PHILADELPHIA. – United States Attorney Jacqueline C. Romero announced that The Pennsylvania State University (Penn State) has agreed to pay $1,250,000 to resolve allegations that it violated the False Claims Act by failing to comply with cybersecurity requirements in 15 contracts or subcontracts involving the Department of Defense (DoD) or National Aeronautics and Space Administration (NASA).
The settlement resolves allegations that, between 2018 and 2023, Penn State failed to implement cybersecurity controls that were contractually required by DoD and NASA and did not adequately develop and implement plans of action to correct deficiencies it identified. DoD requires contractors to submit summary level scores reflecting the status of their compliance with applicable cybersecurity requirements on covered contracting systems used to store or access covered defense information. The United States alleged that Penn State submitted cybersecurity assessment scores to DoD that reflected it had not implemented certain controls, but misrepresented the dates by which it would implement them and did not pursue plans of action to do so. The United States also alleged that in performing certain of the contracts and subcontracts Penn State did not use an external cloud service provider that met DoD’s security requirements for covered defense information.
“Federal contractors who store or access covered defense information must take required steps to protect that sensitive information from bad actors,” said U.S. Attorney Romero. “When they fail to meet their cybersecurity obligations, we and our law enforcement partners will use every available tool to remedy the situation.”
“As our cyber adversaries become increasingly sophisticated, the importance of cybersecurity in safeguarding Department of Defense research, development and acquisitions information cannot be overstated,” said Special Agent in Charge Greg Gross, Naval Criminal Investigative Service Economic Crimes Field Office. “NCIS, along with our federal partners, are committed to investigating entities who fail to implement contractual requirements designed to protect Department of the Navy critical information.”
“Protecting the integrity of Department of Defense (DoD) procurement activities is a top priority for the DoD Office of Inspector General’s Defense Criminal Investigative Service (DCIS),” stated Special Agent in Charge Patrick J. Hegarty, DCIS Northeast Field Office. “Failing to comply with DoD contract specifications and cybersecurity requirements puts DoD information and programs at risk. We will continue to work with our law enforcement partners and the Department of Justice to investigate allegations of false claims on DoD contracts.”
“Safeguarding sensitive NASA and DoD data is crucial to ensuring that it does not fall into the hands of our adversaries or bad actors,” said Assistant Inspector General for Investigations Robert Steinau of NASA. “The University’s inability to adequately address known deficiencies not only put sensitive information at risk but also undermined the integrity of our government’s cybersecurity efforts. We remain committed to holding entities accountable when they fail to meet critical security standards, as demonstrated by this case.”
On October 6, 2021, Deputy Attorney General Lisa Monaco announced the department’s Civil Cyber-Fraud Initiative, which aims to hold accountable entities or individuals that put sensitive information at risk by knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cybersecurity incidents. Information on how to report cyberfraud can be found here.
The settlement resolves a lawsuit filed under the whistleblower provisions of the False Claims Act, which permit private parties to sue on behalf of the government when they believe that a defendant has submitted false claims for government funds and receive a share of any recovery. The settlement in this case provides for the whistleblower, Matthew Decker, former Chief Information Officer for Penn State’s Applied Research Laboratory, to receive a $250,000 share of the settlement amount. The qui tam case is captioned U.S. ex rel. Decker v. Pennsylvania State University., No. 2:22-cv-03895 (E.D Pa.).
The resolution obtained in this matter was the result of a coordinated effort between the United States Attorney’s Office for the Eastern District of Pennsylvania and the Justice Department’s Civil Division, Commercial Litigation Branch, Fraud Section, with assistance from NCIS, NASA-OIG, Department of Defense Office of Inspector General, Defense Criminal Investigative Service, Army Criminal Investigation Division, Naval Audit Service, the Defense Contract Management Agency’s Defense Industrial Base Cybersecurity Assessment Center, and the Air Force Material Command.
The matter was handled in the U.S. Attorney’s Office for the Eastern District of Pennsylvania by Assistant U.S. Attorneys Rebecca S. Melley and Peter Carr and Auditor Dawn Wiggins.
The claims resolved by the settlement are allegations only and there has been no determination of liability.
