On Tuesday, October 22, 2024, Pennsylvania State University (“Penn State”) reached a settlement with the Department of Justice (“DoJ”), agreeing to pay the US Government (“USG”) $1.25M for alleged cybersecurity compliance violations under the False Claims Act (“FCA”). This settlement follows a qui tam action filed by a whistleblower and former employee of Penn State’s Applied Research Laboratory. The settlement agreement provides some additional insight into the priorities of DoJ’s Civil Cyber Fraud Initiative (“CFI”) and the types of cybersecurity issues of interest to the Department. It also highlights the extent to which DoJ is focusing on the full range of cybersecurity compliance obligations that exist in a company’s contract in enforcement actions.
DoJ’s Civil Cyber-Fraud Initiative
On October 6, 2021, following a series of ransomware and other cyberattacks on government contractors and other public and private entities, DoJ announced the CFI. We covered the CFI as it was first announced in more detail here, and in a comprehensive separately published article here. As explained by Deputy Attorney General Lisa Monaco and other DoJ officials, DoJ is using the civil FCA to pursue government contractors and grantees that fail to comply with mandatory cyber incident reporting requirements and other regulatory or contractual cybersecurity requirements. Moreover, depending on the facts, DoJ Criminal likely will be interested in some of these cases.
About the Settlement
On October 5, 2022, a relator – the former chief information officer for Penn State’s Applied Research Laboratory – filed a qui tam action in the United States District Court of the Eastern District of Pennsylvania. The relator alleged in an amended complaint from 2023 that he discovered and raised non-compliance issues, which Penn State management did not address, and that Penn State falsified compliance documentation. On October 23, 2024, DoJ formally intervened and notified the court that it reached a settlement agreement with Penn State. The settlement agreement alleges that Penn State violated the FCA by failing to implement adequate safeguards and to meet cybersecurity requirements set forth under National Institute of Standards and Technology (“NIST”) Special Publication (“SP”) 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.” As set forth in the settlement agreement, these issues related to fifteen contracts and subcontracts involving the Department of Defense (“DoD”) and the National Aeronautics and Space Administration (“NASA”) between January 2018 and November 2023.
Specifically, the settlement agreement alleges that each of the fifteen contracts involved the processing, storing, or transmission of Controlled Defense Information, and that Penn State failed to comply with the following:
- Defense Federal Acquisition Regulation Supplement (“DFARS”) 252.204-7008 and 252.204-7012 (“DFARS 7012”) requirements that DoD contractors and subcontractors adequately safeguard all covered contractor information systems under NIST SP 800-171;
- DFARS 7012 requirement that any external cloud service provider (“CSP”) used by a DoD contractor or subcontractor to “store, process, or transmit covered defense information” meet safeguard requirements equivalent to those established under the Federal Risk and Authorization Management Program (“FedRAMP”) Moderate baseline;
- DFARS 252.204-7019 and 252.204-7020 requirements that DoD contractors and subcontractors post summary level scores of a current NIST SP 800-171 DoD assessment to the Supplier Performance Risk System (“SPRS”) and provide a timeline by which “all requirements are expected to be implemented… based on information gathered from associated plan(s) of action developed in accordance with NIST SP 800-171”; and
- NASA Federal Acquisition Regulation Supplement (“NFS”) 1852.204-76 requirement that NASA contractors and subcontractors provide security for unclassified information technology resources as set forth in NASA’s Applicable Documents List, which for Penn State required compliance with NIST SP 800-171 for certain unclassified information.
Although Penn State submitted cybersecurity assessment scores to DoD through SPRS showing it had not implemented some required controls as mandated under DFARS 252.204-7019(d) and 252.204-7020(d), the settlement agreement alleges that Penn State misrepresented the timelines for implementing the required controls and failed to show that it adequately documented and pursued plans of action to obtain compliance. Additionally, the settlement agreement alleges that for some contracts, Penn State failed to use an external CSP compliant with FedRAMP Moderate baseline requirements.
Key Takeaways
Defense contractors and subcontractors should take note: this and other recent publicly announced settlements demonstrate the resources that DoJ is dedicating to this particular area of fraud. In addition to these public settlements, there are likely numerous investigations and qui tam actions yet to be announced and/or resolved. Contractors and subcontractors should consider making compliance with all aspects of applicable cybersecurity requirements a priority and should work closely with their information security professionals and business leadership, as appropriate, to ensure that employees are empowered to raise non-compliance concerns and that contractors and subcontractors are meeting their contractual obligations.
A common theme across the recent publicly announced settlements has been the presence of a whistleblower. Given the technical complexity of these matters, DoJ signaled at the time it rolled out the initiative that it would welcome and need qui tam relators to identify some of these non-compliances. Thus, contractors and subcontractors should work with and empower their information security professionals to identify possible challenges to meeting their contractual requirements and understand the certifications they are making both to the government directly (in SPRS) and to higher-tier contractors. As US Attorney Jacqueline Romero noted about the settlement with Penn State, “Federal contractors who store or access covered defense information must take required steps to protect that sensitive information from bad actors… When they fail to meet their cybersecurity obligations, we and our law enforcement partners will use every available tool to remedy the situation.”
Additionally, as the USG seeks to make its supply chain more resilient, contractors and subcontractors should familiarize themselves with new cybersecurity regimes such as DoD’s Cybersecurity Maturity Model Certification (“CMMC”) Program, which we most recently discussed here. These new requirements are often accompanied by corresponding certifications that must be executed by senior executives, who will need assurances of compliance before they sign. As threat actors evolve and the risks to government data on contractor systems increase, the USG inevitably will seek to strengthen the requirements it imposes on its contractors. Contractors and subcontractors need to be purposeful in how they approach and document their compliance and be aware of the increased enforcement activity from DoJ and client agencies.