Penn State to Pay $1.25M to Settle Claims It Failed to Comply With Cybersecurity Requirements on Defense Contracts

Geoff Rushton

Penn State will pay $1.25 million to resolve allegations brought forward in a whistleblower’s lawsuit that the university failed to comply with cybersecurity requirements on 15 contracts involving the Department of Defense and NASA.

Matthew Decker, the former chief information officer for Penn State’s Applied Research Laboratory, will receive $250,000 to settle the whistleblower case he filed in 2022, according to the U.S. Attorney’s Office for the Eastern District of Pennsylvania.

Decker and the Justice Department alleged that between 2018 and 2023, Penn State submitted cybersecurity assessments to the Department of Defense that showed it had not implemented certain required cybersecurity controls, but misrepresented when they would be implemented and did not pursue a plan of corrective action.

Those alleged failures, according to the DOJ, violated the False Claims Act.

The settlement is not an admission of wrongdoing, Penn State wrote in a statement to StateCollege.com on Wednesday, adding that “the university wishes to avoid costly and distracting litigation and to address any concerns our government sponsors may have related to this matter.”

“There is no suggestion by our research sponsors that any of the non-classified information that has been the subject of this matter was ever compromised,” Penn State wrote. “Rather, the government’s concerns — following its thorough investigation — primarily focus on the documentation related to implementing specific controls for handling data and information.”

Penn State also wrote that it “values its relationships with its research sponsors and takes seriously its cybersecurity obligations.”

“The University has devoted significant resources to complying with its obligations — and to continuously improving and enhancing its cybersecurity measures,” according to the statement. “Most recently, Penn State proactively adopted additional cybersecurity policies and systems to meet anticipated future obligations across the global research landscape.”

Resolution of the case involved the office of U.S. Attorney Jacqueline C. Romero, the Justice Department’s Civil Division, NASA and myriad agencies within the Department of Defense.

“Safeguarding sensitive NASA and DoD data is crucial to ensuring that it does not fall into the hands of our adversaries or bad actors,” NASA Assistant Inspector General for Investigations Robert Steinau said in a statement. “The University’s inability to adequately address known deficiencies not only put sensitive information at risk but also undermined the integrity of our government’s cybersecurity efforts. We remain committed to holding entities accountable when they fail to meet critical security standards, as demonstrated by this case.”

Penn State annually receives hundreds of millions of dollars in federal research contracts. In 2022-23, the most recent data available, the university received $762 million in federal research funding, including $286 million from the Department of the Navy, an increase of 30% over the previous year.