Former CIO accuses Penn State of faking cybersecurity compliance

Now-NASA boffin not impressed


Last October, Pennsylvania State University (Penn State) was sued by a former chief information officer for allegedly falsifying government security compliance reports.

The lawsuit [PDF], recently unsealed, is a qui tam complaint (Latin for "who as well"), meaning it was filed on behalf of the US government by former CIO Matthew Decker, who claims his former employer defrauded the government under the False Claims Act.

In November 2015, Decker, presently chief data and information officer at NASA's Jet Propulsion Laboratory, was appointed CIO and director of Information Technology Services at the University’s Applied Research Lab (ARL), which does work for the US Navy.

This was several months after an attack attributed to hackers in China breached Penn State's College of Engineering and College of Liberal Arts. Decker was brought in to ensure ARL complied with federal defense rules for IT security, specifically DFARS 252.204-7012 and DFARS 252.204-7019, and NIST 800-171.

In January 2016, Decker was appointed interim Vice Provost for Information Technology at Penn State, to serve until the university appointed a permanent replacement for that position. While in that dual role, he participated in compliance discussions for Penn State's implementation of Workday, an enterprise resource planning (ERP) solution.

The lawsuit says that while Decker was involved in that university-wide ERP project, the project dealt earnestly with compliance obligations. But Decker claims that after leaving his interim position, he discovered that Penn State had disregarded some of his recommendations that may have left controlled unclassified information (CUI) exposed.

In August 2020, Penn State announced the end of its contract with Box, a FedRAMP-certified storage service that satisfied DFARS 252.204-7012, citing cost considerations. In its place, it adopted Microsoft Office 365 OneDrive, which is not compliant with government requirements for storing CUI.

Decker's lawsuit recounts efforts he allegedly made after the adoption of OneDrive to bring Penn State's systems into compliance, but he claims that never happened. Recalling a meeting in June 2022, he states that "Penn State had never reached actual DFARS compliance and thus had been falsely attesting to compliance since January 1, 2018."

According to the first amended complaint, "Although Penn State has provided self-attestations of compliance to [the US Department of Defense] as required since December 31, 2017, these were false."

Tell us, are you being honest?

NIST 800-171, initially published in June 2015 and intermittently revised since then, includes more than 100 requirements. Defense contractors are required to submit a System Security Plan (SSP) as part of NIST compliance.

But determining compliance is left to contractors – there's no certification body or official audit procedure. As described in the lawsuit, contractors have to self-assess and self-attest to compliance, scoring themselves against the requirements using a point-based system.

These scores are supposed to be submitted to the Defense Department's Supplier Performance Risk System (SPRS) prior to the award or renewal of a contract. But as alleged in the complaint, these scores were simply made up.

"No SSPs had been produced; rather than specific systems or research compute space owners, the records referred only generically to colleges or institutes; no proper, DFARS 7020 risk assessment had been performed; and the risk assessments that had been uploaded were merely templates in order to 'check the box…'" the court documents state.

The complaint concludes, "Penn State has no SSPs. Penn State’s SPRS entries are falsified. There are dozens of projects where Penn State has attested compliance but never met it. To this day Penn State does not appear to be working toward compliance."

If the government chooses to intervene and take over the case before the September 29 deadline [PDF] set by the judge, the "relator" bringing the claim may share in funds recovered from a successful prosecution. And if the government does not intervene, the "relator" may still pursue the case.

In an emailed statement, a spokesperson for the university did not dispute the lawsuit's claims, citing a policy of not commenting on pending litigation, but insisted that the university takes compliance requirements seriously.

"Penn State is dedicated to compliance and takes its compliance obligations, including its cybersecurity obligations under federal government contracts very seriously," the spokesperson said.

"The university has allocated significant resources to maintain compliance with these and other federal requirements. Penn State has worked and continues to work cooperatively and collaboratively with the government to address any questions. The University typically does not comment on pending litigation and will address these allegations at the appropriate time." ®
