A recent United States Department of Justice (DOJ) announcement highlights the fact that the government’s emphasis on cybersecurity enforcement under the False Claims Act (FCA) is not slowing down. According to the press release, four companies — RTX Corporation (RTX), Raytheon Company (Raytheon), Nightwing Group LLC, and Nightwing Intelligence Solutions LLC (collectively, Nightwing) — agreed to pay US$8.4 million to settle an FCA matter arising from a qui tam relator’s suit alleging that Raytheon and its former subsidiary failed to comply with cybersecurity requirements in federal contracts.
The Raytheon Settlement
Raytheon’s former director of engineering, Branson Kenneth Fowler, Sr., filed the qui tam suit in August 2021. Federal defense contractors and subcontractors like Raytheon are required to implement certain cybersecurity controls outlined in the National Institute of Standards and Technology Special Publication 800-171 (NIST SP 800-171). But, according to this lawsuit, Raytheon allegedly failed to meet these requirements in connection with its work on federal contracts. The allegations centered on Raytheon’s internal network system, referred to as “DarkWeb.” Raytheon allegedly (a) used DarkWeb to store, transmit, and develop protected information in connection with its work on certain defense contracts even though that system failed to comply with NIST SP 800-171’s cybersecurity requirements; and (b) failed to develop the requisite system security plan for this internal system.
Notably, Raytheon notified certain government contractors, in May 2020, that it believed its information system did not comply with federal cybersecurity regulations and subsequently deployed a replacement system, ceasing to use DarkWeb. But according to the settlement, Raytheon’s alleged failure to implement these mandated security requirements on DarkWeb rendered false all claims for federal contracting work performed on DarkWeb.
The defendants deny the allegations but agreed to pay US$8.4 million to resolve them. As the qui tam relator, Mr. Fowler will receive over US$1.5 million in connection with the settlement.
Finally, the conduct giving rise to the qui tam suit occurred between 2015 and 2021 — years before Nightwing purchased RTX’s cybersecurity business in 2024. This illustrates the significant risk of successor liability and underscores the importance of assessing a target’s cybersecurity compliance as part of due diligence.
Recommendations
Given those risks, defense contractors and other recipients of federal funds (including colleges and universities) should consider the following steps to enhance cybersecurity compliance and reduce FCA risk:
- Catalogue and monitor compliance with all government-imposed cybersecurity standards. Ensure your organization maintains a comprehensive list of all cybersecurity requirements that apply to it and of the systems those requirements cover. These requirements may come not only from prime government contracts but also from subcontracts, grants, or other federal programs. This means not only keeping current knowledge of the organization’s contracts but also continuously monitoring and assessing the organization’s cybersecurity program to identify and patch vulnerabilities and to assess compliance with those contractual cybersecurity standards. This assessment should also consider third-party relationships.
- Develop and maintain a robust and effective compliance program that addresses cybersecurity issues. In many companies, the compliance program and information security functions are not well integrated. An effective compliance program will address cybersecurity concerns and encourage employees to report such concerns. When concerns are identified, it is critical to escalate and investigate them promptly.
- Where non-compliance with cybersecurity standards is identified, organizations should evaluate potential next steps. This includes whether to disclose the matter to the government and cooperate with government investigators. Organizations should work with experienced counsel in this regard. Proactively mapping out a strategy for investigating and responding to potential non-compliance can instill discipline to the process and streamline the organization’s approach.
- Implement robust diligence for compliance with cybersecurity requirements in mergers and acquisitions. As this settlement shows, liability arising from an acquired entity may be imposed on the acquiring entity in some instances. Due diligence processes should seek to identify cybersecurity requirements in contracts (whether contracts with the government or private actors) and obtain verification of compliance. If that level of due diligence is not possible before closing a deal, it is important to conduct that assessment soon after closing so that problems can be identified and remediated promptly.