In recent weeks, there has been a significant increase in cyber-related False Claims Act (FCA) activity. This surge in activity signals that contractors and universities should brace for additional scrutiny and potential whistleblower claims in this area.

One notable example is a qui tam lawsuit against Penn State University, which was unsealed on September 1, 2023. The lawsuit alleges non-compliance with Department of Defense (DoD) cybersecurity obligations. Specifically, it is claimed that Penn State University failed to provide “adequate security” for Covered Defense Information (CDI), as contractually required by the DFARS 252.204-7012 clause.

Under this clause, “adequate security” is defined as implementing all 110 controls outlined in NIST SP 800-171. Federal regulations require DoD contractors to conduct a self-assessment of compliance with these controls and report a compliance score in DoD’s Supplier Performance Risk System (SPRS).

The lawsuit alleges that Penn State falsified at least 20 documents related to its NIST SP 800-171 self-assessment and other self-attestations. Despite never reaching DFARS compliance, the university had been falsely attesting to compliance since January 1, 2018.

Furthermore, the lawsuit alleges sensitive information was put at risk when the university migrated some of its data to a commercial cloud-storage service. The relator in the case served as the interim Chief Information Officer at Penn State’s Applied Research Laboratory in 2015 and was a part of a team assigned to evaluate Penn State University’s compliance in early 2022.

Implications

These cases suggest that the number of enforcement actions and publicity associated with previously-sealed qui tam cases will continue to increase. They also signal that contractors and universities should brace for additional scrutiny in this area.

In light of these developments, it is crucial for organizations to examine their cybersecurity practices and ensure they are in compliance with all relevant regulations. This includes conducting regular self-assessments of compliance with controls such as those outlined in NIST SP 800-171.

Moreover, organizations must be transparent about their cybersecurity practices. Falsifying documents or attesting to compliance without actually meeting the necessary standards can lead to serious consequences, as seen in the Penn State case. Failure to comply with these standards can result in significant legal and financial consequences.