Raytheon and its former subsidiary, Raytheon Cyber Solutions Inc., will pay $8.4 million to settle claims they failed to meet key cybersecurity rules in dozens of U.S. defense contracts.
The U.S. Department of Justice announced the agreement on Thursday. It stems from allegations that Raytheon and related entities used an unsecured system to handle sensitive government work between 2015 and 2021.
Raytheon, now a subsidiary of RTX Corporation, allegedly didn’t follow required security controls while working on 29 defense contracts and subcontracts. These agreements were with the Department of Defense (DoD). At the time, Raytheon was also working under a $1 billion cybersecurity contract with the Department of Homeland Security.
Under federal rules, contractors must safeguard systems that manage federal data. But according to the DOJ, Raytheon failed to implement a compliant cybersecurity plan. The company also didn’t meet standards under DFARS and FAR, which govern how defense contractors must secure their systems.
Instead, it used an internal development system that lacked basic protections. That system was used to store or process sensitive defense information. The DOJ said Raytheon submitted false claims for work done using this noncompliant system.
In 2020, the company disclosed the issue to its government clients. It then replaced the insecure system with a compliant one.
While Raytheon hasn’t admitted to any wrongdoing, it agreed to pay $8.4 million to resolve the matter. Of that, $4.2 million will serve as restitution. The rest covers interest.
The case was originally brought forward by a former Raytheon director, Branson Kenneth Fowler. He filed the suit under the False Claims Act’s whistleblower provisions. For his role, Fowler will receive $1.5 million from the settlement.
This isn’t the first time Raytheon has faced government scrutiny. Last year, the company agreed to pay $950 million in a much larger settlement. That case involved allegations of pricing fraud and violations of arms export laws.
RTX, the parent company, has not issued a public statement yet.
