Late last week, the U.S. Department of Justice (DOJ) filed its complaint-in-intervention in a qui tam lawsuit against the Georgia Institute of Technology (Georgia Tech), alleging that the university failed to meet certain cybersecurity requirements in its performance of U.S. Department of Defense (DOD) contracts. The move is DOJ's latest under its Civil Cyber-Fraud Initiative, an effort launched in 2021 that DOJ states is intended to combat emerging cyber threats. DOJ has already entered into several settlement agreements with contractors related to alleged cybersecurity deficiencies, but this is the agency's first intervention in a case alleging fraud by a university.
The 99-page complaint alleges that Georgia Tech failed to implement contractual cybersecurity controls required by DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, under contracts with the U.S. Air Force and the Defense Advanced Research Projects Agency (DARPA) – including one contract related to the development of technology for threat actor attribution. The complaint also alleges that the university "intentionally, knowingly, and negligently" provided DOD a false campuswide summary level score under DFARS 252.204-7019, Notice of NIST SP 800-171 DoD Assessment Requirements, rather than a score for the information technology (IT) systems where research involving covered information was actually conducted, with "the intention of inducing DoD to award and retain government contracts[.]"
The DFARS Regulations
Under DFARS -7012, a contractor must provide "adequate security" on all "covered contractor information systems." The regulation requires that contractors, at a minimum, adhere to the security controls published in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, Processing Controlled Unclassified Information in Nonfederal Information Systems and Organizations, for all contractor information systems that process, store or transmit controlled unclassified information (CUI). Contractors are currently required to comply with Revision 2 of NIST SP 800-171.
DFARS -7019 requires offerors to have a current NIST SP 800-171 DoD Assessment published in DOD's Supplier Performance Risk System (SPRS) for each "relevant" covered contractor information system in order to be considered for award. DOD's NIST SP 800-171 Assessment methodology is designed to, as the name suggests, assess a contractor's implementation of NIST SP 800-171. The methodology results in a "summary level score," which must be posted in SPRS, reflecting the status of the contractor's compliance with the 110 security controls in NIST SP 800-171 for each covered contractor information system (i.e., each information system that processes, stores or transmits CUI in performance of the contract). The purpose behind this requirement is to provide DOD components "visibility" into a contractor's strategic assessment of the security requirements.[1]
The Allegations
The case against Georgia Tech is based on a qui tam, or whistleblower, complaint filed by two Georgia Tech employees. Qui tam cases are filed under seal by whistleblowers, who are entitled to a portion of any recovery in return for bringing issues to light. DOJ evaluates and determines whether to take over the case, known as intervention. Intervention is an indication of the government's belief in the veracity of the underlying allegations; public intervention coupled with a complaint-in-intervention sends a significant message.
The government's complaint alleges that the university failed to provide "adequate security" on information systems processing, storing and transmitting CUI, as required by DFARS -7012, because it 1) failed to develop, document and periodically update system security plans and associated NIST SP 800-171 security controls (as required by NIST SP 800-171 control 3.12.4) and 2) failed to install, update and run antivirus and incident detection software (which the government alleges is required by NIST SP 800-171 controls 3.14.2, 3.14.4, and 3.14.5 collectively).
Further, DOJ alleges in the complaint that Georgia Tech failed to implement plans of action for security controls that were not yet implemented. DOJ's position is that "[f]or each security requirement that has not yet been implemented, contractors are required to have a plan of action for implementing the controls, along with a date by when the controls will be implemented. Contractors must also actively work to implement those plans of action in a genuine effort to implement all 110 controls." In this instance, the complaint notes that in violation of SP 800-171 control 3.12.2, Georgia Tech failed to have a plan of action, much less carry any through.
Additionally, the complaint alleges that the university failed to submit a summary level score in SPRS for the contractor information systems utilized by the particular research lab in performing the DOD contracts (the covered contractor information systems "relevant to" the contracts under DFARS -7019) and instead "intentionally, knowingly, and negligently" submitted an enterprise summary level score for the entire Georgia Tech campus, intended to mislead DOD. According to the complaint, there is no campuswide IT system at the university, and the summary level score provided "applied to no actual IT system at Georgia Tech," much less the particular research lab or any other environment performing the DOD contracts. Key to the complaint were allegations that Georgia Tech employees knew the reported score was misleading.
No Security Breach, No Big Deal? Wrong.
The complaint makes no allegation that a cyber incident[2] involving CUI occurred and, according to statements by the university published by Law360, "in this case, there was no breach of information, and no data leaked."
So, if there was no actual or potential breach of the university's covered information systems and no misuse of government CUI then, you may be asking, what is the big deal?
According to the complaint, the "big deal" is that the university made alleged false statements about its cybersecurity. The False Claims Act, 31 U.S.C. §§ 3729–3733, imposes liability on any person who "knowingly presents, or causes to be presented, a false or fraudulent claim" to the government, or who "knowingly makes, uses, or causes to be made or used, a false record or statement material to a false or fraudulent claim."[3] A "claim" is defined as any demand for money or property made directly to the government or to a contractor.[4]
False Claims Act (FCA) liability centers around the submission of a "false" or "fraudulent" claim to the government, but the statute itself does not define what makes a claim false or fraudulent. Under the judicially developed "implied certification" theory of liability, a contractor has submitted a false claim where it presents an invoice to the government for services or goods provided but knowingly fails to disclose a material violation of a statutory, regulatory or contractual requirement – such as a failure to provide "adequate security" on covered contractor information systems per DFARS -7012. The implied certification theory is premised on the notion that every time a contractor submits an invoice to the government, it is impliedly certifying compliance with all federal rules that are material to the government's decision to pay that invoice.
In the Georgia Tech complaint, the government's position is that the federal cybersecurity regulations, including DFARS -7012 and DFARS -7019, are material contract terms. Thus, because the university submitted invoices to the government for its work under the Air Force and DARPA contracts, while not complying with these material contractual terms, the university has, in the government's view, violated the FCA.
A Word to the Wary
In one sense, the government's intervention in the Georgia Tech case is not surprising. DOJ has been aggressively pursuing cases of civil cyber-fraud, reporting several settlements in fiscal year 2023 as a result of the initiative, as well as two settlements announced in May and June 2024.
Further, the intervention comes only a week after DOD issued a proposed DFARS rule to implement its Cybersecurity Maturity Model Certification (CMMC) program – a program designed to verify contractors' compliance with federal cybersecurity controls.
The complaint, though, is the first time a university has been the target of the government's civil cyber-fraud initiative and the most comprehensive complaint alleging cybersecurity deficiencies against any contractor. The message to universities, research institutions and other government contractors is clear: The government takes very seriously contractors' compliance with cybersecurity requirements and will use the tools at its disposal to enforce them.
For more information on CMMC, DOJ's Civil Cyber-Fraud Initiative, the FCA, university or research cybersecurity, or any of the issues raised above, please contact the authors.
Notes
[1] In a protest, the U.S. Government Accountability Office previously confirmed the requirement to post a score when the clause was present. See American Fuel Cell & Coated Fabrics Company, B-420551 (June 2, 2022).
[2] DFARS -7012(a) defines "cyber incident" as "actions taken through the use of computer networks that result in a compromise or an actual or potentially adverse effect on an information system and/or the information residing therein."
[3] 31 U.S.C. § 3729(a)(1)(A)–(B).
[4] See 31 U.S.C. § 3729(b)(2).