Cybersecurity attacks continue to increase in frequency and sophistication for the Aerospace and Defense industry. Adversaries target anyone who possesses the sensitive information they seek, including the government, prime contractors, and suppliers. It is imperative that our suppliers understand what’s at stake and recognize our shared role in protecting sensitive information and intellectual property. A single mistake or breach could have enormous consequences for our customers, our business, the Aerospace and Defense industry, and national security. Lockheed Martin has put together a three-pronged strategy in conjunction with suppliers to manage this risk.
Lockheed Martin, in partnership with BAE Systems, Boeing, Northrop Grumman and Raytheon, has implemented two cybersecurity surveys to measure a supplier’s ability to manage cybersecurity. The companies worked with Exostar to host both online questionnaires. A company that completes a questionnaire and is a supplier to two or more of the partner companies (e.g. Lockheed Martin and Raytheon) will only have to respond once, and then has the option to share the submittal with the other company or companies.
Trading Partner Manager Profile Sensitive Information Checklist
If you answer ‘yes’ to any of the following questions, you will need to update your Exostar TPM Profile to indicate that you exchange sensitive information. If you need assistance to update your profile, download the TPM Profile guide.
- Do you have a non-disclosure agreement in place with Lockheed Martin?
- Do you currently possess, or anticipate needing any of the following from Lockheed Martin: Personal Information, Export Controlled Information, Lockheed Martin Proprietary Information, or Third Party Proprietary Information?
- Do you have any past, current or anticipated contracts where Lockheed Martin flows down cyber DFARS 252.204-7012 and Covered Defense Information (CDI) is handled (received or created) in performance of the contract?
Understanding a supplier’s ability to protect sensitive information and manage cybersecurity risk is important to Lockheed Martin and helps us make decisions on how best to manage risk. We use a variety of methods such as the Cybersecurity and NIST questionnaires, supplier briefings and supplier validations to understand a supplier’s cybersecurity readiness.
Cybersecurity & NIST SP 800-171 Questionnaires
A cybersecurity questionnaire based on the Center for Internet Security Critical Security Controls. This questionnaire is required of all Lockheed Martin suppliers that have identified themselves as handling Lockheed Martin sensitive information.
If you need help answering the Cybersecurity Questionnaire, refer to the Cybersecurity Questionnaire section found on the Exostar Partner Integration Manager (PIM) page.
NIST SP 800-171 Cybersecurity Compliance Questionnaire
A cybersecurity questionnaire developed and published by the National Institute of Standards and Technology. This questionnaire is required by cyber DFARS Clause 252.204-7012.
If you need help answering the NIST 800-171 Questionnaire, refer to the NIST SP 800-171 section found on the Exostar Partner Integration Manager (PIM) page. You may also preview a blank version of the NIST SP 800-171 Questionnaire. Please note the only acceptable way to submit either questionnaire is electronically through Exostar.
All Department of Defense contractors and subcontractors are required to comply with DFARS 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting, imposing baseline security standards and expanding the information that is subject to safeguarding.
Key Impacts of DFARS
- Achieved by meeting 110 security requirements across fourteen control categories (Industry Best Practices for Implementing and Assessing Security Controls)
- Contractors have 72 hours to report cyber incidents to the DOD CIO
- Cyber DFARS must be flowed down to all suppliers / subcontractors who store, process and/or generate Covered Defense Information as part of contract performance
Periodically, Lockheed Martin will provide supplier briefings which are information sharing sessions where we discuss cybersecurity threats, cybersecurity best practices, and how to better manage risk. These sessions are collaborative in nature and are helpful in introducing suppliers to organizations and teams that can provide ongoing threat and risk management information.
Lockheed Martin conducts onsite and virtual assessments of critical suppliers to better understand their cybersecurity posture. The validations look at items like cybersecurity controls and risks in order to help Lockheed Martin and the supplier understand the extent of the supplier’s cybersecurity capabilities, its ability to protect sensitive information, and its ability to deliver secure products and services.
As a valued supplier, you play an important role in protecting our information and networks from cyber threats. No one is immune to these attacks, and while we actively work to strengthen our cybersecurity defenses against these ever-evolving threats, your cooperation and diligence are needed to ensure we appropriately manage risk throughout our supply chain. As your cybersecurity capabilities mature, you will be better positioned to secure sensitive information and may gain a competitive advantage. Being knowledgeable of potential threats and understanding how to manage those threats is of paramount importance.
There are several resources to help you develop and improve your cybersecurity risk management program including online or in person training, conferences, podcasts, blogs, local and virtual user group meetings, videos, newsletters, email announcements, and wikis. The Defense Industrial Base (DIB) Sector Coordinating Council (SCC) Shared Assist Working Group has developed the Cyber Assist Website to provide trusted resources to assist DIB companies and suppliers of varying sizes with the implementation of cyber protections, and awareness of cyber risk, regulations and accountability for their supply chain.
CMMC is coming.
The CMMC will be a new requirement for existing U.S. DOD contractors, replacing the self-attestation model and moving towards third party certification. Ensure your suppliers who handle CUI are informed of the CMMC and that they are also addressing any outstanding NIST 800-171 requirements/POAM items.
A critical part of delivering mission success to our programs and customers is managing and mitigating cyber risks. To do this, Lockheed Martin, in partnership with our peer Aerospace and Defense industry companies, has established several mechanisms to identify cybersecurity readiness. Our acquisition procedures now require the assessment of supplier cybersecurity risks, which will be an integral part of the buying decision. While Aerospace and Defense primes understand that improving our supply chain cybersecurity posture will require ongoing effort, it is essential that all suppliers take steps now to improve and continuously assess their posture.
Identified Threats in the Defense Industrial Base
The Defense Industrial Base (DIB) Sector Coordinating Council (SCC) partners developed the Cyber Assist Website highlighting a list of high value controls and possible mitigation solutions. The Top 10 High Value Controls listing consists of commonly identified threats, each followed by publicly available resources to help suppliers mitigate those threats.