With supply chain networks particularly at risk, RTX aims to establish a protected supply chain ecosystem with infrastructure that supports secure collaboration across the supply base. Outdated security systems render companies vulnerable to data breaches and information compromises that could have detrimental effects throughout the supply chain, for our customers, the aerospace and defense industry, and national security. We are steadfast in our commitment to working with our suppliers to keep sensitive information safe, secure and out of the hands of those who would use it to endanger global security.
RTX reminds its suppliers to take appropriate steps to protect RTX information in their possession, and to report cyber incidents in a timely manner and in accordance with existing obligations.
Supplier incident reporting
All suppliers who discover a cyber incident, or suspect a cyber incident may have occurred, must report it to RTX:
- If you need to report a data incident involving RTX personal information, please email [email protected].
- Suppliers who support U.S. Department of War (DoW) contracts must first report any suspected cyber incident to https://dibnet.dod.mil in accordance with the version of the DFARS clause flowed on their purchase order and then as soon as practicable to RTX at [email protected].
Cybersecurity Maturity Model Certification (CMMC) Program with Revised DFARS 252.204-7021
On September 10, 2025, the Department of Defense (DoD) published the final CMMC acquisition rule with an effective date of November 10, 2025. The rule amends the Defense Federal Acquisition Regulation Supplement (DFARS) to incorporate contractual requirements related to the final Cybersecurity Maturity Model Certification (CMMC) program rule (Title 32 Code of Federal Regulations (CFR) Part 170, effective December 2024). The rule prescribes the use of the solicitation provision at DFARS 252.204-7025 and the contract clause at DFARS 252.204-7021 in certain solicitations and contracts, task orders, or delivery orders.
The final rule’s November 10th effective date means the new DFARS clause, DFARS 252.204-7021, which requires some level of CMMC certification, may be included in all applicable DoD solicitations and contracts issued on or after November 10, 2025. Additionally, new contract awards (or task orders and delivery orders for existing indefinite-delivery indefinite-quantity (IDIQ) contracts) issued after this rule takes effect may include a requirement for CMMC, even if the solicitation or IDIQ contract award was prior to November 10.
All RTX suppliers supporting DoD contracts and/or solicitations with DFARS 252.204-702:
- Will be required to have an active CMMC certification at the appropriate level, as defined within the Prime Contract or Solicitation
- Must immediately take steps to ensure their Annual Supplier Registration Data, Representations and Certifications remains current on CMMC status
- Are asked to stay connected with the DoD Chief Information Officer Website for CMMC for available resources and information here
Note: While Phase 1 CMMC implementation, requiring CMMC level 1 or CMMC level 2 (self-certification), begins November 10th, the DoD may require higher levels of certification in advance of the full phased implementation.
Key Points on DFARS 252.204-7021:
- Applicable to all Prime Contractors and Subcontractors processing, storing or transmitting Federal Contract Information (FCI) or Controlled Unclassified Information (CUI)
- Prime Contractors and Subcontractors must enter their certification level into the DoD Supplier Performance Risk System (SPRS) database: after each assessment for Level 1, and after each assessment and annually thereafter for Levels 2 & 3
- CMMC certification where required is a condition of award
- Level 1 - Basic Safeguarding of FCI: 15 controls need to be fully implemented, as Plan of Action & Milestones (POA&M) are not permitted
- Levels 2 & 3 – Protection of CUI: Plan of Action & Milestones (POA&M) accepted, excluding certain critical requirements, but must be confirmed by a POA&M closeout assessment within 180 days
- Levels 1 & 2 self-certification requires evidence collection and retention for 6 years
DoW CMMC resources
Build awareness + reduce risk
Cybersecurity Resources
In partnership with leaders from across RTX and the DIB (Defense Industrial Base) Community, we have created the Top 10 Cyber Best Practices guidebook. This resource highlights steps you and your team can take today to reduce risk while providing awareness on available resources to promote resiliency.
The identified top Cyber Best Practices are applicable to any industry and are a starting point on steps you can take to help reduce risk. Each slide briefly describes the best practices, phased actions to take, and some available resources or services to support this best practice. This list is not inclusive of all resources and services available.
Check back for additional updates and resources.

Supply chain resilience documents
RTX supplier cyber requirements (applicable to all suppliers)
RTX Standard Terms & Conditions
Security for RTX, including Third Party, Information
Overview of elements:
- Suppliers must:
  - develop, implement, maintain, monitor, and update a written security program
  - install and implement security hardware and software designed to:
    - protect the integrity of Supplier's network, products, and RTX information
    - guard against security incidents
  - demonstrate compliance to generally accepted cyber frameworks
  - restrict access to RTX information to authorized employees and authorized 3rd parties
  - use standard encryption methods
  - support RTX in investigating cyber incidents
Flow down of U.S. Government Contract Clauses
DFARS 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting.
Suppliers supporting DoW contracts and handling CDI must:
- provide adequate security on information systems
- rapidly report cyber incidents
- flow down requirements to subcontractors
DFARS 252.204-7020 NIST SP 800-171 DoW Assessment Requirements
Applies if suppliers are required to implement NIST SP 800-171 pursuant to DFARS 252.204-7012 for handling CDI. Prior to award, the supplier must have:
- Completed at least a Basic Assessment within the last three years for all covered contractor information systems
- Submitted its summary level scores into the Supplier Performance Risk System (SPRS) or via encrypted email to [email protected] for posting to the SPRS
Frequently asked questions
CDI is unclassified controlled technical information or other information, as described in the Unclassified CUI Registry at www.archives.gov/cui/registry/category-list.html, which requires safeguarding or dissemination controls pursuant to and consistent with law, regulations and governmentwide policies, and is:
- Marked or otherwise identified in the contract, task order or delivery order and provided to the contractor by or on behalf of DoW in support of the performance of the contract; or
- Collected, developed, received, transmitted, used or stored by or on behalf of the contractor in support of the performance of the contract.
A covered contractor information system is an unclassified information system that is owned or operated by or for a contractor, and that processes, stores or transmits covered defense information.
NIST 800-171 refers to the National Institute of Standards and Technology Special Publication 800-171, which governs CUI (Controlled Unclassified Information) in Non-Federal Information Systems and Organizations. NIST SP 800-171 security requirements derive from security controls in NIST SP 800-53 Revision 4, which contains 14 key areas you will need to comply with. You can find a listing of these here. These new standards must be met by anyone who processes, stores or transmits this type of potentially sensitive information (CUI) for the DoW, GSA or NASA and other federal or state agencies.
For an accurate response, we recommend checking with your IT Security professionals and legal counsel. It is our policy to only share CDI with suppliers who have assured us that they are capable of handling it.