Johnny, rosin up your bow and play your fiddle hard
’Cause Hell’s broke loose in Georgia and the Devil deals the cards
And if you win, you get this shiny fiddle made of gold
But if you lose the Devil gets your soul
~ The Charlie Daniels Band

Some might say there’s little difference between dealing with the devil and being a federal contractor. And for the unwary or unprepared, that may not be far off. Federal contracting comes with a litany of “fine print” that would make “Old Scratch” proud. However, as most savvy contractors recognize, it’s all hiding in plain sight, with the devil in the details. Take, for example, the cybersecurity requirements found in the Federal Acquisition Regulations (FAR) at 52.204-21 and the Department of Defense (DoD) FAR Supplement (DFARS) at 252.204-7012, -7019, and -7020. These requirements have been the topic of countless articles, trainings, webinars, whole conferences, etc., so it is surprising while simultaneously not surprising that they form the basis of a federal False Claims Act (FCA) claim the Department of Justice (DOJ) recently filed in its complaint in intervention.

The case at issue is United States ex rel. Craig v. Georgia Tech Research Corp., et al., filed in the US District Court for the Northern District of Georgia. Notably, the case began on July 8, 2022, when Georgia Tech and its affiliate, Georgia Tech Research Corp., became the unwitting targets of a sealed whistleblower complaint. The complainants, or “relators,” were two former Georgia Tech cybersecurity compliance team members, Christopher Craig and Kyle Koza. The DOJ intervened in the lawsuit on February 20, 2024, before finally filing its complaint in intervention on August 22, 2024.

At the heart of the whistleblowers’ and DOJ’s allegations is that from May 2019 to December 2021 Georgia Tech failed to comply with cybersecurity standards required by its DoD contracts. These included:

• Not developing and implementing a system security plan (SSP) for the Astrolavos Lab until February 2020.
• Even after implementing the SSP, Astrolavos failed to properly scope the plan to cover all necessary equipment, such as laptops, desktops, and servers.
• Failing to install, update, or operate essential antivirus or anti-malware tools on its computers and networks. Instead, Georgia Tech allegedly approved the lab’s refusal to implement these cybersecurity measures, citing the demands of a professor heading the lab, referred to as akin to a “star quarterback,” who resisted complying with these requirements.

Finally, as if jumping up on a hickory stump, the amended complaint alleges that the lab submitted false cybersecurity assessment scores into the Supplier Performance Risk System (SPRS) in order to be perceived as meeting the requirements of DFARS 252-204-7019 and -7020 in December 2020. The SPRS score submitted—a 98, for those wondering—was viewed as false by the DOJ because the score was for a “fictitious” or “virtual” environment and did not apply to any actual research environment or covered contracting system. The DOJ highlighted that the purportedly fraudulent SPRS submission was crucial and a “condition of [DoD] contract award.”

And if you’d care to take a dare, I’ll make a bet with you
Now you play a pretty good fiddle, boy, but give the Devil his due
I’ll bet a fiddle o’ gold against your soul ’cause I think I’m better than you

So, while Georgia Tech and its team find themselves in a precarious situation, where exactly is the “fiddle o’ gold” in the lessons we can glean from United States ex rel. Craig so far?

1. It may be too late. We hate to be the bearer of bad news, but with this case pending and under investigation (as are all FCA cases before unsealing) for the past two years, there’s a near 100 percent chance that this isn’t the only case out there. Announced as part of the DOJ’s broader effort under its Civil Cyber-Fraud Initiative, the complaint demonstrates the means by which the DOJ intends to hold contractors accountable for deficient cybersecurity practices capable of putting US information and systems at risk.
   • Bet to avoid regret: Check whether your company is uncertain about how well it meets its cybersecurity obligations. Make sure you can back up and justify your SPRS score and that it was developed systematically using the requirements and processes available through the National Institute of Standards and Technology’s Special Publication 800-171A.

