Outdated security systems render companies vulnerable to data breaches and information compromises that could have detrimental effects throughout the supply chain, for our customers, the aerospace and defense industry and national security. Even a relatively minor breach could have severe consequences for a business’ reputation and finances. With supply chain networks particularly at risk, Raytheon Technologies aims to establish a protected supply chain ecosystem with infrastructure that supports secure collaboration across the supply base. We are steadfast in our commitment to working with our suppliers to keep sensitive information safe, secure and out of the hands of those who would use it to endanger global security.

For official guidance and up to date recommendations on the Log4Shell vulnerability, visit: https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance

Supplier Incident Reporting

To report a suspected cyber incident:

  • All suppliers who discover a cyber incident, or suspect a cyber incident may have occurred should report it to [email protected]. If you need to report a data incident involving Raytheon Technologies personal information, please email [email protected].
  • Suppliers who support U.S. Department of Defense (DoD) contracts must first report any suspected cyber incident to https://dibnet.dod.mil in accordance with the version of the DFARS clause flowed on their purchase order and then as soon as practicable to Raytheon Technologies at [email protected].

U.S. Government Subcontractor Regulatory Alert

Beginning November 30, 2020, Contracting Officers must include the new DFARS 252.204-7019 provision and DFARS clause 252.204-7020 clause in all solicitations and contracts, with certain exceptions including solicitations or contracts solely for the acquisition of commercial-off-the-shelf (COTS) items. These will require the DoD supply chain to quantify their current cybersecurity compliance with NIST SP 800-171 requirements using the NIST SP 800-171 DoD Assessment Methodology. Pursuant to 252.204-7020, contractors such as Raytheon Technologies may not award a subcontract or other contractual instrument that is subject to the implementation of NIST SP 800-171 security requirements, in accordance with DFARS 252.204-7012, unless the supplier has

  • Completed at least a Basic Assessment in accordance with NIST SP 800-171 DoD Assessment Methodology (or in the alternative the Government performed Medium or High Assessment) within the last three years for all covered contractor information systems relevant to its offer that are not part of an information technology system operated on behalf of the Government; and
  • To the extent the supplier completed a Basic Assessment, it submitted its summary level scores, and other information required by paragraph (d) of DFARS 252.204-7020, either directly into the Supplier Performance Risk System (SPRS) or via encrypted email to [email protected] for posting to the SPRS.

Please note that both the NIST SP 800-171 DoD Assessment Methodology and SPRS are government tools and independent of Raytheon Technologies. The Basic self-assessment can be found at here at the third link titled, “NIST SP 800-171 DoD Assessment Methodology rev. 1.2.1.” Within the document there is an assessment template and instructions are provided on how to score your company. The SPRS site can be accessed directly here, there is a help guide posted at the top of the page.

For full communication

Supplier annual certification

Raytheon Technologies' annual supplier certification includes questions about your company’s ability to handle CDI in compliance with the cyber DFARS clause 252.204-7012 and your company’s current or planned level of CMMC certification. For an accurate response, we recommend checking with your IT Security professionals and legal counsel. It is our policy to only share CDI with suppliers who have assured us that they are capable of handling it.


Together with our suppliers, we play a shared role in securing our global supply chain.

On Oct. 21, 2016, the DoD published the Final Rule for DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting. It represents DoD’s efforts to prevent improper access to important unclassified information in the supply base. The DFARs clause contains the following main requirements:

Adequate security

Contractors must provide adequate security for “covered contractor information systems,” to include implementing the security controls of National Institute of Standards and Technology (NIST) SP 800-171 as required. A "covered contractor information system" is an unclassified information system that is owned or operated by or for a contractor, and that also processes, stores or transmits covered defense information.

Cyber incident reporting

Contractors must report cyber incidents to the DoD at https://dibnet.dod.mil within 72 hours of discovery, and subcontractors must provide the incident report number, automatically assigned by DoD, to the prime contractor (or next higher-tier subcontractor) as soon as practicable. Contractors must also conduct a review for evidence of compromise, isolate and submit malicious software in accordance with instructions provided by the contracting officer, preserve and protect images of all known affected information systems and relevant monitoring/packet capture data for at least 90 days for potential DoD review, and provide DoD with access to additional information or equipment that is necessary to conduct a forensic analysis.

Subcontractor flowdown

This DFARS clause must be flowed down in any subcontracts or similar contractual instruments in which subcontract performance will involve covered defense information or operationally critical support. The clause must be flowed down without alteration, except to identify the parties. The full DFARS clause can be found in its entirety under related links. Together, the threats we face necessitate that we work together to minimize risk, protect our sensitive information and safeguard our global security.

If you have any questions or would like additional information, please contact [email protected].

Frequently Asked Questions