Penn State Settles for $1.25M Over Failure to Comply With DoD, NASA Cybersecurity Requirements


The Pennsylvania State University (Penn State) has agreed to pay $1.25 million to settle alleged failures to comply with cybersecurity requirements in over a dozen contracts for the Department of Defense (DoD) and National Aeronautics and Space Administration (NASA).

In October 2022, Matthew Decker, former chief information officer (CIO) of the institution’s Applied Research Laboratory and currently the Chief Data and Information Officer at NASA’s Jet Propulsion Laboratory, filed a qui tam lawsuit against Penn State under the whistleblower provisions of the False Claims Act.

The qui tam action alleges that Penn State, which solicits and receives research contracts from federal agencies, failed to comply with the Defense Federal Acquisition Regulation Supplement (DFARS) clauses that require adequate security to be implemented for all contractor information systems.

The minimum requirements align with NIST Special Publication (SP) 800-171, which also mandates that DoD contractors submit summary-level scores of their compliance assessments and provide the dates by which all requirements will be implemented.

According to the settlement agreement (PDF), between January 2018 and November 2023 Penn State allegedly failed to implement certain required controls in relation to 15 federal contracts or subcontracts.

The US government, which has intervened in the lawsuit to settle the allegations, claims that Penn State failed not only to implement security requirements, but also to “adequately document, develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in the systems involved in the performance of the contracts,” the settlement agreement shows.

Furthermore, Penn State allegedly misstated the dates by which it would implement all security requirements, did not pursue their implementation, and failed to use an external cloud service provider that complied with NASA contractor requirements.

To settle the allegations, Penn State agreed to pay $1.25 million to the US government, which will then transfer $250,000 to Decker. Furthermore, Penn State agreed to pay $150,000 to Decker’s counsel for expenses, attorneys’ fees, and costs related to the lawsuit.


In August 2024, the US announced it had intervened in a whistleblower suit brought against the Georgia Institute of Technology (Georgia Tech) and Georgia Tech Research Corporation (GTRC) over similar failures.
