Advisories September 3, 2024

ADVISORY: Justice Department Intervention in Cyber False Claims Act Case Signals Escalation of Risk for Government Contractors

Executive Summary

An unprecedented cyber qui tam action involving Georgia Tech’s alleged failure to comply with certain cybersecurity controls underscores the importance of having advanced cyber requirements for federal contractors. Our Education, False Claims Act, and Privacy teams flesh out what businesses need to know.

  • It’s the first intervention by the Department of Justice (DOJ) in a cybersecurity qui tam other than for a settlement.
  • It’s the first prosecution by the DOJ of a False Claims Act case for noncompliance with the NIST 800-171 cybersecurity standards used in federal contracting.
  • As cybersecurity requirements for federal contracting and health care become more complex, businesses need to know how to comply with the applicable regulations.

The U.S. Department of Justice (DOJ) took a significant step forward in its Civil Cyber-Fraud Initiative, filing an expansive complaint-in-intervention against the Georgia Institute of Technology and related entities, alleging that Georgia Tech violated the federal False Claims Act by misrepresenting its compliance with cybersecurity requirements applicable to defense contracts. The DOJ’s intervention breaks new ground on several fronts because it’s the first time the DOJ has intervened in a cybersecurity qui tam other than for the purpose of settlement, and the first time the DOJ has prosecuted a False Claims Act case based on noncompliance with NIST 800-171—a robust set of cybersecurity standards used in federal contracting.

The Expansion of a First-of-Its-Kind Cyber Qui Tam

The Georgia Tech case was initially filed as a qui tam in July 2022 by two information security employees at Georgia Tech who alleged that the university failed to comply with various cybersecurity controls under NIST 800-171 but nonetheless self-certified compliance with the standard to obtain contracts with the Department of Defense (DoD) and the Defense Advanced Research Projects Agency (DARPA).

Following the government’s intervention in February, the government filed a far more expansive complaint-in-intervention on August 22, alleging that Georgia Tech and a particular research lab failed to meet several NIST 800-171 requirements, including (1) creating an overall “system security plan” to govern cybersecurity compliance; (2) installing, using, and updating antivirus software on covered systems; and (3) performing assessments of the systems the lab used.

The government also alleged that while Georgia Tech was required to provide self-assessments to the DoD of the environment containing “Controlled Unclassified Information,” Georgia Tech instead reported assessments to the DoD based on a “fictitious” environment and not for the research lab at issue. The government further alleged that because Georgia Tech did not have a system security plan for the lab in question for several years, any self-assessments undertaken by the university during that time would have been noncompliant with NIST in any event.

Notably, the Georgia Tech case did not originate from a security incident, breach, or compromise of DoD or DARPA data that the government might have claimed damage from. Nonetheless, the government asserts that it was damaged by what it says were Georgia Tech’s false statements and certifications, which the government says devalued or rendered worthless the services that Georgia Tech provided under the defense contracts at issue.

A New Theory for the Relators’ Bar

The Georgia Tech case has a predecessor in U.S. ex rel. Decker v. Pennsylvania State University, No. 2:22-cv-03895, in which the same relators’ counsel filed a similar qui tam on behalf of another IT employee whistleblower against Penn State University based on its alleged noncompliance with NIST 800-171 and related representations that the university allegedly made. Notably, the DOJ declined to intervene in that matter in September 2023. Recent filings suggest that the Penn State case will settle in the near term.

The Decker and Georgia Tech cases suggest that the relators’ bar has discovered a new avenue for federal contracting qui tam actions, which have historically made up only a small fraction of the qui tam cases filed each year. What makes the Georgia Tech case particularly interesting is its use of NIST 800-171 as the underlying standard on which the alleged representations of compliance were made. NIST 800-171 is a set of 110 different cybersecurity controls that range from relatively narrow controls to broad and ambiguous requirements that leave room for interpretation and discretion. The government’s decision to base its theory of falsity on cybersecurity standards as broad as NIST 800-171—where even the concept of “compliance” with the standards is ambiguous—has potentially significant ramifications for compliance risk analyses in this area. The government’s theory will be tested as the Georgia Tech case develops, but what is clear today is that the relators’ bar has a green light to pursue these types of cases.

Implications for Federal Contractors

The Georgia Tech case underscores the importance of having an appropriately resourced and sophisticated cybersecurity function for federal contractors and companies that store and process regulated data. As cybersecurity requirements in areas such as federal contracting and health care become more complex, it is important for covered entities to ensure that personnel are aware of applicable regulations (such as NIST) and the steps necessary to meet their requirements. As the Georgia Tech case suggests, it can be particularly important for a company to ensure that this awareness is shared not only by its compliance and IT teams but by the business itself. Companies should also be certain that they maintain an effective and confidential means for employees to report compliance concerns internally.

You can subscribe to future advisories and other Alston & Bird publications by completing our publications subscription form.

If you have any questions, or would like additional information, please contact one of the attorneys on our Cybersecurity Team or one of the attorneys on our False Claims Act Team or Education Team.
