Penn State University has agreed to pay $1.25 million to the Department of Justice (DoJ) to settle allegations of failing to comply with cybersecurity requirements in contracts with the federal government. The settlement stems from a whistleblower lawsuit filed by a former university official, highlighting significant lapses in the university's cybersecurity practices.
Key Takeaways
Penn State will pay $1.25 million to settle cybersecurity compliance allegations.
The case was initiated by whistleblower Matthew Decker, former CIO of the Applied Research Laboratory.
The university did not admit wrongdoing but aims to avoid costly litigation.
Background of the Case
The allegations against Penn State emerged from a lawsuit filed by Matthew Decker, who served as the chief information officer for the university's Applied Research Laboratory. Decker claimed that between 2018 and 2023, the university failed to implement necessary cybersecurity controls required by contracts with the Department of Defense (DoD) and NASA.
The lawsuit was filed under the False Claims Act, which allows individuals to sue on behalf of the government when they believe false claims have been made to obtain government funds. Decker's whistleblower complaint alleged that Penn State misrepresented its compliance with the National Institute of Standards and Technology (NIST) cybersecurity requirements, specifically NIST SP 800-171, which specifies the security controls that non-federal organizations must implement to protect controlled unclassified information (CUI) on their own systems.
Allegations of Non-Compliance
The DoJ's investigation revealed several key points regarding Penn State's alleged failures:
Failure to Implement Controls: The university did not implement required cybersecurity measures across 15 contracts involving sensitive information.
Misrepresentation: Penn State allegedly misrepresented the timeline for implementing necessary cybersecurity controls and failed to pursue corrective actions.
Inadequate Documentation: The university did not adequately document its cybersecurity practices, which is essential for compliance with federal regulations.
Use of Non-Compliant Services: Penn State reportedly switched from a compliant cloud service provider to OneDrive, which does not meet the required security standards.
Settlement Details
As part of the settlement, Penn State will pay $1.25 million, with $250,000 allocated to Decker for his role as the whistleblower. The university has stated that the settlement does not constitute an admission of guilt and emphasized its commitment to enhancing cybersecurity measures moving forward.
In a statement, Penn State expressed its desire to resolve the matter to avoid costly litigation and to address any concerns from its government sponsors. The university reiterated that there is no evidence that any non-classified information was compromised as a result of the alleged failures.
Implications for Cybersecurity in Higher Education
This case highlights the increasing scrutiny on universities and research institutions regarding their cybersecurity practices, especially when handling sensitive government data. Federal officials have stressed the importance of compliance with cybersecurity standards to protect against potential threats from adversaries.
Robert Steinau, NASA's assistant inspector general for investigations, stated that the university's inability to address known deficiencies not only jeopardized sensitive information but also undermined the integrity of government cybersecurity efforts.
As universities continue to receive substantial federal funding for research, the need for robust cybersecurity measures will only grow. This settlement serves as a reminder that institutions must take their cybersecurity obligations seriously to maintain trust and integrity in their operations.
With digital threats evolving faster than ever, cybersecurity has become a cornerstone of business resilience. Safeguarding your organization requires more than just technology—it takes a proactive, layered approach that combines advanced tools with a culture of awareness. At BetterWorld Technology, we partner with you to build security measures that adapt to today’s threat landscape. Don’t let vulnerabilities become liabilities; contact us to explore solutions that keep your business secure and resilient.
Sources
Penn State settles cybersecurity compliance case for $1.25M, The Register.
Penn State Will Pay $1.25M to Settle Cybersecurity Suit, GovTech.
Penn State Settles for $1.25M Over Cybersecurity Violations, Infosecurity Magazine.
Penn State pays $1.25 million to resolve False Claims Act cybersecurity allegations, The Daily Collegian (psucollegian.com).
Penn State to Pay $1.25M to Settle Claims It Failed to Comply With Cybersecurity Requirements on Defense Contracts, StateCollege.com.