Defense Federal Acquisition Regulation Supplement (DFARS) cybersecurity clauses common in DOD contracts.
More specifically, contractor MORSECORP admitted that it: (1) used third-party software to host its emails without ensuring the third party met security requirements equivalent to the FedRAMP security requirements, as required by DFARS 252.204-7012; (2) had not fully implemented all cybersecurity controls required by NIST SP 800-171; (3) did not have a consolidated written plan in place for each of its covered information systems related to cybersecurity; and (4) submitted a score for its implementation of the NIST SP 800-171 controls in the Department of Defense’s Supplier Performance Risk System (SPRS) that was far higher than what a third-party cybersecurity consultant later calculated for MORSECORP. Moreover, MORSECORP did not update its SPRS score until almost a year after the consultant calculated the lower score, and even then reported a score that was higher than what the consultant had calculated.
This settlement serves as a reminder that DOD contractors with contracts that incorporate DFARS 252.204-7012 and related clauses face risks associated with any potential noncompliance with those clauses and with their implementation of the NIST SP 800-171 controls. DOD contractors also face risks associated with any alleged failure to accurately report their NIST SP 800-171 implementation scores in SPRS. And those risks will only increase with the eventual implementation of DOD’s Cybersecurity Maturity Model Certification (CMMC) program.
Stay tuned to Qui Notes for more reporting on DOJ’s civil-cyber fraud initiative as we track cyber FCA settlements.
© Arnold & Porter Kaye Scholer LLP 2025 All Rights Reserved. This Blog post is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.