     Suppose you think there’s a problem with how that score came into being (dart board, bad night at bowling, etc.). In that case, a mandatory disclosure may be necessary. If your score changes because of system updates, alterations, or that type of issue, then update your score as and when appropriate. The goal is accuracy and completeness, not perfection. Make sure you can explain what you’ve done and how.

2. Your IT/IS team matters. Beyond an application and enforcement based on contractual cybersecurity regulations, can you guess a common element between United States ex rel. Craig and United States ex rel. Brian Markus v. Aerojet Rocketdyne Holdings, Inc., 381 F. Supp. 3d 1240 (E.D. Cal. 2019)? If you guessed that the relators were the respective company’s information technology (IT)/information security (IS) team members—Yahtzee! The whistleblowers were team members likely frustrated with the requirements and implementation of the contractual requirements. Or in FCA speak, people with “knowledge.”
   • Bet to avoid regret: Most company IT and IS teams are understaffed and underappreciated, even more so for contractors now implementing the litany of DoD cybersecurity requirements. They need a seat at the table and the support necessary to do what the DoD requires of them by way of your company. Failing to provide that type of support and understanding could risk creating a whistleblower incubator—a practice we suggest avoiding. Chief intelligence officers (CIOs) and IT teams are ground zero for a host of compliance obligations. One only needs to examine the now-dismissed fraud charges levied against the SolarWinds CIO by the Securities and Exchange Commission. While he avoided the fire, they still threw him in the oven. The lesson here is that with heads on blocks, fingers will point.

Training is key here, and ensuring that everyone is fiddlin’ from the same sheet of music is critical. When a federal contractor (or subcontractor) can properly identify, define, and arrive at a common understanding of its cybersecurity obligations, the company will better be able to move uniformly toward meeting those obligations without the risk of creating whistleblowers. Divergent understandings or misunderstandings in a confusing and dynamic area like this are ripe picking for a whistleblower suit.

3. Create a Compliance Culture. While compliance costs may not make money, they can help keep it. The complaint clearly discusses compliance’s impact on the DOJ’s intervention. It describes Georgia Tech as creating a “culture of somebody up the line is going to overturn me, so I might as well go ahead and ignore the policy.” The phrase reflects the DOJ’s belief that among employees, particularly those responsible for cybersecurity compliance, higher management would undermine or reverse any enforcement action they took. It cultivated a “why bother?” mentality regarding enforcing cybersecurity policies or regulations and an atmosphere where rules were not consistently enforced and exceptions were made, particularly for “star researchers” who brought in significant funding or contracts.
   • Bet to avoid regret: Compliance in the arena of federal contracts has to be a top-down priority. The enforcement activities underway by the DOJ in areas like cybersecurity, collusion, supply chain, domestic preferences—and the newly announced Corporate Whistleblower Awards Pilot Program (described here)—are not issues with which to trifle. In fact, a devil-may-care attitude toward compliance may be the very action (or inaction) necessary to summon the DOJ to your doorstep.

     Building a recognized culture of compliance and ensuring that individuals can say something if they see something is critical for federal contractors in this era of enhanced enforcement. As stated above, ensuring that the entire enterprise shares a current, accurate, and complete understanding of (1) your company’s contractual obligations and (2) your company’s efforts in meeting those obligations is paramount to being a successful contractor capable of staying well away from the DOJ’s prying eyes.

The Devil opened up his case and he said, “I’ll start this show”
And fire flew from his fingertips as he rosined up his bow
And he pulled the bow across the strings and it made an evil hiss
And then a band of demons joined in and it sounded something like this

While idle hands may be the devil’s workshop, idle compliance is the devil’s playground. Cybersecurity regulations, in one form or another, have been haunting federal contracts for more than a decade. It is, therefore, no surprise that the DOJ has set its sights on emphasizing accountability in cybersecurity practices among government contractors. Contractors must recognize and fully embrace whom they are up against if they choose to avoid compliance and come to terms with the fact that there may be hell to pay if they choose to avoid it.

[View source.]