Case: United States of America ex rel. Christopher Craig and Kyle Koza, Plaintiffs, v. Georgia Tech Research Corp. and Board of Regents of the University System of Georgia (d/b/a The Georgia Institute of Technology), Defendants.
Court: United States District Court for the Northern District of Georgia, Atlanta Division
Case No.: 1:22-cv-02698-JPB
Nature of the Case: This is a False Claims Act (FCA) lawsuit filed by the United States government against Georgia Tech Research Corporation (GTRC) and the Board of Regents of the University System of Georgia (doing business as the Georgia Institute of Technology). The complaint alleges that GTRC knowingly misrepresented its compliance with cybersecurity requirements mandated by the Department of Defense (DoD) in order to secure and maintain lucrative research contracts.
Cybersecurity as National Security: The complaint emphasizes the critical importance of cybersecurity for protecting sensitive defense technology and maintaining the United States' technological advantage. It highlights the vulnerability of research universities to cyberattacks by foreign adversaries seeking to steal intellectual property.
"Actors ranging from cyber criminals to nation-states continue to attack companies and organizations that comprise the Department’s multi-tier supply chain . . . [and] seek to steal DoD’s intellectual property to undercut the United States’ strategic and technological advantage and to benefit their own military and economic development.”
Stringent DoD Cybersecurity Regulations: The complaint details a complex web of DoD regulations, including the Defense Federal Acquisition Regulation Supplement (DFARS) and NIST Special Publication 800-171, which impose strict cybersecurity requirements on contractors handling Controlled Unclassified Information (CUI) and Controlled Technical Information (CTI). Key requirements include:
"Adequate Security": Contractors must provide "adequate security" on their information systems that process, store, or transmit CUI.
NIST SP 800-171 Compliance: Contractors must implement the 110 security controls outlined in NIST SP 800-171 or have a plan of action to do so.
Certification of Compliance: Contractors must certify their compliance with these regulations as a condition of receiving a contract.
Submission of Summary Level Score: Contractors are required to submit a self-assessment score reflecting their level of compliance with NIST SP 800-171.
GTRC's Alleged Misrepresentations and Noncompliance: The heart of the complaint centers on allegations that GTRC, through its subsidiary Georgia Tech, made demonstrably false certifications regarding its compliance with these cybersecurity regulations, specifically regarding the Astrolavos Lab. The allegations include:
Failure to Implement System Security Plan (SSP): GTRC allegedly failed to develop and implement a system security plan for the Astrolavos Lab, a requirement for any contractor handling CUI.
"At no point did Defendants inform DoD that the Astrolavos Lab did not have a system security plan."
Failure to Implement Antivirus Software: The complaint alleges that GTRC did not adequately install, update, or run antivirus software on the lab's computers, servers, and networks, despite handling CUI.
“Garrison, the Astrolavos Lab’s head of IT, testified that as a general matter the Astrolavos Lab did not install, update, or run antivirus software on desktops, laptops, or servers at the lab.”
Submission of a False Summary Level Score: GTRC submitted a score of 98 for the entire Georgia Tech campus based on a “fictitious” or “virtual” environment that did not reflect the actual security posture of individual labs like the Astrolavos Lab.
"The enterprise-level score of 98 that Georgia Tech and GTRC submitted to DoD in December 2020 is false. It does not reflect a score for any information system used to process, store, or transmit Controlled Defense Information in connection with Defendants’ DoD contracts, including the Astrolavos Lab."
Alleged Knowledge and Materiality: The government alleges that GTRC was aware of these cybersecurity deficiencies and knowingly made false certifications to secure and maintain contracts. It argues that these misrepresentations were material because DoD relies on these certifications to ensure the protection of its sensitive information.
"[A]t the time they contracted with DoD, Defendants knew that they were not complying, and would continue not to comply, with the system security plan requirement, as well as the requirements to implement and monitor applicable security controls, as well as to put in place specific plans of action to address deficiencies."
Potential Impact: The government is seeking treble damages and civil penalties from GTRC, arguing that its actions constitute a violation of the False Claims Act. This case underscores the government's increasing focus on enforcing cybersecurity requirements for contractors handling sensitive information, particularly in the context of national security.
TopicLake Insights Publication. AI Assisted ✎