On October 22, 2024, the Department of Justice (DOJ) announced that Pennsylvania State University (Penn State) will pay $1.25 million to resolve allegations that it violated the False Claims Act (FCA) by failing to comply with cybersecurity requirements mandated in its contracts with the Department of Defense (DoD) and the National Aeronautics and Space Administration (NASA). The announcement marks the most recent settlement under DOJ’s Civil Cyber-Fraud Initiative, although, unlike prior settlements, there is no allegation of a cybersecurity incident or breach related to or caused by the contractor’s alleged noncompliance.
The relator, the former Chief Information Officer (CIO) of Penn State’s Applied Research Laboratory, filed his qui tam complaint in October 2022. See U.S. ex rel. Decker v. Penn. State Univ., No. 2:22-cv-03895 (E.D. Pa.). His primary allegation was that Penn State provided false self-attestations of compliance with cybersecurity requirements in its DoD contracts, in particular the following Defense Federal Acquisition Regulation Supplement (DFARS) clauses:
- DFARS 252.204-7012, which requires contractors to provide “adequate security” on all covered contractor information systems on which covered defense information (CDI) is processed, stored, created, or transmitted.
  - “Adequate security” includes, in pertinent part, implementing NIST SP 800-171 and, if utilizing an external cloud service provider to store, process, or transmit CDI, ensuring the provider meets security requirements equivalent to those established by the Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline.
  - Pursuant to DFARS 252.204-7012 and NIST SP 800-171, a contractor must:
    - have a System Security Plan (SSP) documenting its implementation of the NIST SP 800‑171 controls, and
    - create and maintain a plan of action and milestones (POA&M) for any controls not fully implemented, including an estimated date of completion for each.
- DFARS 252.204-7019 and 252.204-7020, which outline the DoD assessment methodology for scoring contractors’ implementation of NIST SP 800-171 (a perfect score being 110, one point per requirement before weighted deductions) and require that the resulting assessment score be posted in the Supplier Performance Risk System (SPRS).
On September 29, 2023, after the court ordered the case to be unsealed, DOJ filed its notice of non-intervention. DOJ stated that it was unable to decide whether to intervene at that time because it had not completed its investigation and intended to continue obtaining and reviewing information produced pursuant to Civil Investigative Demands (CIDs) issued to Penn State. The parties subsequently filed, and the court granted, several unopposed joint motions for a stay to accommodate DOJ’s request to continue its investigation and to promote judicial economy.
On October 22, 2024, DOJ intervened for the purpose of settling the action and concurrently filed the settlement agreement. Although the allegations in the settlement agreement were based on the same DFARS clauses at issue in the qui tam complaint, the agreement focused on different requirements. In the settlement agreement, DOJ alleged that Penn State violated contractual requirements to (i) submit the date by which “all requirements are expected to be implemented (i.e., a score of 110 is expected to be achieved) based on information gathered from associated plan(s) of action developed in accordance with NIST SP 800-171,” and (ii) utilize only external cloud service providers that meet the security requirements of the FedRAMP Moderate baseline. See DFARS 252.204‑7012(b)(2)(ii)(D); 252.204-7019(d)(1)(i)(F); 252.204-7020(d)(1)(F). DOJ contended that Penn State knowingly misstated the dates by which it expected to implement the required security controls, did not adequately document its plan to implement those controls, and used a cloud service provider that did not meet the FedRAMP Moderate baseline for certain contracts.