August 27th, 2024

DOJ suit claims Georgia Tech knowingly failed to meet cyber standards

The DOJ has intervened in a whistleblower lawsuit against Georgia Tech for allegedly submitting false cybersecurity scores to the DOD and failing to meet required cybersecurity standards. Georgia Tech denies the claims.


The U.S. Department of Justice (DOJ) has intervened in a whistleblower lawsuit against the Georgia Institute of Technology and the Georgia Tech Research Corporation, alleging that they knowingly failed to meet cybersecurity standards required for Department of Defense (DOD) contracts. The lawsuit, originally filed in 2022 by two senior staffers from Georgia Tech's cybersecurity compliance team, claims that the institutions submitted a false cybersecurity assessment score to the DOD in December 2020. The DOJ asserts that Georgia Tech reported a compliance score of 98, and that the score was misleading because it did not correspond to a real IT system capable of processing sensitive defense information. The lawsuit also alleges that the Astrolavos Lab at Georgia Tech failed to develop a required system security plan and did not implement the required antivirus measures until late 2021. Georgia Tech has denied the allegations, stating that the complaint is unfounded and that no confidential information was breached. The university says it will contest the lawsuit vigorously in court.

- DOJ has joined a whistleblower lawsuit against Georgia Tech for cybersecurity compliance failures.

- Allegations include submitting false cybersecurity assessment scores to the DOD.

- The lawsuit claims Georgia Tech lacked a proper IT system for defense information processing.

- Georgia Tech asserts the complaint is baseless and plans to dispute it in court.

- The case highlights the DOJ's focus on enforcing cybersecurity standards among government contractors.

1 comment
By @WaitWaitWha - about 2 months
BLUF: unless there was gross negligence (meh, just put any score in there) that they can prove, a 98 can be explained very easily.

To give a bit of context, the score they are talking about (98) is an entry in DISA's Supplier Performance Risk System (SPRS) [0].

The score almost certainly is based on self-assessment using NIST SP 800-171v2 (and 800-171A). This is a document that looks at 110 cybersecurity controls across 16 families. It comes out to about 300 or so explicit items that need to be looked at.

The score is from -203 (that is a minus) to 110. The scoring starts at 110, then deductions of 1, 3, or 5 points are made when a specific control audit fails.

This is only for the confidentiality of Controlled Unclassified Information (CUI). [1]

Because of this special carve-out for just CUI, scoping what is and is not in scope is hard. I have heard of audits where the auditor (DCMA DIBCAC) stated "everything is in scope", and elsewhere the auditor stated "only that which is directly generated by the Government".

Not only this, there is a feud amongst agencies about who does what, where, and how, when it comes to cybersecurity.

[0] https://www.sprs.csd.disa.mil/

[1] https://www.archives.gov/cui/about
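The scoring rule the comment above describes (start at 110, subtract 1, 3 or 5 points for each control that fails), worked as an added example that is not from the article or the commenter. The control-to-weight table is a constructed, hypothetical sample, not the official assessment methodology table; the point it makes is the commenter's: many different sets of failed controls produce the same reported score, so a 98 on its own says little about which controls were missed.

```python
"""Score calculator for the NIST SP 800-171 self-assessment scoring rule
described in the comment above: 110 minus 1/3/5 points per failed control.

SAMPLE_WEIGHTS is a constructed, hypothetical subset of control IDs and
weights used only to illustrate the arithmetic. It is NOT the official table.
"""
from itertools import combinations
from typing import Dict, Iterable, List, Tuple

MAX_SCORE = 110  # a fully compliant self-assessment

# Constructed sample: control ID -> points deducted if the control fails.
SAMPLE_WEIGHTS: Dict[str, int] = {
    "3.1.1": 5, "3.1.2": 5, "3.3.1": 5, "3.5.3": 5, "3.13.11": 5, "3.14.2": 5,
    "3.1.5": 3, "3.8.1": 3, "3.12.4": 3,
    "3.1.7": 1, "3.4.3": 1, "3.5.7": 1,
}


def sprs_score(failed: Iterable[str], weights: Dict[str, int] = SAMPLE_WEIGHTS) -> int:
    """Return MAX_SCORE minus the weight of every failed control.

    An unknown control ID is an error rather than a silent zero deduction,
    since a typo in a failed-control list would otherwise inflate the score.
    """
    total = 0
    for control in failed:
        if control not in weights:
            raise ValueError(f"unknown control id: {control}")
        total += weights[control]
    return MAX_SCORE - total


def deduction_multisets(points: int) -> List[Tuple[int, int, int]]:
    """All (fives, threes, ones) counts whose deductions add up to `points`.

    Independent of any weight table: it only depends on the 1/3/5 rule.
    """
    out = []
    for fives in range(points // 5 + 1):
        remaining = points - 5 * fives
        for threes in range(remaining // 3 + 1):
            ones = remaining - 3 * threes
            out.append((fives, threes, ones))
    return out


def failure_sets_for_score(score: int, weights: Dict[str, int] = SAMPLE_WEIGHTS) -> List[Tuple[str, ...]]:
    """Every subset of controls in `weights` whose failure yields exactly `score`.

    Brute force over subsets; fine for the 12-control sample (4096 subsets).
    """
    target = MAX_SCORE - score
    ids = sorted(weights)
    matches = []
    for r in range(len(ids) + 1):
        for combo in combinations(ids, r):
            if sum(weights[c] for c in combo) == target:
                matches.append(combo)
    return matches


if __name__ == "__main__":
    failed = ["3.5.3", "3.1.1", "3.1.7", "3.4.3"]  # constructed assessment result
    print("score:", sprs_score(failed))
    print("1/3/5 mixes that deduct 12 points:", deduction_multisets(12))
    print("distinct failure sets scoring 98 in the sample:",
          len(failure_sets_for_score(98)))
```

With the 12-control sample, 100 different combinations of failed controls all report as a 98, and nine distinct mixes of 5-, 3- and 1-point deductions reach 12 points regardless of the table; an auditor who wants to know what actually failed has to look at the underlying assessment, not the number.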