Cybersecurity Compliance Credential Authority Failure: System Security Plan Not Implemented Across 29 DoD Contracts at Raytheon
Context
Defense contractors handling Covered Defense Information — a category of sensitive but unclassified information — are required under DFARS to implement the cybersecurity controls defined in NIST SP 800-171. Those controls must be documented in a System Security Plan that describes how the contractor's information systems satisfy each requirement. Raytheon, a major defense contractor and subsidiary of RTX Corporation, held contracts and subcontracts with the Department of Defense for work performed on an internal network. That network processed, stored, or transmitted Covered Defense Information. Under DFARS 252.204-7012, the network was required to meet NIST 800-171 and be covered by a compliant System Security Plan.
In March 2024, RTX sold its Cybersecurity, Intelligence, and Services business to Nightwing Group, a new entity headquartered in Dulles, Virginia. The business that transferred included the contracts and the operational history associated with the noncompliant network. When the DOJ announced the settlement in May 2025, Nightwing was named alongside Raytheon and RTX as a settling party — held liable as successor for conduct that predated the acquisition by three years.
Trigger
The qui tam suit was filed in August 2021 by Branson Kenneth Fowler Sr., a former director of engineering at Raytheon, who alleged that Raytheon had submitted false claims by certifying compliance with cybersecurity requirements it had not met. The DOJ intervened. The government's theory was that Raytheon's contracts required compliance with DFARS 252.204-7008 and 252.204-7012 — both of which mandate NIST 800-171 implementation and a corresponding System Security Plan — and that Raytheon had used a noncompliant network to perform contract work while submitting claims that did not disclose this noncompliance. FAR 52.204-21, requiring 15 basic safeguarding requirements for covered contractor information systems, was also cited.
The $8.4 million settlement, announced May 1, 2025, resolved the allegations. No data breach or incident involving Covered Defense Information was alleged. As in the HNFS case, liability arose from the knowing submission of false compliance certifications — not from harm that had been realized, but from a credential that did not correspond to the security architecture it represented.
Failure Condition
The compliance certification submitted under DFARS functions as a credential. It asserts, as a condition of contract performance and payment, that the contractor's systems meet defined cybersecurity requirements. The contracting officer accepts the certification. There is no independent mechanism to verify the security architecture it represents at the point of contract performance or payment. The credential is the instrument. What the credential asserts — that a System Security Plan satisfying NIST 800-171 is implemented on the relevant network — is not evaluable by the relying party through the credential itself.
The case introduces a dimension not present in prior catalog entries: the credential's false assertion did not terminate with the entity that submitted it. When RTX sold the Nightwing business, the acquisition transferred not only the operational assets but the liability for the compliance representations made during the period of noncompliance. The credential's evidentiary gap — the absence of a correspondence between what was certified and what was implemented — traveled with the business. Nightwing, which did not exist during the period of alleged noncompliance, was held liable as successor for the credential failures of the predecessor.
This successor liability dimension establishes that compliance credential failures are not bounded by the entity that created them. When a business is acquired, the credential history transfers. The evidentiary boundary that was never encoded in the original credential becomes a liability that the acquiring entity inherits without the ability to evaluate at the point of acquisition what the predecessor's credential actually represented.
Observed Response
The $8.4 million settlement resolved the FCA allegations without admission of liability. The whistleblower received $1.5 million as his relator share. The settlement was the fifth announced under the DOJ's Civil Cyber-Fraud Initiative in 2025 and notable for the explicit naming of Nightwing as successor in liability — a signal to defense contractors and their acquirers that cybersecurity compliance credential failures do not disappear in acquisition. DOJ enforcement activity in cybersecurity FCA matters continued to accelerate through 2025, with recoveries totaling more than $52 million across eight cases.
Analytical Findings
- Raytheon submitted compliance certifications across 29 DoD contracts while using a noncompliant internal network that lacked the System Security Plan required by DFARS and NIST SP 800-171
- The compliance credential encoded an assertion about the contractor's security architecture; it did not encode the evidentiary boundary between what was asserted and what was implemented, and that boundary was not evaluable by the contracting authority at the point of contract performance or payment
- No data breach or incident involving Covered Defense Information was alleged; FCA liability arose from the submission of certifications that did not correspond to the security posture they represented
- Nightwing Group was named as successor in liability for conduct that predated its acquisition of the business by three years — the first extension of successor liability in a Civil Cyber-Fraud Initiative case, establishing that compliance credential failures transfer with business acquisitions
- The successor liability holding means that an acquiring entity cannot evaluate, at the point of acquisition, what compliance credentials submitted by the predecessor actually represented — the evidentiary gap in the credential travels with the business
- The whistleblower, a former director of engineering, filed in 2021; the settlement resolved in 2025 — the gap between internal knowledge of the noncompliance and external enforcement spanned the full duration of the alleged conduct plus four additional years
- The case is structurally identical to Case 101 (SPRS score misrepresentation) and Case 104 (HNFS annual certification) but introduces a corporate transaction dimension that extends liability beyond the originating entity
Sources
1. U.S. Department of Justice, Office of Public Affairs. "Raytheon Companies and Nightwing Group to Pay $8.4M to Resolve False Claims Act Allegations Relating to Non-Compliance with Cybersecurity Requirements in Federal Contracts." May 1, 2025.
2. Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7008 and 252.204-7012; NIST Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.
3. Federal Acquisition Regulation (FAR) 52.204-21, Basic Safeguarding of Covered Contractor Information Systems.
4. Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. "Cybersecurity-Related Enforcement Under the False Claims Act in 2025: New Settlements, Same Lessons." January 2026.
5. Arnold & Porter, FCA Qui Notes. "DOJ Settles Another False Claims Act Case for Alleged Failures in Implementing NIST SP 800-171 and Basic Cybersecurity Controls." May 2025.