
Last month, the aerospace and defense giant Raytheon Company (now part of RTX Corporation) and its successor Nightwing Group LLC agreed to pay $8.4 million to resolve allegations that the company failed to meet critical cybersecurity requirements on twenty-nine Department of Defense (DoD) contracts and subcontracts between 2015 and 2021.
Behind the case
According to the settlement, Raytheon and its then-subsidiary Raytheon Cyber Solutions, Inc. (RCSI) failed to fully implement mandatory cybersecurity controls on internal systems used to perform unclassified work on DoD contracts. The settlement alleges that Raytheon and RCSI failed to develop and implement a system security plan as required by DoD cybersecurity regulations and failed to ensure that the system complied with other cybersecurity requirements of the Defense Federal Acquisition Regulation Supplement (DFARS) and Federal Acquisition Regulation (FAR).
Behind DoD Cybersecurity Compliance
Late last year, the DoD finalized its Cybersecurity Maturity Model Certification (CMMC) rule, which required nearly all DoD contractors to meet minimum cybersecurity requirements. The effort came in response to an increasing threat of cyberattacks against defense contractors that was putting sensitive, nonpublic information at risk. Thus, firms that enter into business with the DoD would need to certify they are compliant with the requirements. Those who falsified their cybersecurity compliance would be putting sensitive information at risk and could be held liable for violating the False Claims Act (FCA).
The role of whistleblowers
The settlement between Raytheon and the US government originated from a lawsuit filed under the whistleblower provisions of the False Claims Act. The whistleblower in this case was a former Director of Engineering with Raytheon. For providing this important information, the whistleblower was awarded a $1.5 million share of the settlement amount.
It’s important that firms entrusted with protecting data, no matter the size and whatever the cost, take their cybersecurity responsibilities seriously. Firms that falsify compliance not only put sensitive data at risk, but they also get an unfair advantage over businesses that do follow the rules. Just as a whistleblower played a crucial role in this case with Raytheon, whistleblowers can play a crucial role in helping uncover other instances of cybersecurity compliance fraud. Whistleblowers could be employees or contractors involved in a company’s cybersecurity operations or compliance processes, third-party auditors who certify a company’s compliance, or anyone else with inside knowledge of a company committing fraud to win or maintain government contracts. In addition, whistleblowers whose information leads to a successful recovery can receive up to 30% of the amount recovered by the government.
Contact Us
Baron & Budd’s whistleblower representation team has more than 50 years of experience representing dozens of clients in government fraud cases. They have returned more than $6.0 billion to federal and state agencies with whistleblower recovery shares as high as 50%.
For more information, see What You Need to Know About Becoming a Whistleblower.