The United States brings this complaint-in-intervention against Defendants [Georgia Tech and the Georgia Tech Research Corporation] to recover the damages that the United States has suffered, the ill-gotten gains to Defendants, and the applicable penalties, because of Defendants’ systematic noncompliance with federal cybersecurity regulations and false statements to DOD.
Dept. of Justice Civil Case 1:22-cv-02698-JPB filed August 22, 2024
The original False Claims Act complaint against Georgia Tech was filed by whistleblowers (an employee and former employee of Georgia Tech) in July 2022. In a first for False Claims Act cases, and in recognition of the merits of this case, DoJ announced in April 2024 that it had decided to further investigate and litigate the case. DoJ released its own complaint on August 22, 2024.
The government’s intervention is a loud warning to all universities and defense contractors who handle sensitive government information that they need to comply with federal cybersecurity regulations to protect that information. DoJ launched its Civil Cyber-Fraud Initiative (CCFI) in 2021 with the aim of using the False Claims Act to pursue cybersecurity-related fraud by government contractors. In FY2023 alone, the government received more than $500 million in settlements and judgments from fraud related to DoD contracts.
The financial stakes in this case are huge. Between fiscal years 2019 and 2022 (the period under DoJ investigation) the Georgia Tech Research Corporation (GTRC) entered into more than $1.6 billion in government contracts, primarily with the federal government and specifically with DoD. And in the most recent fiscal year, FY 2024, DoD awarded Georgia Tech (via GTRC) contracts worth $2.3 billion, the second-highest amount of any university.
The case against Georgia Tech is remarkably straightforward. Any defense contractor that handles CUI has a DFARS 252.204-7012 clause in its contract that mandates compliance with the 110 security controls in NIST SP 800-171, which was developed to protect CUI. Contractors are currently permitted to self-assess their compliance with NIST SP 800-171, although that will change under the CMMC (Cybersecurity Maturity Model Certification) program that will begin to appear in DoD contracts in early 2025. At that point, contractors handling CUI will need to undergo third-party assessments.
During the years under investigation, Georgia Tech was required to self-assess and, starting in late 2020, to submit its NIST SP 800-171 self-assessment scores to the DoD’s Supplier Performance Risk System (SPRS). Hence the scores are called SPRS scores.
The heart of DoJ’s case against Georgia Tech is its submission of false SPRS scores. Indeed, the first five of the case’s eight counts center on false claims, false records or statements, fraud, and negligent misrepresentation.
The first, fundamental requirement for assessing NIST SP 800-171 compliance is to develop a System Security Plan (SSP). The need for an SSP is so basic that early versions of NIST SP 800-171 identified it as something the federal government expected to be routinely done without even having to specify it.
And yet, the specific research lab under investigation at Georgia Tech, the Astrolavos Lab—which, ironically, was doing cybersecurity-related research for DoD—didn’t have an SSP until 2020. Therefore, it could not have produced a legitimate SPRS score. Instead, Georgia Tech’s GRC team was directed to come up with a score that applied to an overarching IT system on the Georgia Tech campus. The score they produced was high, 98 out of 110, and ensured that Georgia Tech would continue to receive DoD contract payments. But as GRC witnesses testified, there is no one overarching IT system; rather, there are “hundreds of different” IT systems across Georgia Tech’s campus and “all are operating independently.” The GRC team that submitted the false score said it was based on a “kind of fictitious environment” that they created and then scored as they would any other environment with an SSP.
The remaining three of the eight counts against Georgia Tech point to consequences: unjust enrichment on the part of Georgia Tech, payment by mistake on the part of the United States, and breach of contract. DoJ wraps up its case with numerous demands for financial recompense, including three times the amount of damages to the United States, return of all the amounts “paid by mistake,” plus interest, costs and expenses, civil penalties as permitted by law, and all “further relief as may be just and proper.” In other words: enormous sums.
