The Register: Penn State pays DoJ $1.25M to settle cybersecurity compliance case

Source URL: https://www.theregister.com/2024/10/23/penn_state_university_doj_settlement/
Source: The Register
Title: Penn State pays DoJ $1.25M to settle cybersecurity compliance case

Feedly Summary: Fight On, State? Not this time
Pennsylvania State University has agreed to pay the Justice Department $1.25 million to settle claims of misrepresenting its cybersecurity compliance to the federal government and leaving sensitive data improperly secured. …

AI Summary and Description: Yes

Summary: Pennsylvania State University has agreed to pay $1.25 million to settle Justice Department allegations that it misrepresented its compliance with NIST SP 800-171, the standard for protecting controlled unclassified information (CUI) on nonfederal systems, in contracts with the Department of Defense and NASA. The case was brought by a whistleblower under the False Claims Act and illustrates that what creates liability is not only weak controls but inaccurate statements about compliance status made to the government.

Detailed Description:

The case involving Pennsylvania State University (PSU) touches on the core problem of cybersecurity compliance in federal contracting: the accuracy of what a contractor tells the government about the protection of sensitive data. The major points are:

– **Settlement Overview**: PSU agreed to pay $1.25 million to settle claims that it misrepresented its cybersecurity practices to the government and left sensitive data improperly secured.

– **Whistleblower Action**: The claim originated from Matthew Decker, former chief information officer of the university's Applied Research Laboratory, who filed a qui tam complaint under the False Claims Act alleging that the university failed to implement the National Institute of Standards and Technology (NIST) requirements written into its contracts with the Department of Defense (DoD) and NASA.

– **NIST SP 800-171 Compliance**:
– The university was accused of failing to comply with NIST SP 800-171, which specifies the security requirements for protecting controlled unclassified information (CUI) when it is stored or processed on nonfederal systems.
– The specific allegations concern documentation: PSU allegedly did not accurately record its implementation status and did not prepare plans to close known gaps. SP 800-171 itself requires a system security plan describing how each requirement is met and a plan of action and milestones for requirements that are not yet met, so missing or inaccurate versions of these are a compliance failure in their own right, not merely paperwork.

– **Misrepresentation Allegations**:
– The Justice Department stated that PSU knowingly misstated the dates by which it would implement the 110 security requirements of NIST SP 800-171.
– The university reported that it had not yet met these requirements, but allegedly took no corrective action to close the gaps it had reported.

– **Contractual Issues**:
– PSU allegedly abandoned a cloud hosting contract with Box, a service that met the NIST requirements, in favor of OneDrive to cut costs, without confirming that the replacement service met the same requirements for the CUI it would hold.

– **Government Response and Settlement Implications**:
– Matthew Decker, as the whistleblower, will receive $250,000 of the settlement.
– PSU maintains that the settlement is not an admission of liability, points to its ongoing investment in cybersecurity, and notes that the government did not allege that any data was actually compromised as a result of the alleged violations.

– **Broader Implications for Governance**:
– The case is a reminder that universities and other research institutions holding CUI under government contracts are subject to the same compliance obligations, and the same False Claims Act exposure, as commercial defense contractors.
– It underscores that compliance with frameworks such as NIST SP 800-171 must be real and accurately reported; an inaccurate self-assessment or implementation timeline submitted to the government can itself be the basis for a fraud claim.

– **Advisory for Institutions**:
– Organizations should regularly audit their actual control implementation against what they have attested to the government, keep the system security plan and plan of action current, and make sure that any plan of action is actually executed rather than merely filed.
– Changes to where sensitive data is stored, such as moving it to a different cloud service, should be treated as a compliance event that requires verifying the new service meets the contractual requirements before the data is migrated.
– A culture of accountability and transparency, in which internal reports of gaps are acted on rather than ignored, reduces both the security risk and the risk of a whistleblower complaint.

This situation reflects ongoing challenges in cybersecurity governance and highlights that in federal contracting, honest and current reporting of compliance status is as important as the controls themselves.