Penn State Settles Cybersecurity Violation Claims for $1.25m
Introduction
Pennsylvania State University (Penn State) has agreed to a $1.25 million settlement to address allegations that it violated the False Claims Act by failing to meet cybersecurity requirements in 15 contracts or subcontracts with the Department of Defense (DoD) and the National Aeronautics and Space Administration (NASA).
The alleged conduct spanned 2018 to 2023 and centered on Penn State's reported failure to implement specific cybersecurity controls required by those contracts, together with its failure to develop adequate plans of action to remediate the deficiencies it had already identified.
The DoD requires contractors whose systems store, process or transmit sensitive defense information to assess their own compliance with the required security controls (the control set of NIST SP 800-171) and report the result. The report takes the form of a summary score reflecting how many of the required controls are implemented on each contracting system used to store or access that information, and is expected to be accompanied by a plan of action, with dates, for any controls still outstanding.
According to the U.S. government, the scores Penn State submitted did disclose that some required controls were not implemented; the alleged falsity lay elsewhere. The university allegedly misrepresented the deadlines by which it would implement those controls and never developed plans of action to close the gaps. It was further alleged that, on some contracts, Penn State stored protected defense information with an external cloud service provider that did not meet the DoD's security standards for such data.
The Principal Deputy Assistant Attorney General, who heads the Justice Department's Civil Division, emphasized that universities receiving federal funds must rigorously adhere to cybersecurity requirements in order to safeguard sensitive government data.
Under the Justice Department’s Civil Cyber-Fraud Initiative, the department is increasing efforts to hold contractors accountable when they neglect these contractual obligations, which are designed to protect sensitive government information from cyber threats.
The Special Agent in Charge of the Naval Criminal Investigative Service (NCIS) Economic Crimes Field Office noted that, given the rise in cyber threats, robust cybersecurity practices are crucial for protecting the DoD's research and procurement activities. NCIS is actively working alongside federal partners to investigate entities that fail to implement required security controls on contracts involving critical defense information.
The DoD Office of Inspector General's Defense Criminal Investigative Service (DCIS) also stressed the importance of adhering to the cybersecurity specifications in defense contracts. DCIS, with its law enforcement and Justice Department partners, remains committed to investigating and addressing false claims that compromise the security of DoD data and programs.
The Assistant Inspector General for Investigations at NASA’s Office of Inspector General (NASA-OIG) highlighted the vital need to safeguard both NASA and DoD data from unauthorized access. The inability of Penn State to adequately address known security deficiencies not only put sensitive information at risk but also undermined broader cybersecurity efforts. NASA-OIG is dedicated to holding accountable any organization that fails to meet critical security standards, as illustrated by the resolution of this case.
The Civil Cyber-Fraud Initiative was launched on October 6, 2021, by the Deputy Attorney General to enforce cybersecurity accountability under the False Claims Act. The initiative pursues civil claims against companies and individuals that put sensitive information at risk by knowingly providing deficient cybersecurity products or services, misrepresenting their cybersecurity practices or protocols, or failing to monitor and report cybersecurity incidents and breaches as required.
This settlement resolves a lawsuit filed under the qui tam, or whistleblower, provisions of the False Claims Act. Those provisions allow a private individual to sue on behalf of the government over false claims for government funds and to receive a share of any recovery. In this case the suit was filed by a former chief information officer of Penn State's Applied Research Laboratory, who will receive $250,000 of the settlement.
The case’s resolution was achieved through a coordinated effort led by the Civil Division's Commercial Litigation Branch, Fraud Section, and the U.S. Attorney’s Office for the Eastern District of Pennsylvania. Additional support came from multiple federal agencies, including NCIS, NASA-OIG, DCIS, the Army Criminal Investigation Division, the Naval Audit Service, the Defense Contract Management Agency’s Defense Industrial Base Cybersecurity Assessment Center, and the Air Force Materiel Command.
This settlement underscores the federal government's commitment to enforcing cybersecurity standards on entities that handle sensitive information on its behalf, and it shows how that enforcement works in practice: the exposure here arose not from a breach but from the gap between what the university told the government about its controls and what it was actually doing. For universities and other contractors involved in federally funded research, the practical lessons are the ones this case turns on: report self-assessment scores accurately, back every unimplemented control with a plan of action and an implementation date the organization can actually meet, and confirm that any cloud service provider meets the DoD's security standards before placing covered defense information with it.
The settlement serves as a reminder that organizations working with government agencies must uphold the security measures they have contractually committed to, both to protect sensitive information from unauthorized access and to avoid the national security and legal consequences of falling short.