Nkechi Kanu, Brian Tully McLaughlin, Jacob Harrison, Jennie Wang VonCannon, Stephen M. Byers

On October 22, 2024, the Department of Justice (DOJ) announced that Pennsylvania State University (Penn State) will pay $1.25 million to resolve allegations that it violated the False Claims Act (FCA) by failing to comply with cybersecurity requirements contractually mandated by the Department of Defense (DoD) and National Aeronautics and Space Administration (NASA).  The announcement marks the most recent settlement under DOJ’s Civil Cyber-Fraud Initiative, although, unlike prior settlements, there is no allegation of a cybersecurity incident or breach that was related to or caused by the contractor’s alleged noncompliance.

The relator, the former Chief Information Officer (CIO) of Penn State’s Applied Research Laboratory, filed his qui tam complaint in October 2022.  See U.S. ex rel. Decker v. Penn. State Univ., No. 2:22-cv-03895 (E.D. Pa.).  His primary allegation was that Penn State provided false self-attestations of compliance with cybersecurity requirements in its DoD contracts, in particular the following Defense Federal Acquisition Regulation Supplement (DFARS) clauses:

  • DFARS 252.204-7012, which requires contractors to provide “adequate security” on all covered contractor information systems for covered defense information (CDI) that is processed, stored, created, or transmitted.
    • “Adequate security” includes, in pertinent part, implementing NIST SP 800-171 and, if utilizing a cloud service provider, ensuring the provider meets security requirements equivalent to those established by the Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline.
    • Pursuant to DFARS 252.204-7012 and NIST SP 800-171, a contractor must:
      1. have a System Security Plan (SSP) documenting its compliance with NIST SP 800‑171 controls, and
      2. create and maintain a plan of action & milestones (POA&M) for any controls not fully implemented, including an estimated date of completion to fully implement the control.
  • DFARS 252.204-7019 and 252.204-7020, which outline assessment procedures for scoring contractors’ compliance with NIST SP 800-171 and require that the resulting assessment score be uploaded to the Supplier Performance Risk System (SPRS).

On September 29, 2023, after the court ordered the case to be unsealed, DOJ filed its notice of non-intervention.  DOJ stated that it was unable to decide whether to intervene at that time because it had not completed its investigation and intended to continue obtaining and reviewing information produced pursuant to Civil Investigative Demands (CIDs) issued to Penn State.  The parties subsequently filed, and the court granted, several unopposed joint motions for a stay to accommodate DOJ’s request to continue its investigation and to promote judicial economy. 

On October 22, 2024, DOJ intervened to settle and resolve the action and concurrently filed the settlement agreement.  Although the allegations in the settlement agreement were based on the same DFARS clauses at issue in the qui tam complaint, the agreement focused on different and distinct requirements.  In the settlement agreement, DOJ alleged that Penn State violated contractual requirements to (i) submit the date by which “all requirements are expected to be implemented (i.e., a score of 110 is expected to be achieved) based on information gathered from associated plan(s) of action developed in accordance with NIST SP 800-171,” and (ii) utilize external cloud service providers that meet the security requirements in the FedRAMP Moderate baseline.  See DFARS 252.204‑7012(b)(2)(ii)(D); 252.204-7019(d)(1)(i)(F); 252.204-7020(d)(1)(F).  DOJ contended that Penn State knowingly misstated the dates it expected to implement required security controls, did not adequately document its plan to implement these controls, and used a non-FedRAMP-compliant cloud service provider for certain contracts.

Nkechi Kanu

Nkechi A. Kanu is a counsel in the Washington, D.C. office of Crowell & Moring, where she is a member of the firm’s Government Contracts Group.

Nkechi’s practice focuses on False Claims Act investigations and litigation. Nkechi has significant experience assisting companies with complex internal investigations and represents clients in government investigations involving allegations of fraud. She also focuses on assisting clients with investigations relating to cybersecurity and information security compliance. Her complementary litigation practice involves defending companies in government-facing litigation arising under the FCA, resulting in the dismissal of qui tam complaints and successful settlements of FCA claims with DOJ.

Brian Tully McLaughlin

Brian Tully McLaughlin is a partner in the Government Contracts Group in Washington, D.C. and co-chair of the False Claims Act Practice. Tully’s practice focuses on False Claims Act investigations and litigation, particularly trial and appellate work, as well as litigation of a variety of complex claims, disputes, and recovery matters. Tully’s False Claims Act experience spans procurement fraud, healthcare fraud, defense industry fraud, and more. He conducts internal investigations and represents clients in government investigations who are facing fraud or False Claims Act allegations. Tully has successfully litigated False Claims Act cases through trial and appeal, both those brought by whistleblowers / qui tam relators and the Department of Justice alike. He also focuses on affirmative claims recovery matters, analyzing potential claims and changes, counseling clients, and representing government contractors, including subcontractors, in claims and disputes proceedings before administrative boards of contract appeals and the Court of Federal Claims, as well as in international arbitration. His claims recovery experience includes unprecedented damages and fee awards. Tully has appeared and tried cases before judges and juries in federal district courts, state courts, and administrative boards of contract appeals, and he has argued successful appeals before the D.C. Circuit, the Federal Circuit, and the Fourth and Seventh Circuits.

Jacob Harrison

Jacob Harrison helps his clients navigate both domestic and international legal challenges.

Jake advises U.S. government contractors on internal investigations and state and federal regulatory compliance. His compliance practice focuses on counseling clients operating at the intersection of government contracts and cybersecurity, including for cybersecurity compliance reviews, risk assessments, and data breaches.

In his international practice, Jake represents foreign and domestic clients in Foreign Sovereign Immunities Act and Anti-Terrorism Act litigation. He also has experience advising clients involved in cross-border commercial arbitration proceedings.

During law school, Jake served as an associate editor of the Emory Law Journal and interned at the Supreme Court of Georgia and the Georgia House Democratic Caucus. Before attending law school, Jake worked in politics and state government.

Jennie Wang VonCannon

Jennie VonCannon is a trial lawyer with a proven track record of success in both the courtroom and the boardroom — with extensive experience in white collar defense and cybersecurity matters. Jennie helps clients in crisis with internal investigations, law enforcement and regulatory inquiries and subpoenas, and cybersecurity and privacy incidents. Her impeccable judgment has been honed over 11 years as a federal prosecutor, culminating in her selection to serve with distinction as the deputy chief of the Cyber and Intellectual Property Crimes Section of the National Security Division of the U.S. Attorney’s Office for the Central District of California.

Stephen M. Byers

Stephen M. Byers is a partner in the firm’s White Collar & Regulatory Enforcement Group and serves on the group’s steering committee. He is also a member of the firm’s Government Contracts Group and E-Discovery & Information Management Group. Mr. Byers’s practice involves counseling and representation of corporate and individual clients in all phases of white collar criminal and related civil matters, including: internal corporate investigations; federal grand jury, inspector general, civil enforcement and congressional investigations; and trials and appeals.

Mr. Byers’s practice focuses on matters involving procurement fraud, health care fraud and abuse, trade secrets theft, foreign bribery, computer crimes and cybersecurity, and antitrust conspiracies. He has extensive experience with the federal False Claims Act and qui tam litigation, the Foreign Corrupt Practices Act, the Economic Espionage Act, and the Computer Fraud and Abuse Act. In addition to defense of government investigations and prosecutions, Mr. Byers has represented corporate victims of trade secrets theft, cybercrime, and other offenses. For example, he represented a Fortune 100 U.S. company in parallel civil and criminal proceedings that resulted in a $275 million criminal restitution order against a foreign competitor upon its conviction for trade secrets theft.