Cybersecurity attacks continue to increase in frequency and sophistication for the Aerospace and Defense industry. Adversaries are targeting anyone who possesses the sensitive information they seek including the government, prime contractors, and suppliers. It is imperative that our suppliers understand what’s at stake and recognize our shared role in protecting sensitive information and intellectual property. A single mistake or breach could have enormous consequences for our customers, our business, the Aerospace and Defense Industry, and national security. Lockheed martin has put together a three-pronged strategy in conjunction with suppliers to manage this risk.
Lockheed Martin in partnership with BAE Systems, Boeing, Northrop Grumman and Raytheon have implemented two cybersecurity surveys to measure a supplier’s ability to manage cybersecurity. The companies worked with Exostar to host both on-line questionnaires. A company who completes the questionnaire, and is a supplier to two or more of the partner companies (e.g. Lockheed Martin and Raytheon) will only have to respond once, and then have the option to share the submittal with the other company(s).
Suppliers can use the Trading Partner Manager (TPM) profile sensitive information checklist below to evaluate if they are exchanging sensitive information, which requires the distinction be made in their Exostar profile and require suppliers to complete cybersecurity surveys.
Trading Partner Manager Profile Sensitive Information Checklist
If you answer ‘yes’ to any of the following questions, you will need to update your Exostar TPM Profile to indicate that you exchange sensitive information. If you need assistance to update your profile, download the TPM Profile guide.
- Do you have a non-disclosure agreement in place with Lockheed Martin?
- Do you currently possess, or anticipate needing any of the following from Lockheed Martin: Personal Information, Export Controlled Information, Lockheed Martin Proprietary Information, or Third Party Proprietary Information?
- Do you have any past, current or anticipated contracts where Lockheed Martin flows down cyber DFARS 252.204-7012 and Covered Defense Information (CDI) is handled (received or created) in performance of the contract?
The two questionnaires are:
- Cybersecurity Questionnaire (CSQ)
- National Institute of Standards and Technology (NIST) SP 800-171 Questionnaire that supports cyber DFARS compliance.
Please refer to the process flow for detailed steps Lockheed Martin suppliers should take to complete the questionnaires.
A cybersecurity questionnaire based on the Center for Internet Security Critical Security Controls. This questionnaire is required of all Lockheed Martin suppliers that have identified themselves as handling Lockheed Martin sensitive information.
If you need help answering the Cybersecurity Questionnaire, refer to the Cybersecurity Questionnaire section found on the Exostar Partner Integration Manager (PIM) page.
NIST SP 800-171 Cybersecurity Compliance Questionnaire
A cybersecurity questionnaire developed and published by the National Institute of Standards and Technology. This questionnaire is required by cyber DFARS Clause 252.204-7012.
If you need help answering the NIST 800-171 Questionnaire, refer to the NIST SP 800-171 section found on the Exostar Partner Integration Manager (PIM) page.
To access the questionnaires in Exostar:
- Go to https://portal.exostar.com and login
- Click on the “My Account” tab
- Click on “View Organization Details”
- Click on “View in Trading Partner Manager (TPM)”
- Must have Organization Administrator rights to access TPM
- To see who has those rights please see the “Organization Administrator” section of the “View Organization Details” page
- Click “Continue” if prompted
- Click on “Cybersecurity” or “NIST 800-171” on the left side menu
We suggest you print a copy of the questionnaire to familiarize yourself with the content and ensure the appropriate resource is identified to provide your organization's response. Please note the only acceptable way to submit either questionnaire is electronically through Exostar. For more PIM resources click here.
All Department of Defense contractors and subcontractors are required to comply with DFARS 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting, imposing baseline security standards and expanding the information that is subject to safeguarding.
Key Impacts of DFARS
Achieved by meeting 110 security requirements across fourteen control categories additional (NIST 800-171 - industry best practice information)
- Incident Reporting
Contractors have 72 hours to report cyber incidents to the DOD CIO
Cyber DFARS must be flowed down to all suppliers / subcontractors who store, process and/or generate Covered Defense Information as part of contract performance
For more information on DFARS incident reporting please reference the Cybersecurity Incident Reporting article found under Featured News and Resources.
Periodically, Lockheed Martin will provide supplier briefings which are information sharing sessions where we discuss cybersecurity threats, cybersecurity best practices, and how to better manage risk. These sessions are collaborative in nature and are helpful in introducing suppliers to organizations and teams that can provide ongoing threat and risk management information.
Lockheed Martin conducts onsite and virtual assessments of a supplier’s cybersecurity posture. The validations look at items like cybersecurity controls and risks in order to help Lockheed Martin and the supplier understand the extent of their cybersecurity capabilities, their ability to protect sensitive information and deliver secure products and services.
As a valued supplier, you play an important role in protecting our information and networks from cyber threats. No one is immune to these attacks, and while we actively work to strengthen our cybersecurity defenses from these ever evolving threats, your cooperation and diligence are needed to ensure we appropriately manage risk throughout our supply chain. As your cybersecurity capabilities mature, you will be better positioned to secure sensitive information and may gain a competitive advantage. Being knowledgeable of potential threats and understanding how to manage those threats is of paramount importance. There are a number of resources to help you develop and improve your cybersecurity risk management program including online or in person training, conferences, podcasts, blogs, local and virtual user group meetings, videos, newsletters, email announcements, and wikis. There are also several government and industry organizations that provide information and guidance on cybersecurity threats, controls, and risk management techniques. While Lockheed Martin does not endorse any specific organization or set of controls, below are a few that may help.
