The U.S. Department of Justice (DOJ) filed its first major complaint-in-intervention under the False Claims Act (FCA) premised on a government contractor’s alleged cybersecurity deficiencies since the DOJ’s Civil Cyber-Fraud Initiative was launched in 2021. Its complaint accuses the Georgia Institute of Technology (Georgia Tech) of violating cybersecurity regulations while fulfilling $31 million of federal contracts for, ironically, cybersecurity research.

The whistleblowers — current and former members of the university’s cybersecurity compliance team — filed their lawsuit under seal in July 2022. The government elected to intervene in the case in February 2024 and requested additional time to file its complaint-in-intervention.

The DOJ’s complaint accuses Georgia Tech’s Astrolavos Lab of failing to implement basic cybersecurity protections, potentially exposing sensitive defense information to cyberattacks. According to the DOJ, the lab also sent the government a fake cybersecurity assessment score, creating the false appearance that it complied with cybersecurity standards that all federal defense contractors must follow.

Specifically, the complaint-in-intervention alleges that:

  • The lab failed to develop, in a timely manner, a system security plan detailing the cybersecurity controls required in the lab;
  • Once the lab developed its system security plan, it failed to include all covered equipment in the plan, including all computers and servers in the lab;
  • The lab submitted a false cybersecurity assessment score to the government, thereby misrepresenting the campus’s compliance with cybersecurity standards that all contractors who process, store, or transmit unclassified defense information must meet; and
  • The lab failed to install and run anti-virus and anti-malware software on IT equipment in the lab, which violated not only the government’s cybersecurity contracting requirements but also Georgia Tech’s own policies.

Department of Defense regulations require federal contractors that possess controlled unclassified information (CUI) and/or controlled technical information (CTI) to provide adequate security for that information by, at a minimum, implementing the 110 controls listed in the National Institute of Standards and Technology (NIST) Special Publication 800-171, entitled “Protecting [CUI] in Nonfederal Information Systems and Organizations.” Allegedly, the government contracts at issue in this litigation incorporated these regulations by reference, and the solicitation for the contract specified that these cybersecurity provisions would apply.

The DOJ alleges that Georgia Tech’s conduct violates the FCA under theories of fraudulent inducement and false certification. It alleges that the university’s representations of compliance induced the government to enter into the contracts under false pretenses. Once the contracts were in place, the university submitted invoices to the Department of Defense that contained certifications either that the work was performed “in accordance with the agreements set forth in the application and award documents” or “in accordance with the application and award documents,” but did not mention the alleged failures to comply with federal cybersecurity rules and regulations. The DOJ asserts that the lab’s cybersecurity shortcomings render these certifications false.

Government contractors should be aware that their cybersecurity compliance efforts will be under scrutiny. To reduce the risk of FCA liability for cybersecurity issues, government contractors would be well advised to make sure they are familiar with NIST’s Special Publication 800-171 and the government’s other cybersecurity rules for government contractors, adequately document their system security plans, and ensure that these plans comprehensively cover all equipment and servers that store sensitive information.