The US government on Thursday announced that it has reached a settlement with Raytheon, RTX Corporation, and Nightwing Group in a lawsuit over the companies’ alleged failures to meet cybersecurity requirements for defense contractors.
Raytheon, a subsidiary of RTX Corporation (previously Raytheon Technologies Corporation), and its then-subsidiary Raytheon Cyber Solutions, Inc. (RCSI), allegedly failed to comply with cybersecurity requirements in 29 contracts and subcontracts with the Department of Defense (DoD). Nightwing is a cybersecurity and intelligence company that spun out of RTX.
According to the settlement, between 2015 and 2021, Raytheon did not implement necessary cybersecurity controls on a system used to perform work on DoD contracts. In 2015, the company landed a DHS cybersecurity contract worth $1 billion.
Raytheon and RCSI allegedly not only failed to implement a security plan for the internal development system, but also failed to ensure that it complied with other Defense Federal Acquisition Regulation Supplement (DFARS) and Federal Acquisition Regulation (FAR) requirements.
Per DFARS and FAR, contractors are required to apply basic safeguarding to systems that process or store federal contract data, and to provide adequate security for those systems, respectively.
“The settlement resolved allegations that Raytheon used its noncompliant internal system to develop, use, or store covered defense information and federal contract information during its performance on 29 DoD contracts and subcontracts,” the Department of Justice said on Thursday.
According to the settlement, the company submitted false claims for unclassified work performed on the non-compliant system under the DoD contracts. In 2020, it notified government customers of the system’s lack of compliance and subsequently replaced it with a compliant one.
According to the settlement, Raytheon did not admit being at fault, but agreed to pay $8.4 million to the US government to settle the claims. Of the total amount, $4.2 million represents restitution, while the rest represents interest.
The settlement resolves a lawsuit filed by Branson Kenneth Fowler, a former Raytheon director, under the whistleblower provisions of the False Claims Act. Fowler will receive $1.5 million of the settlement amount.
SecurityWeek has emailed RTX for a statement on the settlement and will update this article if a reply arrives.
The $8.4 million settlement pales in comparison to the $950 million Raytheon agreed to pay in October 2024 to settle DoJ investigations into defective pricing on government contracts, violations of the Foreign Corrupt Practices Act (FCPA), the Arms Export Control Act (AECA), and the International Traffic in Arms Regulations (ITAR).