
Key lessons on the False Claims Act for government contractors after Raytheon’s $8.4 million settlement

July 15, 2025

Government contractors should be on high alert following the recent announcement that Raytheon Company, its parent RTX Corporation, and Nightwing Group, LLC, have agreed to pay $8.4 million to resolve allegations of violating the False Claims Act (FCA). The core issue was failing to meet mandatory cybersecurity standards required in their Department of Defense (DoD) contracts. This settlement serves as a stark reminder that cybersecurity compliance is not just an IT requirement; it is a critical business and legal obligation with significant financial consequences.

This is not a new or singular issue, and Raytheon isn’t alone. Several high-profile DOJ cybersecurity FCA cases were filed in recent years against Georgia Institute of Technology, Georgia Tech Research Corp., Guidehouse Inc., Nan McKay, and Insight Global LLC. Each case falls under the DOJ’s Civil Cyber-Fraud Initiative, which began in 2021.

What Happened in the Raytheon Case?

This case originated from a qui tam, or whistleblower, lawsuit filed in 2021 by a former Raytheon Director of Engineering. The lawsuit alleged that between 2015 and 2021, Raytheon had violated the terms of a contract with the Department of Defense by failing to meet the contractual cybersecurity requirements. Specifically, the allegation was that Raytheon used an internal system for work on numerous DoD contracts that did not meet the cybersecurity standards required by DFARS clause 252.204-7012 and FAR clause 52.204-21. These clauses mandate adherence to security controls, such as those in NIST SP 800-171, designed to protect Controlled Unclassified Information (CUI) and Covered Defense Information (CDI).

The government alleged that Raytheon failed to implement a required system security plan and did not ensure its system met other crucial cybersecurity benchmarks. The government contended that Raytheon submitted “false claims” when it submitted invoices under these contracts while purportedly not meeting these cybersecurity requirements.

Interestingly, in 2020, Raytheon self-reported to the government that certain systems used by Raytheon in support of various government contracts were not in compliance with DFARS and FAR security requirements. However, the government’s decision to still proceed with the lawsuit makes clear that it takes seriously its expectation for contractors to maintain “strict compliance with contractual cybersecurity requirements.” The government considers compliance to be of “dire importance to adequately safeguard sensitive information from sophisticated adversaries, assure the safety of our warfighters, and maintain our military’s competitive edge,” and it will investigate all entities that “do not responsibly protect critical information entrusted to them.”

Why This Matters for Your Business

This settlement highlights several critical points for all government contractors:

  1. The False Claims Act is a Powerful Cyber Enforcement Tool: This case underscores the Department of Justice’s commitment to using the FCA, particularly through its Civil Cyber-Fraud Initiative, to hold contractors accountable for cybersecurity failures. Failing to meet contractual cyber standards can be treated as fraud, leading to potentially massive penalties (treble damages plus penalties per claim).
  2. Compliance is Mandatory, Not Optional: Per applicable FAR and DFARS cybersecurity clauses, defense contractors must provide basic safeguards to systems that process or store CUI, including Covered Defense Information or Federal Contract Information, and provide adequate security for these systems. Simply “working on it” or having plans to comply isn’t enough; contractors must be compliant and be able to prove it.
  3. Whistleblowers Pose a Significant Risk: Employees, former employees, or even competitors can file qui tam lawsuits. As seen here, even self-reporting may not shield a company from liability if a whistleblower comes forward. This makes robust internal compliance and reporting mechanisms essential.
  4. Documentation is Key: Maintaining thorough records of cybersecurity programs, including System Security Plans, Plans of Action & Milestones (POA&Ms), assessments, and incident responses, is crucial for demonstrating compliance and defending against allegations.
  5. Successor Liability: Nightwing Group, which acquired the relevant Raytheon business unit in 2024 (after the period of alleged non-compliance), was both a defendant and jointly liable as part of the settlement. This emphasizes the need for thorough cybersecurity due diligence during mergers and acquisitions.

As this settlement clearly evidences the government’s increased focus on cyber enforcement, we strongly recommend that all Federal contractors and subcontractors adopt the following best practices:

  • Mandatory Requirements: Understand the specific cybersecurity clauses and applicable regulatory requirements (FAR, DFARS, NIST standards, etc.) applicable to each of your government contracts.
  • Appoint a Cybersecurity Team: Evaluate your needs and appoint a cybersecurity compliance point person (or team) responsible for establishing and maintaining a cybersecurity compliance plan.
  • Assess Your Compliance: Conduct a thorough, objective assessment of your current cybersecurity posture against these requirements. Don’t rely solely on self-attestation.
  • Bolster Documentation: Ensure your System Security Plan and any Plan of Action and Milestones (POA&Ms) documents are current, accurate, and actively managed.
  • Train Your Team: Make sure leaders and employees understand their cybersecurity responsibilities – on your prime contractor team and your subcontractors’ teams as well.
  • Review Incident Response Plans: Ensure you can meet the strict reporting requirements (e.g., 72 hours under DFARS).

The Raytheon settlement is a clear signal that the federal government is serious about cybersecurity requirements among the federal contracting community. Proactive steps to ensure and document compliance are the best defense against a potentially crippling FCA case. Please do not hesitate to reach out to our team if you would like to discuss your specific cybersecurity compliance obligations and risk mitigation strategies.

This publication is intended for general informational purposes only and does not constitute legal advice or a solicitation to provide legal services. The information in this publication is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. Readers should not act upon this information without seeking professional legal counsel. The views and opinions expressed herein represent those of the individual author only and are not necessarily the views of Clark Hill PLC. Although we attempt to ensure that postings on our website are complete, accurate, and up to date, we assume no responsibility for their completeness, accuracy, or timeliness.
