On September 30, 2025, the Department of Justice (DOJ) announced that Georgia Tech Research Corporation (GTRC) agreed to pay $875,000 to settle allegations that it violated the False Claims Act (FCA) and federal common law by failing to meet cybersecurity requirements under certain Air Force and Defense Advanced Research Projects Agency (DARPA) contracts. The settlement adds to the growing list of recoveries under DOJ’s Civil Cyber-Fraud Initiative and is yet another example of DOJ’s ongoing enforcement focus on cybersecurity obligations for federal contractors handling sensitive government information. The settlement also provides insight into how government contractors may challenge FCA liability when faced with allegations of cybersecurity noncompliance.
GTRC, a non-profit contracting entity affiliated with the Georgia Institute of Technology (Georgia Tech), conducts research for federal agencies, including the Department of Defense (DOD). The allegations arose from a qui tam lawsuit (captioned United States ex rel. Craig et al. v. Georgia Tech Research Corp. et al., Civil Action No. 22-cv-02698) filed by two former members of Georgia Tech’s cybersecurity team under the FCA’s whistleblower provisions. The United States intervened in the suit in 2024. The United States’ complaint primarily alleged that violations of the following clauses occurred at Georgia Tech’s Astrolavos Laboratory:
On September 30, 2025, the Department of Justice (DOJ) announced that Georgia Tech Research Corporation (GTRC) agreed to pay $875,000 to settle allegations that it violated the False Claims Act (FC...