In August 2024, the Department of Justice (DOJ) filed its first False Claims Act (FCA) lawsuit under its Civil Cyber-Fraud Initiative, intervening in a case against the Georgia Tech Research Corporation (GTRC) and Georgia Institute of Technology (GA Tech). The case centers on allegations that these contractors failed to meet cybersecurity requirements in connection with their Department of Defense (DoD) contracts. Originally filed in July 2022, the lawsuit highlights failures to comply with the National Institute of Standards and Technology (NIST) cybersecurity controls, particularly those outlined in Special Publication 800-171.
The DOJ’s complaint-in-intervention points to multiple instances of noncompliance at GA Tech’s Astrolavos Lab, including insufficient System Security Plans, inadequate antivirus software, and inaccurate self-assessment scores. These failures are said to jeopardize national security by exposing sensitive government information to cyber threats.
This case underscores the importance of cybersecurity compliance for defense contractors and subcontractors. As cybersecurity is increasingly viewed as critical to national defense, violations of related requirements are seen as materially affecting payment decisions on government contracts. The DOJ’s intervention signals a growing emphasis on holding contractors accountable for cybersecurity lapses, in line with the Department of Defense’s ongoing rulemaking to strengthen contractor cybersecurity verification processes.