From Yellow Jackets to Red Flags: DOJ Stings Georgia Tech for Alleged Cybersecurity Noncompliance

On September 30, 2025, the Department of Justice (DOJ) announced that Georgia Tech Research Corporation (GTRC) agreed to pay $875,000 to settle allegations that it violated the False Claims Act (FCA) and federal common law by failing to meet cybersecurity requirements under certain Air Force and Defense Advanced Research Projects Agency (DARPA) contracts.  The settlement adds to the growing list of recoveries under DOJ’s Civil Cyber-Fraud Initiative and is yet another example of DOJ’s ongoing enforcement focus on cybersecurity obligations for federal contractors handling sensitive government information.  The settlement also provides insight into how government contractors may challenge FCA liability when faced with allegations of cybersecurity noncompliance.

Background and Allegations

GTRC, a non-profit contracting entity affiliated with the Georgia Institute of Technology (Georgia Tech), conducts research for federal agencies, including the Department of Defense (DOD).  The allegations arose from a qui tam lawsuit (captioned United States ex rel. Craig et al. v. Georgia Tech Research Corp. et al., Civil Action No. 22-cv-02698) filed by two former members of Georgia Tech’s cybersecurity team under the FCA’s whistleblower provisions.  The United States intervened in the suit in 2024.  The United States’ complaint primarily alleged that violations of the following clauses occurred at Georgia Tech’s Astrolavos Laboratory:

• • • DFARS 252.204-7012 (DFARS 7012), which requires DoD contractors to create and maintain a System Security Plan (SSP) documenting its compliance with NIST SP 800‑171 controls for information systems handling Controlled Unclassified Information (CUI); and
    • DFARS 252.204-7019 (DFARS 7019) and 252.204-7020 (DFARS 7020), which require contractors to submit to DOD a self-assessment score demonstrating their compliance with the DFARS 7012 SSP requirements.   

The government alleged that, until December 2021, GTRC and Georgia Tech knowingly failed to install, update, or run anti-virus and anti-malware tools on devices and networks involved in performing sensitive cyber-defense research for DoD as required by NIST SP 800-171.  The United States further alleged that, until at least February 2020, there was no SSP in place for the Astrolavos Lab as required by DFARS 7012.  Additionally, in December 2020, GTRC and Georgia Tech allegedly submitted a false, inflated DFARS 7019/7020 assessment score to DoD.  The government contended that this score was based on a “fictitious” or “virtual” environment and did not reflect Georgia Tech’s implementation of NIST SP 800-171 on information systems that handled CUI.  Allegedly, despite these shortcomings, GTRC falsely certified that all payments were “for appropriate purposes and in accordance with the agreements set forth in the application and award documents.”  According to the government, GTRC made this certification without disclosing that their failure to comply with federal cybersecurity rules and regulations made the certification false.

To resolve these civil allegations, GTRC agreed to pay $875,000, with $201,250 of the settlement awarded as a relator’s share to the two former Georgia Tech cybersecurity employees who filed the qui tam case.  DOJ’s press release announcing the settlement emphasized that contractors’ failure to comply with cybersecurity requirements puts sensitive government information and national security at risk and reminded contractors to prioritize compliance with DoD cybersecurity mandates, including the recently finalized Cybersecurity Maturity Model Certification (CMMC) program.

Modest Settlement Total Likely Reflects Contract Value and Effective Defenses

The settlement amount of $875,000 is significantly lower than other recent DOJ cybersecurity FCA settlements, which could be the result of the relatively modest value (~$31 million) of the contracts associated with GTRC’s alleged cybersecurity violations.  More importantly, the settlement may reflect the value of litigation as a tool for challenging DOJ’s efforts to expand the reach of the FCA to areas such as cybersecurity.  Unlike defendants in past cases, Georgia Tech did not enter into a pre-litigation settlement with DOJ, electing instead to defend against the government’s claims in court.  Notably, Georgia Tech’s 63-page motion to dismiss in October 2024 challenged the government’s ability to plead a violation of the FCA, particularly with respect to the required elements of falsity and materiality.  Specifically, the motion argued that:

• • • Falsity: There was no regulatory violation because the research that GTRC performed did not involve CUI and was not subject to DFARS 7012 and 7019.  Additionally, the government did not allege facts sufficient for a false certification claim because GTRC did not expressly certify compliance with DFARS 7012 or DFARS 7019 in connection with claims for payment and its invoices made no specific representations about the goods or services provided.
    • Materiality: DoD did not view cybersecurity compliance as the “essence of the bargain,” because it never asked GTRC about its cybersecurity controls or to “verify” its assessment score.  DoD also continued to make payments to GTRC on the contracts despite knowledge of its alleged noncompliance.

DOJ subsequently filed an opposing brief contesting these defenses.  But shortly thereafter, the matter was referred to mediation and concluded with the $875,000 settlement at the end of September.  While neither side obtained a ruling on their arguments, this posture suggests that the government’s complaint was at some risk of being found to fail to state a viable claim.

Key Takeaways

• • • Cybersecurity compliance remains a high-stakes issue for defense contractors.  DOJ continues to scrutinize not only contractor systems but also the adequacy of security controls and representations made in connection with contract awards.
    • False or misleading cybersecurity self-assessments may trigger FCA allegations.  Contractors should ensure that assessment scores and representations accurately reflect the status of covered systems and not hypothetical or virtual environments.
    • NIST SP 800-171 and CMMC are central to protecting sensitive data when contracting with DoD.  Failure to implement required security controls, maintain SSPs, or comply with assessment obligations can result in enforcement actions, even absent evidence of a breach.
    • Whistleblowers continue to drive cybersecurity enforcement.  Substantial financial incentives under the FCA’s qui tam provisions mean contractors should expect continued internal scrutiny and reporting of compliance lapses and be responsive when compliance questions are raised.
    • Legal defenses and the absence of a breach can impact the ultimate settlement amount.  While the decision to litigate or settle is ultimately fact dependent, GTRC’s aggressive strategy is reason to consider litigation as a resolution-oriented tool for defendants facing FCA liability.  Additionally, the absence of a cybersecurity incident or breach may have impacted DOJ’s ability to demonstrate actual damages, and, in turn, the monetary resolution reached by the parties.

*** Please join us for a Crowell Webinar on this topic on Wednesday, October 8, at Noon Eastern Standard Time for further discussions. ***