Finally, DoJ concludes with a “demand for jury trial.” Georgia Tech is facing not only massive financial repercussions, but also the severe reputational damage that accompanies a case characterized by fraud and willful disregard of national security.
The signals that DoD and DoJ are sending to universities, researchers, and all defense contractors couldn’t be clearer. According to the DoD, its cybersecurity requirements are “necessary to address threats to the U.S. economy and national security from ongoing malicious cyber activities, which included the theft of hundreds of billions of dollars of U.S. intellectual property.” DoJ notes in its complaint that these threats are not theoretical, “particularly at the nation’s top research universities. Since at least 2011, the FBI has warned that universities are prime targets for cyberattacks by foreign adversaries.”
DoD has been strengthening cybersecurity requirements for the last decade, and enforcement has been ramping up for several years—including via DoD’s forthcoming CMMC program and DoJ’s active Civil Cyber-Fraud Initiative.
With regard to filing SPRS scores specifically, DoD’s approach under CMMC will be to require that SPRS scores be signed off by a university or company executive, who will be held accountable for the validity of the score. Currently, any employee can sign off on the NIST SP 800-171 self-assessment score; that most often falls to IT staff. This new approach is akin to the responsibility corporate leaders in the financial realm had to take on when the Sarbanes-Oxley Act was adopted nearly 20 years ago in response to a string of highly visible financial scandals. Given how effective Sarbanes-Oxley has been in improving the accuracy of financial reporting, that model is now being followed by the DoD.
In short, it’s a new day for compliance with federal cybersecurity regulations. Any higher education institution or organization that fails to meet these regulations is taking on serious financial and reputational risks—and, going forward, will be ineligible to do work for the DoD.
PreVeil’s encrypted email and file sharing solution helps over 1,200 organizations, including more than a dozen leading public and private universities, meet DFARS, CMMC, and ITAR compliance.
PreVeil’s proven solution has been used by over a dozen contractors to achieve perfect 110 scores in tough DoD NIST SP 800-171 audits. PreVeil supports 102 of the 110 NIST 800-171 controls, and meets FedRAMP Baseline Moderate Equivalent, DFARS 252.204-7012 (c)-(g), and FIPS 140-2 standards.
PreVeil Drive allows users to encrypt, store, and share their files containing CUI and PreVeil Email allows users to securely send and receive emails using their existing email address.
PreVeil’s low-cost, all-inclusive licenses allow free third-party communication, and result in 75% cost savings vs. GCC High.
The effectiveness of PreVeil’s security, compliance documentation, and support is proven by real-world successes.
Virginia Tech’s Applied Research Center used PreVeil to increase its Supplier Performance Risk System (SPRS) score by over 80 points—and so is in an excellent position for an assessment of NIST SP 800-171. They said:
PreVeil has proven to be an easy-to-implement, cost-effective, all-encompassing solution, allowing for the secure storage and sharing of CUI. PreVeil has top-notch customer service and support; submitted issues are addressed quickly and followed through to resolution.
More than a dozen defense contractors and C3PAOs have used PreVeil to achieve perfect scores in JSVA assessments. A JSVA is a Joint Surveillance Voluntary Assessment of NIST SP 800-171 compliance, conducted by a C3PAO and DIBCAC. JSVA results will be directly transferable to CMMC Level 2 when CMMC is finalized. One example is a 300-employee defense contractor. Their VP of operations said:
When it comes to speed to compliance and cost, PreVeil is undoubtedly the right decision. We got it done on time and on budget, saving $200,000 compared to GCC High… If you care about being on time, GCC High is a much bigger risk than PreVeil.
Today, more than 1,200 companies use PreVeil to secure their data and simplify compliance with DFARS 7012, NIST SP 800-171, ITAR regulations, and CMMC—including more than a dozen leading educational institutions.
*** This is a Security Bloggers Network syndicated blog from Blog Archive - PreVeil authored by Seth Steinman. Read the original post at: https://www.preveil.com/blog/doj-complaint-georgia-tech-false-claims-act/