DOJ’s Complaint-in-Intervention in Cybersecurity Provides Key Indicators on How DOJ Intends to Ensure Compliance with Cybersecurity Regulations

Last week, the Department of Justice (“DOJ”) filed a complaint-in-intervention in an ongoing lawsuit against the Georgia Institute of Technology and Georgia Tech Research Corporation (collectively, “Georgia Tech”), alleging that Georgia Tech knowingly failed to meet cybersecurity requirements for Department of Defense (“DOD”) contracts. The original whistleblower suit, filed in 2022, claimed that Georgia Tech submitted false self-attestations of compliance with National Institute of Standards and Technology (“NIST”) cybersecurity guidelines. DOJ then intervened in April 2024, indicating DOJ’s enhanced focus on litigating cybersecurity-related False Claims Act (“FCA”) cases. With DOJ having filed its detailed complaint-in-intervention,¹ government contractors should closely observe the DOJ’s actions as an indication of how the federal government plans to enforce federal cybersecurity regulations and hold companies accountable.

The Georgia Tech Case Demonstrates the FCA Risks That Government Contractors Face

In April 2024, DOJ intervened in a landmark False Claims Act (“FCA”) case. The FCA is the government's primary civil tool for enforcing against alleged fraud related to federal funds.² Entities that do business with the government can be held liable for submitting false or fraudulent claims, facing significant penalties as a result.³ Often FCA cases are initiated by private individuals, or “relators,” who act as whistleblowers under the qui tam provision of the FCA and share in any recovery.⁴ DOJ's decision to take over this case underscores its belief in the validity of the allegations and signals a commitment to enforcing compliance with cybersecurity regulations, such as those set by NIST.

In the original 2022 complaint, two whistleblowers alleged that Georgia Tech submitted false self-attestations of NIST compliance to the DOD. They claimed that Georgia Tech relied upon unqualified, internal assessors to determine whether its laboratory practices were NIST compliant, and that these assessors failed to compile sufficient evidence to prove compliance.⁵ The complaint also asserted that because the teams and individuals charged with determining NIST compliance were also tasked with fixing the problems they identified, they faced a conflict of interest that resulted in prioritizing simply getting attestations on file so funding would be paid rather than ensuring Georgia Tech actually met NIST requirements.⁶

As O’Melveny previously noted, contractors face an increased risk of FCA claims alleging false certifications when submitting claims for payment where program requirements lack clarity. Ambiguous NIST provisions provide an opportunity for FCA relators or the government to assert that a contractor has misinterpreted the standards and, therefore, falsely certified compliance in violation of the FCA. Companies subject to federal cybersecurity requirements should therefore make implementing rigorous compliance procedures a priority to avoid potentially running afoul of the FCA. DOJ’s intervention in the Georgia Tech case is a clear signal that DOJ intends to focus on these areas of compliance going forward. 

DOJ’s Complaint-in-Intervention Provides Guidelines and Warnings to Government Contractors 

DOJ’s complaint-in-intervention provides key insights into DOJ’s priorities in litigating cybersecurity-related FCA cases because it details how DOJ believes Georgia Tech failed to meet cybersecurity compliance obligations and defrauded the government. Broadly, DOJ emphasizes that Georgia Tech failed on several key fronts: 

• Submitting inaccurate self-assessment scores with respect to NIST compliance: DOJ contends that Georgia Tech submitted a “fictitious” self-assessment score for the campus as a whole instead of evaluating individual contractors or laboratories. DOJ also alleges that Georgia Tech knew this score did not reflect actual compliance from contractors.⁷
• Deferring to employees who pushed back against cybersecurity requirements: DOJ accuses Georgia Tech of choosing to accommodate “star quarterback” researchers whose high-profile projects pulled in significant government funding. Georgia Tech allegedly deferred to these researchers’ demands instead of enforcing requirements.⁸
• Knowingly permitting contractor noncompliance with security requirements: DOJ alleges that Georgia Tech knew a contractor was operating without a system security plan or antivirus software in violation of NIST and other requirements. DOJ contends that Georgia Tech knew that failing to meet these requirements violated Georgia Tech’s contracts with the government.⁹ 

In the complaint, DOJ emphasizes that Georgia Tech knowingly submitted an inaccurate self-assessment score regarding NIST compliance in order to maintain eligibility for DOD contracts; that staff had been trained and were aware of the compliance requirements; and that Georgia Tech chose to accommodate its “star quarterback” researchers whose labs pulled in government funding when these researchers “push[ed] back against compliance with federal cybersecurity rules.”¹⁰

DOJ targets invoices Georgia Tech submitted for work done on two particular contracts by an allegedly noncompliant contractor from May 2019 to mid-2024.¹¹ DOD Contractors must self-attest that they have conducted a points-based self-assessment regarding their implementation of NIST requirements, including the “basic” requirement of a system security plan.¹² But according to DOJ, Georgia Tech submitted a score that failed to account for a contractor, Astrolavos Lab, that had no system security plan, that failed to systematically install, update, or run antivirus software on its devices, and that should not have been eligible for any DOD contracts.¹³ Instead of calculating scores for individual contractor systems as required under DOD regulations, DOJ alleges that Georgia Tech assessed a “fictitious” overall environment to submit a score that “did not apply to the Georgia Tech campus-at-large,” but ensured that Georgia Tech would be “eligible” for DOD contracts.¹⁴

