Cybersecurity

Cybersecurity attacks continue to increase in frequency and sophistication for the Aerospace and Defense industry. Adversaries target anyone who possesses the sensitive information they seek, including the government, prime contractors, and suppliers. It is imperative that our suppliers understand what is at stake and recognize our shared role in protecting sensitive information and intellectual property. A single mistake or breach could have enormous consequences for our customers, our business, the Aerospace and Defense industry, and national security. To manage this risk, Lockheed Martin has put together a three-pronged strategy in conjunction with suppliers.

Understanding Posture

Understanding a supplier’s ability to protect sensitive information and manage cybersecurity risk is important to Lockheed Martin and helps us make decisions on how best to manage risk. We use a variety of methods such as supplier briefings, validations, and the Exostar Supplier Cybersecurity Questionnaires to understand a supplier’s cybersecurity readiness.

Suppliers can use the Trading Partner Manager (TPM) profile sensitive information checklist below to determine whether they exchange sensitive information with Lockheed Martin. Suppliers that do must indicate this in their Exostar profile and are then required to complete the cybersecurity surveys.

Trading Partner Manager Profile Sensitive Information Checklist

If you answer ‘yes’ to any of the following questions, you will need to update your Exostar TPM Profile to indicate that you exchange sensitive information. If you need assistance to update your profile, download the TPM Profile guide.

  • Do you have a non-disclosure agreement in place with Lockheed Martin?
  • Do you currently possess, or anticipate needing any of the following from Lockheed Martin: Personal Information, Export Controlled Information, Lockheed Martin Proprietary Information, or Third Party Proprietary Information?
  • Do you have any past, current or anticipated contracts where Lockheed Martin flows down cyber DFARS 252.204-7012 and Covered Defense Information (CDI) is handled (received or created) in performance of the contract?

If you have any questions regarding Supply Chain Cybersecurity, contact lm.supplychaincyber@lmco.com.

Lockheed Martin, in partnership with BAE Systems, Boeing, Northrop Grumman and Raytheon, has implemented two cybersecurity surveys to measure a supplier’s ability to manage cybersecurity. The companies worked with Exostar to host both online questionnaires. A company that completes a questionnaire and is a supplier to two or more of the partner companies (e.g. Lockheed Martin and Raytheon) only has to respond once, and then has the option to share the submittal with the other companies. The two questionnaires are 1) the Cybersecurity Questionnaire (CSQ), and 2) the NIST SP 800-171 Questionnaire that supports cyber DFARS compliance. Detailed steps (process flow) for Lockheed Martin suppliers to access and complete the questionnaires can be found here.

Need assistance completing the Exostar Cybersecurity & NIST SP 800-171 questionnaires?

Supplier Cybersecurity Questionnaire

A cybersecurity questionnaire based on the Center for Internet Security Critical Security Controls. This questionnaire is required of all Lockheed Martin suppliers that have answered “YES” to handling Lockheed Martin Sensitive Information. Suppliers with whom we share sensitive information must complete and maintain the supplier cybersecurity questionnaire in their Exostar profile.

To access the Cybersecurity Questionnaire in Exostar:

  • Go to https://portal.exostar.com and log in
  • Click on the “My Account” tab
  • Click on “View Organization Details”
  • Click on “View in Trading Partner Manager (TPM)”
    • Must have Organization Administrator rights to access TPM
    • To see who has those rights, see the “Organization Administrator” section of the “View Organization Details” page
  • Click “Continue” if prompted
  • Click on “Cybersecurity” on the left side menu

The questionnaire should take about 2 – 3 hours to complete. We suggest that you print a copy of the questionnaire, meet with your IT security team to gather the necessary information, and then enter your company’s responses into your Exostar profile. If you need help answering the Cybersecurity Questionnaire, refer to the Exostar Partner Integration Manager (PIM) CSQ resource page, which includes resources, FAQ and guidelines for the cybersecurity questionnaire.

NIST SP 800-171 Cybersecurity Compliance Questionnaire

A cybersecurity questionnaire based on NIST Special Publication 800-171, published by the National Institute of Standards and Technology (NIST). Compliance with NIST SP 800-171 is required by cyber DFARS Clause 252.204-7012. Refer to the “Adhering to DoD Requirements” section for further information.

