On October 22, the Department of Justice announced that Pennsylvania State University will pay $1.25 million to settle a False Claims Act ("FCA") lawsuit accusing it of failing to comply with cybersecurity requirements for defense and NASA contracts. The settlement resolves allegations, brought by an internal whistleblower, that Penn State failed to meet the Department of Defense's ("DOD") cybersecurity requirements for contractor information systems and for the use of external cloud service providers, as well as NASA's requirements mandating that unclassified information technology resources be secured.
Contractors that work with DOD (including major research institutions) should keep apprised of the long-awaited final rule for the Cybersecurity Maturity Model Certification ("CMMC") program, which was published in October and outlines the mandatory cybersecurity standards contractors must meet before they can bid on most DOD contracts. The CMMC rule becomes effective via 32 C.F.R. Part 170 on December 16, 2024, and will be implemented in contracts through future updates to the Defense Federal Acquisition Regulation Supplement ("DFARS"). The rule is an important next step in the evolution of cybersecurity requirements for contractors at every tier of the DOD supply chain, because it introduces third-party verification requirements for many contractors, replacing self-attestation for those contracts.
Many of the requirements the CMMC final rule imposes on contractors, such as compliance with NIST SP 800-171 to protect controlled unclassified information ("CUI"), are the same requirements that underlie the allegations in the Penn State case. The Department of Justice contended that the university failed to meet contractual cybersecurity requirements on 15 different DOD and NASA contracts and subcontracts between 2018 and 2023. Both agencies mandated compliance with the 110 security requirements specified in NIST SP 800-171, but the lawsuit alleged that Penn State failed to meet those requirements and knowingly misrepresented the dates by which it would report its summary-level compliance scores against them.
The chief information officer of Penn State's Applied Research Laboratory served as the whistleblower who filed the initial case against Penn State in October 2022. The complaint was unsealed in September 2023, when the government declined to intervene in the case. Following the government's non-intervention notice to the court, the case was stayed at the parties' request, and it appeared likely that a settlement would be reached.
As the Penn State case moved toward the settlement announced in October, another university decided to fight similar cybersecurity-related False Claims Act allegations brought against it. On October 21, the Georgia Institute of Technology ("Georgia Tech") filed a motion to dismiss in a pending FCA lawsuit. The case, which we have previously covered in detail in Enforcement Insider, began in July 2022 when two whistleblowers (senior members of Georgia Tech's cybersecurity division) filed an FCA action against Georgia Tech and the Georgia Tech Research Corp., alleging that both defendants failed to follow proper protocols for processing and storing CUI in connection with a DOD contract. For the first time in a cybersecurity FCA case, the government intervened. In its detailed, 99-page complaint, the government alleged that Georgia Tech submitted a false cybersecurity assessment score to DOD in December 2020: a score for a fictitious information technology system, rather than an accurate score for the system that actually handled the contract work.
Georgia Tech's motion to dismiss does not concede any failure to comply with DOD cybersecurity standards. Instead, according to the filing, the cybersecurity requirements for securing CUI did not apply to its research contracts at all, because the work was "fundamental research" (science and engineering work shared openly with the scientific community), which cannot be categorized as controlled information. Georgia Tech also characterized the cybersecurity rules as "ever-evolving" and argued that certain security requirements were not in place when the relevant contract award was executed.
As cybersecurity requirements continue to "evolve," contractors should recognize the need for increased vigilance: compliance must be maintained continuously against the requirements in force for each contract, and reported scores must accurately reflect the systems that actually handle the covered work.