Georgia Tech Research Corporation has agreed to pay the United States $875,000 to resolve allegations that it violated the False Claims Act and federal common law by failing to meet cybersecurity requirements in connection with certain Air Force and Defence Advanced Research Projects Agency contracts.
GTRC contracts with government agencies, including the U.S. Department of Defence, for research performed at its affiliate, the Georgia Institute of Technology.
“When contractors fail to follow the required cybersecurity standards in their DoD contracts, they leave sensitive government information vulnerable to malicious actors and cyber threats,” said Assistant Attorney General Brett A. Shumate of the Justice Department’s Civil Division.
The settlement resolves a lawsuit against GTRC and Georgia Tech, in which the United States alleged that, until December 2021, those entities failed to install, update, or run anti-virus or anti-malware tools on desktops, laptops, servers, and networks at Georgia Tech’s Astrolavos Lab while the lab conducted sensitive cyber-defence research for the DoD. The United States also alleged that, until at least February 2020, there was no system security plan in place for the Astrolavos Lab to outline the cybersecurity controls required by GTRC’s contracts.
Finally, the United States alleged that in December 2020, GTRC and Georgia Tech submitted a false summary-level cybersecurity assessment score to DoD, which supposedly applied campus-wide.
That summary level score of 98 was allegedly false because (1) there was no campus-wide IT system at Georgia Tech and (2) the score was premised on a “fictitious” or “virtual” environment and did not apply to any actual covered contracting system at Georgia Tech that would process, store or transmit covered defence information.
The United States alleged that the submission of a cybersecurity assessment score was a condition of contract award for GTRC’s DoD contracts. The obligation to implement security controls specified in National Institute of Standards and Technology Special Publication 800-171 (NIST SP 800-171) to protect certain DoD information has been in effect for DoD contracts, subcontracts, and similar contractual instruments since 2017. It will continue under the Cybersecurity Maturity Model Certification (CMMC) program that DoD recently finalised.
The CMMC program further bolsters the assessment requirements applicable to DoD contractors and subcontractors.
The settlement announced on September 30 stems from a complaint filed by Christopher Craig and Kyle Koza, former members of Georgia Tech’s Cybersecurity Team, under the qui tam or whistleblower provisions of the False Claims Act, which permit private persons to bring a lawsuit on behalf of the government and to share in any recovery.
The act also permits the government to intervene and take over the lawsuit, as it did in this case, as to certain allegations. The United States intervened in the qui tam suit and filed its complaint in August 2024. The settlement in this case provides for Craig and Koza to receive $201,250 as their share of the recovery.
Defence contractors’ adherence to their cybersecurity obligations is essential to safeguarding sensitive government information from malicious actors, said U.S. Attorney Theodore S. Hertzberg for the Northern District of Georgia. He explained that contractors who fail to implement required cybersecurity controls, “provide false information to the government, and otherwise fail to fulfil their cybersecurity obligations will be held accountable”.
