With supply chain networks particularly at risk, RTX aims to establish a protected supply chain ecosystem with infrastructure that supports secure collaboration across the supply base. Outdated security systems render companies vulnerable to data breaches and information compromises that could have detrimental effects throughout the supply chain, for our customers, the aerospace and defense industry, and national security. We are steadfast in our commitment to working with our suppliers to keep sensitive information safe, secure and out of the hands of those who would use it to endanger global security.
RTX reminds its suppliers to take appropriate steps to protect RTX information in their possession, and to report cyber incidents in a timely manner and in accordance with existing obligations.
Whether at the airport, in the aircraft or in the sky, we are redefining aviation for safer, more efficient flight. We’re building the technology today to meet the needs of tomorrow’s more information-driven and connected aviation ecosystem.

Cybersecurity
Top 10 Best Practices
Supply Chain Resilience Documents
RTX Supplier Cyber Requirements (Applicable to All Suppliers)
RTX Standard Terms & Conditions
Security for RTX, including Third Party, Information
Overview of elements:
- Suppliers must
  - develop, implement, maintain, monitor, and update a written security program
  - install and implement security hardware and software designed to:
    - protect the integrity of Supplier's network, products, and RTX information
    - guard against security incidents
  - demonstrate compliance to generally accepted cyber frameworks
  - restrict access to RTX information to authorized employees and authorized 3rd parties
  - use standard encryption methods
  - support RTX in investigating cyber incidents
Flow down of U.S. Government Contract Clauses
DFARS 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting.
Suppliers supporting DoD contracts and handling CDI must:
- Provide adequate security on information systems
- Rapidly report cyber incidents
- Flow down requirements to subcontractors
DFARS 252.204-7020 NIST SP 800-171 DoD Assessment Requirements
Applies if suppliers are required to implement NIST SP 800-171 pursuant to DFARS 252.204-7012 for handling CDI. Prior to award, the supplier must have:
- Completed at least a Basic Assessment within the last three years for all covered contractor information systems
- Submitted its summary level scores into the Supplier Performance Risk System (SPRS) or via encrypted email to [email protected] for posting to the SPRS
Cybersecurity Maturity Model Certification 2.0
The DoD CIO has published an initial draft of the new CMMC 2.0 ruling. Suppliers are encouraged to stay up to date with the latest CMMC 2.0 information here. At this time, all suppliers are encouraged to review their latest NIST 800-171 self-assessments and begin to close any open POAMs over the coming months.
DoD CMMC Resources
Frequently Asked Questions
CDI is unclassified controlled technical information or other information, as described in the Unclassified CUI Registry at www.archives.gov/cui/registry/category-list.html, which requires safeguarding or dissemination controls pursuant to and consistent with law, regulations and governmentwide policies, and is:
- Marked or otherwise identified in the contract, task order or delivery order and provided to the contractor by or on behalf of DoD in support of the performance of the contract; or
- Collected, developed, received, transmitted, used or stored by or on behalf of the contractor in support of the performance of the contract.
A covered contractor information system is an unclassified information system that is owned or operated by or for a contractor, and that processes, stores or transmits covered defense information.
NIST 800-171 refers to the National Institute of Standards and Technology Special Publication 800-171, which governs CUI (Controlled Unclassified Information) in Non-Federal Information Systems and Organizations. NIST SP 800-171 security requirements derive from security controls in NIST SP 800-53 Revision 4, which contains 14 key areas you will need to comply with. You can find a listing of these here. These new standards must be met by anyone who processes, stores or transmits this type of potentially sensitive information (CUI) for the DoD, GSA or NASA and other federal or state agencies.
For an accurate response, we recommend checking with your IT Security professionals and legal counsel. It is our policy to only share CDI with suppliers who have assured us that they are capable of handling it.