The federal government is suing the Georgia Institute of Technology and an affiliated research organization over allegations that they “knowingly failed to meet” cybersecurity requirements for Pentagon contracts.

The Justice Department said Thursday that it had joined a whistleblower lawsuit filed against Georgia Tech and Georgia Tech Research Corporation in 2022 and filed an “intervention complaint” against the companies.

The lawsuit was originally filed by two senior members of Georgia Tech’s cybersecurity compliance team under the False Claims Act, which the U.S. Department of Justice’s Civil Cyber-Fraud Initiative uses to target contractors who lie about their cybersecurity.

“Government contractors that do not fully implement required cybersecurity controls put the confidentiality of sensitive government information at risk,” said Brian M. Boynton, assistant attorney general and chief of the Justice Department’s Civil Division, in a statement. “The Department’s Civil Government Cyber ​​Fraud Initiative is designed to identify and hold such contractors accountable.”

In a press release, the Justice Department alleged that the institutions had committed numerous violations of the Department of Defense’s cybersecurity policies in the years leading up to the whistleblower complaint.

Among the most serious allegations was the claim that “Georgia Tech and (Georgia Tech Research Corporation) submitted a false result to the Department of Defense in its December 2020 cybersecurity assessment of the Georgia Tech campus.”

DOD contractors must submit “summary assessments reflecting the status of their compliance with applicable cybersecurity requirements for the covered contract systems used to store or access covered defense information,” according to the DOJ, which was a “contract award condition” of the university’s agreement with the Pentagon.

Although the two companies submitted a score of 98 for Georgia Tech’s campus, the lawsuit claimed that it was incorrect because the university does not have a campus-wide IT system. Moreover, the score “referred to a ‘fictitious’ or ‘virtual’ environment and did not refer to any covered contract system at Georgia Tech that could or would process, store, or transmit covered defense information.”

The lawsuit also alleged that the Astrolavos Lab at Georgia Tech previously “failed to develop and implement a systems security plan required by the Department of Defense cybersecurity regulations.” When the security document was finally implemented in February 2020, the lawsuit said the university “failed to design that plan to include all covered laptops, desktops, and servers.”

In addition, the Justice Department alleged that the Astrolavos lab did not use antivirus or antimalware programs on its devices until December 2021. The university reportedly allowed the lab to refuse to install the software at the request of its director, “in violation of both federal cybersecurity requirements and Georgia Tech’s own policies.”

In a statement, Georgia Tech called the complaint “completely without merit” and said it would “vigorously challenge it in court.”

“This case has nothing to do with confidential information or protected government secrets,” the university added. “The government told Georgia Tech that it was conducting research that did not require cybersecurity restrictions, and the government itself made Georgia Tech’s groundbreaking research public. In fact, there was no information breach in this case and no data was leaked.”