Raytheon Cybersecurity Settlement Highlights Cybersecurity Enforcement Risks Under False Claims Act
Capital – May 8, 2024 – A recent U.S. Department of Justice settlement with RTX Corporation, Raytheon Company, and others has brought to light emerging risks of non-compliance with cybersecurity requirements by federal contractors under the False Claims Act (FCA). Initiated by a whistleblower, the case involved alleged failures around cybersecurity measures. The $8.4 million settlement highlights the government's focus on stringent cybersecurity enforcement, prompting contractors to ensure due diligence. This focus underscores the need for proactive compliance measures.
Raytheon Settlement Highlights Cybersecurity Enforcement Risks Under False Claims Act
The U.S. Department of Justice (DOJ) recently announced an $8.4 million settlement with RTX Corporation (RTX), Raytheon Company (Raytheon), Nightwing Group LLC, and Nightwing Intelligence Solutions LLC (collectively, Nightwing). This settlement resolves allegations that Raytheon failed to comply with cybersecurity requirements in federal contracts, underscoring the government’s continued focus on cybersecurity enforcement under the False Claims Act (FCA).
The Raytheon Case: A Closer Look
The case originated from a qui tam lawsuit filed in August 2021 by Branson Kenneth Fowler, Sr., Raytheon’s former director of engineering. The suit alleged that Raytheon did not meet the cybersecurity controls outlined in the National Institute of Standards and Technology Special Publication 800-171 (NIST SP 800-171), which are mandatory for federal defense contractors and subcontractors.
The allegations centered on Raytheon’s internal network system, dubbed “DarkWeb.” According to the lawsuit, Raytheon allegedly:
- Used DarkWeb to store, transmit, and develop protected information for defense contracts despite the system’s non-compliance with NIST SP 800-171.
- Failed to develop the necessary system security plan for DarkWeb.
Raytheon notified certain government contractors in May 2020 that its information system might not comply with federal cybersecurity regulations. Afterward, the company deployed a replacement system and ceased using DarkWeb. However, the settlement asserts that Raytheon’s alleged failure to implement mandated security requirements on DarkWeb rendered all claims for federal contracting work performed on the system false.
The defendants deny these allegations but agreed to pay US$8.4 million to resolve the allegations.
U.S. Department of Justice
As the qui tam relator, Mr. Fowler will receive over $1.5 million in connection with the settlement.
Successor Liability and Due Diligence
The conduct in question occurred between 2015 and 2021, before Nightwing purchased RTX’s cybersecurity business in 2024. This highlights the significant risk of successor liability and the critical importance of assessing a target’s cybersecurity compliance during due diligence in mergers and acquisitions.
Recommendations for Enhanced Cybersecurity Compliance
Defense contractors and other recipients of federal funds, including colleges and universities, should consider the following steps to enhance cybersecurity compliance and mitigate FCA risk:
- Catalog and monitor compliance with all government-imposed cybersecurity standards. Ensure a thorough list of all cybersecurity requirements and covered systems. These requirements can stem from prime contracts, subcontracts, grants, or other federal programs. Continuously monitor and assess the organization’s cybersecurity program to identify vulnerabilities and ensure compliance, including third-party relationships.
- Develop and maintain a robust and effective compliance program that addresses cybersecurity issues. Integrate the compliance program and information security functions. An effective program will address cybersecurity concerns and encourage employees to report them. Promptly escalate and investigate identified concerns.
- Evaluate potential next steps when non-compliance with cybersecurity standards is identified. Determine whether to disclose the matter to the government and cooperate with investigators. Engage experienced counsel to proactively map out a strategy for investigating and responding to potential non-compliance.
- Implement robust diligence for compliance with cybersecurity requirements in mergers and acquisitions. Identify cybersecurity requirements in contracts and verify compliance. If thorough due diligence is not feasible before closing, conduct a post-closing assessment to identify and remediate problems promptly.
Disclaimer: This article provides general information and should not be considered legal advice. Consult with a specialist for advice tailored to your specific circumstances.