Raytheon Company, RTX Corporation, and Nightwing Group LLC — the entity that acquired Raytheon's cybersecurity and intelligence business from RTX in March 2024 — paid $8,400,000 to the United States to resolve False Claims Act allegations that Raytheon Cyber Solutions Inc. failed to implement required cybersecurity controls on an internal development system used for unclassified Department of Defense contract work from 2015 through 2021, while certifying to the government that it was in compliance. Whistleblower Branson Kenneth Fowler Sr., a former Director of Engineering at Raytheon, will receive approximately $1.512 million — 18 percent of the government's recovery — under the FCA's qui tam relator provisions. The settlement was announced by the Department of Justice Civil Division, acting under the DOJ Civil Cyber-Fraud Initiative.

What Raytheon Allegedly Failed to Do

The complaint centers on Raytheon Cyber Solutions Inc. (RCSI), a former Raytheon subsidiary that provided cybersecurity and intelligence analysis services to DoD under multiple contracts and subcontracts between 2015 and 2021. RCSI operated an internal software development system — a computing environment used by its engineers to develop, test, and deploy the cybersecurity tools and software it delivered to government clients — that handled controlled, unclassified DoD information.

Under the Defense Federal Acquisition Regulation Supplement clause DFARS 252.204-7012, contractors and subcontractors handling covered defense information on unclassified systems must implement the 110 security controls specified in NIST Special Publication 800-171, "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations." RCSI allegedly failed to implement a number of these controls on its development system — leaving the environment that processed DoD information without the access controls, audit logging, configuration management, and other protections that NIST 800-171 mandates.

Beyond the technical non-compliance, RCSI allegedly failed to develop and maintain a System Security Plan — the documented plan required under NIST 800-171 that describes how an organization implements each security control, who is responsible for it, and how compliance is verified. The SSP is both a compliance artifact and a management tool; its absence suggests that RCSI's cybersecurity posture was not being systematically assessed or remediated.

Despite these deficiencies, RCSI's representations and certifications on its DoD contracts certified compliance with DFARS 252.204-7012 — the false statement that constitutes the predicate act for FCA liability. The contracts covered by the alleged non-compliance spanned 29 DoD contracts and subcontracts, according to the DOJ announcement.

The Nightwing Succession and Why It Matters

RTX sold Raytheon's cybersecurity and intelligence unit to private equity firm Veritas Capital in March 2024, renaming the acquired business Nightwing Group LLC. The FCA settlement binds Nightwing as the corporate successor to RCSI's liabilities — establishing an important precedent that cybersecurity FCA exposure travels with a business unit through M&A transactions.

For firms contemplating acquisitions in the defense cyber market, the Nightwing settlement signals that cybersecurity compliance history is a material due diligence item. A target company's DFARS 252.204-7012 compliance status, its System Security Plans, and the accuracy of its government compliance certifications are potential FCA liabilities that survive the acquisition and bind the acquirer. Buyers in defense cyber M&A should conduct thorough compliance audits covering NIST 800-171 implementation and the accuracy of past compliance certifications.

Civil Cyber-Fraud Initiative: The Pattern of Enforcement

The DOJ Civil Cyber-Fraud Initiative, launched in October 2021 by then-Deputy Attorney General Lisa Monaco, has now produced multiple significant settlements. The pattern is consistent: a whistleblower with insider knowledge of a contractor's cybersecurity posture files a qui tam complaint; DOJ investigates; the contractor settles rather than face the full treble damages and litigation costs of a contested FCA case.

The settlements to date — including Aerojet Rocketdyne ($9M in 2023 for CMMC-related compliance gaps), Verizon Business ($4.1M in 2022 for cloud security failures), and now Raytheon/Nightwing ($8.4M) — establish a consistent enforcement message: DFARS cybersecurity compliance certifications carry real FCA liability, whistleblowers are receiving substantial qui tam shares that incentivize reporting, and DOJ will pursue cases regardless of contractor size or political profile.

The Raytheon settlement also establishes that the Civil Cyber-Fraud Initiative applies retroactively to conduct as far back as 2015 — well before DFARS 252.204-7012 reached its current mature form. The regulation has been in effect in some form since 2013 and has required NIST 800-171 compliance since 2017; contractors who believed that pre-2017 conduct was not actionable should note that DOJ investigated and settled conduct dating to 2015.

CMMC and What This Means Going Forward

The Raytheon settlement comes as DoD's Cybersecurity Maturity Model Certification (CMMC) program enters its implementation phase. CMMC requires contractors handling controlled unclassified information to obtain third-party assessments of their NIST 800-171 compliance — replacing the current self-attestation model that allowed contractors to certify compliance without independent verification. The CMMC rule became effective December 16, 2024; DoD contracts began requiring CMMC assessments in phased rollout starting in 2025.

For contractors still relying on self-attestation for current contracts, the Raytheon settlement is a stark reminder: if your System Security Plan is incomplete, if your NIST 800-171 implementation has gaps, and if you have certified compliance in any government contract, you may have FCA exposure right now. The question is whether a whistleblower inside your organization knows about the gap.

What It Means for Contractors

  • Conduct an internal NIST 800-171 gap assessment immediately if your company handles controlled unclassified information on DoD contracts — identify any controls that are not fully implemented and document your remediation plan in your System Security Plan.
  • Review all compliance certifications in current contracts and task orders: if you have certified full NIST 800-171 compliance but have known gaps, you may need to update your representations or risk FCA exposure.
  • CMMC Level 2 third-party assessments, required for companies handling CUI, are now a legal shield as well as a compliance requirement — getting assessed and certified before a whistleblower complaint is filed dramatically reduces your FCA risk profile.
  • M&A due diligence: add cybersecurity compliance history — specifically DFARS 252.204-7012 compliance status, SSP completeness, and self-certification accuracy — to your standard due diligence checklist for defense company acquisitions. The Nightwing settlement confirms this liability travels through corporate succession.
  • Whistleblower risk is real: the $1.512 million relator share in this case is a substantial financial incentive for any employee who knows about cybersecurity compliance gaps to file a qui tam complaint. Foster a culture where employees can raise compliance concerns internally before they escalate to DOJ.