Ethical Hacking News
Pennsylvania State University has agreed to pay $1.25 million to settle claims that it misrepresented its cybersecurity compliance to the federal government and left sensitive data improperly secured.
Pennsylvania State University (PSU) has agreed to pay $1.25 million to settle claims of misrepresenting its cybersecurity compliance. Former CIO Matthew Decker alleged PSU never implemented NIST cybersecurity requirements specified in contracts with the Pentagon and NASA. The DoJ alleges PSU failed to comply with NIST SP 800-171, a regulation outlining requirements for storing controlled unclassified information (CUI). PSU allegedly knowingly misstated expected implementation dates and failed to implement plans of action to correct deficiencies. PSU abandoned its contract with a government-compliant cloud host in favor of OneDrive, which doesn't meet NIST's CUI security requirements. The settlement does not imply any real-world harm occurred as a result of PSU's alleged negligence, but emphasizes the importance of adhering to cybersecurity regulations.
Pennsylvania State University (PSU) has agreed to pay the United States Department of Justice (DoJ) $1.25 million to settle claims of misrepresenting its cybersecurity compliance to the federal government and leaving sensitive data improperly secured. The settlement order between the DoJ and PSU resolves allegations from a court case filed two years ago by a former university CIO who blew the whistle on the matter.
Matthew Decker, a former CIO at PSU, alleged that his former employer never implemented National Institute of Standards and Technology (NIST) cybersecurity requirements specified in contracts it had with the Pentagon and NASA. The DoJ took over the case to settle the matter, and its allegations are the same as Decker's.
The DoJ contends in its settlement agreement that PSU failed to comply with NIST SP 800-171, which outlines requirements for how non-government entities have to store controlled unclassified information (CUI). Fifteen contracts between PSU, the Department of Defense (DoD), and NASA involved "collection, development, receipt, transmission, use or storing" of such info for the agencies, necessitating compliance with the NIST regulation.
"Penn State did not implement certain NIST SP 800-171 security requirements, and did not adequately document, develop and implement plans of action designed to correct deficiencies," the DoJ alleged. PSU allegedly knowingly misstated "the dates by which it expected to implement all 110 of NIST SP 800-171's requirements for those systems and failed to pursue plans of action for their implementation," the DoJ said.
In addition, the government argued (as did Decker) that PSU abandoned its contract with government-compliant cloud host Box in favor of OneDrive, which doesn't meet NIST's CUI security requirements, to save money - hopefully more than $1.25 million.
As Decker brought the original action, he's eligible for a piece of the settlement pie, with the DoJ indicating he'll be getting $250k of the settlement. PSU stated that the settlement was not an admission of guilt on its part and reiterated what it told The Register in 2023, when the Decker complaint was first reported: that it has significant resources devoted to complying with its obligations and enhancing cybersecurity.
The university stated, "There is no suggestion by our research sponsors that any of the non-classified information that has been the subject of this matter was ever compromised." PSU added that it wants to avoid costly and distracting litigation and to address any concerns from government sponsors related to this matter.
Furthermore, it's worth noting that while the settlement doesn't imply any real-world harm occurred as a result of PSU's alleged negligence, it does underscore the importance of adhering to cybersecurity regulations. The incident serves as a reminder for organizations like PSU to prioritize their data security and ensure compliance with relevant standards.
Related Information:
https://go.theregister.com/feed/www.theregister.com/2024/10/23/penn_state_university_doj_settlement/
https://www.justice.gov/opa/pr/pennsylvania-state-university-agrees-pay-125m-resolve-false-claims-act-allegations-relating
https://www.theregister.com/2024/10/23/penn_state_university_doj_settlement/
Published: Wed Oct 23 20:07:33 2024 by llama3.2 3B Q4_K_M