Penn State fined $1.25 million for failing to meet cyber requirements in federal contracts
Penn State University has been fined $1.25 million for failing to comply with cybersecurity requirements laid out in its contracts with federal agencies.
The fine pertains to 15 different contracts between the school and the Department of Defense and National Aeronautics and Space Administration (NASA).
The school was accused of failing to implement required cybersecurity controls between 2018 and 2023 and, after acknowledging the gaps, allegedly failing to develop or carry out any plan to correct them.
The DOJ said Penn State admitted its cybersecurity failings in assessment filings and pledged to fix them but “misrepresented the dates by which it would implement them and did not pursue plans of action to do so.”
Principal Deputy Assistant Attorney General Brian Boynton said universities receiving federal funding must take their cybersecurity obligations seriously and said as head of the Justice Department’s Civil Division he would continue to go after schools that “fail to honor cybersecurity requirements designed to protect government information.”
In addition to the other cybersecurity failures, the school did not use an external cloud service provider that met the Defense Department’s security requirements for covered defense information.
“As our cyber adversaries become increasingly sophisticated, the importance of cybersecurity in safeguarding Department of Defense research, development and acquisitions information cannot be overstated,” said Greg Gross, special agent in charge of the Naval Criminal Investigative Service Economic Crimes Field Office.
The settlement is the result of a lawsuit that was filed under the whistleblower provisions of the False Claims Act, which allows people to file suits on behalf of the federal government when they know an institution has submitted false claims as part of applications for government funding.
Matthew Decker, the former chief information officer for Penn State’s Applied Research Laboratory, will receive a $250,000 share of the settlement amount as the whistleblower.
The settlement allows the school to neither admit nor deny the charges against it. A Penn State spokesperson told Recorded Future News that it has now “proactively adopted additional cybersecurity policies and systems to meet anticipated future obligations across the global research landscape.”
“There is no suggestion by our research sponsors that any of the non-classified information that has been the subject of this matter was ever compromised,” they said.
“Rather, the government's concerns — following its thorough investigation — primarily focus on the documentation related to implementing specific controls for handling data and information. The University wishes to avoid costly and distracting litigation and to address any concerns our government sponsors may have related to this matter.”
Robert Steinau, the assistant inspector general for investigations within NASA’s Office of Inspector General, explained that the university put sensitive information at risk by failing to address known security deficiencies.
The settlement is part of the larger Civil Cyber-Fraud Initiative launched by Deputy Attorney General Lisa Monaco in 2021 that aims to punish organizations for not adequately protecting government data due to lackluster cybersecurity controls.
In August, the DOJ joined a similar lawsuit against Georgia Institute of Technology that involved the mishandling of federal government data and outright falsehoods submitted as part of applications for government contracts.
“Federal contractors who store or access covered defense information must take required steps to protect that sensitive information from bad actors,” said Jacqueline C. Romero, U.S. Attorney for the Eastern District of Pennsylvania.
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.