The Department of Justice announced on September 30, 2025, that Georgia Tech Research Corporation has agreed to pay $875,000 to resolve allegations that it violated the False Claims Act by failing to meet federal cybersecurity requirements. The settlement highlights the continuing risks government contractors face under DOJ's Civil Cyber-Fraud Initiative—and underscores that no actual data breach is required to trigger liability.
What Happened at Georgia Tech
Georgia Tech Research Corporation manages sponsored research for the Georgia Institute of Technology, including contracts with the Department of Defense. Two former members of Georgia Tech's cybersecurity team filed a qui tam lawsuit in 2022. DOJ intervened in 2024 and alleged three critical failures:
First, GTRC failed to install, update, or run required antivirus and anti-malware tools on computers and networks at Georgia Tech's Astrolavos Lab. The lab conducted sensitive cyber-defense research under contracts with the Air Force and the Defense Advanced Research Projects Agency.
Second, GTRC did not maintain a system security plan until at least February 2020, despite contractual requirements to have one in place.
Third, GTRC submitted a cybersecurity assessment score of 98 to the Department of Defense in December 2020. The government alleged this score represented compliance with DoD cybersecurity standards. But the score was based on what the government called a "fictitious" or "virtual" environment—not the actual systems processing covered defense information.
These alleged violations related to approximately $31 million in DoD contracts. DOJ sought damages and penalties totaling as much as $28 million.
The Legal Framework
The case turned on the Defense Federal Acquisition Regulation Supplement clause 252.204-7012, which requires contractors that process, store, or transmit covered defense information (a category of controlled unclassified information) to implement the security controls specified in National Institute of Standards and Technology Special Publication 800-171. Full implementation of those controls has been required on DoD contracts since the end of 2017.
The government pursued this case under the implied certification theory of False Claims Act liability. Under that theory, when a contractor submits invoices for payment, the contractor implicitly certifies compliance with material contract terms. If the contractor is not actually complying with those terms, the payment claims are false.
The government argued that cybersecurity compliance was a material contract term. Providing an accurate cybersecurity assessment score was a condition of contract award for GTRC's DoD contracts.
Georgia Tech Fought Back—and That Matters
Unlike defendants in most recent cybersecurity FCA cases, Georgia Tech did not immediately settle. Instead, it filed a 63-page motion to dismiss in October 2024, raising two significant challenges to the government's case.
On falsity, Georgia Tech argued that the research it performed did not involve controlled unclassified information and thus was not subject to the DFARS requirements. The motion also challenged whether the government adequately pleaded a false certification claim, noting that GTRC did not expressly certify compliance with the specific DFARS provisions when submitting invoices.
On materiality, Georgia Tech argued that DoD did not view cybersecurity compliance as the "essence of the bargain." DoD never asked GTRC to verify its assessment score. More tellingly, DoD continued making payments on the contracts even after learning of the alleged noncompliance.
DOJ filed an opposition brief contesting these defenses. But shortly after that briefing, the case went to mediation and settled for $875,000. Neither side obtained a ruling on its arguments.
The settlement amount is significantly lower than other recent DOJ cybersecurity FCA settlements. While this partly reflects the relatively modest contract value, it may also reflect that the government's complaint faced real risk of dismissal. By choosing to litigate rather than settle early, Georgia Tech may have secured better resolution terms.
Practical Implications for Defense Counsel
This settlement offers several lessons for defending government contractors.
No breach required. The government need not prove an actual data breach or compromise of information. The FCA violation arises from noncompliance with contractual cybersecurity requirements, even if no harm occurred. On scienter, the government need not prove intent to defraud: the FCA's "knowingly" standard is satisfied by actual knowledge, deliberate ignorance, or reckless disregard of the truth or falsity of the representations, so reckless disregard is the floor.
Whistleblowers drive enforcement. This case, like many cybersecurity FCA actions, began with a qui tam lawsuit by employees with inside knowledge of cybersecurity practices. Former IT and cybersecurity employees represent a substantial litigation risk. Organizations should take seriously and document their response to cybersecurity concerns these employees raise, bearing in mind that the FCA's anti-retaliation provision (31 U.S.C. § 3730(h)) protects employees who raise such concerns or participate in an FCA action.
Implied certification liability is broad. Contractors who submit invoices for payment implicitly certify compliance with material contract terms, even without express certification language in the invoices themselves. When cybersecurity requirements are conditions of contract award or relate to national security, courts are more likely to find them material. The materiality standard under Escobar remains demanding, however, and evidence that the government kept paying after learning of the alleged noncompliance, as Georgia Tech argued here, cuts against materiality.
Litigation can produce better outcomes. The settlement amount suggests that aggressive defense of falsity and materiality elements can pay dividends. Early case dismissal motions may put pressure on the government to settle for lower amounts, particularly when the contractor can credibly argue that the work did not involve the type of information the regulations were designed to protect.
