DOJ Looks To Sting Georgia Tech Under the False Claims Act: The Perils of Cybersecurity Non-Compliance

Cohen Seglias Pallas Greenhall & Furman PC

On August 22, 2024, the Department of Justice (DOJ) filed a complaint-in-intervention in a previously filed whistleblower suit under the qui tam provisions of the False Claims Act (FCA) against the Georgia Institute of Technology (Georgia Tech) and Georgia Tech Research Corp. (GTRC), an affiliate of Georgia Tech, for falsely representing its compliance with Department of Defense (DoD) cybersecurity requirements. Former and current Georgia Tech cybersecurity team employees brought the initial whistleblower lawsuit.

The lawsuit alleges that Georgia Tech violated DFARS 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting (clause 7012) and DFARS 252.204-7019 NIST SP 800-171 DoD Assessment Requirements (clause 7019). Clause 7012 requires contractors to provide “adequate security” for “covered contractor information systems”—unclassified information systems that process, store, or transmit controlled unclassified information (CUI) or controlled technical information. At a minimum, this means complying with the 110 security controls laid out in NIST SP 800-171. For any security control not yet implemented, the contractor must have a plan of action, including an identified date, to have those controls in place. Clause 7019 requires contractors to have a current (no more than three years old) NIST SP 800-171 assessment score entered into the DoD’s Supplier Performance Risk System (SPRS) for each covered contractor information system relevant to an offer, contract, task order, or delivery order. In short, the assessment is intended to reflect the state of the contractor’s compliance with all 110 security controls in NIST SP 800-171. Importantly, if implementation of NIST SP 800-171 is required, the contracting officer cannot award a contract to an offeror that has not provided a summary-level score for its relevant covered contractor information system.

DOJ’s complaint alleges that the Astrolavos research lab at Georgia Tech, which possessed nonpublic sensitive DoD information, including CUI, “failed to: (1) develop or implement a system security plan outlining how it would protect from unauthorized disclosure covered defense information in its possession; and (2) install, update, and run antivirus software on servers, desktops, and laptops in the lab which had access to nonpublic DoD information.” Additionally, the government alleges that Georgia Tech and GTRC failed to assess the covered information system that the Astrolavos lab used to process, store, or transmit CUI using DoD’s prescribed assessment methodology. The government also maintains that Georgia Tech and GTRC failed to provide an accurate summary-level score for the Astrolavos lab. The score is intended to demonstrate the lab’s compliance with applicable cybersecurity regulations. Instead, Georgia Tech and GTRC gave the DoD a score for a “campus-wide” IT system; however, no such system existed. According to former employees, the score was for a “fictitious” or “virtual” environment and did not describe something that actually existed. In fact, the government alleges that the Astrolavos lab never actually calculated any score for its IT system; Georgia Tech and GTRC reported this supposed “campus-wide” score that they knew to be false, even though employees had warned them that providing that score would be false and misleading.

This latest action by the government in its Civil Cyber-Fraud Initiative is yet another signal to contractors that cybersecurity is a top priority for the nation’s security. As the U.S. Attorney for the Northern District of Georgia stated in the press release announcing the DOJ’s intervention in the case, “Cybersecurity compliance by government contractors is critical in safeguarding U.S. information and systems against threats posed by malicious actors… For this reason, we expect contractors to abide by cybersecurity requirements in their contracts and grants, regardless of the size or type of the organization or the number of contracts involved. Our office will hold accountable those contractors who ignore cybersecurity rules.”

The message to contractors could not be clearer—ensure you are in compliance with applicable cybersecurity requirements; if not yet compliant, get compliant ASAP.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Cohen Seglias Pallas Greenhall & Furman PC
