The United States government is bringing legal action against Penn State University under the False Claims Act, saying the university lied or misled about its adherence to government cybersecurity protocols when contracting with the federal government.
The suit is being brought on behalf of Matthew Decker, chief information officer at a Penn State research laboratory who also served briefly as interim vice provost and CIO for the university in 2016. Decker’s claims and testimony about the university’s malfeasance form the basis of the lawsuit.
Like all defense contractors, Penn State receives and generates as part of its work what is known as controlled unclassified information — data which falls below the threshold of official government secrets, but must nonetheless be managed by contractors in highly specified ways to prevent malicious parties from using them to piece together gaps in government security or programs.
The most common way for contractors to demonstrate that they are handling such information responsibly is through adherence to federal standards created by the National Institute of Standards and Technology (NIST). These include 22 detailed requirements for protecting controlled unclassified information that span digital and physical protections, as well as audits, risk assessments and proper security configurations.