Office of Public Affairs United States Files Suit Against the Georgia Institute of Technology and Georgia Tech Research Corporation Alleging Cybersecurity Violations United States Department of Justice
pAn official website of the United States governmentppHeres how you knowpp
Official websites use gov
A gov website belongs to an official government organization in the United States
pp
Secure gov websites use HTTPS
A lock
Lock
Locked padlock
or https means youve safely connected to the gov website Share sensitive information only on official secure websites
pp
This is archived content from the US Department of Justice website The information here may be outdated and links may no longer function Please contact webmasterusdojgov if you have any questions about the archive site
ppThe United States joined a whistleblower suit and filed a complaintinintervention against the Georgia Institute of Technology Georgia Tech and Georgia Tech Research Corp GTRC asserting claims that those defendants knowingly failed to meet cybersecurity requirements in connection with the Department of Defense DoD contracts GTRC is an affiliate of Georgia Tech that contracts with government agencies for work to be performed at Georgia Tech The whistleblower suit was initiated by current and former members of Georgia Techs Cybersecurity teamppGovernment contractors that fail to fully implement required cybersecurity controls jeopardize the confidentiality of sensitive government information said Principal Deputy Assistant Attorney General Brian M Boynton head of the Justice Departments Civil Division The departments Civil CyberFraud Initiative was designed to identify such contractors and to hold them accountableppSpecifically the lawsuit alleges that until at least February 2020 the Astrolavos Lab at Georgia Tech failed to develop and implement a system security plan which is required by DoD cybersecurity regulations that set out the cybersecurity controls that Georgia Tech was required to put in place in the lab Even when the Astrolavos Lab finally implemented a system security plan in February 2020 the lawsuit alleges that Georgia Tech failed to properly scope that plan to include all covered laptops desktops and serversppAdditionally the lawsuit alleges until December 2021 the Astrolavos lab failed to install update or run antivirus or antimalware tools on desktops laptops servers and networks at the lab Instead Georgia Tech approved the labs refusal to install antivirus software in violation of both federal cybersecurity requirements and Georgia Techs own policies to satisfy the demands of the professor who headed the labppThe lawsuit further alleges that in December 2020 Georgia Tech and GTRC submitted a false cybersecurity assessment score to DoD for the Georgia Tech campus DoD requires contractors to submit summary level scores reflecting the status of their compliance with applicable cybersecurity requirements on covered contracting systems that are used to store or access covered defense information The submission of this score was a condition of contract award for Georgia Techs DoD contracts The lawsuit alleges that the summary level score of 98 for the Georgia Tech campus that Georgia Tech and GTRC reported to DoD in December 2020 was false because 1 Georgia Tech did not actually have a campuswide IT system and 2 the score was for a fictitious or virtual environment and did not apply to any covered contracting system at Georgia Tech that could or would ever process store or transmit covered defense informationppCybersecurity compliance by government contractors is critical in safeguarding US information and systems against threats posed by malicious actors said US Attorney Ryan K Buchanan for the Northern District of Georgia For this reason we expect contractors to abide by cybersecurity requirements in their contracts and grants regardless of the size or type of the organization or the number of contracts involved Our office will hold accountable those contractors who ignore cybersecurity rulesppDeficiencies in cybersecurity controls pose a significant threat not only to our national security but also to the safety of the men and women of our armed services who risk their lives daily said Special Agent in Charge Darrin K Jones of the DoDs Office of Inspector General Defense Criminal Investigative Service DCIS Southeast Field Office As force multipliers we place a substantial amount of trust in our contractors and expect them to meet the strict standards our service members deserveppThe whistleblower lawsuit was filed by Christopher Craig and Kyle Koza who were previously senior members of Georgia Techs cybersecurity compliance team under the qui tam or whistleblower provisions of the False Claims Act which allow private parties to file suit on behalf of the United States for false claims and to receive a share of any recovery The act permits the United States to intervene and take over responsibility for litigating these cases as it has done here A defendant who violates the act is subject to liability for three times the governments losses plus applicable penalties ppOn Oct 6 2021 Deputy Attorney General Lisa Monaco announced the departments Civil CyberFraud Initiative to hold accountable entities or individuals that put US information or systems at risk by knowingly providing deficient cybersecurity products or services knowingly misrepresenting their cybersecurity practices or protocols or knowingly violating obligations to monitor and report cybersecurity incidents and breaches Information on how to report cyber fraud can be found hereppSenior Trial Counsel Jake M Shields of the Justice Departments Civil Division and Assistant US Attorneys Adam D Nugent and Melanie D Hendry for the Northern District of Georgia are handling the matterppThe case is captioned United States ex rel Craig v Georgia Tech Research Corp et al No 122cv02698 ND Ga Investigative support is being provided by the DoD Office of Inspector General Defense Criminal Investigative Service Air Force Office of Special Investigations and Air Force Material CommandppThe claims alleged by the United States are allegations only There has been no determination of liability ppGeorgia Tech Research Corporation GTRC has agreed to pay the United States 875000 to resolve allegations that it violated the False Claims Act and federal common law by failing toppSemler Scientific Inc has agreed to pay 2975 million and its former distributor Bard Peripheral Vascular Inc and its related companies has agreed to pay 72 million to resolve allegationsppThe United States has filed a complaint under the False Claims Act in a lawsuit against Local Initiative Health Authority for Inland Empire Health Plan doing business as Inland EmpireppOffice of Public AffairsUS Department of Justice950 Pennsylvania Avenue NWWashington DC 20530ppOffice of Public Affairs Direct Line2025142007ppDepartment of Justice Main Switchboard2025142000ppSignup for Email UpdatesSocial MediappppHave a question about Government Servicesp
