Raytheon and its parent company RTX just agreed to pay $8.4 million to settle allegations that they failed to meet cybersecurity requirements across nearly 30 Department of Defense contracts. If you’re overseeing IT compliance or managing vendor risk, this one cuts close to home.
According to the U.S. Department of Justice, Raytheon and its then-subsidiary Raytheon Cyber Solutions (RCSI) used a noncompliant internal system between 2015 and 2021 to develop, use, or store sensitive defense and contract data. The company was working under the Defense Federal Acquisition Regulation Supplement (DFARS) and Federal Acquisition Regulation (FAR), both of which mandate minimum security safeguards for contractors handling federal data.
But Raytheon allegedly skipped some critical steps. The company didn’t implement a required security plan and failed to verify that its development systems aligned with contract cybersecurity clauses. The system in question was used across 29 DoD contracts and subcontracts, which included unclassified but sensitive work.
The issue came to light after Branson Kenneth Fowler, a former Raytheon director, filed a whistleblower lawsuit under the False Claims Act. He’ll receive $1.5 million from the settlement. While Raytheon didn’t admit fault, it did notify government customers in 2020 and later replaced the system with one that meets compliance standards.
This isn’t the company’s only run-in with regulators. In October 2024, Raytheon agreed to a separate $950 million settlement involving allegations around defective pricing, foreign bribery violations (FCPA), and arms export controls (ITAR/AECA).
For those of us tracking federal cybersecurity expectations, this case underscores how noncompliance, even on unclassified systems, can lead to major legal and financial consequences, especially when it spans years and involves systems that were never brought up to contract standards.