Former CIO accuses Penn State of faking cybersecurity compliance

Now-NASA boffin not impressed

Last October, Pennsylvania State University (Penn State) was sued by a former chief information officer for allegedly falsifying government security compliance reports.

The lawsuit [PDF], recently unsealed, is a qui tam complaint (in Latin "who as well,") meaning it was filed on behalf of the US government by former CIO Matthew Decker, who claims his former employer defrauded the government under the False Claims Act.

In November 2015, Decker, presently chief data and information officer at NASA's Jet Propulsion Laboratory, was appointed CIO and director of Information Technology Services at the University’s Applied Research Lab (ARL), which does work for the US Navy.

This was several months after an attack attributed to hackers in China breached Penn State's College of Engineering and College of Liberal Arts. Decker was brought in to ensure ARL complied with federal defense rules for IT security, specifically DFARS 252.204-7012 and DFARS 252.204-7019, and NIST 800-171.

In January 2016, Decker was appointed interim Vice Provost for Information Technology at Penn State until such time as the university appointed a permanent replacement for that position. While in that dual role position, he participated in compliance discussions for Penn State's implementation of WorkDay, an enterprise resource planning solution (ERP).

The lawsuit says that while Decker was involved in that university-wide ERP project, the project dealt earnestly with compliance obligations. But Decker claims that after leaving his interim position, he discovered that Penn State had disregarded some of his recommendations that may have left controlled unclassified information (CUI) exposed.

In August 2020, Penn State announced the end of its contract with Box, a FedRamp certified (DFARS 252.204-7012) storage service, citing cost considerations. In its place, it adopted Microsoft Office 365 OneDrive, which is not compliant with government requirements for storing CUI.

Decker's lawsuit recounts efforts he allegedly made since the adoption of OneDrive to bring Penn State's systems into compliance, but he claims that didn't happen. Following a meeting in June 2022, he recounts "Penn State had never reached actual DFARS compliance and thus had been falsely attesting to compliance since January 1, 2018."

According to the first amended complaint, "Although Penn State has provided self-attestations of compliance to [the US Department of Defense] as required since December 31, 2017, these were false."

Tell us, are you being honest?

NIST 800-171, initially published in June 2015 and intermittently revised since then, includes more than 100 requirements. Defense contractors are required to submit a System Security Plan (SSP) as part of NIST compliance.

But determining compliance is left to contractors – there's no certification body or official audit procedure. As described in the lawsuit, contractors have to self-assess and self-attest to compliance and score themselves for success using a point-based system based on the requirements.

These scores are supposed to be submitted to the Defense Department's Supplier Performance Risk System (SPRS) prior to the award or renewal of a contract. But as alleged in the complaint, these scores were simply made up.

"No SSPs had been produced; rather than specific systems or research compute space owners, the records referred only generically to colleges or institutes; no proper, DFARS 7020 risk assessment had been performed; and the risk assessments that had been uploaded were merely templates in order to 'check the box…'" the court documents state.

The complaint concludes, "Penn State has no SSPs. Penn State’s SPRS entries are falsified. There are dozens of projects where Penn State has attested compliance but never met it. To this day Penn State does not appear to be working toward compliance."

If the government chooses to intervene and take over the case before the September 29 deadline [PDF] set by the judge, the "relator" bringing the claim may share in funds recovered from a successful prosecution. And if the government does not intervene, the "relator" may still pursue the case.

In an emailed statement, a spokesperson for the university did not dispute the lawsuit's claims, citing a policy of not commenting on pending litigation, but insisted that the university takes compliance requirements seriously.

"Penn State is dedicated to compliance and takes its compliance obligations, including its cybersecurity obligations under federal government contracts very seriously," the spokesperson said.

"The university has allocated significant resources to maintain compliance with these and other federal requirements. Penn State has worked and continues to work cooperatively and collaboratively with the government to address any questions. The University typically does not comment on pending litigation and will address these allegations at the appropriate time." ®

Send us news

Weak session keys let snoops take a byte out of your Bluetooth traffic

BLUFFS spying flaw present in iPhones, ThinkPad, plenty of chipsets

Top Ukrainian cyber officials fired after allegedly pocketing kickbacks from govt IT deals

Duo probed over alleged $2M embezzlement plot

Watchdog claims retaliation from military after questioning cushy federal IT contracts

IT-AAC had a hand in scrutinizing JEDI, now faces probe for challenging $300M+ single-source deals

Microsoft's bug bounty turns 10. Are these kinds of rewards making code more secure?

Katie Moussouris, who pioneered Redmond's program, says folks are focusing on the wrong thing

Robocar tech biz sues Nvidia, claims stolen code shared in Teams meeting blunder

Two companies both online when slide was viewed at presentation

Three quarters of software engineers face retaliation for whistleblowing

Staff afraid to raise alarm when they see negligence, discrimination and more

Uncle Sam probes cyberattack on Pennsylvania water system by suspected Iranian crew

CISA calls for stronger IT defenses as Texas district also hit by ransomware crew

MOVEit victim count latest: 2.6K+ orgs hit, 77M+ people's data stolen

Real-life impact of buggy software laid bare – plus: Avast tries to profit from being caught up in attacks

Third-party data breach affecting Canadian government could involve data from 1999

Any govt staffers who used relocation services over past 24 years could be at risk

AMD SEV OMG: Trusted execution in VMs undone by bad hypervisors' cache meddling

Let's do the CacheWarp again

AWS previews AppFabric for productivity – pitched as AI-powered glue between apps

Park user data in Amazon's servers for ML-generated insights and actions – yea or nay for you?

Microsoft pushes Azure Government Cloud as homefront defender

All your national security are belong to us!