Why Ownership Questions Reveal Governance Gaps Sarah was preparing documentation for an upcoming compliance review…
Raytheon Settlement: $8.4 Million Exposes Cybersecurity Risks
2.
Raytheon Settlement: $8.4 Million Exposes Cybersecurity Risks
On May 1, 2025, the U.S. Attorney’s Office announced a significant Raytheon settlement involving Raytheon Company, its parent RTX Corporation, and successor Nightwing Group. The parties agreed to pay $8.4 million to resolve allegations of failing to implement required cybersecurity controls on Department of Defense contracts. Notably, the alleged failures took place between 2015 and 2021—before Raytheon’s cyber unit was sold—showing how Raytheon settlement liability can transfer to successors after acquisition.
Background: The Qui Tam Complaint and Cybersecurity Allegations
The Raytheon settlement arose from a qui tam lawsuit filed under the False Claims Act (FCA). According to the complaint, Raytheon operated an internal system known as “DarkWeb” to handle Controlled Unclassified Information (CUI) related to 29 DoD contracts. The network allegedly lacked essential cybersecurity safeguards mandated by federal regulations, including:
-
A System Security Plan (SSP) compliant with NIST SP 800-171.
-
Required security controls under DFARS clause 252.204-7012.
-
Continuous monitoring and audit capabilities per FAR clause 52.204-21.
Because these cybersecurity deficiencies violated contract terms requiring affirmative certification, plaintiffs argued that every invoice Raytheon submitted under these contracts was false—ultimately, leading to the settlement.
Key Aspects of the Raytheon Settlement
Whistleblower Reward
Branson Fowler, a former engineering director at Raytheon, played a critical role in bringing the case to light. Fowler will receive approximately $1.5 million, about 18% of the $8.4 million Raytheon settlement, emphasizing the importance of whistleblower protections in federal contracting.
No Admission of Liability
While the settlement resolves the allegations, Raytheon denies any wrongdoing. The agreement serves to close the case without an admission of fault, a common outcome in complex compliance settlements.
Successor Liability Highlighted
A crucial lesson from this settlement is the concept of ‘successor liability’. Nightwing Group, which purchased Raytheon’s cyber unit after the alleged misconduct, remains financially responsible. This case underscores the importance of cyber due diligence during mergers and acquisitions in the defense sector.
Practical Takeaways for Contractors from the Raytheon Settlement
Legacy Systems Carry Risks
The Raytheon settlement underscores that even legacy or internal networks managing (CUI) must comply with DFARS and NIST cybersecurity standards. Failure to maintain compliant systems can lead to severe legal and financial consequences.
Importance of Documented Compliance Plans
Missing or incomplete System Security Plans (SSPs) can transform technical compliance issues into violations of the False Claims Act, as demonstrated by the Raytheon settlement. Contractors should prioritize maintaining detailed, updated SSPs.
Cybersecurity Due Diligence in M&A
This settlement serves as a warning for buyers in the Defense Industrial Base (DIB): cyber compliance history must be carefully evaluated alongside financials and export controls. Ignoring this can result in inherited liabilities.
Conclusion: Lessons from the Raytheon Settlement
The Raytheon settlement reinforces that cybersecurity compliance is not only a technical issue but a legal and contractual obligation for defense contractors. Maintaining strong controls, thorough documentation, and rigorous due diligence is essential to mitigate risks—especially during corporate transitions. Join us next week as we look further into ‘FCA Cyber Penalties’.
For more information regarding this series overview, visit False Claims Act and Cybersecurity.
About RegDOX
At RegDOX Solutions Inc., we help defense contractors and high-security organizations simplify compliance with ITAR, EAR, DFARS, NIST SP 800-171, and CMMC requirements. Our secure, cloud-based platforms combine end-to-end encryption, access controls, and audit-ready documentation to keep your data—and your contracts—safe.
Need help navigating evolving cybersecurity regulations?
Request a Compliance Demo
Or contact us directly at info@regdox.com
Click to rate this post!
[Total: 0 Average: 0]

This Post Has 0 Comments