Penn State to Pay $1.25M to Resolve Claims of Cybersecurity Non-Compliance

October 24, 2024

The Pennsylvania State University has agreed to pay $1,250,000 to settle claims that it violated the False Claims Act by failing to comply with cybersecurity requirements in 15 contracts involving the Department of Defense (DoD) or National Aeronautics and Space Administration (NASA).

US Attorney Jacqueline C. Romero announced the settlement, which involves allegations that, between 2018 and 2023, Penn State failed to implement cybersecurity controls required by DoD and NASA and did not adequately develop and implement plans of action to correct deficiencies it identified.

The claims resolved by the settlement are allegations only and there has been no determination of liability.

The settlement resolves a lawsuit filed under the whistleblower provisions of the False Claims Act, which permit private parties to sue on behalf of the government when they believe that a defendant has submitted false claims for government funds, and to receive a share of any recovery. The whistleblower, Matthew Decker, former Chief Information Officer for Penn State’s Applied Research Laboratory, will receive a $250,000 share of the settlement amount.

DoD requires contractors to submit summary level scores reflecting the status of their compliance with cybersecurity requirements on covered contracting systems used to store or access covered defense information. The United States alleged that Penn State submitted cybersecurity assessment scores to DoD that reflected it had not implemented certain controls, but misrepresented the dates by which it would implement them and did not pursue plans of action to do so.

The United States also alleged that in performing certain contracts and subcontracts Penn State did not use an external cloud service provider that met DoD’s security requirements for covered defense information.

“Federal contractors who store or access covered defense information must take required steps to protect that sensitive information from bad actors,” said U.S. Attorney Romero.

“As our cyber adversaries become increasingly sophisticated, the importance of cybersecurity in safeguarding Department of Defense research, development and acquisitions information cannot be overstated,” said Special Agent in Charge Greg Gross, Naval Criminal Investigative Service Economic Crimes Field Office.

The resolution obtained in this matter was the result of a coordinated effort that involved the US Attorney’s Office for the Eastern District of Pennsylvania, the Justice Department and the Department of Defense.