FCA Qui Notes
May 8, 2025

DOJ’s Continued Focus on Implementation of NIST SP Controls

Defense Contractor Reaches $8.4 Million Settlement to Resolve Cyber FCA Allegations

Qui Notes: Unlocking the False Claims Act

Continuing a recent trend, late last week defense contractor Raytheon and successor company Nightwing settled allegations that Raytheon’s former Cybersecurity, Intelligence, and Services (CIS) business failed to comply with applicable cybersecurity requirements on nearly 30 U.S. Department of Defense (DoD) contracts and subcontracts and failed to implement National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171. By our count at Qui Notes, this is the U.S. Department of Justice’s (DOJ) tenth settlement under its Civil Cyber Fraud Initiative and its fourth settlement of allegations of non-compliance with applicable NIST SP controls.

The settlement resolves a qui tam filed by a former Director of Engineering at Raytheon. He will receive $1.5 million or 18% of the $8.4 million settlement amount for bringing the case. According to the settlement agreement, Raytheon’s DoD contracts required compliance with DFARS 252.204-7012 and/or FAR 52.204-21. DFARS 252.204-7012 requires that a contractor adhere to cybersecurity standards in NIST SP 800-171 for any unclassified information system that processes, stores, or transmits Covered Defense Information (CDI). NIST SP 800-171 also requires development of a system security plan (SSP) that describes how the information system satisfies the NIST security requirements. FAR 52.204-21 requires more basic cybersecurity controls for covered contractor information systems.

Absent from the settlement agreement or DOJ’s press release is any suggestion that the alleged non-compliances resulted in any breach, incident, or other harm to the government. Rather, the allegations are focused on a network referred to as “1.0” that Raytheon’s CIS business allegedly used for unclassified work on the relevant contracts. DOJ and the relator contend that the work for these contracts involved the collection, development, receipt, transmission, use, or storing of CDI, which meant that 1.0 was required to implement the NIST SP 800-171 security controls and have an SSP. The Covered Conduct of the settlement agreement states that 1.0 did not implement these controls, have an SSP, or meet the more basic requirements contained in FAR 52.204-21.

It is also noteworthy that the Covered Conduct indicates that Raytheon notified certain of its government customers in May 2020 that 1.0 was not in compliance with DFARS 252.204-7012 and FAR 52.204-21 and that it was in the process of developing a new environment that would be designed to implement NIST SP 800-171 and would replace 1.0. There is no indication in the settlement agreement or relator’s original complaint that any government customer responded to Raytheon’s notification, raising the possibility of a materiality defense had the matter gone to litigation.

This settlement is yet another reminder that DoD contractors with contracts that incorporate DFARS 252.204-7012 face risks associated with potential non-compliance with that clause and their implementation of NIST SP 800-171. We at Qui Notes will continue to monitor and report on cyber FCA cases, including the suit against Georgia Tech in which DOJ intervened and alleges that Georgia Tech’s relevant information systems did not implement the NIST SP 800-171 controls. Briefing is complete on Georgia Tech’s motion to dismiss, and the case is set for a settlement conference at the end of this month before a magistrate judge. Stay tuned for our continued reporting on these cases.

© Arnold & Porter Kaye Scholer LLP 2025 All Rights Reserved. This Blog post is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.