The Pennsylvania State University has agreed to pay $1.25 million to settle allegations of violating the False Claims Act by not adhering to cybersecurity requirements in several contracts with the Department of Defense (DoD) and NASA. The settlement addresses claims that, from 2018 to 2023, Penn State did not implement necessary cybersecurity controls as required by these agencies.
According to the United States, Penn State submitted scores indicating compliance with cybersecurity requirements but misrepresented implementation dates and failed to follow through on corrective plans. Additionally, it was alleged that Penn State used an external cloud service provider that did not meet DoD's security standards for certain contracts.
Principal Deputy Assistant Attorney General Brian M. Boynton emphasized the importance of universities meeting their federal cybersecurity obligations: “Universities that receive federal funding must take their cybersecurity obligations seriously.” U.S. Attorney Jacqueline C. Romero also stressed the need for contractors handling defense information to protect sensitive data: “Federal contractors who store or access covered defense information must take required steps to protect that sensitive information from bad actors.”
Special Agent Greg Gross highlighted the significance of safeguarding DoD research and acquisitions information amid increasing cyber threats: “As our cyber adversaries become increasingly sophisticated, the importance of cybersecurity in safeguarding Department of Defense research, development and acquisitions information cannot be overstated.”
Patrick J. Hegarty from DCIS noted the risks posed by non-compliance with DoD contract specifications: “Failing to comply with DoD contract specifications and cybersecurity requirements puts DoD information and programs at risk.” Robert Steinau from NASA-OIG added that failing to address known deficiencies undermines government cybersecurity efforts.
This settlement resolves a lawsuit filed under whistleblower provisions of the False Claims Act, allowing private parties like Matthew Decker, former chief information officer for Penn State’s Applied Research Laboratory, to sue on behalf of the government. Decker will receive $250,000 from the settlement amount.
The resolution resulted from collaboration between various governmental bodies including NCIS, NASA-OIG, DCIS, Army Criminal Investigation Division among others. Senior Trial Counsel Kimberly Friday and former Trial Attorney Melanie D. Hendry were involved in handling this case along with Assistant U.S. Attorneys Peter Carr and Rebecca S. Melley.
It is important to note that these resolved claims are only allegations without any determination of liability.