The Cybersecurity Case: Penn State Agrees to Pay $1.25m Settlement
Pennsylvania State University (Penn State) has recently reached a settlement agreement to pay $1.25m in response to allegations of failing to meet federal cybersecurity requirements linked to contracts with the Department of Defense (DoD) and NASA.
The settlement stems from claims that the university did not adequately implement crucial cybersecurity controls across 15 contracts or subcontracts between the years 2018 and 2023.
The Whistleblower’s Allegations and Compliance Shortcomings
The initial allegations were raised by Matthew Decker, a former chief information officer of Penn State’s Applied Research Laboratory, who filed a whistleblower lawsuit under the False Claims Act.
Decker alleged that Penn State failed to adhere to Defense Federal Acquisition Regulation Supplement (DFARS) cybersecurity standards, which are mandatory for federal contractors handling sensitive information.
Specifically, the university was accused of not implementing security measures in accordance with NIST Special Publication 800-171, a framework designed to protect government data.
According to the US government, Penn State not only fell short of meeting these standards but also misrepresented its efforts to address security vulnerabilities. The settlement highlights the university’s failure to adequately document or execute corrective actions to rectify weaknesses as required by their contracts.
Furthermore, it was reported that Penn State used a cloud service provider that did not meet the DoD’s security specifications.
Significance and Accountability in Cybersecurity
As part of the settlement, Decker will receive a $250,000 reward for his role in exposing the violations, and Penn State will cover $150,000 in fees for Decker’s legal representation.
This case serves as a reminder of the increasing emphasis on holding organizations accountable for protecting sensitive information. Federal officials stress the importance of universities and contractors taking their cybersecurity responsibilities seriously, as breaches could jeopardize critical defense and research data.
Assistant Inspector General for Investigations Robert Steinau of NASA’s Office of Inspector General (NASA-OIG) remarked, “The University’s failure to address known deficiencies not only placed sensitive information at risk but also undermined the integrity of our government’s cybersecurity efforts.”
He added, “We are committed to holding entities accountable for falling short of crucial security standards, as illustrated by this case.”
This case is part of the Justice Department’s broader Civil Cyber-Fraud Initiative, which aims to hold entities responsible for failing to meet cybersecurity obligations in federal contracts.
The settlement comes in the wake of a lawsuit filed by the US government against the Georgia Institute of Technology (Georgia Tech) and its affiliate Georgia Tech Research Corporation (GTRC) for alleged cybersecurity breaches.