The U.S. government has intervened in a whistleblower lawsuit against the Georgia Institute of Technology (Georgia Tech) and the Georgia Tech Research Corporation (GTRC), accusing them of failing to meet cybersecurity standards mandated for Department of Defense (DoD) contractors. The lawsuit was initiated by Christopher Craig and Kyle Koza, former senior members of Georgia Tech’s cybersecurity compliance team, who allege that the defendants submitted false summary-level cybersecurity scores to secure contracts with the DoD. The complaint asserts that Georgia Tech and GTRC neglected to implement critical cybersecurity controls outlined by the National Institute of Standards and Technology (NIST) and misled the DoD about their compliance with these requirements.
According to the whistleblowers’ complaint, Georgia Tech and its affiliate have not enforced federal cybersecurity regulations on DoD contracts since at least 2019. Instead, they reportedly prioritized the interests of researchers who had secured significant government contracts over compliance with federal cybersecurity mandates. The complaint highlights that even a system security plan established in 2020 failed to cover all required systems and was not updated as the regulations require, which raises concerns about the integrity of cybersecurity measures within the organization.
The complaint further details that from May 2019 to December 2021, no security applications were installed or maintained on the systems and networks of the Astrolavos Lab at Georgia Tech, contravening both federal requirements and internal policies. This failure to maintain cybersecurity standards has serious implications not only for the organization but also for national security, given the sensitive nature of the information handled by these systems. The Department of Justice emphasized that the defendants were contractually obligated to implement robust cybersecurity measures under their agreements with the DoD.
The lawsuit further alleges that in December 2020 Georgia Tech submitted a fraudulent cybersecurity assessment score of 98, which inaccurately reflected its compliance status for systems that store or access covered defense information. This score was purportedly based on a fictitious environment unconnected to Georgia Tech’s research activities and misrepresented the actual cybersecurity posture of its contracting systems. The U.S. government is now taking over litigation of the whistleblower case, which could lead to significant penalties for Georgia Tech and GTRC under the qui tam provisions of the False Claims Act, holding them accountable for the alleged violations and for the financial damages the government may have incurred.