Georgia Tech Under Fire for Cybersecurity Non-Compliance

DOJ intervenes in a lawsuit against Georgia Tech for failing to meet cybersecurity standards.

In a striking move on February 19, 2024, the U.S. Department of Justice (DOJ) announced its intervention in a significant False Claims Act (FCA) lawsuit against Georgia Tech Research Corporation and the Georgia Institute of Technology, collectively known as Georgia Tech. The case, centered in the U.S. District Court for the Northern District of Georgia, accuses the institution of failing to meet the stringent cybersecurity requirements mandated by the Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012 and the National Institute of Standards and Technology Special Publication 800-171 (NIST SP 800-171).

DFARS 252.204-7012 is a crucial clause included in all Department of Defense (DOD) contracts involving controlled unclassified information (CUI). It mandates that contractors assess their implementation of 110 security controls as specified by NIST SP 800-171. These assessments must be documented in the DOD’s Supplier Performance Risk System (SPRS) or supported by a detailed plan of action for any unmet requirements.

The whistleblower-triggered complaint alleges that Georgia Tech falsely claimed compliance with these stringent standards, prompting a rigorous two-year DOJ investigation. The intervention by the DOJ marks a significant shift in the government's stance on enforcing cybersecurity compliance among contractors, particularly those involved with national defense.

Despite the requirements having been in force since December 31, 2017, a considerable number of contractors within the Defense Industrial Base have yet to fully implement the mandated controls. While the DOD has historically allowed contractors some leeway in meeting these standards, the Georgia Tech case signals a potential end to such tolerance, underscoring the serious legal and financial risks of non-compliance.

In light of this enforcement action, contractors are advised to take proactive steps to mitigate potential liabilities:

1. Third-Party Assessments: Contractors should consider hiring third parties to conduct objective assessments of their compliance with NIST SP 800-171, avoiding the potential bias of internal reviews.

2. Transparent Communication: It is crucial for contractors to maintain transparent communication with the government by accurately reporting their compliance status through the SPRS. This can significantly reduce the risk of facing FCA claims.

3. Leveraging Cloud Technologies: Utilizing cloud service providers that offer environments compliant with DFARS 252.204-7012 can help contractors meet cybersecurity requirements more efficiently and with potentially lower costs.

This case is a part of the DOJ’s Civil Cyber-Fraud Initiative, reflecting a growing governmental focus on cybersecurity compliance enforcement. As this legal battle unfolds, it serves as a stark reminder to all government contractors of the increasing scrutiny and the pressing need to adhere strictly to federal cybersecurity standards.