In recent years, the U.S. Department of Justice has ramped up its examination of cybersecurity compliance among federal contractors, with a particular focus on academic institutions. At the same time, the Department of Defense ("DoD") just announced $43 million of awards to 112 researchers at academic institutions across the country to "fund equipment and instrumentation to accelerate basic research in such DoD-priority areas as quantum computing, photonics, human performance, autonomy, and the design, development, and characterization of novel materials." The award of these contracts, however, comes with inherent risk as the academic institutions must adhere to various DoD and related regulations.
Two prominent cases have emerged involving Georgia Institute of Technology ("Georgia Tech") and Pennsylvania State University ("Penn State"). Both institutions have faced civil investigations and claims under the False Claims Act (FCA) concerning their compliance with cybersecurity requirements. These cases underscore the attention that universities must give to cybersecurity compliance when contracting to perform research with federal agencies.
Georgia Tech's FCA Suit
Georgia Tech, one of the nation's leading scientific research institutions, currently finds itself at the center of a lawsuit over its alleged failures to comply with U.S. Department of Defense (DOD) cybersecurity standards.
In the suit, federal officials accuse Georgia Tech of not adhering to DOD cybersecurity standards in its research contracts. Specifically, the suit focuses on contracts with the Astrolavos Lab, which, in fact, involved research in cybersecurity. The lawsuit also alleges that university researchers failed to implement adequate anti-malware protections and that when internal whistleblowers raised concerns, Astrolavos leaders ignored them.
Georgia Tech has firmly contested these allegations, filing a motion to dismiss the case. The university argues that the cybersecurity standards cited by the government did not apply to its contracts as they were for "fundamental research." According to Georgia Tech, fundamental research is explicitly excluded from handling sensitive "covered defense information" (CDI), and hence, the stringent cybersecurity requirements were not applicable.
In a statement to Law360, Georgia Tech's attorneys said, "The government told Georgia Tech that it was conducting research that did not require cybersecurity restrictions, and the government itself publicized Georgia Tech's groundbreaking research findings. In fact, in this case, there was no breach of information, and no data leaked."
The lawsuit was filed in August 2024 and remains pending.
Penn State's Settlement Agreement
As the case against one major institution ramps up, another has come to a close.
In October 2024, Penn State agreed to a $1.25 million settlement to resolve allegations of non-compliance with cybersecurity requirements for defense and NASA contracts. The allegations were brought forward by a former chief information officer at Penn State's Applied Research Laboratory, under the whistleblower provisions of the FCA.
The suit claimed that between 2018 and 2023, Penn State failed to implement necessary cybersecurity measures required by NASA and the Department of Defense and didn't develop appropriate plans to correct deficiencies.
Penn State emphasized that the settlement was not an admission of wrongdoing but rather a measure to avoid protracted litigation and address concerns of federal sponsors. The university maintained that no government information had been compromised and reiterated its commitment to enhancing its cybersecurity posture.
The former CIO-whistleblower was awarded $250,000 as part of the settlement.
Principal Deputy Assistant Attorney General Brian M. Boynton, head of the Justice Department's Civil Division, said, "Universities that receive federal funding must take their cybersecurity obligations seriously, We will continue our efforts under the department's Civil Cyber-Fraud Initiative to hold contractors accountable when they fail to honor cybersecurity requirements designed to protect government information."
Risks of an FCA Claim & An Increase in DOJ Cybersecurity Enforcement
The actions against Penn State and Georgia Tech reflect the Department of Justice's increased focus on fraud related to the cybersecurity. This increased focus comes as federal agencies find themselves at risk of cyberattack not only from criminals, but also hostile foreign states.
The actions against Penn State and Georgia Tech reflect the Department of Justice's increased focus on fraud related to the cybersecurity. This increased focus comes as federal agencies find themselves at risk of cyberattack not only from criminals, but also hostile foreign states.
In October 2021, Deputy U.S. Attorney General Lisa Monaco launched the DOJ's Civil Cyber-Fraud Initiative. The initiative combines resources from a number of DOJ teams to "hold accountable entities or individuals that put U.S. information or systems at risk by knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cybersecurity incidents and breaches."
Monaco said at the time, "For too long, companies have chosen silence under the mistaken belief that it is less risky to hide a breach than to bring it forward and to report....We are announcing today that we will use our civil enforcement tools to pursue companies, those who are government contractors who receive federal funds, when they fail to follow required cybersecurity standards — because we know that puts all of us at risk."
Implications and Moving Forward
The settlements and ongoing litigations serve as a clarion call for academic and research institutions to prioritize cybersecurity and foster a culture of transparency and accountability. As the DOJ continues to ramp up its Civil Cyber Fraud Initiative, universities and contractors must take proactive steps to mitigate risks and safeguard sensitive information.
To better comply with cybersecurity standards and avoid potential legal issues, institutions can take several proactive measures:
- Conduct Regular Audits and Assessments: Conduct comprehensive cybersecurity audits and assessments to identify vulnerabilities and ensure compliance with current standards.
- Require Coordination and Assign Accountability: Ensure your research teams understand their cybersecurity obligations and coordinate with your Information Security teams.
- Provide Security Trainings: Require personnel to complete periodic cybersecurity trainings on the institution's policies and procedures and cybersecurity awareness for the evolving threat landscape and how to spot a potential cybersecurity threat.
- Update Security Policies: Regularly review and update cybersecurity policies to reflect changes in federal requirements and evolving threats.
- Invest in Advanced Security Technologies: Utilize advanced security technologies such as encryption, intrusion detection systems, and secure access controls to protect sensitive information.
- Establish Incident Response Plans: Develop and maintain incident response plans to quickly address and mitigate the impact of cybersecurity breaches and conduct tabletop exercises to walk through a mock cybersecurity incident and response process.
- Investigate Internal Complaints: Review and follow the institution's internal claims process and ensure that whistleblowers are protected from potential retaliation.
The scrutiny faced by Georgia Tech and Penn State highlights the evolving landscape of cybersecurity compliance in federal contracting. These cases illustrate the potential legal and financial ramifications of non-compliance and emphasize the need for robust cybersecurity frameworks within academic institutions when engaged in federal research.
Academic institutions performing research with Department of Defense agencies will need to pay particularly close attention to the recently published Final Rule for the Cybersecurity Maturity Model Certification (CMMC) program, which introduces a third-party assessment and certification process to verify compliance with cybersecurity practices.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.