On August 22, 2024, the United States filed a complaint-in-intervention against the Georgia Institute of Technology and Georgia Tech Research Corporation (GTRC), alleging they knowingly failed to meet the cybersecurity requirements in their Department of Defense contracts. The case is a marquee example of the DOJ's Civil Cyber-Fraud Initiative — and a pointed reminder that the cybersecurity representations contractors make to the government are exactly that: representations, enforceable under the False Claims Act. (These are allegations only; there has been no determination of liability.)
What the Government Alleges
The complaint, captioned *United States ex rel. Craig v. Georgia Tech Research Corp.*, No. 1:22-cv-02698 (N.D. Ga.), centers on three failures at Georgia Tech's Astrolavos Lab:
- No system security plan. Until at least February 2020, the lab allegedly failed to develop and implement a system security plan (SSP) — the document that DoD cybersecurity rules require, laying out which controls a contractor has in place. When the lab finally adopted an SSP in February 2020, the government says it was not properly scoped to cover all the laptops, desktops, and servers it should have.
- No antivirus. Until December 2021, the lab allegedly failed to install, update, or run antivirus or anti-malware tools across its systems. According to the complaint, Georgia Tech approved the lab's refusal to install antivirus software — contrary to both federal requirements and Georgia Tech's own policies — to satisfy the professor who led the lab.
- A false SPRS score. This is the allegation contractors should sit up for. In December 2020, Georgia Tech and GTRC allegedly submitted a summary-level cybersecurity score of 98 for the "Georgia Tech campus" to DoD. The government says that score was false because Georgia Tech had no campus-wide IT system, and the number described a "fictitious" or "virtual" environment that did not correspond to any system that would actually process, store, or transmit covered defense information. Submitting that score was a condition of award for the contracts.
Why the SPRS Angle Matters
DoD contractors handling Controlled Unclassified Information must self-assess against NIST SP 800-171 and post a summary score in the Supplier Performance Risk System (SPRS). Under the DoD Assessment Methodology, that score runs from 110 down to -203, and a current score is a precondition to award on covered contracts. The number is convenient precisely because it is self-reported — and that convenience is the trap.
The Georgia Tech allegations show how the government reads a score: not as a target you aspire to, but as a factual claim about a real environment. A high score attached to a system that does not exist, or that never touches covered information, is not a technicality in the government's telling — it is the misrepresentation. If your SPRS entry describes an idealized or "to-be" environment rather than the systems actually performing the contract, you may be making a false statement every time you certify it.
The Whistleblower Dimension
The case did not start with a DoD audit. It began as a *qui tam* suit filed by Christopher Craig and Kyle Koza, two former senior members of Georgia Tech's own cybersecurity compliance team. Under the False Claims Act's whistleblower provisions, insiders can sue on the government's behalf and share in any recovery — and the government can intervene, as it did here. The people most likely to know your cyber posture is overstated are the same people on your compliance team. A defendant found liable under the FCA faces treble (three times) damages plus penalties.
What Contractors Should Take Away
- Your SSP has to be real and complete. Have one, scope it to every covered asset, and keep it current. "We'll write it later" was the first domino here.
- Your SPRS score must describe the systems that actually do the work. Score the real environment that processes, stores, or transmits CUI/covered defense information — not a virtual ideal. Document how you reached the number.
- Don't let a program or a personality override controls. Antivirus was allegedly skipped to placate a lab head. Exceptions granted for convenience become exhibits in a complaint.
- Treat your compliance team as the early-warning system it is. Address their concerns internally; they have standing to escalate externally.
Key Takeaways
- The DOJ's intervention against Georgia Tech and GTRC alleges a missing/under-scoped system security plan, a years-long failure to run antivirus, and a false SPRS score of 98 for a "fictitious" network — submitted as a condition of contract award.
- The case underscores that a self-reported SPRS score is a representation to DoD, enforceable under the False Claims Act, with treble damages on the line.
- It was brought by internal cybersecurity-team whistleblowers under the *qui tam* provisions — a reminder that overstated compliance is most visible to your own people.
For the broader enforcement landscape, see Enforcement & Penalties and our overview of the DOJ's Civil Cyber-Fraud Initiative; to understand the number at the center of this case, read how the SPRS score actually works; and confirm what applies to your contracts with Find My Requirements.