Georgia Tech Research Corporation Agrees to Pay $875,000 to Resolve Civil Cyber-Fraud Litigation

Georgia Tech Research Corporation (GTRC) has agreed to pay the United States $875,000 to resolve allegations that it violated the False Claims Act and federal common law by failing to meet cybersecurity requirements in connection with certain Air Force and Defense Advanced Research Projects Agency (DARPA) contracts. GTRC contracts with government agencies, including the U.S. Department of Defense (DoD), for research performed at its affiliate, the Georgia Institute of Technology (Georgia Tech).

"When contractors fail to follow the required cybersecurity standards in their DoD contracts, they leave sensitive government information vulnerable to malicious actors and cyber threats," said Assistant Attorney General Brett A. Shumate of the Justice Department's Civil Division. "Together with DoD and other agency partners, the Department of Justice will continue to pursue and litigate violations of cybersecurity requirements to hold contractors accountable when they violate their cybersecurity commitments."

"Defense contractors' adherence to their cybersecurity obligations is essential to safeguarding sensitive government information from malicious actors," said U.S. Attorney Theodore S. Hertzberg for the Northern District of Georgia. "Contractors who fail to implement required cybersecurity controls, provide false information to the government, and otherwise fail to fulfill their cybersecurity obligations will be held accountable."'

"Failure to follow required cybersecurity requirements puts all of us at risk," said Stacy Bostjanick, Chief Defense Industrial Base Cybersecurity, Deputy Chief Information Officer for Cybersecurity, Office of the Chief Information Officer. "Those who knowingly provide deficient cybersecurity products or services, misrepresent their cybersecurity practices or protocols, or violate obligations to monitor and report cybersecurity incidents and breaches must be held accountable. Enforcement efforts like this should serve as a reminder to industry to prioritize DoD cybersecurity compliance."

"Deficiencies in cybersecurity controls pose a significant threat to our national security and jeopardize sensitive DoD programs that put our servicemembers at risk," said Special Agent in Charge Jason Sargenski of the Department of Defense Office of Inspector General, Defense Criminal Investigative Service (DCIS), Southeast Field Office. "As force multipliers, we place a substantial amount of trust in our contractors, and those who ignore the rules will be held accountable."

"AFOSI is committed to pursuing allegations related to the security of our information systems and neutralizing threats malicious actors pose when contractors fail to meet their contractual obligations," said Special Agent in Charge Derrell Freeman of Air Force Office of Special Investigations (AFOSI), Procurement Fraud Detachment 5.

The settlement resolves a lawsuit against GTRC and Georgia Tech where the United States alleged that until December 2021, those entities failed to install, update or run anti-virus or anti-malware tools on desktops, laptops, servers and networks at Georgia Tech's Astrolavos Lab while the lab conducted sensitive cyber-defense research for DoD. The United States also alleged that until at least February 2020, there was no system security plan in place for the Astrolavos Lab to set out the cybersecurity controls that GTRC's contracts required.

Finally, the United States alleged that in December 2020 GTRC and Georgia Tech submitted a false summary level cybersecurity assessment score to DoD which supposedly applied campus-wide. That summary level score of 98 was allegedly false because (1) there was no campus-wide IT system at Georgia Tech and (2) the score was premised on a "fictitious" or "virtual" environment and did not apply to any actual covered contracting system at Georgia Tech that would process, store or transmit covered defense information. The United States alleged the submission of a cybersecurity assessment score was a condition of contract award for GTRC's DoD contracts. The obligation to implement security controls specified in National Institute of Standards and Technology Special Publication 800-171 (NIST SP 800-171) to protect certain DoD information has applied to DoD contracts, subcontracts, and similar contractual instruments since 2017 and will continue under the Cybersecurity Maturity Model Certification (CMMC) program that DoD recently finalized. The CMMC program further bolsters the assessment requirements applicable to DoD contractors and subcontractors.

The settlement announced today stems from a complaint filed by Christopher Craig and Kyle Koza, former members of Georgia Tech's Cybersecurity Team, under the qui tam or whistleblower provisions of the False Claims Act, which permit private persons to bring a lawsuit on behalf of the government and to share in any recovery. The Act also permits the Government to intervene and take over the lawsuit, as it did in this case as to certain allegations. The United States intervened in the qui tam suit and filed its complaint in August 2024. The settlement in this case provides for Craig and Koza to receive $201,250 as their share of the recovery.

The investigation, litigation, and resolution in this matter was the result of a coordinated effort between the Justice Department's Civil Division, Commercial Litigation Branch, Fraud Section, the U.S. Attorney's Office for the Northern District of Georgia, DCIS, AFOSI, the Air Force Materiel Command Law Office Procurement Fraud Division, and DARPA. The matter was handled by Trial Attorney Joanna Persio of the Fraud Section and Assistant U.S. Attorneys Melanie D. Hendry and Adam D. Nugent for the Northern District of Georgia.

The lawsuit is captioned United States ex rel. Craig v. Georgia Tech Research Corporation et al., No. 1:22-cv-02698 (N.D. Ga.).

The claims resolved by the settlement are allegations only, and there has been no determination of liability.