News of the False Claims Act lawsuit against Pennsylvania State University reached the CMMC landscape in August of 2023, when the 2022 filing was unsealed. It is important to note that, at the time of this writing, the suit is civil rather than criminal, and the Department of Justice has not intervened as plaintiff. Rather, it is a qui tam action captioned United States of America ex rel. Matthew Decker; Decker has been CIO of Penn State’s Applied Research Laboratory (ARL) since 2015. His filing alleges that the university has been in violation of the False Claims Act since December 31, 2017, the deadline by which DFARS 252.204-7012 required defense contractors to have implemented, and to attest to implementing, NIST 800-171. DFARS 7012 requires contractors who process, store, or transmit Controlled Unclassified Information (CUI) on their systems to implement the 110 security requirements detailed in NIST 800-171.
This case has the potential to become a major example of how alleged False Claims Act violations will be addressed in the coming years. In an era where the Department of Justice’s (DOJ’s) Civil Cyber Fraud Initiative gains momentum, Cybersecurity Maturity Model Certification (CMMC) looms on the horizon, and contractors work to manage unprecedentedly complex and stringent cybersecurity requirements, it is sure to be closely watched by the Defense Industrial Base (DIB). Additional federal cyber regulations, like the Secure Software Development Framework (SSDF), promise to add further pressure on many government contractors to alter their information security architecture.
In a large university setting, barriers to compliance multiply with every additional campus, IT organization, and research group that touches CUI. The stakes of the False Claims Act can also be much higher, because the alleged false certification is repeated across every contract the institution holds. So, what can we learn from the case so far? And how can Organizations Seeking Certification (OSCs) — particularly those with campus-like segmentation and oversight — use this knowledge to reduce the risk to their organization?
1. Listen to your experts…
…especially when they’re concerned about a federal requirement. IT employees, CIOs, and CISOs are increasingly fluent in the complex, highly technical, and constantly evolving specifics of information security. In the federal contracting space, a CIO’s cautionary advice can run the risk of sounding dogmatic. The particular mix of technical complexity, fluid regulatory timelines, and urgency at play can lead executive leadership to feel uneasy about accepting the severity of their CIO’s concerns. In some cases, it can be tempting to suspect that the IT department can simply “make it work”, or that a straightforward solution was missed due to a failure to see the forest for the trees.
However, we encourage C-Suites not only to listen to the concerns of their expert(s) but to proactively ask them difficult questions. Beyond this, it is imperative not to shy away from their answers.
In the example of Penn State, Decker began to move the school’s Applied Research Laboratory towards compliance with 7012 in 2015. Having made progress by the end of the year, he was reportedly approached to support the university's “...84 separate IT organizations across twenty-four campuses…” in becoming compliant, at which time he was appointed Interim Vice Provost and CIO of Penn State. The filing claims:
During his eight months as interim CIO, [Decker] met several times with Penn State constituents, including Research, to discuss compliance requirements. As part of those conversations, he suggested Penn State begin assessing environments, especially within the College of Engineering, which housed the most projects requiring DFARS compliance outside of ARL.
The filing is unclear on whether these environmental assessments were conducted. However, it does state that Decker was removed from his university-at-large CIO position in 2016, and continued work as CIO for Penn State’s ARL.
In 2019, Decker was invited by the school’s new Interim CISO, Richard Sparrow, to join a compliance working group. There, he again claims to have expressed concerns that the university’s architecture could not satisfy 171’s requirements, especially for Research projects. By this time, Decker had achieved real compliance for Penn State’s Applied Research Laboratory (ARL), independently evaluated by NAVSEA, which demonstrates that he had in-depth working knowledge of the federal standard. His concerns for the university at this point were serious:
It did not appear to [Decker] that the requirements for 7012 had ever been fully understood…Around this time, [Decker] discovered that Penn State’s registration within SPRS for a specific project showed missing records for SPRS entries…As [Decker] later discovered…personnel simply uploaded template documents to “solve” the missing records problem.
