Crowell
Penn State Settlement for Cybersecurity Noncompliance
Pages
4
Time to read
5 mins
Publication
Language
English
This document is a client alert detailing the settlement between the Department of Justice (DOJ) and Pennsylvania State University (Penn State) regarding allegations of noncompliance with cybersecurity requirements mandated by the Department of Defense (DoD) and NASA. On October 22, 2024, it was announced that Penn State would pay $1.25 million to resolve these allegations, which stemmed from claims that the university provided false self-attestations of compliance with cybersecurity obligations in its contracts. The allegations were based on the Defense Federal Acquisition Regulation Supplement (DFARS) clauses, which require contractors to implement adequate security measures for covered contractor information systems. The alert highlights that this settlement is significant as it does not involve any allegations of a cybersecurity incident or breach, marking a distinct focus on documentation and compliance processes. The document outlines the implications of the settlement for contractors regarding their cybersecurity posture and the importance of maintaining accurate plans of action and milestones (POA&Ms).