The Department of Justice recently announced that Georgia Tech Research Corporation (GTRC) has agreed to pay $875,000 to resolve allegations that it violated the False Claims Act by failing to meet required cybersecurity standards in connection with contracts with the U.S. Air Force and the Defense Advanced Research Projects Agency (DARPA).
In light of this development, government contractors would be well advised to review their cybersecurity programs, ensure the accuracy of their self-assessments, and prepare for heightened oversight under the Cybersecurity Maturity Model Certification (CMMC) program.
Alleged Failures and Misrepresentations
GTRC manages sponsored research agreements on behalf of the Georgia Institute of Technology (Georgia Tech), including research contracts with the U.S. Department of Defense (DoD). According to the government, GTRC and Georgia Tech failed to implement critical cybersecurity controls while conducting sensitive cyber-defense research, misrepresented their compliance posture, and submitted false information to DoD regarding their cybersecurity readiness.
Specifically, the government alleged that until December 2021, GTRC and Georgia Tech:
- Failed to install, update, or run required anti-virus or anti-malware tools on desktops, laptops, servers, and networks at Georgia Tech’s Astrolavos Lab.
- Did not have a system security plan in place until at least February 2020, despite contractual requirements to maintain one.
- Submitted a false cybersecurity assessment score of 98 in December 2020, representing that the university had a campus-wide IT system compliant with DoD standards. In reality, the score was based on a “fictitious” or “virtual” environment and did not reflect actual systems used to process covered defense information.
According to the government, these alleged misrepresentations were material because providing an accurate cybersecurity assessment score was a condition of the contract award for GTRC’s DoD contracts.
DOJ and DoD Emphasize Contractor Cybersecurity Obligations
As part of the announced settlement, senior government officials emphasized the critical importance of cybersecurity compliance in DoD contracts:
- Assistant Attorney General Brett A. Shumate stated that contractors who fail to meet cybersecurity standards “leave sensitive government information vulnerable to malicious actors and cyber threats.”
- U.S. Attorney Theodore S. Hertzberg for the Northern District of Georgia warned that defense contractors “who fail to implement required cybersecurity controls, provide false information to the government, and otherwise fail to fulfill their cybersecurity obligations will be held accountable.”
- Stacy Bostjanick, Chief Defense Industrial Base Cybersecurity for DoD, noted that this case should remind contractors to prioritize compliance with NIST SP 800-171 and the CMMC program.
Qui Tam Whistleblowers Receive Share of Recovery
The settlement resolves claims brought under the False Claims Act’s qui tam provisions by Christopher Craig and Kyle Koza, former members of Georgia Tech’s cybersecurity team. The United States intervened in the lawsuit and filed its own complaint in August 2024. Under the settlement, the relators will receive $201,250 as their share of the recovery.
Key Takeaways for Government Contractors
This settlement underscores several important points for government contractors and subcontractors to consider:
- Cybersecurity is a contractual obligation – Failing to implement the NIST SP 800-171 controls a contract requires, or misrepresenting how fully they are implemented, can lead to False Claims Act liability in addition to ordinary contractual remedies.
- Assessment scores matter – A self-assessment score must be computed against the systems that actually process covered defense information, as scoped in the system security plan, with any unimplemented controls carried in a plan of action. A score derived from a lab or reference environment that does not handle that data, or one submitted without an underlying assessment, may expose contractors to government enforcement actions even though the score itself is only a single summary number.
- Whistleblowers are watching – Employees with knowledge of cybersecurity deficiencies may bring False Claims Act suits, and DOJ has shown its willingness to intervene in these cases.
- CMMC is the next step – DoD’s CMMC program phases in verification of the same NIST SP 800-171 controls: contractors must affirm compliance annually, and many contracts involving controlled unclassified information will require an assessment by an authorized third party rather than a self-assessment. An inaccurate posture is therefore more likely to be detected, and each affirmation is itself a representation to the government that must be accurate.
Conclusion
As enforcement actions like this one make clear, cybersecurity is no longer just an IT issue; it is a core compliance and contract performance obligation. Federal contractors should confirm that their system security plans describe the systems actually in scope, that any submitted assessment score can be traced to those systems, and that their programs are ready for the added scrutiny CMMC will bring.