Penn State pays DoJ $1.25M to settle cybersecurity compliance case

Pennsylvania State University has agreed to pay the Justice Department $1.25 million to settle claims that it misrepresented its cybersecurity compliance to the federal government and left sensitive data improperly secured. The settlement order between the DoJ and Penn State resolves allegations from a court case filed two years ago by a former university CIO who blew the whistle on the matter. Filing a case on behalf of the government (known as a qui tam complaint), Matthew Decker alleged that his former employer never implemented National Institute of Standards and Technology (NIST) cybersecurity requirements specified in contracts it had with the Pentagon and NASA. According to court documents, the DoJ took over the case to settle the matter, and its allegations are the same as Decker’s. The DoJ contends in its settlement agreement that Penn State failed to comply with NIST SP 800-171, which outlines requirements for how non-government entities must store controlled unclassified information (CUI).

Source: The Register

 

