- with readers working within the Advertising & Public Relations, Aerospace & Defence and Banking & Credit industries
The Pennsylvania State University will pay $1.25 million to settle allegations that it violated the FCA by failing to comply with contractual obligations to implement cybersecurity controls in 15 contracts or subcontracts involving the US Department of Defense (DoD) and the National Aeronautics and Space Administration (NASA).
The government alleged that the DoD and NASA contractually required Penn State to implement cybersecurity controls. However, between 2018 and 2023, the university failed to adequately develop mechanisms for correcting deficiencies it identified. DoD contracts require contractors to submit cybersecurity assessment scores demonstrating their compliance with cybersecurity requirements when using covered systems to store or access defense information. The government alleged that Penn State submitted scores acknowledging that it had not implemented certain controls but misrepresented the dates by which it would implement them. The government further alleged that the university ultimately did not pursue any plans of action to implement those controls. The government also claimed Penn State did not use an external cloud service provider that met the DoD's security requirements when performing certain contracts and subcontracts.
The settlement resolves a qui tam lawsuit filed by Matthew Decker, the former chief information officer for Penn State's Applied Research Laboratory. The whistleblower is slated to receive a $250,000 share of the settlement amount. The case is captioned US ex rel. Decker v. Pennsylvania State University, No. 2:22-cv-03895 (E.D. Pa.).
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
