U.S. Government Intervenes in Georgia Tech Cybersecurity False Claims Case

Pillsbury Winthrop Shaw Pittman LLP

The Georgia Tech case serves as yet another reminder of the importance of contractor compliance with cybersecurity requirements in federal contracts.

Takeaways

  • The Government alleges that Georgia Tech failed to comply with the cybersecurity requirements of its federal contracts and that it had a culture of disregard for cybersecurity procedures.
  • Among other penalties, the Government seeks to recover treble damages under the False Claims Act, as well as all payments made to Georgia Tech under contracts with cybersecurity standards, plus interest, costs and expenses.
  • The case illustrates that the Government will continue to focus on contractors’ ongoing cybersecurity compliance obligations, even as it continues to roll out the Cybersecurity Maturity Model Certification (CMMC) program.

On August 22, 2024, the U.S. Department of Justice (DOJ) filed a complaint as intervenor in a False Claims Act (FCA) lawsuit filed against Georgia Tech Research Corporation and the Board of Regents of the University System of Georgia (Georgia Tech). The case was originally filed against Georgia Tech under seal in July 2022 by two whistle-blowers, its former associate director of cybersecurity and a former principal information security engineer.

The FCA is a law that imposes liability on persons and companies that defraud the U.S. Government. The DOJ often brings FCA actions against government contractors for noncompliance with government contracts that, in the DOJ’s view, amount to fraud. The FCA provides for payment of treble damages and civil penalties for each false claim—and these penalties can quickly add up.

In 2021, the DOJ announced its Civil Cyber-Fraud Initiative, which aims to use the FCA to combat cybersecurity threats by imposing penalties on government contract and grant recipients who fail to follow required cybersecurity standards. Although the DOJ has previously entered into settlements with contractors under this initiative, this is the first FCA case under this initiative in which the DOJ has publicly intervened. In addition to the FCA claims, the DOJ’s complaint against Georgia Tech brings claims of common law fraud, negligent misrepresentation, unjust enrichment, payment by mistake and breach of contract.

The contracts at issue in the case were awarded to Georgia Tech’s Astrolavos Lab for research on cybersecurity issues. The DOJ complaint alleges that Georgia Tech violated cybersecurity standards found in Defense Federal Acquisition Regulation Supplement (DFARS) section 204.7302, and the contract clauses found in DFARS sections 252.204-7008, 252.204-7012, 252.204-7019 and 252.204-7020 and in Federal Acquisition Regulation (FAR) section 52.204-21. At a high level, these clauses require contractors to implement the security controls found in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 rev. 2, to establish a system security plan (SSP) and plan of actions and milestones (POAM) addressing these NIST requirements, and to perform a self-assessment against the NIST requirements and post the resulting score on the Supplier Performance Risk Management System (SPRS), among other things.

The DOJ complaint alleges that there was no enforcement of the relevant cybersecurity standards, with implicit and sometimes explicit approval from senior leadership, to accommodate high-profile researchers who brought in large sums of Government funding and found cybersecurity compliance too burdensome. More particularly, the complaint alleges that Georgia Tech failed to develop an SSP and created and shared with the Government an inaccurate NIST self-assessment score. The complaint also alleges that Georgia Tech failed to install and run antivirus software on servers and personal computers with access to nonpublic Government information.

This case against Georgia Tech is in its early stages, and it is not clear whether the Government will be able to substantiate its allegations. Nevertheless, this case shows that the Government takes cybersecurity compliance seriously, and that contractors must do the same. Since the relevant cybersecurity standards were first implemented in 2016, the Department of Defense and other Government agencies have often taken a cooperative approach to promoting compliance, which may have misled some contractors into believing that the Government will not enforce these cybersecurity standards with legal action. The case against Georgia Tech should dispel that misimpression.

Observers who have been monitoring the cybersecurity enforcement landscape will likely appreciate that this case is not the first cybersecurity FCA action the DOJ has taken against government contractors, even if it is the first time the agency has intervened in a qui tam case. Last year, for example, we saw the DOJ reach a $4 million settlement with Verizon Business Network Services LLC to resolve claims that the company failed to meet cybersecurity requirements when performing its government contracts. More cases may be on the horizon. The Georgia Tech case and these earlier actions should serve as a reminder to contractors that the Government is focused on ongoing cybersecurity compliance issues, even though the Cybersecurity Maturity Model Certification (CMMC) program is still being finalized. Furthermore, this heightened enforcement activity suggests that the Government may use all the tools at its disposal—including suspension or debarment actions—to pursue contractors who fail to comply with required cybersecurity standards, which could have devastating consequences for any government contractor.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Pillsbury Winthrop Shaw Pittman LLP
