What We Can Learn from Penn State’s
Author: Randy Griffith, Senior Security Consultant, CISO Global
Penn State University is in hot water again for legal and compliance violations. This time, the activities in question are related to the university’s claim to be compliant under NIST SP 800-171, as required by Executive Order 13556 (2019). As a contractor and partner of the U.S. Government, Penn State is required to implement a minimum set of security controls around Controlled Unclassified Information (CUI) it collects, creates, or handles as part of its partnership with the government. CUI data has very specific requirements around its handling and protection. United States of America ex rel. Matthew Decker vs. Pennsylvania State University alleges that the university’s claims to be compliant were false, supported by claims that they failed to protect CUI appropriately, which constitutes a violation under the False Claims Act.
As defined in the case brief, CUI is data that is “owned or created by the government that is sensitive, but not classified, such as technical data, patents, or information related to the manufacture or acquisition of goods and services.” Universities regularly apply to become partners of the U.S. Government in technology and data science, building, testing, and documenting solutions that assist with functions of the government. This could be military or civilian in nature. While these projects may not be considered “top secret”, they are certainly required to be secured. So, any contractor wishing to partner with the government in this way must meet federal regulators’ expectations for protecting the associated information, which amounts to trade secrets.
The National Institute of Standards and Technology (NIST) Special Publication 800-171 outlines the minimal requirements that need to be met, so it’s not like Penn State didn’t know what was required of them. The way regulation works is that once a standard is created, it’s incumbent upon organizations that are under compliance to do the research around what needs to be done, invest the time and money needed to ensure they’ve done it, then provide evidence that demonstrates their compliance. This typically involves getting a gap assessment, which is an evaluation performed by an audit and compliance expert detailing the difference between where an organization is currently, and what they are expected to be doing in order to be compliant. In a gap assessment report, there would be a prioritized list of next steps that need to be taken. For example, Organization X might need to become Cyber Maturity Model Certification (CMMC) compliant. They will typically have a gap assessment performed, then use the assessment report as a roadmap, ticking off items one at a time. At the end of this process, they will have a full audit performed which they will either pass or fail. Auditors will dig into documentation, perform interviews, review written policies, and more as part of this process. Falsifying any documentation or steps would not only be a compliance failure but could put an organization’s entire program at risk.
As a compliance professional, I see the U.S. Government’s act of holding Penn State accountable here as part of a larger effort from Uncle Sam and the Justice Department to hold contractors and subcontractors accountable for cybersecurity they have agreed to put in place. It’s time for America to embrace the realities of stricter regulation. As a concept, self-regulation and relying on personal or corporate conscience to meet expectations, thereby skipping the need for regulators and hefty punishments, sounds wonderful. In that ideal world, everyone does what they are supposed to. However, most of us know that many people won’t do what they need to…until they have to.
Many organizations have watched the rollout and enforcement of the General Data Protection Regulation (GDPR) in the European Union a lot like armchair quarterbacks. When the GDPR was released, smug corporate executives said they’d rather just quit doing business in the EU than meet compliance. Yet, many have since done the work to comply, as EU regulators have made examples out of Facebook, Google, and other companies found to be in violation of GDPR requirements, slapping them with millions in fines. What United States of America ex rel. Matthew Decker vs. Pennsylvania State University signals is that it’s time to do away with the perception that U.S. organizations can operate like it’s the Wild West and continue in relative safety. For example, some organizations have stalled on taking steps to meet compliance under the federal CMMC 2.0, waiting to see if there will actually be any teeth behind the outlined requirements.
I guess my question to organizations that want to continue down the same road and only meet compliance requirements when they start seeing fines doled out is, how many more Penn States do you need to see in order to commit? And why are you waiting for compliance requirements to take steps that will make you more secure? These frameworks are designed to ensure a minimum level of maturity in your cybersecurity program. Why would you only want to meet the minimum? Why not create a robust program that will protect you from data theft, ransomware, and other attack types, and find yourself compliant by default? At CISO Global, we help organizations take a risk-based approach to compliance, maturing their security programs with steps that will also help them demonstrate compliance. It’s the fastest, most cost-effective way to keep yourself from losing profits to thieves and paying fines to regulators.
If you have compliance requirements such as CMMC 2.0, GLBA, FedRAMP, or other frameworks and you aren’t certain you are compliant with these requirements, allow CISO to put your mind at ease. We have training for CMMC and other requirements, as well as a team of advisory experts who can help your organization become and remain compliant regardless of the framework. For us, cybersecurity is a culture, not a product.