Georgia Tech Research Contractor Agrees to $875,000 Settlement Over Cybersecurity Violations
The Department of Justice announced this week that Georgia Tech Research Corporation (GTRC) has agreed to pay $875,000 to settle allegations that it failed to implement required cybersecurity protocols on defense research contracts, violating the False Claims Act.
The settlement resolves claims that GTRC, which conducts research on behalf of the Georgia Institute of Technology, did not meet contractually mandated cybersecurity requirements while performing sensitive research for the Department of Defense (DoD), Air Force, and Defense Advanced Research Projects Agency (DARPA).
Federal investigators allege that GTRC and Georgia Tech neglected to maintain basic cybersecurity measures, including anti-virus and anti-malware tools, on computer equipment in the university’s Astrolavos Lab. This lab was engaged in sensitive cyber-defense research projects for the Department of Defense, making these security lapses particularly concerning to federal officials.
The government further claimed that the research organization failed to implement a required system security plan for the Astrolavos Lab, which would have specified necessary cybersecurity controls and protocols. Additionally, GTRC allegedly submitted a misleading campus-wide cybersecurity assessment score to the DoD that did not accurately represent its actual security posture.
“Failure to follow required cybersecurity requirements puts all of us at risk,” said Stacy Bostjanick, Chief Defense Industrial Base Cybersecurity at the Office of the Chief Information Officer. She emphasized that contractors providing deficient cybersecurity measures or misrepresenting their security practices must be held accountable.
The case highlights growing concerns about cybersecurity compliance among defense contractors as nation-state threat actors and cybercriminals increasingly target sensitive defense research. The Pentagon has been strengthening its contractor cybersecurity requirements in recent years through initiatives like the Cybersecurity Maturity Model Certification (CMMC) program.
The settlement stemmed from a whistleblower lawsuit filed by Christopher Craig and Kyle Koza, former members of Georgia Tech’s Cybersecurity Team. They brought the case under the qui tam provisions of the False Claims Act, which allow private citizens to file lawsuits on behalf of the government against those who defraud federal programs.
As part of the settlement, Craig and Koza will receive $201,250 as their share of the recovery, reflecting the law’s intent to incentivize insiders to report potential fraud and security violations.
“When contractors fail to follow the required cybersecurity standards in their DoD contracts, they leave sensitive government information vulnerable to malicious actors and cyber threats,” said Assistant Attorney General Brett A. Shumate of the Justice Department’s Civil Division. He noted that the Department will continue to pursue and litigate violations of cybersecurity requirements to hold contractors accountable.
This case represents part of a broader trend of increased government enforcement of cybersecurity requirements in federal contracts. Similar actions have been brought against other contractors in recent years as federal agencies place greater emphasis on securing sensitive information, particularly in defense and intelligence-related research.
GTRC has neither admitted nor denied the allegations as part of the settlement agreement. The Justice Department emphasized that the claims resolved by the settlement are allegations only, and no determination of liability has been made.
The settlement underscores the critical importance of cybersecurity compliance for organizations working on sensitive government projects and signals that federal authorities are taking a more aggressive approach to enforcing these requirements across the defense industrial base.
11 Comments
This settlement highlights the critical importance of robust cybersecurity practices, even for academic institutions working on government projects. Failures to implement required protocols can have serious consequences.
Concerning to see such cybersecurity failures on sensitive defense research contracts. Proper security protocols must be followed to protect critical information. $875,000 seems a fair settlement, but I hope this leads to stronger oversight and accountability going forward.
Agreed. Lax cybersecurity on defense projects is unacceptable. Glad to see the DoJ taking action to enforce compliance and protect sensitive data.
Disappointing to hear about these cybersecurity failures on important defense projects. Contractors must be held to the highest standards when handling sensitive government data. Hopefully this case prompts broader reforms.
Kudos to the DoJ for holding this defense contractor accountable. Cutting corners on cybersecurity for critical defense projects is simply unacceptable. Hopefully this sends a strong message to the industry.
Absolutely. Government must maintain strict oversight to ensure all contractors take cybersecurity seriously, no exceptions.
This is concerning to see, especially given the sensitive nature of the defense research involved. Proper security protocols are essential to protect critical information. I hope this leads to improved practices across the industry.
Concerning to see these cybersecurity lapses on sensitive defense research. Proper security protocols must be followed to safeguard critical information. Hopefully this case leads to stronger oversight and accountability in the industry.
This settlement highlights the importance of robust cybersecurity practices, even for academic research institutions working with the DoD. Failures to implement basic security measures can have serious consequences.
Indeed. All contractors handling sensitive government data must meet rigorous security standards. Hopefully this case serves as a wake-up call for others.
It’s troubling that basic security measures were neglected on these defense research contracts. Cybersecurity needs to be a top priority, especially for work involving sensitive government information. Glad to see the DoJ taking action.