The Justice Department is suing Georgia Tech University and an affiliated company, alleging they failed to meet cybersecurity standards required to win Pentagon contracts.

The U.S. government had previously joined a whistleblower lawsuit brought by current and former members of Georgia Tech’s cybersecurity team, and on Thursday the Justice Department filed another lawsuit on behalf of the Department of Defense, the Air Force and the Defense Advanced Research Projects Agency.

In its complaint, the Justice Department cites the False Claims Act – a Civil War-era law designed to combat shady contractors – which has been used in cyber cases since 2022 as part of the Civil Cyber-Fraud Initiative.

“Specifically, the lawsuit alleges that the Astrolavos Lab at Georgia Tech failed to develop and implement a system security plan required by the Department of Defense cybersecurity regulations that specified the cybersecurity controls Georgia Tech was required to implement at the lab until at least February 2020,” a press release summarizing the complaint states. “Even when the Astrolavos Lab finally implemented a system security plan in February 2020, the lawsuit alleges that Georgia Tech failed to properly expand that plan to include all covered laptops, desktops, and servers.”

According to the lawsuit, the lab did not install anti-malware software on the devices and the university and its partner company provided false cybersecurity assessment results to the Pentagon.

A Georgia Tech spokesperson said the complaint “misrepresents Georgia Tech’s culture of innovation and integrity,” and that the school was “disappointed” by the Justice Department’s maneuver and would “vigorously contest” it.

“This case has nothing to do with confidential information or protected government secrets,” said spokesman Blair Meeks. “The government told Georgia Tech that this was research that did not require cybersecurity restrictions, and the government itself has made Georgia Tech’s groundbreaking research public. In fact, there was no information breach in this case and no data was leaked.”

The two Georgia Tech whistleblowers whose names are listed as plaintiffs, Kyle Koza and Christopher Craig, first filed their lawsuit in 2022.

A whistleblower alleged that there was “no enforcement” of cybersecurity regulations at Georgia Tech for years because the university put financial gain ahead of compliance. The whistleblowers also detailed their allegations in an interview.

“Compliance with cybersecurity regulations by government contractors is critical to protecting U.S. information and systems from threats posed by malicious actors,” U.S. Attorney Ryan K. Buchanan for the Northern District of Georgia said in a statement. “That’s why we expect contractors to adhere to cybersecurity requirements in their contracts and grants, regardless of the size or type of organization or the number of contracts involved. Our office will hold contractors accountable who ignore cybersecurity rules.”