As we first noted a few months ago, the Department of Justice (DOJ) announced it would intervene in its first cyber-related False Claims Act (FCA) case since unveiling its Civil Cyber-Fraud Initiative (CCFI) in late 2021. Just before Labor Day, DOJ filed its complaint-in-intervention in that case, outlining its allegations against Georgia Tech and a related Georgia Tech research entity. United States ex rel. Craig v. Georgia Tech Research Corp., No. 22-cv-02698 (N.D. Ga. filed Aug. 22, 2024). DOJ alleges that Georgia Tech "failed to heed th[e] warning" that "contractors must begin viewing cybersecurity as a part of doing business, in order to protect themselves and to protect national security."
The case relates to contracts between the Georgia Tech entities and various components of the Department of Defense (DOD) going back to at least 2016. These contracts allegedly included Defense Federal Acquisition Regulation (DFARS) clause 252.204-7012, which imposes a requirement that contractor information systems that house "covered defense information" (CDI) adhere to the controls identified in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, as well as other cybersecurity requirements. DOJ alleges that Georgia Tech failed to comply with those standards in at least three ways: by failing to develop and implement a system security plan (SSP), failing to use antivirus software on the relevant network, and submitting an inaccurate summary score of its SP 800-171 compliance.
Broadly, DOJ's theory is that "star" researchers were allowed to ignore the cybersecurity requirements in Georgia Tech's DOD research contracts "because they found it burdensome" to comply with them, and the school's leadership did not want to discourage the researchers from participating in projects that were bringing in substantial federal funding. One of the researchers whose lab at Georgia Tech allegedly failed to adhere to the NIST SP 800-171 cybersecurity requirements is himself a cybersecurity researcher working with well-known government entities such as the Defense Advanced Research Projects Agency. That lab is a key focus of DOJ's complaint-in-intervention.
DOJ's complaint spans 99 pages and contains references to deposition testimony from several current and former Georgia Tech employees as well as internal documents, giving some indication of the scope of DOJ's pre-intervention investigation. But we'll keep things more high-level here. First, DOJ alleges that the lab failed to develop an SSP until three years after relevant contracts began, and even then did not include all relevant aspects of the network in the plan. In addition to lacking this required plan, Georgia Tech allegedly also failed to use antivirus software on the network used for the relevant contracts. This was the issue that was featured most prominently in the Relators' original complaint.
The third category of allegations relates to Georgia Tech's submission of Supplier Performance Risk System (SPRS) scores. Contractors submit these metrics to DOD to indicate each system's compliance with the 110 security controls specified in SP 800-171. The lab allegedly failed to calculate a SPRS score as required and instead submitted a score for a "virtual" campus-wide cybersecurity environment despite internal warnings that doing so could be misleading. In conclusion, DOJ alleges that Georgia Tech induced DOD agencies to enter into contracts with it for which Georgia Tech was not eligible by falsely indicating that it would comply with applicable cybersecurity regulations and that it had provided an accurate SPRS score, when neither was true.
DOJ's filing serves as a reminder that, especially with the CCFI in full swing, cyber issues can arise under any type of government contract. Many of DOJ's allegations are specific to DFARS 252.204-7012, which applies specifically to CDI. However, it also alleges that Georgia Tech violated Federal Acquisition Regulation 52.204-21, which imposes more broadly applicable cybersecurity requirements for any contractor system that processes any nonpublic government information, regardless of whether it is CDI. While this clause does not require compliance with all of NIST SP 800-171's 110 controls, it does require the use of antivirus software, describing this as a "basic safeguard" that any "prudent business person would employ."
Under the current schedule, Georgia Tech's motion to dismiss is due in October and briefing will be complete in January 2025. We will continue to monitor this case as we are also monitoring another cyber FCA suit filed against a university. As we previously reported, DOJ earlier this year had been investigating cyber FCA claims brought by the former Chief Information Officer of one of Penn State's research labs against Penn State. In a joint status report filed by the parties last month, Penn State reported that it has been cooperating with DOJ's investigation and is in settlement discussions with DOJ that are expected to conclude by early October 2024.
We here at Qui Notes will continue to monitor the progress of these and other cases brought under the CCFI and report back on any key developments. If you have any questions about the topics discussed in this post, please reach out to the authors or any members of Arnold & Porter's False Claims Act practice.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.