The Pennsylvania State University (Penn State), based in University Park, has agreed to a substantial settlement of $1.25 million to resolve serious allegations regarding its cybersecurity practices. The university was accused of violating the False Claims Act by failing to meet cybersecurity requirements in fifteen contracts with the Department of Defense (DoD) and the National Aeronautics and Space Administration (NASA).
The settlement addresses claims that between 2018 and 2023, Penn State did not implement necessary cybersecurity controls mandated by the DoD and NASA. Investigators found that the university not only failed to correct identified deficiencies but also submitted misleading cybersecurity assessment scores to the DoD, indicating compliance when it had not met the required standards. Additionally, Penn State was alleged not to have used an approved external cloud service provider that complies with DoD security regulations for sensitive defense information.
“Universities that receive federal funding must take their cybersecurity obligations seriously,” said Principal Deputy Assistant Attorney General Brian M. Boynton, head of the Justice Department’s Civil Division. “We will continue our efforts under the department’s Civil Cyber-Fraud Initiative to hold contractors accountable when they fail to honor cybersecurity requirements designed to protect government information.”
This case stems from a whistleblower lawsuit filed under the False Claims Act, which empowers private citizens to report fraudulent claims against the government. Matthew Decker, the former chief information officer of Penn State’s Applied Research Laboratory, will receive $250,000 from the settlement for his role in exposing these issues.
“Federal contractors who store or access covered defense information must take required steps to protect that sensitive information from bad actors,” said U.S. Attorney Jacqueline C. Romero for the Eastern District of Pennsylvania. “When they fail to meet their cybersecurity obligations, we and our law enforcement partners will use every available tool to remedy the situation.”
The resolution of this case highlights the ongoing efforts of the U.S. government to enforce cybersecurity compliance among contractors, particularly following the launch of the Civil Cyber-Fraud Initiative by Deputy Attorney General Lisa Monaco in October 2021. This initiative aims to hold accountable those who compromise sensitive information through deficient cybersecurity practices or misrepresentation.
The successful settlement was achieved through a collaborative investigation involving various federal agencies, including the U.S. Attorney’s Office for the Eastern District of Pennsylvania and the Defense Contract Management Agency’s Cybersecurity Assessment Center.
“Safeguarding sensitive NASA and DoD data is crucial to ensuring that it does not fall into the hands of our adversaries or bad actors,” said Assistant Inspector General for Investigations Robert Steinau of NASA’s Office of Inspector General (NASA-OIG). “The University’s inability to adequately address known deficiencies not only put sensitive information at risk but also undermined the integrity of our government’s cybersecurity efforts. We remain committed to holding entities accountable when they fail to meet critical security standards, as demonstrated by this case.”