US defense contractor cops to sloppy security, settles after infosec lead blows whistle

A US defense contractor will cough up $4.6 million to settle complaints it failed to meet cybersecurity requirements on military contracts and knowingly submitted false claims for payment.

Massachusetts-based MORSE Corp admitted [PDF] to a series of cybersecurity failures in its dealings with the US Army and Air Force. The issues came to light after the company's former head of security brought a whistleblower lawsuit against the corporation on behalf of the government under the False Claims Act.

MORSE's cybersecurity lapses were numerous, according to federal prosecutors, and ranged from missteps in cloud security to fudged compliance scores. 

As early as 2018, the biz – which develops guidance and navigation tech for military vehicles – used a third-party provider to host its email without ensuring the vendor met the FedRAMP Moderate baseline, as required, say prosecutors. Additionally, the contractor failed to confirm the email provider followed Pentagon rules for ...