Assessment score accuracy is critical. Submitting inflated cybersecurity assessment scores creates independent False Claims Act exposure. Contractors must ensure that self-assessment scores accurately reflect their actual systems and practices—not theoretical or planned implementations.
CMMC compliance is coming. DOJ's press release emphasized that the recently finalized Cybersecurity Maturity Model Certification program will further strengthen assessment requirements for DoD contractors and subcontractors. CMMC Level 2 requires a third-party assessment by an accredited assessor for most contractors handling controlled unclassified information, although some Level 2 contracts permit an affirmed self-assessment. The program will likely generate additional FCA enforcement as assessors identify gaps between contractor representations and actual practices.
What Contractors Should Do Now
Defense counsel should advise government contractor clients to take immediate steps to reduce cybersecurity FCA risk.
Conduct a comprehensive compliance audit of DFARS 252.204-7012 and NIST SP 800-171 requirements. Document actual implementation of required security controls. Identify and remediate any gaps between contractual requirements and current practices.
Review and verify cybersecurity self-assessment scores, including the NIST SP 800-171 DoD Assessment scores posted to the Supplier Performance Risk System (SPRS) under DFARS 252.204-7019 and -7020. Ensure that submitted scores reflect the actual systems handling covered defense information, not planned or theoretical implementations, and that the system security plan and plans of action the score is based on describe those systems. If past scores were inflated, consider whether voluntary disclosure is appropriate.
Implement robust internal controls around cybersecurity representations to the government. Ensure that individuals making cybersecurity certifications or submitting assessment scores have accurate, current information about actual security practices.
Prepare for CMMC assessments. Review which contracts will require CMMC certification and at what levels. Begin implementing any additional controls needed to meet certification requirements before assessments begin.
Address employee concerns about cybersecurity. Establish clear channels for employees to raise cybersecurity issues internally. Respond seriously to concerns raised by IT and cybersecurity personnel. Employees who feel their concerns are ignored may become qui tam relators.
Consider voluntary disclosure if significant compliance gaps exist. Under current DOJ policy, companies that voluntarily self-disclose, cooperate fully, and remediate timely may receive declinations or non-prosecution agreements with reduced fines. The May 2025 revisions to the Criminal Division's Corporate Enforcement Policy make the benefits of voluntary disclosure more predictable. Note that the Corporate Enforcement Policy governs criminal matters; for civil FCA exposure, DOJ's separate guidelines on disclosure, cooperation, and remediation in FCA matters (Justice Manual 4-4.112) describe the credit available, which typically takes the form of reduced damages multipliers and penalties rather than a declination.
The Enforcement Environment
DOJ launched its Civil Cyber-Fraud Initiative in October 2021. Since then, the government has recovered millions of dollars from companies and universities across multiple cases. DOJ, DoD, and the Air Force Office of Special Investigations have all emphasized their continuing commitment to pursuing cybersecurity violations.
The government's theory is straightforward: contractors who fail to implement required cybersecurity controls while handling sensitive government information create national security risks. Pursuing these failures through the False Claims Act allows the government to recover damages without needing to prove an actual breach occurred.
In announcing the Georgia Tech settlement, Assistant Attorney General Brett A. Shumate stated that "when contractors fail to follow the required cybersecurity standards in their DoD contracts, they leave sensitive government information vulnerable to malicious actors and cyber threats." The government will "continue to pursue and litigate violations of cybersecurity requirements to hold contractors accountable."
This enforcement priority shows no signs of diminishing. Despite the current administration's stated commitment to reducing unnecessary regulatory burdens on business, the May 2025 white-collar enforcement plan specifically identified protecting national security and government programs as high-priority areas. Cybersecurity violations affecting defense contracts fall squarely within those priorities.
Bottom Line
The Georgia Tech settlement confirms that cybersecurity compliance is no longer just an IT issue—it is a core contract performance obligation with potential False Claims Act exposure. Government contractors must treat cybersecurity requirements with the same rigor they apply to other material contract terms.
The settlement also demonstrates that aggressive defense of FCA cybersecurity cases can produce favorable results. Contractors facing such allegations should carefully evaluate whether the government can prove both falsity and materiality, particularly if the work at issue did not actually involve the type of sensitive information the regulations were designed to protect.
As CMMC implementation proceeds and DOJ's Civil Cyber-Fraud Initiative continues, contractors should expect heightened scrutiny of their cybersecurity practices. Taking proactive steps now to ensure compliance—and to document that compliance—will help avoid becoming the subject of the next cybersecurity FCA enforcement action.
Under the settlement agreement, GTRC will pay $875,000 to the United States, with $437,500 deemed restitution and $201,250 going to the two whistleblowers who filed the original qui tam lawsuit.