Cybersecurity attacks continue to increase in frequency and sophistication for the Aerospace and Defense industry. Adversaries are targeting anyone who possesses the sensitive information they seek including the government, prime contractors, and suppliers. It is imperative that our suppliers understand what’s at stake and recognize our shared role in protecting sensitive information and intellectual property. A single mistake or breach could have enormous consequences for our customers, our business, the Aerospace and Defense Industry, and national security. Lockheed martin has put together a three-pronged strategy in conjunction with suppliers to manage this risk.

Most recent   ___

News and Resources

Feb 19, 2024
The DIB Sector Coordinating Council is implementing a new common and simplified assessment model for evaluating supplier cyber posture (CCRA).
Jan 12, 2024
Critical zero-day exploits have been discovered in Ivanti Connect Secure (ICS), formerly known as Pulse Connect Secure and Ivanti Policy Secure Gateways.
Sep 19, 2023
Stay vigilant against the “hidden spies” in your inbox, online or on your mobile devices

Understanding Posture

Lockheed Martin, in partnership with the Defense Industrial Base (DIB) Sector Coordinating Council (SCC) Supply Chain Cybersecurity Task Force (SCCTF), has developed the Cybersecurity Compliance and Risk Assessment (CCRA). The CCRA concept allows suppliers to complete ONE assessment which would be accepted on a reciprocal basis by DoD Prime contractors, or other companies who recognize the CCRA.  This will introduce efficiencies and cost savings in contrast to current practices. As suppliers have observed, while the regulatory requirements for cybersecurity continue to grow and evolve, companies have resorted to developing proprietary assessments or using outdated questionnaires to capture compliance and risk information. This approach has introduced a significant burden to suppliers that  are required to provide unique responses to assessment tools containing  varying numbers of security requirements and  inconsistent language.

For LM suppliers, the CCRA will significantly reduce the burden and time it takes to complete over the legacy CSQ and NIST Questionnaire. The web-based CCRA will be implemented on Exostar’s Onboarding Module (OBM) and suppliers will be asked to migrate to the CCRA starting 1st Quarter 2024.

Understanding a supplier’s ability to protect sensitive information and manage cybersecurity risk is important to Lockheed Martin, the DIB, and our customers. We use a variety of methods such as the Cybersecurity Compliance and Risk Assessment (CCRA), supplier briefings and supplier validations to understand a supplier’s cybersecurity readiness.

Need assistance completing the Cybersecurity Compliance and Risk Assessment (CCRA) in Exostar OBM?

DOD Requirements

All Department of Defense contractors and subcontractors are required to comply with DFARS 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting, imposing baseline security standards and expanding the information that is subject to safeguarding.

Key Impact of DFARS



Achieved by meeting 110 security requirements across fourteen control categories (Industry Best Practices for Implementing and Assessing Security Controls)


Incident Reporting

Contractors have 72 hours to report cyber incidents to the DOD CIO



Cyber DFARS must be flowed down to all suppliers / subcontractors who store, process and/or generate Covered Defense Information as part of contract performance

Supplier Briefings

Periodically, Lockheed Martin will provide supplier briefings which are information sharing sessions where we discuss cybersecurity threats, cybersecurity best practices, and how to better manage risk. These sessions are collaborative in nature and are helpful in introducing suppliers to organizations and teams that can provide ongoing threat and risk management information.

Supplier Validations

Lockheed Martin conducts onsite and virtual assessments of critical suppliers to better understand their cybersecurity posture. The validations look at items like cybersecurity controls and risks in order to help Lockheed Martin and the supplier understand the extent of their cybersecurity capabilities, their ability to protect sensitive information and deliver secure products and services

Building Awareness

As a valued supplier, you play an important role in protecting our information and networks from cyber threats. No one is immune to these attacks, and while we actively work to strengthen our cybersecurity defenses from these ever evolving threats, your cooperation and diligence are needed to ensure we appropriately manage risk throughout our supply chain. As your cybersecurity capabilities mature, you will be better positioned to secure sensitive information and may gain a competitive advantage. Being knowledgeable of potential threats and understanding how to manage those threats is of paramount importance.

There are several resources to help you develop and improve your cybersecurity risk management program including online or in person training, conferences, podcasts, blogs, local and virtual user group meetings, videos, newsletters, email announcements, and wikis. The Defense Industrial Base (DIB) Sector Coordinating Council (SCC) Shared Assist Working Group has developed the Cyber Assist Website to provide trusted resources to assist DIB companies and suppliers of varying sizes with the implementation of cyber protections, and awareness of cyber risk, regulations and accountability for their supply chain.

The CMMC will be a requirement for existing U.S. DoD Contractors, replacing the self-attestation model and moving towards third-party certification. Ensure your suppliers who handle CUI are informed of CMMC and they are also addressing any outstanding NIST 800-171 requirements/ POAM items.

Reducing Risk

A critical part of delivering mission success to our programs and customers is managing and mitigating cyber risks. To do this, Lockheed Martin in partnership with our peer Aerospace and Defense industry companies have developed the Cybersecurity Compliance and Risk Assessment (CCRA) to identify cybersecurity readiness. Our acquisition procedures require the assessment of supplier cybersecurity risks which is an integral part of the buying decision. While Aerospace and Defense primes understand that improving our supply chain cybersecurity posture will require ongoing effort, it is essential that all suppliers take steps now to improve and continuously assess their posture.

Identified Threats in the Defense Industrial Base

The Defense Industrial Base (DIB) Sector Coordinating Council (SCC) partners developed the Cyber Assist Website highlighting a list of high value controls and possible mitigations solutions. The Top 10 High Value Controls listing consists of commonly identified threats followed by publicly available resources to help suppliers mitigate those threats.