On May 1, 2025, the U.S. Department of Justice (DOJ) announced a settlement under the False Claims Act (FCA) involving defense contractors Raytheon Company (Raytheon), RTX Corporation (RTX), and Nightwing Group—the successor owner to one of Raytheon’s cybersecurity business lines (collectively “the Companies”). The Companies agreed to pay $8.4 million to resolve allegations of noncompliance with federal cybersecurity requirements. Of this amount, approximately 18%—or $1,512,000—will be awarded to the whistleblower (or “Relator”) who initiated the FCA case, pursuant to the statute’s qui tam provisions. The violations pertain to twenty-nine (29) contracts and subcontracts with the Department of Defense (DoD) between 2015 and 2021.
The Relator, a former Director of Engineering at Raytheon, filed the qui tam complaint on August 31, 2021, in the U.S. District Court for the District of Columbia (United States ex rel. Doe v. Raytheon Co., No. 21‑cv‑2343 (D.D.C.)). Raytheon, a subsidiary of RTX, sold its Cybersecurity, Intelligence, and Services (CIS) business—including Raytheon Cyber Solutions, Inc. (RCSI)—on March 29, 2024. The business was subsequently renamed Nightwing Intelligence Solutions, LLC, and became part of the Nightwing Group. Although the cybersecurity deficiencies occurred prior to the acquisition, Nightwing assumed liability as the successor owner to the CIS business.
The settlement resolves claims that Raytheon and RCSI violated key cybersecurity clauses in federal procurement regulations, including:
DFARS 252.204-7008 and 252.204-7012, which require DoD contractors to implement the security controls outlined in NIST SP 800-171 to ensure adequate protection of covered contractor information systems; and
FAR 52.204-21, which mandates the implementation of fifteen (15) basic safeguarding requirements for covered contractor information systems, such as restricting access to authorized users, sanitizing media before disposal, protecting against malware, and conducting periodic system scans.
Notably, the violations did not result in a known cybersecurity incident or demonstrable harm to the government. Instead, the case focuses on Raytheon’s use of a development network—referred to as “1.0”—for unclassified work. The Company stored Covered Defense Information (CDI) on this network without implementing the required NIST SP 800-171 controls, including the development of a System Security Plan (SSP). The SSP is a foundational requirement under NIST SP 800-171, detailing how an organization meets each of the 110 prescribed security controls.
In fact, and somewhat unexpectedly, Raytheon is reported to have informed certain government clients in May 2020 that version 1.0 was not compliant with DFARS 252.204-7012 and FAR 52.204-21. The Company further indicated that it was in the process of developing a new environment intended to implement NIST SP 800-171, which would ultimately replace 1.0.
This settlement follows similar DOJ actions involving MORSECORP, Centene and its subsidiary HealthNet, and underscores the DOJ’s continued use of the FCA to enforce cybersecurity compliance under its Civil Cyber Fraud Initiative.
Alston’s Privacy, Cyber, and Data Strategy and False Claims Act teams continue to monitor developments in this space, including the DOJ’s intervention in the case against Georgia Tech, which is scheduled for a settlement conference at the end of the month.