Georgia Tech Research Corporation Pays $875,000 to Resolve Allegations of False Claims Act Violations Over Cybersecurity Failures
The Georgia Tech Research Corporation (GTRC) has agreed to pay the United States $875,000 to resolve allegations that it violated the False Claims Act and federal common law by failing to meet cybersecurity requirements in connection with certain contracts with the Air Force and the Defense Advanced Research Projects Agency (DARPA). GTRC, which administers contracts for research conducted at the Georgia Institute of Technology (Georgia Tech), works extensively with federal agencies including the Department of Defense (DoD).
According to the Justice Department, the settlement addresses serious lapses in cybersecurity controls that were required under GTRC’s contracts. These failures exposed sensitive government information to potential threats from malicious actors, undermining the trust placed in defense contractors.
Assistant Attorney General Brett A. Shumate of the Justice Department’s Civil Division emphasized the broader significance of the settlement: “When contractors fail to follow the required cybersecurity standards in their DoD contracts, they leave sensitive government information vulnerable to malicious actors and cyber threats. Together with DoD and other agency partners, the Department of Justice will continue to pursue and litigate violations of cybersecurity requirements to hold contractors accountable when they violate their cybersecurity commitments.”
U.S. Attorney Theodore S. Hertzberg for the Northern District of Georgia echoed these concerns, stressing that contractors’ adherence to cybersecurity obligations is vital to national security. “Contractors who fail to implement required cybersecurity controls, provide false information to the government, and otherwise fail to fulfill their cybersecurity obligations will be held accountable,” Hertzberg stated.
The Office of the Chief Information Officer also underscored the risks posed by cybersecurity negligence. Stacy Bostjanick, Chief Defense Industrial Base Cybersecurity, noted that failure to meet obligations endangers all stakeholders: “Those who knowingly provide deficient cybersecurity products or services, misrepresent their cybersecurity practices or protocols, or violate obligations to monitor and report cybersecurity incidents and breaches must be held accountable. Enforcement efforts like this should serve as a reminder to industry to prioritize DoD cybersecurity compliance.”
The Defense Criminal Investigative Service (DCIS) emphasized that deficiencies in cybersecurity directly threaten national defense programs and the safety of servicemembers. “As force multipliers, we place a substantial amount of trust in our contractors, and those who ignore the rules will be held accountable,” said Jason Sargenski, Special Agent in Charge of DCIS’s Southeast Field Office. Similarly, the Air Force Office of Special Investigations (AFOSI) Procurement Fraud Detachment highlighted its commitment to investigating and neutralizing cybersecurity threats when contractors neglect their obligations.
The government’s allegations against GTRC and Georgia Tech were serious and specific. Investigators alleged that until December 2021, Georgia Tech’s Astrolavos Lab, which conducted sensitive cyber-defense research for the DoD, failed to install, update, or run anti-virus and anti-malware tools on desktops, laptops, servers, and networks. The United States also claimed that until February 2020, the Astrolavos Lab lacked a system security plan required under its contracts.
Further allegations included the submission of a false cybersecurity assessment score in December 2020. According to the complaint, GTRC and Georgia Tech submitted a summary score of 98 to the DoD, suggesting near-complete compliance with cybersecurity standards. The government alleged that this score was misleading for two reasons: first, Georgia Tech had no campus-wide IT system to which such a score could apply, and second, the score was based on a “fictitious” or “virtual” environment rather than an actual system that processed, stored, or transmitted covered defense information. Because the submission of an accurate cybersecurity assessment score was a condition for contract awards, the government alleged this amounted to a false claim.
The cybersecurity requirements at issue stem from National Institute of Standards and Technology Special Publication 800-171 (NIST SP 800-171), which has applied to DoD contracts and subcontracts since 2017. These requirements set specific security controls to protect sensitive defense information. The Department of Defense recently finalized the Cybersecurity Maturity Model Certification (CMMC) program, which expands and strengthens assessment requirements for contractors and subcontractors. The GTRC case illustrates the enforcement of these obligations and the potential consequences of failing to comply.
The settlement arose from a whistleblower lawsuit filed under the False Claims Act’s qui tam provisions. Former members of Georgia Tech’s cybersecurity team, Christopher Craig and Kyle Koza, filed the original complaint. The Act allows private individuals to bring lawsuits on behalf of the government and share in any financial recovery. In this case, Craig and Koza will receive $201,250 from the settlement as their share. The United States formally intervened in the lawsuit in August 2024, pursuing the most significant allegations.
The resolution of this case was the result of close cooperation among several federal entities. The Justice Department’s Civil Division, Commercial Litigation Branch, and Fraud Section worked alongside the U.S. Attorney’s Office for the Northern District of Georgia, DCIS, AFOSI, the Air Force Materiel Command Law Office Procurement Fraud Division, and DARPA. The matter was handled by Trial Attorney Joanna Persio of the Fraud Section and Assistant U.S. Attorneys Melanie D. Hendry and Adam D. Nugent for the Northern District of Georgia.
This case highlights the growing emphasis placed by the federal government on cybersecurity compliance among contractors. The message is clear: contractors entrusted with sensitive government information must take their cybersecurity obligations seriously. When they do not, they risk financial penalties, reputational damage, and exclusion from future federal contracts.
The GTRC settlement also reflects the Justice Department’s continued use of the False Claims Act to address emerging risks, including those in the cybersecurity domain. By holding contractors accountable for failing to implement required safeguards and for submitting misleading information, the government aims to protect national security and ensure that taxpayer dollars are spent responsibly.
.jpg)
.jpg)
.jpg)
