On August 22, 2024, the United States intervened in a whistleblower suit against the Georgia Institute of Technology, initially filed by current and former members of Georgia Tech’s cybersecurity team, alleging that Georgia Tech intentionally misrepresented its compliance with cybersecurity requirements in connection with certain Department of Defense (DoD) contracts.
The complaint filed against Georgia Tech is only the beginning of the government’s increasing enforcement against contractors that have substandard cybersecurity. Universities, in particular, need to closely examine their cybersecurity posture. Indeed, the complaint explains that “[s]ince at least 2011, the FBI has warned that universities are prime targets for cyberattacks by foreign adversaries. As the FBI has explained, ‘foreign intelligence services and non-state actors use U.S. colleges and universities to further their intelligence and operational needs.’”
The bottom line is that all government contractors required to implement cybersecurity controls must ensure they are properly implemented, documented and disclosed – educational institutions should not expect more lenient treatment.
How Did We Get Here?
The Relevant Law and Regulations
The False Claims Act (FCA) states that a person is liable to the U.S. government if the person:
(A) knowingly presents, or causes to be presented, a false or fraudulent claim for payment or approval; [or]
(B) knowingly makes, uses, or causes to be made or used, a false record or statement material to a false or fraudulent claim ….[1]
To encourage whistleblowers to come forward with inside information about fraud, the FCA allows whistleblowers to file qui tam lawsuits on behalf of the government and receive a share of any recovery.
DoD regulations define adequate security as “implement[ing], at a minimum … the security requirements in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, ‘Protecting Controlled Unclassified Information [(CUI)] in Nonfederal Information Systems and Organizations’” that is “in effect at the time the solicitation is issued ….”[2]
In turn, DoD contractors are only eligible to receive a contract if they have provided their Supplier Performance Risk System (SPRS) score within the past three years. An SPRS score is a summary-level score that shows the contractor’s compliance with the 110 controls of NIST SP 800-171 for each covered contractor information system that is relevant to the offer, contract, task order or delivery order. Contractors also must “develop, document, and periodically update system security plans [(SSPs)] that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.”
The Whistleblower Complaint
On July 8, 2022, two former senior members of Georgia Tech’s cybersecurity compliance team filed a qui tam lawsuit under the FCA’s whistleblower provisions. Like all qui tam lawsuits, it was filed under seal to allow the Department of Justice to investigate the claims and determine whether the United States would intervene in the litigation.
The Government’s Decision to Intervene
On August 22, the government filed its own complaint after intervening in the whistleblowers’ lawsuit. The government’s unsealed complaint alleges sweeping and willful FCA violations, which Georgia Tech committed by failing to meet its contractual cybersecurity obligations. For more than a decade, DoD regulations have mandated that “[c]ontractors and subcontractors” provide “adequate security” on their “covered contractor information systems” to protect CUI, including controlled technical information, present on those systems (collectively, Covered Defense Information).[3]
We highlight four allegations in the complaint that all contractors should take note of. First, it alleges that Georgia Tech recklessly failed for multiple years to provide adequate security for covered contracting systems by knowingly failing to develop, document, implement, and periodically update system security plans.
Second, it alleges that Georgia Tech researchers working on federal contracts found compliance with the cybersecurity controls “burdensome” and pushed back on attempts to implement even basic cybersecurity controls. For example, the government alleges that Georgia Tech failed to implement minimal antivirus and incident detection tools – some of the more basic minimum controls required by NIST SP 800-171.
Third, the complaint alleges that Georgia Tech failed to conduct required security assessments and report those assessment results to DoD, as required by its contractual commitments. According to the complaint, in addition to not having a system security plan in place until February 2020, Georgia Tech had taken no action to implement, assess, or monitor the required NIST security controls for the lab, much less put in place any required plans of action to address deficiencies. The complaint alleges that Georgia Tech did not attempt to perform these required security assessments and reports until more than three years after beginning work on DoD contracts.
Finally, the complaint alleges that, once Georgia Tech performed a security assessment subsequent to February 2020, Georgia Tech intentionally, knowingly and/or negligently submitted false assessment scores to DoD to obtain and retain DoD contracts by submitting scores based not on Georgia Tech’s actual controls, but instead on a “model” for how a lab at Georgia Tech could comply with most of the NIST SP 800-171 controls by implementing certain solutions that were available at Georgia Tech. The purpose of this SSP model was only to show what an SSP could look like if everyone on campus used Georgia Tech’s standard solutions and everything were implemented in the way specified in the SSP. Similarly, the complaint alleges that the summary-level score provided by Georgia Tech was for the fictitious campuswide IT system covered in the SSP, intentionally misleading DoD to believe that the score applied to the entire campus and, at a minimum, to the IT systems intended to process, store and transmit Covered Defense Information. In other words, the complaint claims that the SSP as well as the SPRS score were works of fiction.
These allegations lead to some important takeaways for universities. First, they should carefully consider how they scope their SSPs and SPRS scores, ensuring that they include the contracting systems that process, store and transmit Covered Defense Information while excluding systems that are out of scope and out of compliance. Although it may seem obvious, universities must also ensure they assess systems as they actually exist, not aspirational systems that may be implemented in the future. Finally, this complaint highlights the unique challenges universities may encounter as they attempt to achieve compliance across a sprawling landscape of bespoke and decentralized networks. The complaint describes hundreds of different IT systems across Georgia Tech’s campus that were all operating independently, including at least one in virtually every research lab, a situation that is more common at educational institutions that promote collaboration and experimentation. As risk increases with the government’s CMMC initiative and increased scrutiny of universities’ compliance efforts, institutions should consider whether centralized standards and management are now a practical necessity.
Expanded Cybersecurity Obligations for Higher Education Coming Soon
Although the Georgia Tech lawsuit focuses on failures to meet DoD contractual and regulatory obligations, colleges and universities without DoD contracts should still heed the lessons from the complaint. Soon, universities’ cybersecurity obligations to protect CUI will not be tied solely to the universities’ status as a defense contractor but will be substantially broader. The Department of Education (DOE) recently announced that it anticipates releasing a proposed rule in October requiring schools to implement NIST SP 800-171 controls to protect CUI, which includes certain personally identifiable information, sensitive personally identifiable information, and other information that schools routinely process, store and transmit.
[1] 31 U.S.C. §§ 3729(a)(1)(A)-(B).
[2] “Defense Federal Acquisition Regulation Supplement” (DFARS) 252.204-7012(b)(2).
[3] DFARS 204.7302(a)(1); DFARS 252.204-7012.