Compare this to the conversation on stackexchange yesterday where a small company CTO was worried about lying about pentesting.

The exact same ethical issues and commercial incentives apply in 10 person teams and 2BN grants.

It looks to me like we need something like professional engineer status at any given organisation that has independent and legal personal sign-off.

(i.e. a railway engineer can, for example, simply stop the £10bn HS2 railway project by not signing off one piece of paper. And the management know that. And so they have to deal with him, whoever he is.)

The CISO of even Penn State has no such leverage.

Edit: I think we should look first to see what balance of powers exists in an organisation. Labour represented by unions? Management vs tech? Sales vs everyone else?
This local news source actually embedded the complaint [0].

I don't have time to go into it in detail right now, but it looks like the other comment [1] is correct that the modified headline on HN is very wrong: the $2 billion dollar contract went to the ARL and not Penn State proper. The complaint says that the ARL is "physically, logically, and operationally separated from the Penn State campus". The CIO of the ARL is alleging that Penn State proper lied on its documents, but the $2 billion contract is not involved in the allegations.

[0] https://www.wtaj.com/news/local-news/lawsuit-penn-state-being-sued-for-claims-of-falsified-reports-of-cybersecurity/

[1] https://news.ycombinator.com/item?id=37545601
A bit more info here:

https://www.jdsupra.com/legalnews/recent-cyber-related-false-claims-act-5531892/

It mentions that “on September 1, 2023, the court unsealed a qui tam lawsuit against Penn State University” (the lawsuit being discussed here).

Where is it possible to see the lawsuit doc(s)?
I know there are more important parts of this story than the names of the individuals involved; but I can’t get over how the guy’s lawyer is named “Darth Newman”.
Corrected article.

Edit: The original article has several errors. This article is much more accurate.

https://www.psucollegian.com/news/campus/penn-state-whistleblower-alleges-university-did-not-protect-sensitive-government-information-pass-compliance-requirements/article_7d4a1f46-4921-11ee-b89c-5bb527580f51.html
The title is false. The 2B has nothing to do with lying about IT security. The 2B went to the Applied Research Lab and the CISO was at Penn State University. 2 completely different entities.

Penn State University had the IT fraud. The Applied Research Lab (ARL) had the 2B contract ceiling (also incorrect, not awarded 2B). The ARL CISO reported the university CISO for IT fraud.

Corrected article:

https://www.psucollegian.com/news/campus/penn-state-whistleblower-alleges-university-did-not-protect-sensitive-government-information-pass-compliance-requirements/article_7d4a1f46-4921-11ee-b89c-5bb527580f51.html
I know what I’m going to bring up in my CMMC compliance call tomorrow.

The university I am an information security engineer for has been working for years to become CMMC level 2 compliant.

Penn State using public cloud (assuming Azure) and the commercial Office 365 would place them about 18-24 months away from being able to pivot to GCC or GCC-High. That is assuming they have the staff and capabilities to do this.

That doesn’t include all of the policies and other paper processes that need to happen.

Hopefully there are consequences for this level of deception.
I’m curious whether the government certification / reporting process is punitive in nature and perhaps provides incentives to fabricate compliance. I’ve led a fintech startup through IT security audits mandated by top US banks and found them to be highly collaborative and helpful. Much less of a “pass/fail” judgement and more “you’ve made it to X on your own; here’s some resources on how to hit Y affordably so we can begin to do business.”
NIST 800-171, if that's what this is, is actually a decent set of regulations. I find, however, that the software solutions that are available drive companies to use just a few solution providers, which creates concentrated points of vulnerability.
Buried on page 4 now.

93. Whistleblower CISO says PennState lied about IT security to win $2B from US gov (centredaily.com) 54 points by jollofricepeas 2 hours ago | flag | hide | 38 comments
> Contractors like Penn State are required to self-attest to compliance with 110 security requirements spelled out by the National Institute of Standards and Technology; there is no oversight, Newman wrote.

> The self-reported scores must be submitted before a defense contract is renewed or awarded. At least 20 records submitted to the government were falsified, the lawsuit alleged.

If you're not going to do any actual verification of the security of a subcontractor and just ask them to "self assess", with a significant financial incentive for them to lie to win a contract, you can't be too surprised when they... lie to win the contract.