Feds hit Penn State University with false claims lawsuit over cyber compliance

![Students between class, Penn State University. The lawsuit represents one of the first attempts by the government to hold contractors accountable for false cybersecurity claims made in federal contracts. (Photo by John Greim/LightRocket via Getty Images)](https://image-optimizer.cyberriskalliance.com/unsafe/1920x0/https://files.cyberriskalliance.com/wp-content/uploads/2023/09/Penn-State-University.jpg)

Students between class, Penn State University. The lawsuit represents one of the first attempts by the government to hold contractors accountable for false cybersecurity claims made in federal contracts. (Photo by John Greim/LightRocket via Getty Images)
The United States government is bringing legal action against Penn State University under the False Claims Act, alleging that the university lied about, or misrepresented, its adherence to government cybersecurity protocols when contracting with the federal government.

The suit is being brought on behalf of Matthew Decker, chief information officer at a Penn State research laboratory who also served briefly as interim vice provost and CIO for the university in 2016. Decker's claims and testimony about the university's malfeasance form the basis of the lawsuit.

Like all defense contractors, Penn State receives and generates as part of its work what is known as controlled unclassified information (CUI): data which falls below the threshold of official government secrets but must nonetheless be handled by contractors in highly specified ways, to prevent malicious parties from using it to piece together gaps in government security or programs.

The most common way for contractors to demonstrate that they are handling such information responsibly is adherence to federal standards created by the National Institute of Standards and Technology (NIST). These include 22 detailed requirements for protecting controlled unclassified information that span digital and physical protections, as well as audits, risk assessments and proper security configurations. Under new regulations being crafted by the Department of Defense, some contractors will be required to undergo third-party assessments to validate their compliance with NIST rules, but for now organizations can essentially pinky promise to the government that they are following the rules.
According to Decker and the federal government, Penn State has been falsely claiming adherence to these standards for years.

"Although Penn State has provided self-attestations of compliance to DoD as required since December 31, 2017, these were false," the lawsuit claims.

Penn State's IT operations are split between dozens of different organizations, and Decker, who was tasked with bringing the Applied Research Lab into compliance, was also recruited as interim CIO for the university to help determine what might be needed to bring its other operations in line.

Decker claims that after he finished his interim role, he discovered missing records for certain university projects in the Supplier Performance Risk System (SPRS), a database used to monitor contractor performance around acquisitions and procurement. According to Decker, the university, under order from his successor, "simply uploaded template documents to 'solve' the missing records problem."

"The risk assessment scores, artifacts, and incomplete records entered into SPRS were knowingly false and were added merely to 'check the box' so that there would be no 'missing' records," the lawsuit claims.

In another instance, in 2020, the university allegedly moved its cloud services from Box, a solution certified by FedRAMP, the federal government's program for approving secure cloud applications for government use, to a commercial version of Microsoft 365 OneDrive, which was not certified.

In 2022, when several parties raised concerns that NASA contracts awarded to Penn State may be out of compliance with federal cybersecurity requirements, Penn State's new interim CIO "took the position that Penn State Policy AD95 was based upon the NIST 800-171 standards, and therefore PSU was compliant wherever OIS had issued an Authority to Operate based off of AD95."

Decker and the government claim the policy named by Penn State does not adhere to NIST standards around controlled unclassified information, and a later review by the university found that "Penn State had never reached actual…compliance and thus had been falsely attesting to compliance since January 1, 2018."

The lawsuit claims that "to this day, Penn State does not appear to be working toward compliance" with federal standards.