ARTICLE
12 November 2024

Allegations Of A Litany Of Lyin': Penn State Settles Claims Of Cybersecurity Noncompliance

Crowell & Moring LLP


What You Need to Know

Key takeaway #1

This settlement underscores the growing focus on subcontractors and is a reminder that DOJ will continue to hold all contractors—whether direct or indirect—accountable for their cybersecurity posture. See Another One: It Pays to Consult the DOJ under the Civil Cyber Fraud Initiative | Crowell & Moring LLP. Notably, the allegations here arose under 15 contracts and subcontracts supporting DoD, with a majority being subcontracts.

Key takeaway #2

DOJ is evaluating all cybersecurity requirements under the relevant contractual obligations. While the allegations are in line with one of the categories of focus for FCA enforcement under the Civil Cyber-Fraud Initiative, i.e., entities that knowingly misrepresent their cybersecurity practices and protocols, this is the first settlement that focuses on failing to adequately document and pursue POA&Ms and on the cloud service provider requirements—illustrating the breadth of DOJ's interest in pursuing FCA liability based on noncompliance with cybersecurity requirements.

Key takeaway #3

While there is no prescribed POA&M timeline under the current framework, contractors should be mindful of the date they provide as the date of estimated completion. Failing to pursue or adequately document a POA&M is an area of risk for contractor liability.

Key takeaway #4

Unlike nearly all of the DOJ's Civil Cyber-Fraud Initiative settlements announced to date, the Penn State settlement agreement does not provide a value for—or even mention—restitution. This omission, along with the value of the settlement, leaves open the prospect that the absence of a cybersecurity incident or breach impacted DOJ's ability to demonstrate actual damages and, in turn, the monetary resolution reached by the parties.

On October 22, 2024, the Department of Justice (DOJ) announced that Pennsylvania State University (Penn State) will pay $1.25 million to resolve allegations that it violated the False Claims Act (FCA) by failing to comply with cybersecurity requirements mandated in its contracts with the Department of Defense (DoD) and the National Aeronautics and Space Administration (NASA). The announcement marks the most recent settlement under DOJ's Civil Cyber-Fraud Initiative although, unlike prior settlements, there is no allegation of a cybersecurity incident or breach that was related to or caused by the contractor's alleged noncompliance.

The relator, the former Chief Information Officer (CIO) of Penn State's Applied Research Laboratory, filed his qui tam complaint in October 2022. See U.S. ex rel. Decker v. Penn. State Univ., No. 2:22-cv-03895 (E.D. Pa.). His primary allegation was that Penn State provided false self-attestations of compliance with cybersecurity requirements in its DoD contracts, in particular the following Defense Federal Acquisition Regulation Supplement (DFARS) clauses:

  • DFARS 252.204-7012, which requires contractors to provide "adequate security" on all covered contractor information systems on which covered defense information (CDI) is processed, stored, created, or transmitted.
    • "Adequate security" includes, in pertinent part, implementing NIST SP 800-171 and, if utilizing a cloud service provider, ensuring the provider meets security requirements equivalent to those established by the Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline.
    • Pursuant to DFARS 252.204-7012 and NIST SP 800-171, a contractor must:
      1. have a System Security Plan (SSP) documenting its compliance with NIST SP 800-171 controls, and
      2. create and maintain a plan of action & milestones (POA&M) for any controls not fully implemented, including an estimated date of completion to fully implement the control.
  • DFARS 252.204-7019 and 252.204-7020, which outline assessment procedures for scoring contractors' compliance with NIST SP 800-171 and require that the resulting assessment score be uploaded to the Supplier Performance Risk System (SPRS).

On September 29, 2023, after the court ordered the case to be unsealed, DOJ filed its notice of non-intervention. DOJ stated that it was unable to decide whether to intervene at that time because it had not completed its investigation and intended to continue obtaining and reviewing information produced pursuant to Civil Investigative Demands (CIDs) issued to Penn State. The parties subsequently filed, and the court granted, several unopposed joint motions for a stay to accommodate DOJ's request to continue its investigation and to promote judicial economy.

On October 22, 2024, DOJ intervened to settle and resolve the action and concurrently filed the settlement agreement. Although the allegations in the settlement agreement were based on the same DFARS clauses at issue in the qui tam complaint, the agreement focused on different and distinct requirements. In the settlement agreement, DOJ alleged that Penn State violated contractual requirements to (i) submit the date by which "all requirements are expected to be implemented (i.e., a score of 110 is expected to be achieved) based on information gathered from associated plan(s) of action developed in accordance with NIST SP 800-171," and (ii) utilize external cloud service providers that meet the security requirements in the FedRAMP Moderate baseline. See DFARS 252.204‑7012(b)(2)(ii)(D); 252.204-7019(d)(1)(i)(F); 252.204-7020(d)(1)(F). DOJ contended that Penn State knowingly misstated the dates it expected to implement required security controls, did not adequately document its plan to implement these controls, and used a non-FedRAMP-compliant cloud service provider for certain contracts.
