The False Claims Act in Cybersecurity Enforcement: Unsealed Complaint Signals Growing Use

3 minute read | September.27.2023

A recently unsealed False Claims Act qui tam complaint against Penn State is the latest in line with DOJ’s Civil Cyber-Fraud Initiative. The case is United States ex rel. Matthew Decker v. Pennsylvania State University, 22-cv-03895-PD, in the Eastern District of Pennsylvania. The whistleblower (relator)—the former Chief Information Officer of Penn State’s Applied Research Lab—alleges that Penn State submitted false certifications to the Department of Defense (DoD). The certifications concerned compliance with the Defense Federal Acquisition Regulation Supplement (DFARS) and National Institute of Standards and Technology (NIST) Special Publication 800-171, “Protecting Controlled Unclassified Information (CUI) in Nonfederal Information Systems and Organizations.”

The case highlights the growing use of the FCA in cybersecurity enforcement, with government contractors—including contracting universities—a prime target.

In effect since 2018, NIST 800-171 establishes standards for the protection, processing, storing, and transmitting of CUI that exists on non-federal systems. With over 100 requirements, even NIST, the body that develops the standards, acknowledges that being compliant is no easy task. It “likely involves working with a cybersecurity consultant that knows the NIST SP 800-171 requirements inside and out.”

Since 2020, defense contractors have been required to attest to compliance with NIST SP 800-171 after a lengthy self-assessment of security controls as a condition of receiving or renewing a defense contract. While useful to an organization’s security, the DoD does “not recognize 3rd party assessments or certifications.” That is, certification must be done solely by the contractor, and typically the information security officer in that organization. (Although DoD has been working for several years on developing and rolling out the Cybersecurity Maturity Model Certification 2.0, the effort has been slow and is still in the rulemaking process).

In the lawsuit against Penn State, the relator alleges that, despite certifications of compliance, the university failed to comply with a number of NIST SP 800-171 requirements. For example, in place of required risk assessments, the university allegedly provided “templates in order to ‘check the box.’” The suit also alleges Penn State officials submitted falsified documents and stored CUI in a non-compliant application, i.e., not compliant under FedRAMP. 

According to the relator, a tiger team he was a part of “determined that Penn State had never reached DFARS compliance in any of the investigated projects.”  He alleges the university was not receptive to his recommendation and the tiger team “shifted to trying to justify the lack of compliance.”     

Such allegations of certifying compliance despite obvious noncompliance can easily form the basis of an FCA action. The FCA’s expansive intentionality requirement imposes liability upon a showing that a contractor “acts in reckless disregard of the truth or falsity of the information” submitted to the federal government.  In other words, liability can be found when a person submits a claim to the federal government he or she knows or should know is false.

Still, the facts control, and the complex and undefined nature of cybersecurity compliance will help defendants like Penn State overcome weaker claims. The argument would be some version of: we did our best with a self-assessment—where’s the guidance? We’ll hopefully get a glimpse of the government’s perspective soon: the court ordered the government to make a decision by September 29, 2023, on whether it will intervene in (take over) the lawsuit. 

Either way, the case is a good reminder that having a tested DFARS/NIST compliance program in place and a documented track record of taking complaints seriously can help forestall FCA lawsuits—and help knock the unfounded ones out early.