On September 1, 2023, the U.S. District Court for the Eastern District of Pennsylvania unsealed a qui tam False Claims Act (“FCA”) lawsuit (originally filed on October 5, 2022) alleging Penn State University failed to provide “adequate security” for Covered Defense Information, as contractually required by Defense Federal Acquisition Regulation Supplement (“DFARS”) 252.204-7012.
DFARS requires contractors to implement cybersecurity controls, such as encrypting sensitive data, restricting access to sensitive systems, and conducting risk assessments. At a minimum, adequate security requires the implementation of NIST 800-171. And as a condition of receiving a Department of Defense (“DoD”) contract, all contractors must carry out a Basic Assessment of NIST 800-171 and submit their score to the DoD. There is no official audit procedure to determine compliance; rather, contractors must conduct a self-assessment and make an attestation of their compliance.
The lawsuit was brought on behalf of Matthew Decker, the former Chief Information Officer for Penn State’s Applied Research Laboratory, and alleges that the University defrauded the government by falsely certifying its cybersecurity compliance. The complaint details steps taken by Decker to investigate his concerns, including the formation of a tiger team to review contract information and compliance artifacts. The tiger team process allegedly revealed that Penn State never reached DFARS compliance and had been making false compliance certifications since early 2018. The complaint alleges that the false certification concerns were repeatedly presented to leadership and ignored.
This case follows a trend of using the FCA to enforce cybersecurity provisions in government contracts. In October 2021, the Department of Justice announced its Civil Cyber-fraud Initiative and indicated it would use the FCA to pursue cybersecurity-related fraud by government contractors and grant recipients.