Oversight to Insight: Learnings from the Penn State Compliance Lawsuit

Written by Shelby Imes | Sep 19, 2023 9:26:39 PM

Caught in the crosshairs of compliance, Penn State's recent lawsuit is more than just a headline—it's a cautionary tale for the academic world.

Recently, R1 universities have found themselves grappling with new compliance challenges as the federal government suits up and zeroes in on strengthening its cybersecurity posture.

So, what went wrong at Penn State, and what can other institutions glean from their missteps?

What's Happening?

According to SC Media, the U.S. government is suing Penn State University under the False Claims Act. The government claims that Penn State misled or lied about following government cybersecurity requirements when it worked on federal contracts. The lawsuit is based on claims made by Matthew Decker, the chief information officer (a high-ranking IT official) at a Penn State research lab. He also held a temporary high-ranking IT position at Penn State in 2016.

Penn State, like many other institutions that work with the Department of Defense, handles CUI (Controlled Unclassified Information): sensitive data that isn't classified, but still needs to be managed securely. Institutions like Penn State are required to prove they're protecting controlled unclassified information by following guidelines issued by the National Institute of Standards and Technology (NIST), including NIST SP 800-171, which codifies the cybersecurity requirements that must be followed when handling CUI. This involves 22 specific rules that cover things like digital security, physical protection, audits, risk checks, and ensuring everything is set up securely.

Right now, many organizations just have to assure the government they're following these rules. But the government and Decker say Penn State has been lying about following these rules.

What Did Penn State Do?

The lawsuit alleges that although Penn State claimed it had been following the rules since December 31, 2017, it wasn't. Decker claims that after he left his temporary role, he noticed missing records for some university projects. Instead of properly addressing this, the university simply uploaded template documents to make it appear that it had the proper records.

In 2020, Penn State changed their cloud storage service to one that wasn't approved by the federal government. In 2022, when there were concerns about Penn State's contracts with NASA, Penn State's new temporary IT head said they were compliant with NIST 800-171 security standards because of a specific university policy. But a later review showed that Penn State hadn't been compliant for a while… since January 1, 2018 to be exact.

The Bigger Picture: A Federal Crackdown on Cybersecurity

This lawsuit against Penn State is part of a bigger effort by the U.S. Department of Justice to make sure that government contractors and subcontractors are honest about their cybersecurity efforts. For many, it feels like the latest shockwave in a series of recent federal moves to prioritize cybersecurity, evidenced by executive orders, publicized security strategies, state and local cyber grants, and tightened security requirements like CMMC 2.0, FTC Safeguards, and more. R1 institutions feel the aftershock, particularly those that do research for federal agencies like the Department of Defense (DoD).

The government started a new effort to investigate false claims related to cybersecurity in government contracts. The goal is to find and discourage weak cybersecurity practices in companies that work with the government. It's simple: weak practices could lead to government systems being compromised and sensitive information being exposed.

A different contractor, Aerojet Rocketdyne, faced a similar lawsuit from the Department of Justice in 2022, but that case ended in a $9 million settlement and ultimately dodged "example making." As a result, a clear precedent was never set.

What Can We Learn From the Penn State Debacle?

The Penn State lawsuit sends a resonating signal across the R1 university landscape: the stakes for compliance have never been higher. The heightened scrutiny from the Department of Justice underscores the baseline criticality of maintaining robust cybersecurity measures. For R1 institutions, this isn't just about averting lawsuits or penalties, but fundamentally about their core mission.

Research, often at the frontier of innovation and impacting global change, relies heavily on partnerships, funding, and collaborations with governmental entities. Non-compliance not only tarnishes reputations but can jeopardize these valuable partnerships, halting research efforts and stymieing academic progress.

It’s a watch-and-learn process. Here’s what you should be taking away from this incident, so your university doesn’t experience the same:

  1. Self-Reporting Isn't Enough: Relying on self-attestations or self-reporting can lead to complacency. Implementing third-party audits or security assessments, even before they become mandatory, can offer an objective evaluation of compliance efforts.
  2. Centralized vs. Decentralized Systems: When IT operations are spread across multiple units or departments, as in Penn State's case, it can be difficult to ensure uniform compliance. Schools should consider centralizing or closely coordinating their information systems and IT infrastructure to ensure consistent cybersecurity measures across the board.
  3. Detailed Record-Keeping: The incident with missing records emphasizes the importance of maintaining thorough documentation and an auditable trail. Institutions should invest in systems or platforms that automatically log and archive critical cybersecurity activities and decisions.
  4. Beware of Quick Fixes: Instead of genuinely addressing compliance issues, looking for shortcuts (like uploading template documents) can exacerbate vulnerabilities. Schools need to prioritize genuine solutions over superficial fixes.
  5. Cloud Services and Certification: Moving to new digital solutions or platforms, like cloud storage, should always be accompanied by a thorough security and compliance review. Institutions should ensure that any service they use, especially cloud services, is compliant with federal standards or has the necessary certifications, like FedRAMP.
  6. Continuous Education and Training: Regulations and threats evolve. Continuous training for IT staff and even faculty can help in understanding and staying updated with compliance requirements. Regular drills and simulations can also be beneficial.
  7. Transparency with Stakeholders: Institutions should maintain an open line of communication with their stakeholders about their cybersecurity framework and compliance efforts. This transparency can help foster trust and enable stakeholders to identify potential areas of improvement.
  8. Review and Update Institutional Policies: In the case of Penn State, an institutional policy was cited as the basis for compliance. Schools should periodically review their internal policies to ensure they align with evolving external standards.
  9. Feedback Loops: Create mechanisms for employees and stakeholders to raise concerns about potential compliance shortfalls. This way, potential issues can be caught and addressed early.
  10. Plan for Remediation: Even with the best precautions, there might be oversights. Schools should have a clear system security plan of action to address non-compliance issues when identified, including the allocation of resources, timelines, and responsible parties.
  11. Partner with Experts: Leverage partnerships with cybersecurity experts or firms that specialize in NIST (National Institute of Standards and Technology) SP 800-171 and CMMC regulations to guide and evaluate compliance efforts.

What Matters Most? The Data.

Incidents like Penn State's drive home a point: data protection in top-tier institutions like R1 universities isn't optional. With a mix of student records and groundbreaking research data, the stakes are far too high.

This is where a focused, data-centric approach to security becomes a game-changer. Virtru simplifies this. Instead of a blanket approach, it zeroes in on data at the object level, ensuring it’s protected and in your control whether in a complex system or on the move. It’s like having your unstructured data on a leash, with access controls always at your disposal even when the data has left your perimeter.

What sets Virtru apart? It's the smart automation, like instantly encrypting sensitive emails, which cuts down on mistakes. And if you're watching the budget, it's a more affordable choice than options like GCC High. The transition? Easier than you'd think, with Virtru's seasoned team guiding the way. It's more than a tool—it's a partnership built to understand the unique challenges of R1 institutions.

Looking to boost your data protection and meet standards like CMMC 2.0? Reach out to our team today.