With supply chain networks particularly at risk, RTX aims to establish a protected supply chain ecosystem with infrastructure that supports secure collaboration across the supply base. Outdated security systems render companies vulnerable to data breaches and information compromises that could have detrimental effects throughout the supply chain, for our customers, the aerospace and defense industry, and national security. We are steadfast in our commitment to working with our suppliers to keep sensitive information safe, secure and out of the hands of those who would use it to endanger global security.
RTX reminds its suppliers to take appropriate steps to protect RTX information in its possession, and to report cyber incidents in accordance with existing obligations and in a timely manner.
Supplier Incident Reporting
All suppliers who discover a cyber incident, or suspect a cyber incident may have occurred, must report it to RTX.
- If you need to report a data incident involving RTX personal information, please email [email protected].
- Suppliers who support U.S. Department of Defense (DoD) contracts must first report any suspected cyber incident to https://dibnet.dod.mil in accordance with the version of the DFARS clause flowed on their purchase order and then as soon as practicable to RTX at [email protected].
Build Awareness + Reduce Risk
Cybersecurity Resources
In partnership with leaders from across RTX and the DIB (Defense Industrial Base) Community, we have created the Top 10 Cyber Best Practices guidebook. This resource highlights steps you and your team can take today to reduce risk while providing awareness on available resources to promote resiliency.
The identified top Cyber Best Practices are applicable to any industry and are a starting point on steps you can take to help reduce risk. Each slide briefly describes the best practices, phased actions to take, and some available resources or services to support this best practice. This list is not inclusive of all resources and services available.
Check back for additional updates and resources.
Cybersecurity
Top 10 Best Practices
Supply Chain Resilience Documents
RTX Supplier Cyber Requirements (Applicable to All Suppliers)
RTX Standard Terms & Conditions
Security for RTX, including Third Party, Information
Overview of elements:
- Suppliers must:
  - develop, implement, maintain, monitor, and update a written security program
  - install and implement security hardware and software designed to:
    - protect the integrity of Supplier's network, products, and RTX information
    - guard against security incidents
  - demonstrate compliance to generally accepted cyber frameworks
  - restrict access to RTX information to authorized employees and authorized third parties
  - use standard encryption methods
  - support RTX in investigating cyber incidents
Flow down of U.S. Government Contract Clauses
DFARS 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting
Suppliers supporting DoD contracts and handling CDI must:
- provide adequate security on information systems
- rapidly report cyber incidents
- flow down requirements to subcontractors
DFARS 252.204-7020 NIST SP 800-171 DoD Assessment Requirements
Applies if suppliers are required to implement NIST SP 800-171 pursuant to DFARS 252.204-7012 for handling CDI. Prior to award, the supplier must have:
- completed at least a Basic Assessment within the last three years for all covered contractor information systems
- submitted its summary level scores into the Supplier Performance Risk System (SPRS) or via encrypted email to [email protected] for posting to the SPRS
Cybersecurity Maturity Model Certification 2.0
The DoD CIO has published an initial draft of the new CMMC 2.0 ruling. Suppliers are encouraged to stay up to date with the latest CMMC 2.0 information here. At this time all suppliers are encouraged to review their latest NIST SP 800-171 self-assessments and begin to close any open POA&Ms over the coming months.
Frequently Asked Questions
CDI is unclassified controlled technical information or other information, as described in the Unclassified CUI Registry at www.archives.gov/cui/registry/category-list.html, which requires safeguarding or dissemination controls pursuant to and consistent with law, regulations and governmentwide policies, and is:
- marked or otherwise identified in the contract, task order or delivery order and provided to the contractor by or on behalf of DoD in support of the performance of the contract; or
- collected, developed, received, transmitted, used or stored by or on behalf of the contractor in support of the performance of the contract.
A covered contractor information system is an unclassified information system that is owned or operated by or for a contractor, and that processes, stores or transmits covered defense information.
NIST 800-171 refers to the National Institute of Standards and Technology Special Publication 800-171, which governs CUI (Controlled Unclassified Information) in Non-Federal Information Systems and Organizations. NIST SP 800-171 security requirements derive from security controls in NIST SP 800-53 Revision 4 and are organized into 14 key areas you will need to comply with. You can find a listing of these here. These standards must be met by anyone who processes, stores or transmits this type of potentially sensitive information (CUI) for the DoD, GSA or NASA and other federal or state agencies.
For an accurate response, we recommend checking with your IT Security professionals and legal counsel. It is our policy to only share CDI with suppliers who have assured us that they are capable of handling it.