US Government Reaches $8.4 Million Cybersecurity Settlement with Raytheon and Affiliates
The U.S. Department of Justice (DoJ) announced an $8.4 million settlement with Raytheon Company, its parent RTX Corporation, and affiliated firm Nightwing Group.


On Thursday, the U.S. Department of Justice (DoJ) announced an $8.4 million settlement with Raytheon Company, its parent RTX Corporation, and affiliated firm Nightwing Group, over allegations that the defense contractors failed to meet federal cybersecurity requirements.
Background and Scope of the Case
The case centers on cybersecurity compliance violations under 29 contracts and subcontracts Raytheon and its subsidiary, Raytheon Cyber Solutions, Inc. (RCSI), held with the U.S. Department of Defense (DoD) between 2015 and 2021. These contracts required adherence to federal cybersecurity protocols aimed at safeguarding sensitive defense-related data.
Nightwing Group, a cybersecurity and intelligence firm that spun off from RTX, was also named in the suit. Though not central to the violations, the company's involvement stems from its historical link to the RTX family of companies.
In 2015, Raytheon was awarded a $1 billion cybersecurity contract with the Department of Homeland Security (DHS), making its compliance with federal security standards critically important.
Failure to Comply with DFARS and FAR Regulations
Under the Defense Federal Acquisition Regulation Supplement (DFARS) and the Federal Acquisition Regulation (FAR), contractors are required to implement robust cybersecurity controls on systems that process or store Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
However, according to the settlement, Raytheon and RCSI failed to implement such controls. Specifically, the companies did not apply an approved system security plan to an internal development system used to handle DoD-related projects. The Department of Justice alleges this non-compliance continued for several years, during which time Raytheon knowingly submitted false claims for work performed using the insecure system.
It wasn't until 2020 that the company disclosed the compliance failure to its government clients and transitioned to a properly secured system.
Settlement Terms and Whistleblower Involvement
Although Raytheon has not admitted to any wrongdoing, the company agreed to pay $8.4 million to settle the allegations. The settlement includes:
- $4.2 million in restitution for the government contracts affected.
- $4.2 million in interest, bringing the total to $8.4 million.
The case originated from a whistleblower lawsuit filed by Branson Kenneth Fowler, a former Raytheon director, under the False Claims Act. The act allows private individuals to sue on behalf of the government and share in any recovery. As part of the settlement, Fowler will receive $1.5 million.
Federal Perspective on Cybersecurity in Defense Contracting
This case highlights the U.S. government’s ongoing effort to hold contractors accountable for cybersecurity lapses, particularly when such failures jeopardize sensitive national security data.
“The settlement resolved allegations that Raytheon used its noncompliant internal system to develop, use, or store covered defense information and federal contract information during its performance on 29 DoD contracts and subcontracts,” the Department of Justice said in a press release.
Context: Broader Regulatory Scrutiny
The settlement follows a broader pattern of regulatory scrutiny aimed at large defense and technology contractors. Just months earlier, in October 2024, Raytheon agreed to pay $950 million to resolve a different set of federal investigations. That settlement involved:
- Allegations of defective pricing on government contracts.
- Violations of the Foreign Corrupt Practices Act (FCPA).
- Infractions under the Arms Export Control Act (AECA).
- Breaches of the International Traffic in Arms Regulations (ITAR).
These cases collectively underline the increasing pressure placed on defense contractors to comply not only with traditional procurement standards but also with stringent cybersecurity and anti-corruption laws.
Conclusion
This recent $8.4 million settlement sends a strong message to federal contractors: cybersecurity compliance is not optional. As the U.S. government continues to invest in national security through digital platforms, maintaining secure and compliant systems is now a baseline expectation for doing business with federal agencies.