Raytheon, its parent company RTX, and tech vendor Nightwing Intelligence Solutions agreed to pay $8,400,000 to resolve charges that Raytheon breached the False Claims Act (FCA) when it failed to adhere to NIST cybersecurity standards in government contracts that involved storing and transmitting defense information. Nightwing, which acquired Raytheon’s cybersecurity business in 2024, is its successor in liability.
The claim, initiated qui tam by a private relator, alleged that Raytheon failed to develop the “system security plan” required by NIST cybersecurity standards for an internal development network that was used to execute unclassified Department of Defense contracts and subcontracts.
A system security plan is required by NIST SP 800-171, the set of security requirements that was incorporated into Raytheon’s contracts with the United States. That, according to the settlement order, made Raytheon’s submission of claims involving its development network false.
The required system security plan had to provide “information to enable assessment of the contractor’s system, including by describing system boundaries, system environments of operation, how security requirements are implemented, and the relationships or connections to other systems.”
Basic safeguarding requirements
The government claimed that Raytheon also breached Federal Acquisition Regulation 52.204-21, which requires federal contractors to apply “basic safeguarding requirements and procedures.”
The contracts required Raytheon to develop a system security plan by the end of 2017. According to the settlement order, Raytheon noticed in 2020 that it was not in compliance with the Federal Acquisition Regulations and notified its government customers. Raytheon lacked a system security plan from 2015 to June 2021, when the issue was finally remediated.
To settle the charges, Raytheon will pay $8,400,000, of which $1,512,000 will be paid to the qui tam relator. The settlement did not require Raytheon to admit wrongdoing.
The FCA provides for treble damages (3x) on each false claim submitted to the government and allows actions to be initiated by private relators, who share in a fraction of the recovery.
The constitutionality of qui tam is currently being challenged in court.
This is not the first time in recent memory that Raytheon has run afoul of the False Claims Act. Last year, it settled for $950m with the DOJ over violations of the FCA, the Foreign Corrupt Practices Act (FCPA), and export controls. In that case, the Department of Defense alleged that Raytheon had caused it to pay $111m more than it should have under contracts to buy Patriot missiles.
Cybersecurity enforcement still a priority
“Cyber threats have grown in size and reach in recent years, leaving no room for complacency among those in the public sector, private sector, or even among private citizens,” said US Attorney Edward R. Martin Jr. for the District of Columbia.
The settlement, and that statement, show that the Trump administration is still actively pursuing the stringent cybersecurity enforcement actions begun under the Biden administration.
While certain financial markets regulators (SEC, CFTC) have stated their intent to scale back aggressive enforcement of cybersecurity disclosure requirements through lawsuits, the DOJ has evidently not agreed to equally pull back on FCA cybersecurity enforcement.
The action against Raytheon marks the DOJ’s third cybersecurity FCA settlement of the year, including a prominent $11m settlement with a healthcare services contractor in February, and another with a defense contractor in March.
But NIST, the federal agency that develops the same cybersecurity standards that the government relies on to formulate its contractual requirements, is facing serious budget and personnel cuts at the hands of the Department of Government Efficiency, leading some to question its future vitality.