SPRS scores, or Supplier Performance Risk System scores, result from self-assessment against NIST 800-171’s 110 basic security requirements for a given project or system. The implications of a subpar score could become serious in the future, but they were not in 2019, when the scores were allegedly falsified. Some new contracts require a minimum SPRS score, and some prime contractors are already asking their subcontractors for this information. But imperfect scores for the projects at hand were likely not a threat to Research’s bottom line at the time. The belief that a low score would have been is a common misconception among defense contractors, and it is also an example of why the standard is so confusing to laypeople: an honest, imperfect score with a plan of action is the expected state, while a perfect score with no evidence behind it is the liability.
Penn State’s senior leadership almost certainly had a limited understanding of Decker’s concerns. This is not unexpected, as 7012’s requirements demand unusually specific expertise to comprehend. It is unclear in the filing whether confusion, fear of repercussion, or something else inspired the acting CISO to allegedly doctor SPRS scores with blank documentation while simultaneously insisting that the projects were compliant.
In 2020, the filing states that Decker again proposed a “...‘CUI Center of Excellence’ be established so that stakeholders and experts could better understand the requirements, gaps, and capabilities within the campuses, and advise Penn State Research.” This request was denied on the grounds that Research was, according to Sparrow, “already compliant.”
Looking at this example we encourage OSCs, and particularly large operations like state schools, not to shy away from an imperfect SPRS score. In addition, it is critical to listen deeply to your information security experts — especially the ones with less-than-exciting news. Ask them hard questions about complying with federal standards, with the foundational understanding that honest answers are likely to be convoluted.
Rewarding honesty from your CIOs, CISOs, and IT departments paves a path to success. Shooting the messenger has always raised the likelihood that the hard news you need to hear won’t make it to your desk. However, when it comes to 7012, and especially CMMC, the stakes have hardly ever been higher.
This brings us to our next possible take-away.
2. Reporting truthfully will serve your organization in the long run…
…in a way the mere appearance of success will not. As discussed above, Penn State’s Interim CISO is accused of falsifying SPRS scores, and even going so far as to knowingly submit blank template documentation as evidence. In the wake of the lawsuit, whatever reputational benefit the appearance of compliance bought the school — or the interim CISO, or anyone else — is outweighed by the damage done once that appearance was alleged to be disingenuous.
The same attitude can often apply to reporting serious hacks, in and outside of the DIB. “If I look like I had information stolen, I must appear less capable of protecting it.” However, it is in the DoD’s, the contractor’s, and the American public’s best interest not to sweep these things under the rug. The DoD’s goals become extremely difficult to attain if the industrial base does not communicate reliably.
This fact is, in part, why the Cybersecurity Maturity Model Certification (CMMC) framework is being rolled out. Many contractors have either 1) inadvertently misunderstood, or 2) delayed implementing the complex, expensive requirements in 171. Given this, self-reported SPRS scores are often imperfect reflections of an organization’s compliance. CMMC adds third-party verification of 800-171 implementation for most contracts involving CUI (CMMC Level 2 certification assessments are conducted by C3PAOs, with self-assessment permitted only for a subset of contracts). In other words, existing regulations aren’t being executed to standard, so regulatory architecture has been introduced to move the Defense Industrial Base (DIB) toward the necessary information security practices.
This is also part of why the DOJ created the Civil Cyber Fraud Initiative, an effort designed to identify and pursue, under the False Claims Act, contractors and grant recipients who knowingly misrepresent their cybersecurity practices or fail to report incidents.
But what can we learn from the Penn State case in this context? If the DOJ has not yet publicly involved itself with the case, and the DoD understands most contractors are struggling to implement the requirements in 171, why has this particular institution come under such public scrutiny?
