Government contractors regularly handle sensitive federal data, and cybersecurity compliance is no longer optional—it’s mandatory. A recent settlement between the Department of Justice (DOJ) and defense contractor Raytheon Company (Raytheon) highlights the critical importance of strict adherence to federal cybersecurity standards and the severe consequences of falling short. DOD contractors that neglect compliance or inaccurately represent their cybersecurity posture may find themselves facing costly False Claims Act (FCA) litigation.

The Raytheon Settlement: Key Facts and Allegations

On April 4, 2025, the DOJ announced an $8.4 Million settlement resolving allegations that Raytheon and affiliated entities violated the FCA by falsely representing compliance with federal cybersecurity regulations. Specifically, the DOJ alleged that Raytheon failed to implement required cybersecurity safeguards mandated by the Defense Federal Acquisition Regulation Supplement (DFARS) and the Federal Acquisition Regulation (FAR).

Raytheon, along with its parent RTX Corporation and successor Nightwing Group LLC, was accused of knowingly submitting false claims to various Department of Defense (DoD) agencies—including the Defense Threat Reduction Agency, U.S. Cyber Command, and the Army, Navy, and Air Force—for work performed on an internal development network known as “1.0.” According to the DOJ’s allegations, Raytheon’s 1.0 system handled Covered Defense Information (CDI) and Federal Contract Information (FCI) without meeting critical security requirements established by National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 and FAR 52.204-21.

Federal Cybersecurity Standards: DFARS and FAR Requirements

Central to the allegations were DFARS Clauses 252.204-7008 and 252.204-7012, which require defense contractors and subcontractors to implement stringent cybersecurity measures detailed in NIST SP 800-171 by December 31, 2017. FAR 52.204-21 similarly mandates minimum safeguarding standards for contractors handling federal data.

Compliance with these clauses extends beyond procedural requirements, playing a crucial role in safeguarding national security and preserving the integrity of sensitive federal information. The settlement underscores the federal government’s increasing scrutiny of cybersecurity compliance under its Civil Cyber-Fraud Initiative, which emphasizes accountability for contractors who knowingly misrepresent their security posture or fail to meet contractual cybersecurity obligations.

To that end, in December 2024, the DOD issued a Final Rule formally implementing the Cybersecurity Maturity Model Certification (CMMC) program, with requirements expected to begin phasing in over the coming months and becoming standard in DOD solicitations thereafter. As these new requirements take hold, contractors should expect the government to leverage the FCA to increase cybersecurity enforcement.

Cybersecurity Non-Compliance: A False Claims Act Risk

This case sends a clear message: cybersecurity compliance is not just a technology issue—it’s also a critical compliance risk under the FCA. The DOJ alleged that Raytheon knowingly failed to meet the regulatory cybersecurity requirements and consequently submitted claims for payment that were, by law, false.

The Raytheon settlement highlights a key legal theory under the FCA: falsely certifying compliance with cybersecurity standards can constitute fraud against the government. Contractors found non-compliant with DFARS and FAR cybersecurity standards risk facing substantial financial penalties, treble damages, and significant reputational harm.

Lessons Learned and Best Practices for Contractors

The Raytheon case offers several key lessons and actionable takeaways for contractors looking to mitigate similar risks:

  1. Develop Comprehensive System Security Plans (SSPs): Contractors must have a detailed SSP that documents precisely how systems comply with each NIST SP 800-171 and FAR requirement. The DOJ specifically cited Raytheon’s lack of an SSP as a critical compliance gap.
  2. Proactively Identify and Remediate Compliance Issues: Early identification and remediation of cybersecurity gaps are essential. Contractors who wait for government audits or whistleblower complaints to uncover deficiencies may find themselves facing costly FCA litigation. Early voluntary disclosure can also demonstrate transparency and mitigate enforcement risk.
  3. Accurate Representations in Proposals and Certifications: Misrepresenting cybersecurity compliance in bids, proposals, or progress reports can lead directly to FCA liability. It is crucial to ensure accuracy and truthfulness in all communications regarding cybersecurity posture.
  4. Conduct Regular and Thorough Cybersecurity Audits: Regular audits of cybersecurity measures help verify compliance and enable contractors to correct any shortcomings promptly. Contractors should not only implement security protocols but also consistently assess their effectiveness.
  5. Engage Expert Legal and Cybersecurity Advisors: Given the complexity of federal cybersecurity regulations, contractors benefit significantly from experienced counsel and cybersecurity specialists who can guide effective compliance strategies and assist in the event of government inquiries or audits.

Conclusion: The Compliance Imperative for Government Contractors

Raytheon’s settlement provides a powerful reminder that non-compliance with cybersecurity standards is not merely a contractual issue—it’s also a substantial litigation risk. As cybersecurity enforcement intensifies under initiatives like DOJ’s Civil Cyber-Fraud Initiative, government contractors must prioritize robust cybersecurity compliance programs and oversight. The stakes are high: inadequate security measures or inaccurate representations about compliance can trigger costly FCA claims and lasting reputational damage.

At PilieroMazza, attorneys in our Cybersecurity & Data Privacy and False Claims Act practice groups assist contractors in navigating complex cybersecurity obligations under DFARS, FAR, and NIST requirements. If you have questions regarding cybersecurity compliance or related FCA risks, please contact Matt Feinberg, Jackie Unger, Nate Jahnigen, or another member of our Cybersecurity & Data Privacy and False Claims Act practice groups.
____________________

If you’re seeking practical insights to gain a competitive edge by understanding the government’s compliance requirements, tune into PilieroMazza’s podcasts: GovCon Live!, Clocking in with PilieroMazza, and Ex Rel. Radio.