Outdated security systems render companies vulnerable to data breaches and information compromises that could have detrimental effects throughout the supply chain, for our customers, the aerospace and defense industry and national security. Even a relatively minor breach could have severe consequences for a business’ reputation and finances. With supply chain networks particularly at risk, RTX aims to establish a protected supply chain ecosystem with infrastructure that supports secure collaboration across the supply base. We are steadfast in our commitment to working with our suppliers to keep sensitive information safe, secure and out of the hands of those who would use it to endanger global security.
ALERT: The Cybersecurity & Infrastructure Security Agency (CISA) issued an alert regarding a vulnerability in Progress Software’s MOVEit Transfer software and is urging users and organizations to review the MOVEit Transfer Advisory, follow the mitigation steps, apply the necessary updates, and hunt for any malicious activity.
UPDATE – CISA and the Federal Bureau of Investigation (FBI) have released a joint cybersecurity advisory with recommended actions and mitigations to protect against and reduce impact from CL0P ransomware gang who is reportedly exploiting the MOVEit vulnerability, see it here.
Raytheon Technologies (RTX) reminds its suppliers to take appropriate steps to protect RTX information in its possession, and to timely report cyber incidents in accordance with existing obligations.
Whether at the airport, in the aircraft or in the sky, we are redefining aviation for safer, more efficient flight. We’re building the technology today to meet the needs of tomorrow’s more information-driven and connected aviation ecosystem.
Lorem ipsum dolor sit amet, consectetur adipiscing elit. Mauris suscipit mi a tellus faucibus rhoncus. Nunc sapien ex, lacinia in dictum vitae, feugiat eget turpis. Maecenas at leo pretium metus egestas venenatis.
Supplier annual certification
Raytheon Technologies' annual supplier certification includes questions about your company’s ability to handle CDI in compliance with the cyber DFARS clause 252.204-7012 and your company’s current or planned level of CMMC certification. For an accurate response, we recommend checking with your IT Security professionals and legal counsel. It is our policy to only share CDI with suppliers who have assured us that they are capable of handling it.
Cybersecurity
Together with our suppliers, we play a shared role in securing our global supply chain.
On Oct. 21, 2016, the DoD published the Final Rule for DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting. It represents DoD’s efforts to prevent improper access to important unclassified information in the supply base. The DFARs clause contains the following main requirements:
Adequate security
Contractors must provide adequate security for “covered contractor information systems,” to include implementing the security controls of National Institute of Standards and Technology (NIST) SP 800-171 as required. A "covered contractor information system" is an unclassified information system that is owned or operated by or for a contractor, and that also processes, stores or transmits covered defense information.
Cyber incident reporting
Contractors must report cyber incidents to the DoD at https://dibnet.dod.mil within 72 hours of discovery, and subcontractors must provide the incident report number, automatically assigned by DoD, to the prime contractor (or next higher-tier subcontractor) as soon as practicable. Contractors must also conduct a review for evidence of compromise, isolate and submit malicious software in accordance with instructions provided by the contracting officer, preserve and protect images of all known affected information systems and relevant monitoring/packet capture data for at least 90 days for potential DoD review, and provide DoD with access to additional information or equipment that is necessary to conduct a forensic analysis.
Subcontractor flowdown
This DFARS clause must be flowed down in any subcontracts or similar contractual instruments in which subcontract performance will involve covered defense information or operationally critical support. The clause must be flowed down without alteration, except to identify the parties. The full DFARS clause can be found in its entirety under related links. Together, the threats we face necessitate that we work together to minimize risk, protect our sensitive information and safeguard our global security.
If you have any questions or would like additional information, please contact [email protected].
Frequently Asked Questions
CDI is unclassified controlled technical information or other information, as described in the Unclassified CUI Registry at www.archives.gov/cui/registry/category-list.html, which requires safeguarding or dissemination controls pursuant to and consistent with law, regulations and governmentwide policies, and is:
-
Marked or otherwise identified in the contract, task order or delivery order and provided to the contractor by or on behalf of DoD in support of the performance of the contract; or
-
Collected, developed, received, transmitted, used or stored by or on behalf of the contractor in support of the performance of the contract.
A covered contractor information system is an unclassified information system that is owned or operated by or for a contractor, and that processes, stores or transmits covered defense information.
NIST 800-171 refers to the National Institute of Standards and Technology Special Publication 800-171, which governs CUI in Non-Federal Information Systems and Organizations. NIST SP 800-171 security requirements derive from security controls in NIST SP 800-53 Revision 4, which contains 14 key areas you will need to comply with. You can find a listing of these here. These new standards must be met by anyone who processes, stores or transmits this type of potentially sensitive information (CUI) for the DoD, GSA or NASA and other federal or state agencies.