Cybersecurity Maturity Model Certification (CMMC)
Raytheon Intelligence & Space, Raytheon Missiles & Defense Contractual requirements
“Notional Example of Possible Contractual Requirements that Raytheon Technologies may utilize flow CMMC requirements to suppliers. These are subject to change pending release of CMMC requirements into contracts and RTX’s review of those requirements.”
Supplier annual certification
Raytheon Technologies' annual supplier certification includes questions about your company’s ability to handle CDI in compliance with the cyber DFARS clause 252.204-7012 and your company’s current or planned level of CMMC certification. For an accurate response, we recommend checking with your IT Security professionals and legal counsel. It is our policy to only share CDI with suppliers who have assured us that they are capable of handling it.
Together with our suppliers, we play a shared role in securing our global supply chain.
On Oct. 21, 2016, the DoD published the Final Rule for DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting. It represents DoD’s efforts to prevent improper access to important unclassified information in the supply base. The DFARs clause contains the following main requirements:
Contractors must provide adequate security for “covered contractor information systems,” to include implementing the security controls of National Institute of Standards and Technology (NIST) SP 800-171 as required. A "covered contractor information system" is an unclassified information system that is owned or operated by or for a contractor, and that also processes, stores or transmits covered defense information.
Cyber incident reporting
Contractors must report cyber incidents to the DoD at https://dibnet.dod.mil within 72 hours of discovery, and subcontractors must provide the incident report number, automatically assigned by DoD, to the prime contractor (or next higher-tier subcontractor) as soon as practicable. Contractors must also conduct a review for evidence of compromise, isolate and submit malicious software in accordance with instructions provided by the contracting officer, preserve and protect images of all known affected information systems and relevant monitoring/packet capture data for at least 90 days for potential DoD review, and provide DoD with access to additional information or equipment that is necessary to conduct a forensic analysis.
This DFARS clause must be flowed down in any subcontracts or similar contractual instruments in which subcontract performance will involve covered defense information or operationally critical support. The clause must be flowed down without alteration, except to identify the parties. The full DFARS clause can be found in its entirety under related links. Together, the threats we face necessitate that we work together to minimize risk, protect our sensitive information and safeguard our global security.
If you have any questions or would like additional information, please contact [email protected].