Official websites use gov
A gov website belongs to an official government organization in the United States
pp
Secure gov websites use HTTPS
A lock
Lock
Locked padlock
or https means youve safely connected to the gov website Share sensitive information only on official secure websites
pp
This is archived content from the US Department of Justice website The information here may be outdated and links may no longer function Please contact webmasterusdojgov if you have any questions about the archive site
ppThe United States joined a whistleblower suit and filed a complaintinintervention against the Georgia Institute of Technology Georgia Tech and Georgia Tech Research Corp GTRC asserting claims that those defendants knowingly failed to meet cybersecurity requirements in connection with the Department of Defense DoD contracts GTRC is an affiliate of Georgia Tech that contracts with government agencies for work to be performed at Georgia Tech The whistleblower suit was initiated by current and former members of Georgia Techs Cybersecurity teamppGovernment contractors that fail to fully implement required cybersecurity controls jeopardize the confidentiality of sensitive government information said Principal Deputy Assistant Attorney General Brian M Boynton head of the Justice Departments Civil Division The departments Civil CyberFraud Initiative was designed to identify such contractors and to hold them accountableppSpecifically the lawsuit alleges that until at least February 2020 the Astrolavos Lab at Georgia Tech failed to develop and implement a system security plan which is required by DoD cybersecurity regulations that set out the cybersecurity controls that Georgia Tech was required to put in place in the lab Even when the Astrolavos Lab finally implemented a system security plan in February 2020 the lawsuit alleges that Georgia Tech failed to properly scope that plan to include all covered laptops desktops and serversppAdditionally the lawsuit alleges until December 2021 the Astrolavos lab failed to install update or run antivirus or antimalware tools on desktops laptops servers and networks at the lab Instead Georgia Tech approved the labs refusal to install antivirus software in violation of both federal cybersecurity requirements and Georgia Techs own policies to satisfy the demands of the professor who headed the labppThe lawsuit further alleges that in December 2020 Georgia Tech and GTRC submitted a false cybersecurity assessment score to DoD for the Georgia Tech campus DoD requires contractors to submit summary level scores reflecting the status of their compliance with applicable cybersecurity requirements on covered contracting systems that are used to store or access covered defense information The submission of this score was a condition of contract award for Georgia Techs DoD contracts The lawsuit alleges that the summary level score of 98 for the Georgia Tech campus that Georgia Tech and GTRC reported to DoD in December 2020 was false because 1 Georgia Tech did not actually have a campuswide IT system and 2 the score was for a fictitious or virtual environment and did not apply to any covered contracting system at Georgia Tech that could or would ever process store or transmit covered defense informationppCybersecurity compliance by government contractors is critical in safeguarding US information and systems against threats posed by malicious actors said US Attorney Ryan K Buchanan for the Northern District of Georgia For this reason we expect contractors to abide by cybersecurity requirements in their contracts and grants regardless of the size or type of the organization or the number of contracts involved Our office will hold accountable those contractors who ignore cybersecurity rulesppDeficiencies in cybersecurity controls pose a significant threat not only to our national security but also to the safety of the men and women of our armed services who risk their lives daily said Special Agent in Charge Darrin K Jones of the DoDs Office of Inspector General Defense Criminal Investigative Service DCIS Southeast Field Office As force multipliers we place a substantial amount of trust in our contractors and expect them to meet the strict standards our service members deserveppThe whistleblower lawsuit was filed by Christopher Craig and Kyle Koza who were previously senior members of Georgia Techs cybersecurity compliance team under the qui tam or whistleblower provisions of the False Claims Act which allow private parties to file suit on behalf of the United States for false claims and to receive a share of any recovery The act permits the United States to intervene and take over responsibility for litigating these cases as it has done here A defendant who violates the act is subject to liability for three times the governments losses plus applicable penalties ppOn Oct 6 2021 Deputy Attorney General Lisa Monaco announced the departments Civil CyberFraud Initiative to hold accountable entities or individuals that put US information or systems at risk by knowingly providing deficient cybersecurity products or services knowingly misrepresenting their cybersecurity practices or protocols or knowingly violating obligations to monitor and report cybersecurity incidents and breaches Information on how to report cyber fraud can be found hereppSenior Trial Counsel Jake M Shields of the Justice Departments Civil Division and Assistant US Attorneys Adam D Nugent and Melanie D Hendry for the Northern District of Georgia are handling the matterppThe case is captioned United States ex rel Craig v Georgia Tech Research Corp et al No 122cv02698 ND Ga Investigative support is being provided by the DoD Office of Inspector General Defense Criminal Investigative Service Air Force Office of Special Investigations and Air Force Material CommandppThe claims alleged by the United States are allegations only There has been no determination of liability ppGeorgia Tech Research Corporation GTRC has agreed to pay the United States 875000 to resolve allegations that it violated the False Claims Act and federal common law by failing toppSemler Scientific Inc has agreed to pay 2975 million and its former distributor Bard Peripheral Vascular Inc and its related companies has agreed to pay 72 million to resolve allegationsppThe United States has filed a complaint under the False Claims Act in a lawsuit against Local Initiative Health Authority for Inland Empire Health Plan doing business as Inland EmpireppOffice of Public AffairsUS Department of Justice950 Pennsylvania Avenue NWWashington DC 20530ppOffice of Public Affairs Direct Line2025142007ppDepartment of Justice Main Switchboard2025142000ppSignup for Email UpdatesSocial MediappppHave a question about Government Servicesp
