In a settlement agreement, U.S. defense contractors Raytheon and Nightwing Group agreed to pay $8.4 million over cybersecurity failures. The allegations cover the period from August 2015 through June 2021, when Raytheon’s CODEX division used a network that failed to meet the government’s cybersecurity standards. This network, which contained non-classified defense information, allegedly lacked a “system security plan” detailing the necessary security measures. Despite these issues, Raytheon did not admit fault, though it acknowledged non-compliance.
In May 2020, Raytheon disclosed to government clients that their network was not up to National Institute of Standards and Technology (NIST) standards. The company claimed to be in the process of developing a more secure system environment to address the problem. The failure to meet federal cybersecurity standards is in violation of the Defense Department’s contract terms, and the settlement was made under the False Claims Act, which allows civil damages against contractors violating government contracts. The act has become a key tool in holding contractors accountable for cybersecurity obligations.
This settlement follows a series of similar agreements in the defense sector. In March 2025, MORSE Corp settled for $4.6 million over using a third-party provider without ensuring proper security. Earlier in February, Health Net Federal Services and Centene Corporation agreed to an $11.2 million settlement for not meeting required cybersecurity standards. These cases highlight the growing trend of using the False Claims Act to enforce cybersecurity compliance among contractors working with the government.
The Raytheon case was brought to light by a whistleblower, the former director of engineering at the company. As part of the settlement agreement, the whistleblower will receive more than $1.5 million for their role in exposing the breach. Additionally, Nightwing, which spun out of Raytheon in 2024, was named as a defendant in the case.