The Department of Justice recently announced a landmark Penn State cybersecurity fraud settlement, with the university agreeing to pay $1.25 million to resolve False Claims Act allegations. This October 2024 settlement, which awarded the whistleblower $250,000, highlights two critical compliance failures common throughout the defense contracting industry: misrepresentation of cybersecurity self-assessments and use of non-compliant cloud services.
A Significant Step in Cybersecurity Enforcement
This settlement marks a major milestone in the Department of Justice’s Civil Cyber-Fraud Initiative, demonstrating the program’s effectiveness in combating cybersecurity fraud through qui tam whistleblower actions. Unlike other cases involving self-disclosure, this case was the result of a whistleblower-initiated qui tam action. The DOJ’s substantial 20% award for the relator demonstrates the initiative’s commitment to rewarding and protecting insiders who expose cybersecurity fraud.
The Penn State violations involved 15 separate DoD and NASA contracts awarded and performed between 2018 and 2023. The whistleblower, Matthew Decker, served as Penn State’s Chief Information Officer for the Applied Research Laboratory, making his insider perspective crucial to the case’s success.
Critical Compliance Failures Revealed
The settlement exposed significant violations in both cybersecurity self-assessment reporting and cloud service provider requirements. DoD contractors are required to perform internal assessments of their cybersecurity controls and to post the assessment results on DoD’s Supplier Performance Risk System (SPRS). DoD set a deadline of November 2020 for Penn State and other defense contractors to post their initial cybersecurity assessment scores on SPRS. The government alleged that Penn State:
- Posted inaccurate self-assessment scores to SPRS;
- Knowingly misstated plan of action timelines for implementation of required cybersecurity controls; and
- Failed to follow through on promised remediation of identified gaps in its cybersecurity controls.
The government’s investigation also uncovered significant cloud service provider violations. Penn State used an external cloud service provider that failed to meet FedRAMP baseline requirements. This violation extends beyond mere technical non-compliance—it represents a fundamental failure to protect sensitive government information.
Looking Ahead: Opportunities for Whistleblowers
This settlement should alert contractors and potential whistleblowers across the Defense Industrial Base to a new era of government enforcement of cybersecurity requirements. Many DoD contractors may face similar compliance issues with:
- Use of non-FedRAMP certified cloud services;
- Failing to implement required NIST SP 800-171 controls;
- Posting inaccurate cybersecurity assessment scores on SPRS; or
- Misstating the dates by which they would remediate identified gaps in their cybersecurity controls.
Potential whistleblowers, especially those working in IT or cybersecurity roles, could have new opportunities to identify and report non-compliance. As the Department of Justice announced three years ago, DOJ is encouraging whistleblowers to file qui tam suits under the False Claims Act to assist in identifying and ending fraudulent cybersecurity practices involving government contractors. Whistleblowers will play a crucial role in protecting sensitive government information. Whistleblowers will also ensure the proper use of taxpayer funds and maintain the integrity of the government contracting process.
For those working in cybersecurity or IT roles at government contractors, identifying potential violations will be crucial. Potential whistleblowers should pay particular attention to SPRS assessment records, especially claims about implementation timelines and plan of action completion dates.
Companies handling sensitive government information must evaluate their compliance with both SPRS self-assessment requirements and FedRAMP standards. Those discovering violations should consider their reporting obligations carefully, particularly given the DOJ’s demonstrated commitment to rewarding whistleblowers who come forward with evidence of cybersecurity fraud.
How Whistleblower Law Collaborative Can Help
At Whistleblower Law Collaborative LLC, our experienced qui tam whistleblower attorneys are dedicated to fighting cybersecurity fraud and protecting courageous whistleblowers.
If you have information about potential cybersecurity violations or false claims, contact us for a confidential, no-obligation consultation. Our attorneys are former federal prosecutors with experience safeguarding sensitive government information.
With our expertise and commitment, we can help you navigate the complex process of blowing the whistle and work to hold wrongdoers accountable. Together, we can make a difference in the fight against fraud.
This summary is being provided to alert potential whistleblowers to current priorities in the government’s enforcement of the False Claims Act. The relator in the Penn State matter was represented by our esteemed colleagues Julie Bracker and Darth Newman. To learn more about the many successful False Claims Act cases handled by the Whistleblower Law Collaborative, please visit the Our Successes page.