A critical part of delivering mission success to our programs and customers is managing and mitigating cyber risks. To do this, Lockheed Martin in partnership with our peer Aerospace and Defense industry companies have established several mechanisms to identify cybersecurity readiness. Our acquisition procedures now require the assessment of supplier cybersecurity risks which will be an integral part of the buying decision. While Aerospace and Defense primes understand that improving our supply chain cybersecurity posture will require ongoing effort, it is essential that all suppliers take steps now to improve and continuously assess their posture.
Identified Threats in the Defense Industrial Base
The following items were identified by MDA and Industry partners (Boeing, Lockheed Martin, Northrop Grumman, Raytheon) as threats in the Defense Industrial Base. A list of both technical and non-technical focus items were developed as possible mitigation solutions. The technical focus items are ranked on effectiveness in countering the threat. This section provides commonly identified threats followed by available quick win mitigation solutions:
- Spear Phishing – Spear Phishing is a method by which attackers target individuals or organizations seeking unauthorized access to data. Spear Phishing attempts are no typically initiated by random hackers, but are more likely to be conducted by organized perpetrators our for financial gain, trade secrets or national security information.
- Credential Harvesting – Credential harvesting is a technique that is used to obtain legitimate user ID’s (and passwords) to gain access to a network. This can be done by social engineering when a person who acts as a helpful source inquiries about your logon id, or your password. Another way to obtain this information is by accessing a website that appears to be legitimate, but is slightly altered in order to trick a person into providing a logon id/password.
- Unsecure Perimeter Infrastructure – An unsecure Perimeter Infrastructure means that there is limited /or faulty security devices at the outer boundary of the network. An unsecure perimeter can allow nefarious actors to easily enter the network and create havoc/damage.
Technical Focus Items
Possible Mitigation Solutions with a HIGH level of effectiveness based on implementation:
- Email Filter: An email filter can reject certain types of file extensions into the network. For example, an email filter could block an .mp3 extension, thereby denying the transmission of .mp3 files into one’s network
- Category None Blocking with Proxy (web content filter): Category None Blocking with Proxy allows one to limit the types of information a user can access on the internet. For example, this filter could block the category “sports” thereby denying any user the opportunity to access espn.com
- Elimination of Desktop Administrators: Eliminating desktop administrators takes away the ability to change settings on a local computer. If everyone has the ability to change settings, there is no control over what rights and privileges someone may have.
- Two/Multi-factor authentication for remote access, sysadmins, Outlook Web Access(OWA) on internet facing devices: Two/Mult-factor authentication acts as a measure to validate and verify a user before allowing access to an application. For example, one must provide a Smart Card (what you have) and a PIN (what you know) to access OWA on many corporate/military networks
- End of life operating systems for internet connected system: Many servers and computers are never updated with newer Operating System versions. Those devices are at risk since manufacturers usually stop providing security updates to known vulnerabilities on those machines. It is a best practice to remove old and antiquated operating systems
Possible Mitigation Solutions with a MEDIUM level of effectiveness based on implementation:
- Whole Disk encryption for remote laptops: Laptops are at risk to being stolen or lost. Full Disk encryption protects the data on the laptop in case the laptop falls into the wrong hands
- Data encryption at rest: Data encryption at rest means protecting data that is not moving through the networks. This information can reside in databases, file systems, and other storage devices
- Transport Layer Security: Transport Layer Security is a protocol that provides security over the network. It ensure the privacy and the authenticity of the information is safely transmitted
- Secure Dropbox: Secure Dropbox is a file storage service that allows you to access all the documents (in Dropbox) regardless of what device you use to access the information
- Sharing of Hardening practices / Configuration Control Practices: Sharing of Hardening practices / Configuration Control practices between MDA and Industry allows for analysis of best practices so that all may improve their security posture
Non-Technical Focus Items
Definition and Possible Mitigation Solutions:
- Distribution Statements: A distribution statement is a statement used in marking a technical document to denote its availability for secondary distribution, release, and disclosure without additional approvals or authorizations.
- New (TBD) markings for Controlled Unclassified Information (CUI)
- Mandate Distribution Statements on CDRLs AND “Work Products” (non-deliverables)
- Mandatory Government & Contractor Training: Training on FOUO/CUI, Distribution Markings and Cybersecurity awareness allows for a common understanding of all employees on their roles and responsibilities to appropriately mark and share documentation. This understanding is paramount in order to create a culture where document marking and cybersecurity is valued and practiced regularly
- FOUO/CUI Marking & Safeguarding
- Cybersecurity Awareness
- Distribution Statement Markings
- Supply Chain Operational Security (OPSEC) Practices: Supply Chain OPSEC practices limit information flow down to the company that is providing the service or part for the paying organization. Limiting information reduces the risk of data compromise. Only the information that is relevant and is needed to know by the servicing company should be provided – any other information should not be shared
- Restrict Information Flow-Down (Manufacturing need-to-know)
- Limit information listed on commodity Purchase Orders (P.O.s)
- Improve Cyber Intelligence sharing between MDA & Industry: Sharing of Cyber Intelligence practices between MDA and Industry allows for the analysis and understanding of the threats that exist for both MDA and Industry. If we know the threat by sharing information, we can better protect our networks.
- Known supplier issues