The United States has intervened in a lawsuit under the False Claims Act accusing Georgia Tech Research Corporation, Georgia Institute of Technology, and Georgia Tech Research Institute (collectively, “Georgia Tech”) of violating NIST 800-171 by failing to protect controlled unclassified information (CUI). The allegations were brought by two whistleblowers, Christopher Craig, a current Georgia Tech employee, and Kyle Koza, a Georgia Tech alumnus and former employee, who reported the conduct to the Department of Justice and provided valuable original information; as a result, the government intervened in the case. Read the complaint.
Georgia Tech is a party to many Department of Defense contracts, and these contracts are subject to National Institute of Standards and Technology (NIST) compliance requirements. Federal contractors of this kind are granted access to certain Department of Defense information, but must put in place “adequate security” measures to protect the information stored on their systems. The information at the center of the lawsuit is CUI, which covers unclassified information created or owned by the Department of Defense, such as patent information, certain types of government data, and information about the manufacturing and purchasing of goods and services. “Adequate” security for CUI is defined as, at a minimum, implementation of NIST Special Publication 800-171, which specifies how CUI must be protected in non-federal systems. Contractors self-certify that their systems and personnel comply with the NIST measures and must provide a detailed System Security Plan (SSP) describing how their IT network, hardware, software, and security procedures meet NIST 800-171. If NIST requirements are not met, contractors are obligated to develop a Plan of Action and Milestones (POA&M) setting out the timeline and steps for achieving full compliance.
In June 2017, Georgia Tech sent a memo to all departments handling CUI describing the NIST 800-171 measures and the federal security standards to be met, and setting a deadline of December 31, 2017 to bring all procedures into compliance. In September 2017, Georgia Tech received guidance from NIST on how to implement the NIST standards. Nevertheless, Georgia Tech intentionally failed to align its policies and procedures with the compliance guidelines in several respects.
The person responsible for determining whether the laboratory's operations complied with NIST 800-171 was not qualified to evaluate or report on compliance and therefore could not produce an accurate report for the Department of Defense. NIST 800-171 requires organizations that handle CUI to train the personnel who perform such tasks. Additionally, the evidence of compliance was chosen by system administrators rather than gathered by randomly sampling system configurations as required, and such evidence is often insufficient to prove compliance. The employees tasked with verifying compliance were also tasked with resolving the issues they identified, creating a conflict of interest that itself violates NIST 800-171. Certain departments also circumvented anti-malware requirements, compromising government data and further violating NIST 800-171.
By July 2018, Koza had identified issues with the compliance process, and by 2021 his supervisor, Craig, was aware of them as well. Both raised their concerns with their superiors and were retaliated against. In 2022, Craig received a poor performance review for attempting to address the NIST violations. Shortly afterward, Koza was forced to resign from Georgia Tech permanently. The complaint alleges that Georgia Tech not only caused false claims for government payment to be submitted, but also retaliated against employees who tried to stop the unlawful conduct, violating the False Claims Act on multiple fronts.
This intervention by the United States highlights the Department of Justice's Civil Cyber-Fraud Initiative, which gives whistleblowers an expanded and important role in the government's cybersecurity strategy. The Department of Justice considers it critical that businesses, including government contractors and grant recipients, follow the rules that protect taxpayer dollars and sensitive government data. The initiative seeks to hold contractors and grant recipients accountable for putting U.S. information and systems at risk in three areas:
- knowingly providing a deficient cybersecurity product or service;
- knowingly misrepresenting cybersecurity practices or protocols; or
- knowingly violating obligations to monitor and report cybersecurity incidents or breaches.