DOJ announced an $8.4 million False Claims Act settlement on April 4, 2025 with Raytheon Company, RTX Corporation, and Nightwing Group LLC (with Nightwing Intelligence Solutions LLC) over allegations that Raytheon failed to comply with cybersecurity requirements in DoD contracts. Coverage from DOJ and PilieroMazza.
The conduct at issue
Raytheon and then-subsidiary Raytheon Cyber Solutions (RCSI) failed to implement required cybersecurity controls on an internal development system used to perform unclassified work on DoD contracts. The government alleged Raytheon and RCSI never developed and implemented a System Security Plan for the system — the specific deliverable required by DFARS 252.204-7012 — and failed to ensure the system met other DFARS 252.204-7012 / FAR 52.204-21 controls.
Why it's the template
The settlement is being cited across the bar as the template for cybersecurity-FCA enforcement. SSP existence is a cheap, document-driven check; failure to produce one is the easiest qui tam case for relators and DOJ to bring.
What to do
- Audit every internal development environment that touches CUI — confirm an SSP exists, is current, and is approved
- Cross-walk DFARS 252.204-7012 paragraph (b) controls to NIST SP 800-171 implementation status
- If you self-attest at SAM.gov, lock down the certification chain: the certification is the FCA hook