Supply Chain Resilience in a High Threat Environment
September 2022
Russia’s invasion of Ukraine continues to impact organizations both within and beyond the region, including increased malicious cyber activity against the U.S., our partners and allies as well as the systems, networks, and information vital to our national defense. We must take immediate action to mitigate and respond to disruptive cyber incidents. Partners in the Defense Industrial Base (DIB) supply chain – particularly those supporting systems visible in Ukraine’s efforts (e.g., Javelin, HIMARS, etc.) – are faced with elevated cybersecurity risk. Those that fail to defend against cyberattacks pose significant risks to our national security.
Increasing the collective cyber resiliency of our supply chain is a priority for Lockheed Martin and for our customers. Our intelligence indicates an imminent threat by our adversaries to disrupt the U.S. support to Ukraine by targeting our suppliers. To protect our critical technologies, the people and the information used to serve our nation, we must take focused efforts to defend and mitigate the impact of cyberattacks.
As part of the DIB, we need to do the following:
1. Report cyber incidents immediately.
- Ensure you are meeting your regulatory and contractual obligations in reporting to the Department of Defense (DoD) and Lockheed Martin per DFARS 252.204-7012 and Lockheed Martin’s Information Assurance requirements in our standard terms and conditions (CorpDocs).
- Report incidents to Lockheed Martin in accordance with the notification requirements of your contract.
- For DOD, report cyber incidents impacting Covered Defense Information, or other Controlled Unclassified Information and/or the ability to perform operationally critical support within 72 hours of discovery to https://dibnet.dod.mil. For questions or more information, contact DIB Collaboration Information Sharing Environment (DCISE) via DC3.DCISE@us.af.mil or the 24/7 hotline at 1-877-838-2174.
2. Understand cybersecurity posture and reduce risk.
- When DFARS 252.204-7012 applies, complete or update your National Institute of Standards and Technology (NIST) SP 800-171 questionnaire in Exostar’s Partner Information Manager (PIM).
- When DFARS 252.204-7020 also applies, complete an assessment against the DOD NIST SP 800-171 Assessment Methodology and submit your score to the U.S. Government Supplier Performance Risk System (SPRS).
- Prioritize fully implementing the Top 10 High-Value Controls, as documented by the DIB Sector Coordinating Council (SCC): https://ndisac.org/dibscc/implementation-and-assessment/top-10-high-value-controls/.
- Industry incident trends continue to show a lack of Multi-Factor Authentication (MFA) as a leading entry point for threat actor exploits.
3. Seek Assistance and Partner. These three organizations can assist you:
- DOD Cyber Crime Center (DC3)
- National Security Agency’s Cybersecurity Collaboration Center (NC3)
- National Defense Information Sharing and Analysis Center (ND-ISAC)