
Georgia Tech’s Hard Lesson with Not Being Compliant

Written by Waits Sharpe | Apr 1, 2024 12:57:00 PM

Regulatory compliance frameworks are put in place to help protect classified or sensitive information from threat actors who would seek to exploit it. Frameworks like NIST 800-171, HIPAA, FINRA, and more hold organizations accountable for implementing strong cybersecurity policies. In these cases, failure to comply can result in dire consequences for businesses. Organizations may have to pay severe fines, be barred from future business with data providers, or in some cases face litigation as a result of failing to comply with certain regulations. A prime example of the consequences of non-compliance is the recent United States vs Georgia Tech Research Corporation. This event should be seen as a cautionary tale on the importance of compliance.

Summary of Events

In August of 2022, a claim was filed against the Georgia Tech Institute of Technology and the Georgia Tech Research Corporation, alleging that they had failed to adequately comply with NIST 800-171 requirements and had chosen not to report it. This would constitute a violation of the federal False Claims Act, put in place to prevent entities from falsely claiming compliance. Georgia Tech and its research labs and divisions are subject to hundreds of contracts under the Department of Defense (DoD). The DoD requires that every contractor comply with the Defense Federal Acquisition Regulations (DFARS) 252.204-7012, which is meant to safeguard defense information and outline how cyber incidents are to be reported. Controlled Unclassified Information (CUI) is sensitive data stored, created, or transmitted under a federal contract that requires the cybersecurity protections outlined in NIST SP 800-171. As a contractor of the DoD and of Lockheed Martin, Georgia Tech is required to comply with these frameworks and implement the controls outlined in them.

The plaintiffs claim that Georgia Tech failed to implement a number of the required controls outlined in NIST 800-171. The claim states that the assessors working within the Government Risk and Compliance (GRC) team, a group tasked with implementing compliance regulations at Georgia Tech, were not qualified to "determine whether a lab's practices actually complied with a given control". This represented a crucial misstep that had cascading effects on the entire organization. It led to the implementation of software and tools that were meant to protect against threats like malware but, in reality, had no relation to malware protection at all. This underscored a larger issue of assessors being pressured to twist the wording of the NIST controls to fit the practices already in place. When the plaintiffs raised these issues, they were "cut out of the process as much as possible". Other violations included placing assessors in charge of "fixing" compliance issues rather than simply finding them. The claim states that this creates a conflict of interest and is in complete violation of what NIST 800-171 defines as "separation of duties".

Additionally, it was found that the GRC did not continually monitor or audit environments that were under contract. The claim states that "this is arguably a violation of every single requirement in Section 3.3, Audit and Accountability, because all of the requirements in that section require access to system audit logs and records that allow for 'monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity'". While under contract, every organization has a responsibility to ensure it remains compliant the entire time and accounts for changes within the cybersecurity landscape.

The plaintiffs claimed that while working at Georgia Tech they were expected to take shortcuts and were pressured to make unethical choices that put confidential data at risk. When their concerns were brought forward, they were often dismissed or isolated from projects even further.

The False Claims Act

The claim against Georgia Tech is being filed as a violation of the False Claims Act. The False Claims Act was put in place to hold entities or persons accountable for knowingly presenting false compliance claims to the government. In 2021, the Department of Justice launched the Civil Cyber-Fraud Initiative to use the False Claims Act against those who had falsified cybersecurity compliance. In the case of Georgia Tech, there are several blatant examples of violating the False Claims Act.

Key Takeaways

Every organization should understand that non-compliance is a serious matter. Not only can it ruin the reputation of a business, but it may also have legal repercussions and put additional financial strain on your organization. Your business must do its due diligence to determine where it must be compliant, where sensitive data exists, and what needs to be done to protect it. For many small and medium-sized businesses (SMBs) this can be challenging.

CorpInfoTech exists to offer enterprise-level IT and security solutions to SMBs. We offer security assessments and managed compliance services to help organizations achieve and maintain compliance. We are able to help businesses implement NIST 800-171 and DFARS requirements, CMMC compliance, HIPAA, and FINRA/SEC. Our managed compliance services cover a broad range of industries and can address your unique business needs in either a fully managed or co-managed environment.

CorpInfoTech (Corporate Information Technologies) provides small to mid-market organizations with expert I.T. services, including security assessment, cybersecurity penetration tests, managed services (MSP), firewall management, and vulnerability management. CorpInfoTech can help organizations quantify, create, refine, and mitigate the risks presented by business-threatening disasters in whatever form they may be disguised.