To access the NIST 800-171 questionnaire in Exostar:

  • Go to https://portal.exostar.com and log in
  • Click on the “My Account” tab
  • Click on “View Organization Details”
  • Click on “View in Trading Partner Manager (TPM)”
    • Must have Organization Administrator rights to access TPM
    • To see who has those rights, see the “Organization Administrator” section of the “View Organization Details” page
  • Click “Continue” if prompted
  • Click on “NIST 800-171”


We suggest that you print a copy of the questionnaire before entering your responses.


Supplier Briefings

Periodically, Lockheed Martin will provide supplier briefings which are information sharing sessions where we discuss cybersecurity threats, cybersecurity best practices, and how to better manage risk. These sessions are collaborative in nature and are helpful in introducing suppliers to organizations and teams that can provide ongoing threat and risk management information.

Supplier Validations

Lockheed Martin conducts onsite and virtual assessments of a supplier’s cybersecurity posture. The validations look at items like cybersecurity controls and risks in order to help Lockheed Martin and the supplier understand the extent of their cybersecurity capabilities, their ability to protect sensitive information and deliver secure products and services.


Building Awareness

Lockheed Martin and our partners have defined a cybersecurity questionnaire based on the Center for Internet Security Critical Security Controls. Completing this questionnaire is often a foundation for a supplier’s cybersecurity awareness. Lockheed Martin facilitates supplier cybersecurity awareness through participation in targeted outreach events and supplier development and mentoring.

As a valued supplier, you play an important role in protecting our information and networks from cyber threats. No one is immune to these attacks, and while we actively work to strengthen our cybersecurity defenses from these ever evolving threats, your cooperation and diligence are needed to ensure we appropriately manage risk throughout our supply chain. As your cybersecurity capabilities mature, you will be better positioned to secure sensitive information and may gain a competitive advantage. Being knowledgeable of potential threats and understanding how to manage those threats is of paramount importance. There are a number of resources to help you develop and improve your cybersecurity risk management program including online or in person training, conferences, podcasts, blogs, local and virtual user group meetings, videos, newsletters, email announcements, and wikis. There are also several government and industry organizations that provide information and guidance on cybersecurity threats, controls, and risk management techniques. While Lockheed Martin does not endorse any specific organization or set of controls, below are a few that may help.


Reducing Risk

A critical part of delivering mission success to our programs and customers is managing and mitigating cyber risks. To do this, as previously discussed, Lockheed Martin, in partnership with our peer Aerospace and Defense industry companies, has established several mechanisms to identify cybersecurity readiness. Our acquisition procedures now require the assessment of supplier cybersecurity risks, which is an integral part of the buying decision. Lockheed Martin and our peer companies understand that improving our supply chain cybersecurity posture will be an effort over a period of years. It is imperative that our suppliers improve their cyber posture as soon as feasible.

One of the keys to delivering mission success for any program or customer is the ability to manage risks in whatever form. Lockheed Martin and its suppliers must work together to ensure that the appropriate risk mitigations are in place to protect sensitive information and deliver results.

Incident Reporting

Our customers count on our products and services to support their missions each and every time. This includes protecting the information related to these products and services and ensuring timely reporting when this information is compromised or exposed to unauthorized parties.

It is the expectation of Lockheed Martin and its customers that we will be notified if any information provided as part of, or generated in support of, contract performance is impacted as a result of a cybersecurity compromise. We have included cyber incident reporting language in many of our contracts with suppliers and moving forward all future contracts will include this contract language. Expectations of suppliers:

  • “Compromise” is defined as unauthorized access, inadvertent disclosure, known misuse, loss, destruction, or alteration of information provided by Lockheed Martin, other than as required to perform the agreed-to scope of work
  • Take appropriate and immediate actions to investigate and contain the incident and any associated risks
  • Provide reasonable cooperation to Lockheed Martin in conducting any investigation regarding the nature and scope of any incident
  • Costs incurred in investigating or remedying incidents shall be borne by the supplier

For contracts not governed by cyber DFARS, suppliers are required to notify the Lockheed Martin (LM) point of contact specified in the Lockheed Martin contract (e.g. Subcontracts Program Manager, Subcontracts Administrator, or Buyer) within 72 hours, or as otherwise specified in the LM contract. Lockheed Martin Programs and personnel must coordinate all cyber incidents with the LMC Computer Incident Response Team (LM CIRT). The LM CIRT will work with impacted programs to make all required cyber incident notifications.

