Raytheon Supplier Cybersecurity

We are steadfast in our commitment to working with our suppliers to keep sensitive information safe, secure and out of the hands of those who would use it to endanger global security.

CYBER SECURITY

We rely on our suppliers to deliver technologically advanced products and services to our customers. Many of the products and services we purchase from our suppliers use technologies or processes that have intellectual value, which makes Raytheon and our suppliers potential targets for sophisticated cyber threats. Together, we play a shared role in securing our global supply chain.

On October 21, 2016, the DoD published the Final Rule for DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Reporting. This follows the interim rules that were published in August 2015 and December 2015. It represents DoD’s efforts to prevent improper access to important unclassified information in the supply base. The DFARS clause contains the following main requirements:

ADEQUATE SECURITY

Contractors must provide adequate security for covered contractor information systems, to include implementing the security controls of National Institute of Standards and Technology (NIST) SP 800-171, as soon as practical but no later than Dec 31, 2017. A "covered contractor information system" is defined as an unclassified system that is owned, or operated by or for, a contractor and that processes, stores, or transmits covered defense information.

For all contracts awarded prior to October 1, 2017, the contractor must notify the U.S. Department of Defense’s Chief Information Officer, via email at osd.dibcsia@mail.mil, within 30 days of contract award, of any NIST SP 800-171 requirements not yet implemented. The DoD CIO can also approve, in writing, requests to vary from NIST SP 800-171 requirements.

CYBER INCIDENT REPORTING

Contractors must report cyber incidents to the DoD at https://dibnet.dod.mil within 72 hours of discovery, and subcontractors must provide the incident report number, automatically assigned by DoD, to the prime Contractor (or next higher-tier subcontractor) as soon as practicable. Contractors must also conduct a review for evidence of compromise, isolate and submit malicious software in accordance with instructions provided by the Contracting Officer, preserve and protect images of all known affected information systems and relevant monitoring/packet capture data for at least 90 days for potential DoD review, and provide DoD with access to additional information or equipment that is necessary to conduct a forensic analysis.

SUBCONTRACTOR FLOWDOWN

This DFARS clause must be flowed down in any subcontracts or similar contractual instruments in which subcontract performance will involve covered defense information or operationally critical support. The clause must be flowed down without alteration, except to identify the parties, to all subtiers handling covered defense information. The full DFARS clause can be found in its entirety under Related Links.

The threats we face necessitate that we work together to minimize risk, protect our sensitive information, and safeguard our global security. If you have any questions or would like additional information, please contact supplier_cybersecurity@raytheon.com.

Frequently Asked Questions
 

Q: What is included in the definition of Covered Defense Information (CDI)?

Q: What is a covered contractor information system?

Q: What is a System Security Plan and Plan of Action?

Q: Are there additional resources that can assist with DFARS compliance?