Because contractors often must certify that they comply with federal requirements, FCA suits often focus on whether a defendant contractor’s certification was knowingly false. Here, DOJ alleges that Georgia Tech understood the federal cybersecurity requirements, including the NIST requirements, and that violating them could lead to FCA exposure.¹⁵ Specifically, DOJ alleges that Georgia Tech knew of the unmet requirement for a system security plan and permitted the noncompliant contractor to rely on Georgia Tech’s firewall and pursue other “mitigating measures” even though the installation of antivirus software was a requirement under NIST and applicable federal cybersecurity regulations.¹⁶

DOJ also alleges that the individual who oversaw government contracting at Georgia Tech was aware that “invoicing the government” while noncompliant with NIST requirements “would be interpreted as a false claim”; that staff were trained on and understood the NIST requirements; and that staff understood that failing to meet these requirements could result in contract termination and the loss of government contracts.¹⁷ DOJ also emphasizes that while Georgia Tech suspended payments on a particular contract involving Astrolavos Lab upon being informed by Relators of the noncompliance, Georgia Tech never informed DOD of the compliance problem.¹⁸

Considerations for Mitigating FCA Compliance Risk in the Wake of DOJ’s Georgia Tech Complaint

Although DOJ’s 99-page complaint-in-intervention may seem daunting, contractors can extract valuable insights on how to avoid similar pitfalls. To prevent such errors, contractors should examine their current compliance training and handbooks to identify opportunities for improving education and communication regarding the reporting of potential compliance issues. The DOJ's allegations suggest that multiple employees were aware of compliance failures but faced resistance when attempting to raise these concerns. Consequently, contractors should consider offering multiple channels for employees to report issues related to testing or verification processes.

Having a system in place that continuously vets and assesses procedures, and modifies them if necessary, also helps demonstrate a contractor’s commitment to complying with NIST requirements. Here, DOJ alleges that Georgia Tech chose to permit a noncompliant contractor to refuse to install antivirus software and to create a false overall self-assessment score for the Georgia Tech campus despite being fully capable to individually assess particular laboratories, systems, or projects. Contractors should have systems dynamic enough to flag and react to potential areas of trouble so they do not snowball to become systemic compliance problems. 

¹In the context of the FCA, a complaint-in-intervention is a document filed by the Department of Justice (DOJ) to join an existing whistleblower lawsuit. This action allows the DOJ to assert its own claims on behalf of the government.
²Press Release, Deputy Attorney General Lisa O. Monaco Announces New Civil Cyber-Fraud Initiative, (Oct. 6, 2021) available at https://www.justice.gov/opa/pr/deputy-attorney-general-lisa-o-monaco-announces-new-civil-cyber-fraud-initiative.
³31 USC. § 3729.
⁴31 USC. § 3730; Press Release, False Claims Act Settlements and Judgments Exceed $2.68 Billion in Fiscal Year 2023, DOJ (Feb. 22, 2024), available at https://www.justice.gov/opa/pr/false-claims-act-settlements-and-judgments-exceed-268-billion-fiscal-year-2023.
⁵Complaint, 31, 37, United States ex rel. Desai v. Georgia Tech Research Corporation, Case No. 1:22‐cv‐02698‐JPB (N.D. Ga. July 8, 2022).
⁶Compl. 41‐42.
⁷United States’ Complaint-in-Intervention, 248, 295-97, 299-303, 308-313 (filed on August 22, 2024).
⁸United States’ Complaint-in-Intervention, 8-12, 189, 232.
⁹United States’ Complaint-in-Intervention, 37, 152-57, 175, 224-232.
¹⁰United States’ Complaint-in-Intervention, 8-12, 232, 248, 295-97, 299-303, 308-313.
¹¹United States’ Complaint-in-Intervention, 283-289.
¹²United States’ Complaint-in-Intervention, 72-82.
¹³United States’ Complaint-in-Intervention, 152-57, 175.
¹⁴United States’ Complaint-in-Intervention, 72-73, 208-210, 310-312.
¹⁵United States’ Complaint-in-Intervention, 248-255.
¹⁶United States’ Complaint-in-Intervention, 86-88, 155-164, 184-90.
¹⁷United States’ Complaint-in-Intervention, 37, 224-232. 
¹⁸United States’ Complaint-in-Intervention, 191-197.

This memorandum is a summary for general information and discussion only and may be considered an advertisement for certain purposes. It is not a full analysis of the matters presented, may not be relied upon as legal advice, and does not purport to represent the views of our clients or the Firm. Sid Mody, an O’Melveny partner licensed to practice law in Texas; Amanda M. Santella, an O’Melveny partner licensed to practice law in the District of Columbia and Maryland; Benjamin D. Singer, an O’Melveny partner licensed to practice law in the District of Columbia and New York; and Carly Gibbs, an O’Melveny counsel licensed to practice law in the District of Columbia and California, contributed to the content of this newsletter. The views expressed in this newsletter are the views of the authors except as otherwise noted.

© 2024 O’Melveny & Myers LLP. All Rights Reserved. Portions of this communication may contain attorney advertising. Prior results do not guarantee a similar outcome. Please direct all inquiries regarding New York’s Rules of Professional Conduct to O’Melveny & Myers LLP, 1301 Avenue of the Americas, Suite 1700, New York, NY, 10019, T: +1 212 326 2000.