
Atlanta, GA – The Georgia Tech Research Corporation (GTRC) has agreed to pay $875,000 to the U.S. government to resolve allegations of non-compliance with federal cybersecurity standards in its contracts with the Department of Defense (DoD), including the Air Force and the Defense Advanced Research Projects Agency (DARPA).
On Tuesday, the U.S. Department of Justice (DOJ) announced the civil settlement, which addresses claims that GTRC breached the False Claims Act by neglecting to implement essential cybersecurity measures, misrepresenting its security protocols, and providing inaccurate cybersecurity assessment scores to obtain government contracts.
Federal prosecutors stated that GTRC, which is affiliated with the Georgia Institute of Technology, allegedly failed to properly install or maintain antivirus or anti-malware software on systems used for sensitive cyber-defense research at Georgia Tech’s Astrolavos Lab. Furthermore, until at least February 2020, the lab did not have the system security plan mandated by its federal contracts.
One significant allegation made by the government was that GTRC submitted a summary cybersecurity score of 98 to the DoD in December 2020, suggesting near-total compliance with security standards. However, authorities indicated that this score was based on a fabricated or non-existent IT environment and did not accurately represent the actual condition of Georgia Tech’s systems. The submission of such a score was reportedly necessary for obtaining DoD contracts in accordance with cybersecurity guidelines set forth by the National Institute of Standards and Technology (NIST SP 800-171).
“When contractors fail to follow the required cybersecurity standards in their DoD contracts, they leave sensitive government information vulnerable to malicious actors and cyber threats,” said Assistant Attorney General Brett A. Shumate of the DOJ’s Civil Division. “We will continue to pursue and litigate violations of cybersecurity requirements to hold contractors accountable.”
The case began with a whistleblower complaint filed by two former Georgia Tech cybersecurity team members, Christopher Craig and Kyle Koza, under the False Claims Act’s qui tam provisions. These provisions allow private citizens to report fraud on behalf of the government and share in any financial recovery. The government intervened in the case in August 2024, and Craig and Koza will receive $201,250 as part of the settlement.
Federal officials emphasized that the failure to meet cybersecurity obligations puts national security at risk. “Deficiencies in cybersecurity controls pose a significant threat to our national security and jeopardize sensitive DoD programs that put our servicemembers at risk,” said Special Agent in Charge Jason Sargenski of the Defense Criminal Investigative Service.
The case, United States ex rel. Craig v. Georgia Tech Research Corporation et al., No. 1:22-cv-02698, was filed in the U.S. District Court for the Northern District of Georgia. The government stressed that the claims settled are allegations only, and there has been no determination of liability.