Raytheon & Nightwing to Pay $8.4M in Cybersecurity Compliance Settlement

Defence contractors Raytheon Company, RTX Corporation and Nightwing Group LLC have agreed to pay $8.4 million to settle allegations of non-compliance with Department of Defense (DoD) cybersecurity requirements. The resolution underscores growing regulatory scrutiny of cyber controls across the defence supply chain.

Cybersecurity Failures Trigger False Claims Act Enforcement

The US Department of Justice announced on 1 May 2025 that Raytheon and Nightwing Group will jointly pay $8.4 million to resolve claims that they violated the False Claims Act by failing to adhere to mandatory cybersecurity standards under federal contracts.

The violations relate to the period 2015 to 2021, when Raytheon allegedly failed to implement key security measures required under the Federal Acquisition Regulation (FAR) 52.204-21 and the Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012. These regulations mandate the protection of federal contract information and covered defence information through system security plans and adequate safeguarding protocols.

Deficient Security on Development Systems

At the core of the allegations is the claim that Raytheon Cyber Solutions Inc., then a Raytheon subsidiary, failed to implement cybersecurity controls on an internal development system used for unclassified DoD work. The company allegedly neglected to establish a system security plan and did not meet other critical requirements for securing sensitive government data.

This internal system, despite lacking the required safeguards, was reportedly used to store and process protected information under 29 separate DoD contracts and subcontracts.

Corporate Changes & Liability

Raytheon, now a subsidiary of RTX Corporation, had transferred its cybersecurity, intelligence and services business to Nightwing Group in March 2024. Although the alleged conduct predates this acquisition, Nightwing has agreed to share in the settlement. RTX Corporation, previously known as Raytheon Technologies Corporation, retains residual liability due to its historical oversight of the operations in question.

Strong Message from Federal Authorities

Federal authorities emphasised the broader implications of this settlement. US Attorney Edward R. Martin Jr. stated:

Other senior officials from the Department of Defense Criminal Investigative Service (DCIS), Air Force Office of Special Investigations (AFOSI), Naval Criminal Investigative Service (NCIS) and Army Criminal Investigation Division echoed concerns about the national security risks posed by inadequate cybersecurity protections.

Whistleblower Receives Over $1.5 Million

The settlement resolves a qui tam lawsuit filed by Branson Kenneth Fowler, Sr., a former Director of Engineering at Raytheon, under the False Claims Act’s whistleblower provisions. Fowler will receive $1.512 million as part of the resolution.

The case, U.S. ex rel. Doe v. Raytheon Co. et al., No. 21-cv-2343 (D.D.C.), was investigated by the Justice Department’s Civil Division and the US Attorney’s Office for the District of Columbia, with the support of multiple DoD investigative bodies.

Key Takeaway for Defence Contractors

This case serves as a stark reminder that failure to implement required cybersecurity measures can not only compromise national security but also expose contractors to significant legal and financial consequences. The US government is continuing to enforce cyber obligations under federal procurement rules, signalling a zero-tolerance approach to misrepresentation and lax compliance in this high-risk domain.

Read the press release here.