Penn State falsified Dept. of Defense compliance, former CIO claims in lawsuit
A former chief information officer at the Pennsylvania State University has filed a lawsuit against the university claiming it did not properly protect sensitive government information and that it falsified security records it sent to the U.S. Department of Defense.
The suit was filed by Matthew Decker, who served as CIO for Penn State’s Applied Research Laboratory from 2015 to 2023 and concurrently worked as the university’s interim vice provost and CIO in 2016. He originally filed suit in October 2022, but it was only unsealed and made public this past August.
According to the filing, Decker discovered that some records were missing for entries submitted to the Department of Defense's Supplier Performance Risk System (SPRS) after his time as Penn State's interim CIO concluded in 2016. When Decker alerted the then-interim chief information security officer to the issue, template documents were uploaded to "solve" the problem, the filing claims.
“The risk assessment scores, artifacts and incomplete records entered into SPRS were knowingly false and were added merely to ‘check the box’ so that there would be no ‘missing’ records,” the lawsuit states.
To be compliant with the Defense Federal Acquisition Regulation Supplement (DFARS), contractors like Penn State must provide "adequate security" for covered defense information that is processed, stored, created or transmitted on their internal information systems. This information is considered "controlled unclassified information" and may include "technical data, patents or information relating to the manufacture or acquisition of goods and services."
Defense contractors must also assess their compliance with the security requirements published by the National Institute of Standards and Technology (NIST SP 800-171) and report the result to the Department of Defense through SPRS. Contractors score themselves on a point-based system; there is no certification or audit procedure in place to verify that the NIST requirements are actually met.
In April 2022, Decker was tapped to lead a “tiger team” of nine people to evaluate Penn State’s compliance. Later that spring, Decker determined that Penn State “had never reached actual DFARS compliance and thus had been falsely attesting to compliance since January 1, 2018,” according to the filing.
The university asked Decker to lead a second “tiger team” to further investigate the compliance issues in August 2022. He prepared a template to profile and assess each of Penn State’s contracts and struggled to find “pertinent data,” according to the filing. While working with this team, Decker discovered that “all 20 records submitted to the SPRS system had been falsified,” the suit states.
About 10 days after the second team was assembled, an associate CIO of research and IT, “who was complicit in much of the existing problems,” was added to the team and replaced Decker as leader, the lawsuit alleges.
“The university has allocated significant resources to maintain compliance with these and other federal requirements,” Penn State spokesperson Wyatt Dubois said in a statement to Penn State’s campus newspaper. “Penn State has worked and continues to work cooperatively and collaboratively with the government to address any questions.”