Introducing the Georgia Tech Whistleblowers.

In this episode, the whistleblowers explain how they tried to stop Georgia Tech from allegedly LYING to the government about their NIST 800171 compliance and what they have faced since they blew the whistle!

Whistleblower attorney Julie Bracker also shares what could come next and how much Georgia Tech may have to pay out!

Here are a few highlights from this episode:

Hear directly from the whistleblowers in this False Claims Act case
Details on the "Fictitious" NIST 800171 SPRS Score
How much money Georgia Tech might have to pay
Recommendations to universities
Advice for other whistleblowers

Both of the whistleblowers have a long history with Georgia Tech and truly care for the institution.

Christopher Craig has worked at Georgia Tech for more than 20 years. He was the Associate Director of Cybersecurity where he managed all central cyber security personnel and built the GRC team until Georgia Tech demoted him to an Enterprise Security Architect.

Kyle Koza worked at Georgia Tech for more than 15 years until he left his role as a Principal Information Security Engineer in 2022. He got his bachelor’s and master's degrees from Georgia Tech and also cowrote and still teaches a security incident response master's degree course at the university.

I thought Christopher's recommendation (24:37) for universities to centralize their labs was excellent!

How can a university expect to maintain its NIST / CMMC compliance if multiple labs are built and managed by different teams who may not even be familiar with the NIST 800171 security controls?

I also loved hearing Chris tell us about the support he has received from the cyber community (38:00)! Who in cyber doesn't want to do the right thing? I would like to think those with bad intent are an extremely small percentage.

Special thanks to Christopher and Kyle for sharing their stories with us, and to Julie Bracker for coordinating this interview!

Follow Julie on LinkedIn:   / juliekeetonbracker  

Bracker & Marcus LLC Website: https://www.fcacounsel.com/



Thanks to our sponsor Vanta!

Want to save time filling out security questionnaires?

Register for Vanta's upcoming webinar on Questionnaire Automation here: https://vanta.com/grcacademy



Governance, Risk, and Compliance Academy (GRC) Academy is a training and research platform!

Online GRC Training: https://grcacademy.io/courses/?utm_so...

00:00 Beginning
00:32 How the guests fit into this story
02:00 Timeline of the False Claims Act lawsuit
04:20 How the whistleblowers learned there were problems
07:09 Difference between Georgia Tech and Georgia Tech Research Corporation
08:01 How Georgia Tech is organizationally structured
11:40 The technical issues in the lab
13:26 The "Fictitious" NIST 800171 SPRS score
16:41 Trying to address the problems internally
18:59 Pushback from the CISO
21:18 Personal and professional impacts from blowing the whistle
23:25 Lessons learned for universities
27:47 DoJ's investigation after they intervened
30:19 Did DoJ agree with the whistleblower complaint?
31:20 How much money Georgia Tech might have to pay
34:03 Whistleblower involvement after DoJ intervention
35:48 Advice for future whistleblowers
40:49 Conclusion