$8.4M Raytheon Settlement Underscores Growing Risk for Federal Contractors Failing Cybersecurity Mandates


By: Christopher Parrella, Esq., CPC, CHC, CPCO
Parrella Health Law, Boston, MA
A Health Care Provider Defense and Compliance Firm

The U.S. Department of Justice has reached an $8.4 million settlement with Raytheon Company, its parent RTX Corporation, and Nightwing Group, LLC to resolve False Claims Act allegations related to cybersecurity noncompliance under Department of Defense (DoD) contracts. The case signals a rising wave of enforcement where contractors can no longer overlook strict cyber safeguards embedded in federal contracts.

This case stems from Raytheon’s alleged failure to implement required security controls, including maintaining a compliant System Security Plan (SSP) and meeting the requirements of FAR 52.204-21 (basic safeguarding of covered contractor information systems) and DFARS 252.204-7012 (safeguarding covered defense information and cyber incident reporting), while handling unclassified DoD information. The alleged violations occurred between 2015 and 2021, before Nightwing acquired Raytheon’s Cybersecurity, Intelligence, and Services business (RCSI) in 2024.

Federal investigators from the Defense Criminal Investigative Service (DCIS), the Naval Criminal Investigative Service (NCIS), and the Department of Health and Human Services Office of Inspector General (HHS-OIG) emphasized the sensitivity of the data involved and the risks that stem from lax protections. According to DOJ, Raytheon and its subsidiary RCSI used a noncompliant internal development system to perform work on at least 29 DoD contracts and subcontracts. That system lacked required controls, leaving federal contract information and covered defense information exposed to cyber exploitation.

Critically, the government alleged that Raytheon:

  • Failed to develop and maintain a compliant SSP as required by NIST SP 800-171 (incorporated through DFARS 252.204-7012), and failed to meet the basic safeguarding requirements of FAR 52.204-21.
  • Used a noncompliant system to develop and store sensitive defense information.
  • Continued billing under DoD contracts despite knowledge of these cyber deficiencies.

Former Raytheon Director of Engineering Branson Kenneth Fowler, Sr., who blew the whistle on these deficiencies, will receive more than $1.5 million under the settlement’s qui tam provisions.

The government’s message here is unmistakable: cybersecurity compliance is not a suggestion—it’s a contractual and statutory obligation. As U.S. Attorney Edward Martin put it, “There is no room for complacency.”

Federal contractors and subcontractors—especially those handling covered defense information or federal contract information—must revisit their cybersecurity compliance posture immediately. If your systems store, process, or transmit federal contract information or covered defense information, ensure you:

  • Conduct a full gap analysis against DFARS 252.204-7012 and the NIST SP 800-171 security requirements, scoped to every system that actually touches covered information, including development and test environments.
  • Maintain documented, tested System Security Plans and Plans of Action and Milestones (POA&Ms). A POA&M records how and when an unimplemented requirement will be met; it is not a substitute for implementing it, and open items should be tracked to closure.
  • Regularly audit and update IT systems against the cybersecurity clauses in each contract, and retain evidence of the assessments so the compliance claims that accompany invoices can be substantiated.

The stakes are not just reputational; they are financial, operational, and, increasingly, legal. If your organization holds DoD or federal contracts and you are unsure whether your practices meet contractual requirements, contact Parrella Health Law for a risk-based audit and False Claims Act exposure review. For a consultation, reach out to Chris at cparrella@parrellahealthlaw.com or 857-328-0382.

Christopher A. Parrella, Esq., CPC, CHC, CPCO, is a leading healthcare defense and compliance attorney at Parrella Health Law in Boston. With extensive experience in healthcare law, he provides robust legal support in areas including regulatory compliance, audits, healthcare fraud defense, and reimbursement disputes. Christopher emphasizes client-centered advocacy, offering one-on-one consultations for personalized guidance. His proactive approach helps clients navigate complex healthcare regulations, ensuring compliant operations and defending against government investigations, audits, and overpayment demands.

