Tuesday, September 30

Georgia Tech Research Corporation pays $875K to settle cybersecurity fraud claims in DoD contracts

ATLANTA, GA – Georgia Tech Research Corporation (GTRC) has agreed to pay $875,000 to resolve allegations that it violated the False Claims Act and federal common law by failing to comply with required cybersecurity standards in connection with U.S. Department of Defense contracts, the Justice Department announced today.

GTRC, which performs research through its affiliate Georgia Institute of Technology (Georgia Tech), allegedly failed to install or maintain antivirus and anti-malware protections at its Astrolavos Lab during sensitive cyber-defense research for the Air Force and Defense Advanced Research Projects Agency (DARPA). The United States also alleged GTRC had no system security plan in place until at least February 2020 and submitted a false cybersecurity assessment score to DoD in December 2020.

The inflated cybersecurity score, reported as 98, allegedly misrepresented actual conditions, including the absence of a campus-wide IT system and reliance on a fictitious environment not used in covered contract work. The cybersecurity score was required for contract eligibility under NIST SP 800-171 and is further emphasized in the newly finalized Cybersecurity Maturity Model Certification (CMMC) program.

“This conduct left sensitive government information vulnerable to malicious actors and cyber threats,” said Assistant Attorney General Brett A. Shumate. “We will continue to hold contractors accountable when they violate cybersecurity commitments.”

The allegations were originally brought under the whistleblower provisions of the False Claims Act by former Georgia Tech cybersecurity team members Christopher Craig and Kyle Koza. The federal government intervened in the case and the two whistleblowers will receive $201,250 from the settlement.

The case was investigated by the Department of Justice’s Civil Division, U.S. Attorney’s Office for the Northern District of Georgia, the Defense Criminal Investigative Service (DCIS), Air Force Office of Special Investigations (AFOSI), the Air Force Materiel Command Law Office, and DARPA.

The lawsuit is captioned United States ex rel. Craig v. Georgia Tech Research Corporation et al., No. 1:22-cv-02698 (N.D. Ga.).
