Department of Justice's first cybersecurity intervention; FCA Qui Tam case suggests continued cyber investigation
In July 2022, two relators sued GTRC and GA Tech under the FCA. The complaint alleges FCA violations and employment law violations based on what the relators allege was “increased retaliation” after they escalated their concerns.
The relators are current and former employees of GA Tech's Information Technology Department. Their complaint alleges that GTRC failed to adequately implement cybersecurity controls required by “hundreds of contracts with the Department of Defense.” Specifically, the relators claim that in 2017 the 110 controls of NIST SP 800-171 became mandatory for all research conducted at GA Tech and its affiliated laboratories under contract with the Department of Defense. The relators further state that Defendants formed a team focused on auditing the implementation of controls and took initial steps to assess compliance with required controls; they argue that it was not possible to accurately evaluate the
The relators also say that the teams assembled to audit compliance with required cybersecurity controls are unqualified and pressured to interpret controls inconsistently, and that existing practices are insufficient. They claim that the teams took the word of system administrators assigned to each laboratory at face value regarding the adequacy of their controls and on that basis determined that the controls were properly managed. That all amendments were implemented into the system (rather than simply being documented), and that compliance was continuously monitored throughout contract performance, was not guaranteed. As a result, the relators allege that the defendants' NIST 800-171 compliance certification was false. The relators claim they provided detailed reports to the administration about problems they had noticed in the implementation of cybersecurity controls, but that their reports were consistently ignored by administration officials and that those who raised concerns suffered retaliation. Notably, the relators claim that in the case of certain laboratories, even after certifications were proven to be false, contract claims and performance continued rather than being held pending until compliance concerns were resolved.
In February 2024, the Department of Justice intervened in this case, joining for the first time a cybersecurity lawsuit brought by relators. The Department of Justice has until June 24, 2024 to submit its complaint in intervention. This intervention shows the Department's continued focus on cybersecurity fraud and on strengthening contractor compliance with cybersecurity requirements under the Department's Civil Cyber-Fraud Initiative, announced by Deputy Attorney General Lisa Monaco in October 2021.