On October 22, 2024, the Department of Justice (“DOJ”) announced that Pennsylvania State University (“Penn State”) has agreed to pay $1,250,000 to settle a False Claims Act (“FCA”) case brought against the University approximately two years ago. The whistleblower in the case, the former chief information officer of the Penn State Applied Research Laboratory, alleged that Penn State failed to comply with cybersecurity requirements in fifteen contracts and/or subcontracts with the Department of Defense (“DoD”) and National Aeronautics and Space Administration (“NASA”) between 2018 and 2023.
Specifically, the lawsuit (as discussed in our prior blog) contended that Penn State failed to provide “adequate security” for Covered Defense Information (“CDI”), as contractually required by the DFARS 252.204-7012 clause. Under this clause, “adequate security” is defined as (at least) implementing all 110 security controls outlined in the National Institute of Standards and Technology (“NIST”) Special Publication (“SP”) 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. Moreover, federal regulations require DoD contractors to conduct a self-assessment of compliance with those 110 controls and report a compliance score (out of 110) in DoD’s Supplier Performance Risk System (“SPRS”). The lawsuit further alleged that Penn State falsified at least 20 documents related to its NIST SP 800-171 self-assessment and other self-attestations and put...