TalentLaunch 2023 Data Breach Settlement: Cybersecurity and Legal Analysis for CISOs

  • Writer: Avraham Cohen
  • May 13

If you are in a hurry, skip to the section "Suggestions to Avoid Such Claims in the Future" (recommendations for CISOs).


Introduction

In 2024, Raytheon Technologies Corporation (RTX) and its former cybersecurity subsidiary, Nightwing Group LLC, reached an $8.3 million settlement with the U.S. Department of Justice.


This settlement resolved allegations that Raytheon had violated the False Claims Act by failing to implement necessary cybersecurity controls on systems used for unclassified work on certain Defense Department contracts between 2015 and 2021.


A former director of engineering at Raytheon blew the whistle on these violations, which led to a lawsuit and eventual settlement.


The settlement provides key insights for CISOs and security professionals working with defense contractors or government agencies, particularly regarding the enforcement of cybersecurity controls.


Company

Raytheon Technologies Corporation (RTX), one of the largest defense and aerospace contractors in the world, has long been a key player in the U.S. defense sector.


The company designs and manufactures advanced technology for defense, civil, and commercial applications, including missile systems, cybersecurity, and communications equipment.


Raytheon’s cybersecurity, intelligence, and services business was a significant division of the company until it was acquired by Nightwing Group LLC in 2024.


Raytheon’s involvement in defense contracts, particularly with the U.S. Department of Defense (DoD), means that it was bound by strict cybersecurity requirements to protect sensitive data on government systems.


Nightwing Group LLC, which took over Raytheon’s cybersecurity division in 2024, has maintained a focus on providing critical security services to defense contractors and government agencies.


As part of the settlement, Nightwing assumed responsibility for resolving the cybersecurity gaps identified in the systems it inherited.


This case primarily involved unclassified systems that nonetheless supported DoD contracts, which required Raytheon to meet the same rigorous cybersecurity standards as for classified systems, including compliance with NIST SP 800-53 and other government cybersecurity frameworks.


Prosecutor

The legal action was brought by the U.S. Department of Justice (DOJ) under the False Claims Act (FCA), which allows whistleblowers to bring forward cases of fraud against government contractors.


The lawsuit was filed after a whistleblower complaint was submitted by a former director of engineering at Raytheon, who alleged that the company’s cybersecurity deficiencies violated the terms of its government contracts.


Under the FCA, whistleblowers are entitled to a share of the settlement if their information leads to the recovery of government funds.


In this case, the whistleblower received $1.5 million as part of the settlement.


The DOJ played a central role in investigating and bringing the case forward.


The False Claims Act is often used in cases where contractors receive federal funds and fail to meet the required standards or knowingly submit false claims for government contracts.


In this case, the core issue was Raytheon’s failure to meet cybersecurity requirements.


Claim Types

The claims against Raytheon were brought under the False Claims Act, a key legal tool for prosecuting fraud against the U.S. government.


The allegations and claims in this case revolved around Raytheon’s failure to meet contractually mandated cybersecurity controls for government contracts.


Key legal claims included:

  1. False Claims Act Violations: Raytheon allegedly submitted false claims to the government by failing to implement the required cybersecurity controls, resulting in improper payments for DoD contracts.

  2. Failure to Comply with Cybersecurity Standards: The company failed to meet DoD cybersecurity requirements outlined in NIST 800-53 and other government regulations. This was a direct violation of the terms of their defense contracts.

  3. Whistleblower Protection and Reward: The case also brought attention to the Whistleblower Protection Act, which incentivizes individuals to report government contractors’ failures to comply with required standards. The whistleblower was awarded a percentage of the settlement for their role in bringing the case to light.

  4. Corporate Responsibility and Accountability: The settlement emphasized the need for corporate accountability in meeting cybersecurity requirements, particularly for contractors that handle sensitive government data.


Claims – Core Allegations

The central allegations in the case were that Raytheon and its cybersecurity subsidiary failed to implement mandatory cybersecurity controls on internal systems used for performing unclassified work related to DoD contracts between 2015 and 2021.


According to the Department of Justice, Raytheon violated several terms of its government contracts by not adhering to the required cybersecurity standards, which led to systemic vulnerabilities.

  1. Failure to Implement Cybersecurity Measures: The government alleged that Raytheon did not apply required cybersecurity safeguards on the internal systems that were used for unclassified work on contracts involving sensitive DoD projects.

  2. Inadequate Security Systems for Unclassified Work: Even though the work being performed was unclassified, the systems still needed to meet rigorous standards for cybersecurity controls. Raytheon allegedly failed to implement or update critical controls like encryption, multi-factor authentication, and network segmentation to protect sensitive government data.

  3. Risk of Data Breach: By failing to meet the required standards, the company left systems vulnerable to potential cyberattacks, putting sensitive government information at risk of unauthorized access or compromise.

  4. Failure to Provide Adequate Reporting and Documentation: Raytheon was also accused of failing to report and document its cybersecurity deficiencies and of failing to notify the government that it had not met its contractual obligations.


The allegations point to a lack of due diligence and failure to follow through with contractual cybersecurity requirements.


This type of negligence can lead to substantial legal and financial consequences for contractors working on defense projects.


Technical Claims – Security Failures and Vulnerabilities

The core technical claims in this case revolve around Raytheon’s failure to implement the required cybersecurity controls on systems used for unclassified work.


Key technical deficiencies identified in the settlement include:

  1. Failure to Implement NIST Controls: Raytheon’s internal systems were alleged to have lacked the necessary security controls specified by NIST SP 800-53, a key framework for managing risk and ensuring the protection of U.S. government systems. These controls include proper access control, audit logging, data encryption, and incident response.

  2. Inadequate Patch Management and System Updates: The failure to maintain updated systems or address known vulnerabilities was another major technical issue. Proper patch management is critical to ensure that vulnerabilities are remediated in a timely manner, especially in defense contracts that handle sensitive government data.

  3. Weak Authentication and Access Controls: The systems in question allegedly lacked robust access controls and multi-factor authentication (MFA) for sensitive accounts. This failure to limit access to authorized users left the systems exposed to potential exploitation by threat actors.

  4. Unencrypted Data: Another key issue raised was the lack of encryption for sensitive data on internal systems. Even if the systems were not handling classified data, data at rest still needed to be encrypted to protect it from unauthorized access.

  5. Vulnerability to Cyberattacks: By not implementing necessary cybersecurity measures, the systems were vulnerable to cyberattacks, including data breaches, ransomware attacks, and data exfiltration. A sophisticated adversary could potentially have exploited these gaps to access sensitive government information.

  6. Failure to Secure Unclassified Systems: While the systems in question were used for unclassified work, Raytheon still had a contractual obligation to secure them. The settlement notes that even unclassified systems handling DoD contracts must meet the same stringent cybersecurity requirements.


Suggestions to Avoid Such Claims in the Future

For CISOs and security leaders working in the defense industry or with government contracts, the Raytheon settlement serves as an important case study in the risks associated with failing to implement and maintain mandatory cybersecurity controls.


Below are actionable recommendations to help avoid similar claims in the future:

  1. Strict Adherence to NIST Guidelines: Ensure that all systems involved in government contracts adhere to the cybersecurity standards specified by NIST SP 800-53 and other relevant frameworks. Even unclassified systems that handle government data must meet the highest standards for cybersecurity. Develop a robust process for regular security audits and compliance checks to ensure full adherence to these guidelines.

  2. Robust Cybersecurity Governance: Establish a cybersecurity governance framework to ensure clear accountability and ownership of cybersecurity efforts. This includes ensuring that contract managers, IT teams, and security teams collaborate to ensure that cybersecurity controls are in place and regularly updated, especially when dealing with sensitive government data.

  3. Ongoing Risk Management and Vulnerability Remediation: Develop an ongoing risk management strategy to identify and mitigate vulnerabilities before they are exploited. Implement vulnerability scanning, patch management, and threat detection tools to stay on top of potential risks. Proactive cyber hygiene practices, like ensuring timely patching and vulnerability assessments, are essential.

  4. Implement Robust Access Control Systems: Ensure that all systems, especially those that handle sensitive government information, have strong access controls, including multi-factor authentication (MFA) and role-based access control (RBAC). Limit system access to only those individuals or teams who absolutely need it.

  5. Data Encryption and Protection: Encrypt sensitive data at rest and in transit, regardless of whether the system handles classified information. Implement data masking and tokenization when possible to further protect sensitive information.

  6. Incident Response and Reporting: Develop a comprehensive incident response plan that includes a process for reporting vulnerabilities and incidents to government clients in a timely manner. In the case of government contracts, failure to report vulnerabilities can result in severe consequences. Create a streamlined and automated system for handling breach notifications and compliance reporting.

  7. Ongoing Security Training and Awareness: Ensure that all employees and contractors working on government contracts are trained on the latest cybersecurity best practices and government compliance requirements. Regular security training can help mitigate the risk of human error or insider threats.

  8. Whistleblower Protection and Transparency: Foster a culture of transparency and whistleblower protection. Ensure that employees feel safe reporting any potential security issues or compliance violations, knowing they will not face retaliation. Whistleblowers, like the former Raytheon employee, can significantly impact the outcome of legal and financial settlements, so it’s crucial to have policies in place that encourage reporting.
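As an added example (not code from the original post or from either company), the Python below turns the controls named in these recommendations into an automated gap check over a system inventory, so that compliance evidence is produced continuously rather than reconstructed after a complaint. The control IDs are the standard NIST SP 800-53 identifiers; the inventory, its field names and the 30-day patch window are assumptions, and scope is decided by the contract a system supports rather than by its classification.

```python
"""Added example: control-gap check over a system inventory. NIST SP 800-53 IDs
are standard; inventory, field names and thresholds are constructed assumptions."""
from dataclasses import dataclass

@dataclass
class System:
    name: str
    dod_contract_scope: bool       # supports a DoD contract, classified or not
    mfa_enforced: bool
    encryption_at_rest: bool
    network_segmented: bool
    audit_logging: bool
    days_since_last_patch: int
    unreported_deficiencies: int   # known gaps not yet reported to the customer

PATCH_SLA_DAYS = 30  # assumed remediation window, not taken from the settlement
# (control id, description, predicate that is True when the control is satisfied)
CONTROLS = [
    ("IA-2", "multi-factor authentication enforced", lambda s: s.mfa_enforced),
    ("SC-28", "data at rest encrypted", lambda s: s.encryption_at_rest),
    ("SC-7", "network segmented / boundary protection", lambda s: s.network_segmented),
    ("AU-2", "audit logging enabled", lambda s: s.audit_logging),
    ("SI-2", f"patched within {PATCH_SLA_DAYS} days",
     lambda s: s.days_since_last_patch <= PATCH_SLA_DAYS),
    ("IR-6", "deficiencies reported to the contracting agency",
     lambda s: s.unreported_deficiencies == 0),
]

def gaps_for(system: System) -> list[tuple[str, str]]:
    """Failed controls for one system. Scope is decided by the contract the system
    supports, not by classification: an unclassified system in scope is assessed."""
    if not system.dod_contract_scope:
        return []
    return [(cid, desc) for cid, desc, ok in CONTROLS if not ok(system)]

def compliance_report(inventory: list[System]) -> dict[str, list[tuple[str, str]]]:
    """Map every in-scope system to its open gaps; an empty list means compliant."""
    return {s.name: gaps_for(s) for s in inventory if s.dod_contract_scope}

# Constructed sample inventory: one deficient in-scope host, one clean, one out of scope
INVENTORY = [
    System("eng-fileshare-01", True, False, False, True, True, 45, 2),
    System("build-server-02", True, True, True, True, True, 7, 0),
    System("marketing-web", False, False, False, False, False, 200, 0),
]

if __name__ == "__main__":
    for name, gaps in compliance_report(INVENTORY).items():
        detail = ", ".join(f"{c} ({d})" for c, d in gaps)
        print(f"{name}: {'COMPLIANT' if not gaps else 'GAPS: ' + detail}")
```

Each reported gap carries the control it maps to, so the same output can feed both the remediation backlog and the documentation a contracting agency would expect to see.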


By following these best practices and maintaining a proactive cybersecurity strategy, organizations can ensure they meet the cybersecurity requirements for government contracts, avoid costly legal settlements, and ultimately protect sensitive data.