Possibly because Penn State is alleged to have falsified more than the mere letter of their SPRS score. According to Decker, key employees failed to satisfy one of the most basic requirements in good faith:
In June 2022, [Decker] had a conversation…regarding compliance, which revealed that Penn State was working on their first Systems Security Plan (SSP). [In the same month] the first tiger team finished gathering contract information and compliance artifacts. The process showed that Penn State had never reached actual DFARS compliance and thus had been falsely attesting to compliance since January 1, 2018. Specifically, the tiger team determined that Penn State had never reached DFARS compliance in any of the investigated projects…
SSPs are a foundational requirement of 7012: NIST 800-171 requirement 3.12.4 calls for a system security plan describing system boundaries, environments of operation, how the requirements are implemented, and connections to other systems. Without one, an organization cannot be considered compliant, and under the DoD Assessment Methodology an assessment cannot even be conducted.
This portion of Decker’s lawsuit claims that a specially appointed task force or “tiger team” — of which Decker was a part — uncovered and reported a serious degree of noncompliance to Penn State’s Senior Vice President of Research. According to the filing, the VP’s response was an attempt to delegitimize the tiger team’s report. Penn State’s SPRS scores were allegedly not corrected after the noncompliance had been made clear, and the tiger team’s report was allegedly withheld from the school’s Ethics and Compliance lead.
The described absence of an SSP in 2022, paired with detailed whistleblower testimony, is likely why the Penn State lawsuit was among the first of its kind to be unsealed. However, it is again worth mentioning that the Department of Justice has not intervened; Decker, as relator, is pursuing the case on the government’s behalf. As he tells it, more time was spent by Penn State’s senior leadership attempting to skirt requirements than moving toward compliance. The filing suggests this was especially true after it had been made clear to Research that they were in direct violation of the False Claims Act.
The message here for OSCs is plain: legal exposure is highest for organizations which actively obscure the truth about compliance. The False Claims Act turns on knowing misrepresentation, which includes deliberate ignorance and reckless disregard of the truth. Good-faith, imperfect efforts toward compliance, documented in an SSP and plan of action, help to limit that exposure, and are far more likely to result in success than efforts to merely appear compliant.
Good faith efforts, while absolutely necessary for compliance, are not the only possible means of avoiding a lawsuit.
3. Expert consultants mitigate crucial information security risks, compliance risks…
...and legal risks. Part of what made the lawsuit against Penn State possible was the absence of qualified, third-party expertise. An hour with an expert consultant could easily have confirmed Decker’s concerns about compliance at any point in this process. Engaging a CMMC Certified Assessor (CCA) or a CMMC Third-Party Assessment Organization (C3PAO) to inform their compliance efforts over the long term would certainly have streamlined them.
But beyond this, an expert would have offered Penn State a layer of legal protection. If a certified assessor had examined the evidence and explicitly told the VP of Research that the projects in question were compliant, the university would have had documented, good-faith reliance on a qualified opinion to point to. That reliance is not a transfer of liability, since the contractor is still the party making the attestation, but it bears directly on whether a misstatement was “knowing” in the sense the False Claims Act requires.
In order to truly be “in the clear,” though, something else must be taken into account. Time.
4. Don’t wait to start.
It is in your best interests to start now. DFARS 7012 is incredibly challenging and expensive to comply with, especially for large, multifaceted organizations. The advent of CMMC in 2025 promises to be the most stringent standard ever imposed on the DIB, and by its nature it requires someone well-versed in the standard to examine the evidence and confirm your compliance.
Given the breadth of the university’s physical and logical architecture, it is crucial to understand that the challenges faced by Penn State were and are enormous. If Decker’s timeline is to be believed, should the school have moved on his suggestions in 2016, they may not have been able to achieve perfect SPRS scores for all of their projects by 2023.
However, they would have had the potential to be among the few large schools truly prepared for the CMMC rollout in 2025. The addition of a qualified, third-party consultant would have made this even more likely.
The potential lessons to be gleaned from this case promise to shift as the civil suit evolves. However, today, it emphasizes the fact that an OSC’s resources are best spent working toward compliance now, that expert consultants are worth considering, and that ultimately, getting better is more important than appearing perfect.