Department of Justice Intervenes in Cybersecurity Qui Tam Action Against Georgia Tech

Alston & Bird

On Thursday, August 22, 2024, the United States Department of Justice (“DOJ”) filed a Complaint-in-Intervention in United States of America ex rel. Christopher Craig and Kyle Koza v. Georgia Tech Research Corp. and Board of Regents of the University System of Georgia (d/b/a the Georgia Institute of Technology) (United States v. Georgia Tech).  The lawsuit, originally filed under seal by relators Christopher Craig and Kyle Koza on July 8, 2022, concerns the cybersecurity program that Georgia Tech is required to maintain under its federal contracts for defense research.  The DOJ’s intervention marks the first time the DOJ has intervened to litigate a cybersecurity-based suit under the False Claims Act, 31 U.S.C. § 3729 et seq.  Suits of this kind, filed by private relators on the government’s behalf under the Act’s whistleblower provisions, are commonly referred to as qui tam actions.

The DOJ alleges that Georgia Tech submitted false attestations of compliance with the National Institute of Standards and Technology (“NIST”) Special Publication 800-171 cybersecurity standard, which the Defense Federal Acquisition Regulation Supplement (“DFARS”) incorporates as a contractual obligation in Georgia Tech’s contracts with the Department of Defense (“DoD”) and the Defense Advanced Research Projects Agency (“DARPA”).  Specifically, the DOJ alleges that Georgia Tech violated DFARS clauses 252.204-7012, 252.204-7019, and 252.204-7020 (referred to below as DFARS 7012, 7019, and 7020), and that compliance with those clauses was material to the government’s decisions to award, maintain, and pay on the relevant research contracts.

At a high level, DFARS 7012 requires a contractor to provide “adequate security on all covered contractor information systems.”  For contractors that process, store, or transmit Controlled Unclassified Information (“CUI”) on those systems, the clause defines adequate security as, at a minimum, implementation of the security requirements in NIST SP 800-171.  NIST SP 800-171 Revision 2 contains 110 security requirements (commonly called controls), divided across fourteen families: Access Control, Awareness and Training, Audit and Accountability, Configuration Management, Identification and Authentication, Incident Response, Maintenance, Media Protection, Personnel Security, Physical Protection, Risk Assessment, Security Assessment, System and Communications Protection, and System and Information Integrity.  (The 110-control figure refers to Revision 2, the version against which DFARS assessments have been conducted; Revision 3, published in May 2024, reorganizes the requirements.)  Defense contracts executed after the promulgation of NIST SP 800-171 frequently also require compliance with the standard expressly, in addition to incorporating it through DFARS 7012.

In practice, many of the NIST SP 800-171 controls overlap with other cybersecurity requirements and widely adopted best practices, and are met as a by-product of complying with those.  The standard also contains controls that are specific to the protection of CUI (including the category of CUI known as “Controlled Technical Information”) and that contractors will not satisfy incidentally.  The breadth of the 110 controls can make compliance burdensome for covered entities, and a number of the controls are worded loosely enough that whether they have been met is often a matter of judgment.  These realities make the government’s enforcement decision in the Georgia Tech case notable and potentially important for the compliance and risk analyses of federal contractors.

The DOJ’s Complaint-in-Intervention expands substantially on the initial whistleblower complaint and focuses on two key areas: (1) Georgia Tech’s alleged lack of a system security plan (“SSP”); and (2) the school’s submission of allegedly false summary scores from its NIST SP 800-171 self-assessments.  In particular, the DOJ alleges that Georgia Tech, in violation of NIST SP 800-171 Control 3.12.4 (which requires the contractor to develop, document, and periodically update an SSP), obtained government contracts for a lab that had no SSP in place when it commenced work under the agreement, and for several years afterward.  The government also alleges that Georgia Tech, in violation of DFARS 7019 (which requires contractors to post a current NIST SP 800-171 self-assessment score to the DoD’s Supplier Performance Risk System), submitted summary scores that were “fictitious” and that described a “‘virtual’ environment that was a ‘construct’ because it was not ‘specifically associated to any active research at Georgia Tech.’”  The DOJ further alleges that Georgia Tech failed to implement required controls relating to antivirus and incident detection software, failed to perform adequate self-assessments, and failed to develop a Plan of Action and Milestones (“POA&M”) to remediate deficient findings.

The Georgia Tech case is an important bellwether case in the DOJ’s broader cybersecurity enforcement efforts and in False Claims Act jurisprudence. It also marks a critical development for cybersecurity compliance in general, and for companies with federal contracts, in particular. We will monitor this case and others in this area closely.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Alston & Bird

