The U.S. government is ramping up its efforts to ensure that defense contractors uphold their cybersecurity obligations, with a clear message that non-compliance will not be tolerated. In a recent enforcement action, the Georgia Tech Research Corporation (GTRC) agreed to pay the United States $875,000 to resolve allegations that it violated the False Claims Act. The settlement addresses GTRC’s alleged failure to meet cybersecurity requirements in connection with contracts for the Air Force and the Defense Advanced Research Projects Agency (DARPA). This action highlights the Justice Department’s commitment to holding contractors accountable when they fail to protect sensitive government information from cyber threats.
Assistant Attorney General Brett A. Shumate emphasized that such failures leave critical government data vulnerable to malicious actors. This sentiment was echoed by U.S. Attorney Theodore S. Hertzberg, who stressed that contractors who provide false information or neglect their cybersecurity duties will face consequences. Officials from multiple agencies, including the Department of Defense Office of Inspector General and the Air Force Office of Special Investigations, all underscored the importance of cybersecurity compliance for national security. They warned that deficiencies in cybersecurity controls jeopardize sensitive programs and put servicemembers at risk, asserting that those who ignore these rules will be held accountable.
The lawsuit against GTRC and its affiliate, the Georgia Institute of Technology, alleged that until December 2021, the Astrolavos Lab failed to use essential anti-virus or anti-malware tools on its computers and networks while conducting sensitive cyber-defense research. The government also claimed that until at least February 2020, the lab lacked a required system security plan outlining the necessary cybersecurity controls. These failures directly violated contractual requirements designed to protect covered defense information.
Furthermore, the government alleged that GTRC and Georgia Tech submitted a false, campus-wide cybersecurity assessment score of 98 to the Department of Defense in December 2020. This score was allegedly fabricated and did not apply to any actual contracting system. The submission of a legitimate assessment score was a condition for contract award, and the obligation to implement specific security controls has been a requirement for DoD contracts since 2017. These requirements are now being further strengthened under the new Cybersecurity Maturity Model Certification (CMMC) program.
This settlement resulted from a lawsuit initiated by two former members of Georgia Tech’s cybersecurity team, Christopher Craig and Kyle Koza, under the False Claims Act’s whistleblower provisions. The government intervened in the case, which ultimately led to the settlement. As part of the resolution, Craig and Koza will receive $201,250 for their role in bringing the allegations to light. This collaborative effort between multiple federal agencies reinforces the government’s determination to enforce cybersecurity standards and protect vital national security information.