skip to Main Content
Digital Infographic highlighting the key concepts behind risks of noncompliance. The graphic depicts elements mentioned in the Raytheon Settlement with a gavel to represent the legal repercussions. The graphic also highlights the importance of solutions like RegDOX and how audit-ready compliance tools are necessary to operate in this industry.

Raytheon Settlement: $8.4 Million Exposes Cybersecurity Risks

In this FCA Blog Series
1. False Claims Act and Cybersecurity: A New Era of Compliance Risk
2. Raytheon Settlement: $8.4 Million Exposes Cybersecurity Risks
3. Stacking the Settlements: Five Cyber FCA Cases, One Clear Direction
4. Five Predictions for FCA Cyber Litigation in the CMMC Era

On May 1, 2025, the U.S. Attorney’s Office announced a significant Raytheon settlement involving Raytheon Company, its parent RTX Corporation, and successor Nightwing Group. The parties agreed to pay $8.4 million to resolve allegations of failing to implement required cybersecurity controls on Department of Defense contracts. Notably, the alleged failures took place between 2015 and 2021—before Raytheon’s cyber unit was sold—showing how Raytheon settlement liability can transfer to successors after acquisition.

Background: The Qui Tam Complaint and Cybersecurity Allegations

The Raytheon settlement arose from a qui tam lawsuit filed under the False Claims Act (FCA). According to the complaint, Raytheon operated an internal system known as “DarkWeb” to handle Controlled Unclassified Information (CUI) related to 29 DoD contracts. The network allegedly lacked essential cybersecurity safeguards mandated by federal regulations, including:

Because these cybersecurity deficiencies violated contract terms requiring affirmative certification, plaintiffs argued that every invoice Raytheon submitted under these contracts was false—ultimately, leading to the settlement.

Key Aspects of the Raytheon Settlement

Whistleblower Reward

Branson Fowler, a former engineering director at Raytheon, played a critical role in bringing the case to light. Fowler will receive approximately $1.5 million, about 18% of the $8.4 million Raytheon settlement, emphasizing the importance of whistleblower protections in federal contracting.

No Admission of Liability

While the settlement resolves the allegations, Raytheon denies any wrongdoing. The agreement serves to close the case without an admission of fault, a common outcome in complex compliance settlements.

Successor Liability Highlighted

A crucial lesson from this settlement is the concept of ‘successor liability’. Nightwing Group, which purchased Raytheon’s cyber unit after the alleged misconduct, remains financially responsible. This case underscores the importance of cyber due diligence during mergers and acquisitions in the defense sector.

Practical Takeaways for Contractors from the Raytheon Settlement

Legacy Systems Carry Risks

The Raytheon settlement underscores that even legacy or internal networks managing (CUI) must comply with DFARS and NIST cybersecurity standards. Failure to maintain compliant systems can lead to severe legal and financial consequences.

Importance of Documented Compliance Plans

Missing or incomplete System Security Plans (SSPs) can transform technical compliance issues into violations of the False Claims Act, as demonstrated by the Raytheon settlement. Contractors should prioritize maintaining detailed, updated SSPs.

Cybersecurity Due Diligence in M&A

This settlement serves as a warning for buyers in the Defense Industrial Base (DIB): cyber compliance history must be carefully evaluated alongside financials and export controls. Ignoring this can result in inherited liabilities.

Conclusion: Lessons from the Raytheon Settlement

The Raytheon settlement reinforces that cybersecurity compliance is not only a technical issue but a legal and contractual obligation for defense contractors. Maintaining strong controls, thorough documentation, and rigorous due diligence is essential to mitigate risks—especially during corporate transitions. Join us next week as we look further into ‘FCA Cyber Penalties’.

For more information regarding this series overview, visit False Claims Act and Cybersecurity.

About RegDOX

At RegDOX Solutions Inc., we help defense contractors and high-security organizations simplify compliance with ITAREARDFARSNIST SP 800-171, and CMMC requirements. Our secure, cloud-based platforms combine end-to-end encryptionaccess controls, and audit-ready documentation to keep your data—and your contracts—safe.

Need help navigating evolving cybersecurity regulations?

Request a Compliance Demo
Or contact us directly at info@regdox.com

Click to rate this post!
[Total: 0 Average: 0]

This Post Has 0 Comments

Leave a Reply

Your email address will not be published. Required fields are marked *

Back To Top