Penn State pays DoJ $1.25M to settle cybersecurity compliance case

Fight On, State? Not this time


Pennsylvania State University has agreed to pay the Justice Department $1.25 million to settle claims of misrepresenting its cybersecurity compliance to the federal government and leaving sensitive data improperly secured. 

The settlement order between the DoJ and Penn State resolves allegations from a court case filed two years ago by a former university CIO who blew the whistle on the matter. Filing a case on behalf of the government (known as a qui tam complaint), Matthew Decker alleged that his former employer never implemented National Institute of Standards and Technology (NIST) cybersecurity requirements specified in contracts it had with the Pentagon and NASA. 

According to court documents, the DoJ took over the case to settle the matter, and its allegations are the same as Decker's. 

The DoJ contends in its settlement agreement that Penn State failed to comply with NIST SP 800-171, which outlines requirements for how non-government entities have to store controlled unclassified information (CUI). Fifteen contracts between Penn State, the DoD, and NASA involved "collection, development, receipt, transmission, use or storing" of such info for the agencies, necessitating compliance with the NIST regulation. 

"Penn State did not implement certain NIST SP 800-171 security requirements, and did not adequately document, develop and implement plans of action designed to correct deficiencies," the DoJ alleged. 

The settlement also contends that Penn State told the government in late 2020 that it hadn't implemented all the requirements, but it never took steps to resolve the matter.

"Penn State also allegedly knowingly misstated … the dates by which it expected to implement all 110 of NIST SP 800-171's requirements for those systems and failed to pursue plans of action for their implementation," the DoJ said. 

In addition, the government argued (as did Decker) that Penn State abandoned its contract with government-compliant cloud host Box in favor of OneDrive, which doesn't meet NIST's CUI security requirements, to save money - hopefully more than $1.25 million. 

As Decker brought the original action, he's eligible for a piece of the settlement pie, with the DoJ indicating he'll be getting $250k of the settlement. 

Penn State (known where this vulture is from as the other original land grant university) expressed to The Register that the settlement wasn't any admission of guilt on its part, and reiterated what it told us when we reported the Decker complaint in 2023 that it has significant resources devoted to complying with its obligations and enhancing cybersecurity.

As is often the publicly stated case with settlements like these, Penn State just wants to put the past behind it. 

"The University wishes to avoid costly and distracting litigation and to address any concerns our government sponsors may have related to this matter," a PSU spokesperson told us, and made a point of telling us that the alleged security failing never amounted to any real-world harm.

"There is no suggestion by our research sponsors that any of the non-classified information that has been the subject of this matter was ever compromised," the spokesperson said. ®
