You’ve heard of finding a needle in a haystack, but how about locating government contracting secrets in a sea of university records?
According to a freshly unsealed whistleblower complaint, that’s exactly what Pennsylvania State University has failed to do. A former chief information officer in the school’s Navy-affiliated Applied Research Laboratory alleged that the school falsely claimed compliance with Department of Defense cybersecurity regulations since 2018, including by submitting falsified or irrelevant compliance scores and keeping sloppy records.
“Penn State has, at best, inconsistently sprinkled in some small levels of cybersecurity best practices,” whistleblower Matthew Decker’s complaint says. “There is no chance that comprehensive protection or compliance can be truthfully attested.”
Federal regulations known as DFARS call for government contractors like Penn State to “provide ‘adequate security’ for covered defense information” like patents, manufacturing information, and other technical data that’s “sensitive, but not classified,” according to the lawsuit.
Under the National Institute of Standards and Technology’s guidelines, contractors meet this benchmark when they control access to sensitive information, properly configure and routinely audit IT systems, and maintain incident response capabilities, among other checklist items.
Compliance, however, is on the honor system: Contractors must self-certify that they meet the laundry list of requirements, adding or subtracting points from an overall compliance score. The lawsuit asserts that Penn State flouted the requirements while certifying compliance using blanket statements.
For example, the suit says administrators transferred covered data to Microsoft Office 365 OneDrive when the school wasn’t authorized to do so, and uploaded template documents to fill gaps where required DOD records were missing.
While Decker, hired in the aftermath of a 2015 cybersecurity attack to manage contracting compliance obligations, believed administration officials understood their responsibilities, the suit said he later discovered “that Penn State disregarded some of his suggestions concerning NIST compliance.”
Following an internal investigation in 2022, Decker “determined that Penn State had never reached actual DFARS compliance and thus had been falsely attesting to compliance since January 1, 2018,” the complaint said.
According to the lawsuit, Penn State still has research projects for which it has attested security compliance, but it can’t identify or locate the protected information the school is charged with managing.
In an email to IT Brew, Penn State spokeswoman Lisa M. Powers said the school doesn’t comment on pending litigation. However, she noted that the university takes its government contracting obligations “very seriously.”
“Penn State has worked and continues to work cooperatively and collaboratively with the government to address any questions,” Powers wrote.