For contracts governed by cyber DFARS Clause 252.204-7012, refer to the “Adhering to DoD Requirements” section. In general, suppliers are required to notify both the DoD and Lockheed Martin (e.g. Subcontracts Program Manager, Subcontracts Administrator, or Buyer) within 72 hours of discovery of a cyber incident. As with other contracts, Lockheed Martin Programs and personnel must coordinate all cyber incidents with the LM CIRT, which will work with impacted programs to make all required cyber incident notifications.

It is our customers’ expectation, and ours, that we will be notified if any information provided as part of, or generated in support of, contract performance is impacted as a result of a cybersecurity incident.

Adhering to DoD Requirements

All Department of Defense (DoD) contractors and subcontractors are required to comply with the Defense Federal Acquisition Regulation Supplement (DFARS) interim rule that replaces the DoD’s prior Unclassified Controlled Technical Information (“UCTI”) Rule, imposing new baseline security standards and significantly expanding the information that is subject to safeguarding and can trigger the reporting requirements.

In August 2015, the DoD issued an updated interim rule that imposed significantly expanded obligations on defense contractors and subcontractors with regard to the protection of unclassified Covered Defense Information (CDI) and the reporting of cyber incidents occurring on unclassified information systems that contain such information. This interim rule, which was updated in December 2015, replaced the UCTI Rule as described above. Additionally, the interim rule implements policies and procedures for safeguarding data and reporting cyber incidents when contracting for cloud computing services.

The four main elements of the December 2015 version of cyber DFARS clause 252.204-7012 are:

  • Contractors have until December 2017 to be in full compliance with the requirements outlined in the clause and NIST SP 800-171
  • Areas of non-compliance need to be reported to the DoD CIO’s office within 30 days after contract award
  • Contractors have 72 hours to report cyber incidents to the DoD
  • The cyber DFARS clause must flow down to all suppliers/subcontractors storing, processing and/or generating Covered Defense Information as part of contract performance


Frequently Asked Questions


Do I as a supplier need to notify Lockheed Martin of my compliance status on cyber DFARS clause 252.204-7012?

If a supplier is non-compliant with the NIST SP 800-171 security controls required by cyber DFARS clause 252.204-7012 dated December 2015, the supplier must notify the DoD CIO’s office of the areas of non-compliance within 30 days of contract award with LMC. The supplier must copy Lockheed Martin, through the authorized procurement representative identified in the subcontract or purchase order, on the DoD notification.

What are the incident reporting requirements for suppliers?

A supplier must report an incident within 72 hours of discovery to both 1) Lockheed Martin (e.g. Lockheed Martin Subcontract Program Manager (SPM), Buyer, or Subcontract Administrator (SCA)) and, in parallel, 2) the DoD at the DFARS-directed reporting site, DoD DIBNet (https://dibnet.dod.mil). LM SPMs, buyers and/or SCAs must immediately notify the LM CIRT of supplier cyber incident reports. Please note: the cyber incident reporting requirements associated with this cyber DFARS clause do not negate any additional reporting requirements found in the contract between Lockheed Martin and the supplier.

How is the cybersecurity questionnaire used by Lockheed Martin different than the actions required by cyber DFARS clause 252.204-7012?

The cybersecurity questionnaire in Exostar is used as a tool to obtain a high-level understanding of a supplier’s ability to protect sensitive information and manage cybersecurity risk. To be clear, performing all activities outlined in the questionnaire does not satisfy the requirements associated with cyber DFARS clause 252.204-7012. Suppliers that store or process CDI are responsible for assessing their systems for compliance with the requirements outlined in cyber DFARS clause 252.204-7012.


Terms & Definitions

Covered Defense Information is information in any of the following categories:

Unclassified controlled technical information or other information, as described in the Controlled Unclassified Information (CUI) Registry found here, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government wide policies, and is —

A.  Marked or otherwise identified in the contract, task order, or delivery order and provided to the contractor by or on behalf of DoD in support of the performance of the contract; or

B. Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.

“Controlled technical information” means technical information with military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination. Controlled technical information would meet the criteria, if disseminated, for distribution statements B through F using the criteria set forth in DoD Instruction 5230.24, Distribution Statements on Technical Documents. The term does not include information that is lawfully publicly available without restrictions.


Controlled Technical Information
Controlled technical information means technical information with military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination. Controlled technical information is to be marked with one of the distribution statements B through F, in accordance with DoD Instruction 5230.24, Distribution Statements on Technical Documents. The term does not include information that is lawfully publicly available without restrictions.