Pennsylvania State University (Penn State) has agreed to pay $1.25m to resolve allegations of failing to meet federal cybersecurity requirements tied to contracts with the Department of Defense (DoD) and NASA.
The settlement follows claims that the university did not implement necessary cybersecurity controls across 15 contracts or subcontracts between 2018 and 2023.
Whistleblower Allegations and Compliance Failures
The allegations were initially raised by Matthew Decker, former chief information officer of Penn State’s Applied Research Laboratory, through a whistleblower lawsuit filed under the False Claims Act.
Decker alleged that Penn State did not comply with Defense Federal Acquisition Regulation Supplement (DFARS) cybersecurity standards, which are required for federal contractors handling sensitive information.
Specifically, the university was accused of failing to implement security measures in line with NIST Special Publication 800-171, a set of guidelines intended to safeguard government data.
According to the US government, Penn State not only failed to meet these standards but also misrepresented its efforts to address security deficiencies. The settlement claims the university did not properly document or execute corrective actions to remedy vulnerabilities, as contractually required.
Additionally, it allegedly used a cloud service provider that did not meet DoD security specifications.
Implications and Accountability in Cybersecurity
As part of the agreement, Decker will receive $250,000 as a reward for his role in bringing the violations to light. Penn State will also cover $150,000 in legal fees for Decker’s counsel.
This settlement underscores the growing focus on holding institutions accountable for safeguarding sensitive information. Federal officials emphasized that universities and contractors must take their cybersecurity responsibilities seriously, as lapses could expose critical defense and research data to bad actors.
“The University’s inability to adequately address known deficiencies not only put sensitive information at risk but also undermined the integrity of our government’s cybersecurity efforts,” commented assistant inspector general for investigations Robert Steinau of NASA’s Office of Inspector General (NASA-OIG).
“We remain committed to holding entities accountable when they fail to meet critical security standards, as demonstrated by this case.”
This case is part of the Justice Department’s broader Civil Cyber-Fraud Initiative, which seeks to hold entities accountable for failing to meet cybersecurity obligations on federal contracts.
The settlement comes months after the US government filed a lawsuit against the Georgia Institute of Technology (Georgia Tech) and its affiliate Georgia Tech Research Corporation (GTRC) for alleged cybersecurity violations.