DOJ’s Civil Cyber Fraud Initiative Utilizes False Claims Act to Settle Allegations of Knowing Non-Compliance with NIST SP 800-171 Against Raytheon and its Successor
The United States Department of Justice (DOJ) recently settled a qui tam suit with defense contractor Raytheon and its successor company, Nightwing Intelligence Solutions, LLC (Nightwing), totaling $8.4 million. The settlement resolves allegations that the defendants violated the False Claims Act (FCA) by falsely representing compliance with federal cybersecurity regulations. Specifically, the DOJ alleged that Raytheon failed to implement cybersecurity requirements consistent with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, as required by the terms of approximately thirty contracts and subcontracts with the Department of Defense (DoD). While this settlement reinforces a pattern by the DOJ’s Civil Cyber-Fraud Initiative of using the FCA to enforce cybersecurity requirements consistent with NIST SP 800-171, it is significant because DOJ has held a contractor’s successor liable for pre-acquisition conduct involving the predecessor’s cybersecurity compliance.
According to the settlement agreement, Raytheon utilized an internal network to handle unclassified information in its contracts with the DoD. However, the network allegedly lacked the cybersecurity safeguards mandated by Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7008, DFARS 252.204-7012, and Federal Acquisition Regulation (FAR) 52.204-21. DFARS clauses 252.204-7008 and 252.204-7012 require defense contractors and subcontractors to implement a system security plan (SSP) that satisfies NIST SP 800-171. FAR 52.204-21 imposes fifteen additional cybersecurity requirements for covered contractor information systems.
The government asserts that Raytheon violated the FCA by knowingly submitting false claims to DoD for work Raytheon performed on the non-compliant network. Notably, the settlement names Nightwing as “the successor in liability” in the claims against Raytheon, even though the alleged conduct occurred several years before Nightwing acquired Raytheon’s cybersecurity business. To further evaluate the impact of this settlement in the mergers and acquisitions space in relation to successor liability, see another article here. While both defendants denied the allegations set forth in the qui tam and the settlement, they agreed to pay $8.4 million to resolve the suit. The qui tam relator will receive over $1.5 million.
This settlement is the federal government’s fourth FCA settlement involving allegations of knowing non-compliance with cybersecurity controls, including NIST standards, in DoD contracts since the launch of the Civil Cyber-Fraud Initiative in 2021. The settlement with Raytheon and Nightwing underscores both the government’s increased scrutiny of cybersecurity compliance and its continued willingness to seek penalties for misrepresenting compliance with security requirements when submitting claims for payment, regardless of whether the fraud predates a successor’s acquisition of a contracting business.
With the phased rollout of the Cybersecurity Maturity Model Certification (CMMC), which expands cybersecurity compliance obligations, government contractors and other recipients of federal funds within the Defense Industrial Base should expect increased exposure for non-compliance, especially under the FCA.
If you have questions regarding the application of the FCA to your company or questions about data privacy and security obligations in general, please contact your Quarles attorney or:
- Kirti Vaidya Reddy: (414) 277 5260 / kirti.reddy@quarles.com
- Sarah Erdmann: (414) 277 5512 / sarah.erdmann@quarles.com
- Candice Andalia: (202) 780 2627 / candice.andalia@quarles.com