Document CMMC status in Exostar

December 01, 2025

Background

Following our recent notice, “Upcoming CMMC Requirements – Immediate Actions to Complete”, all active Lockheed Martin suppliers are required to submit their Cybersecurity Maturity Model Certification (CMMC) status. To address these requirements, a new form, the Cybersecurity Compliance Attestation (CCA), must be completed in Exostar.

  • What the CCA does: It records your organization’s attestations on the applicability of, and compliance with, U.S. Government (USG) cybersecurity regulations, including your current CMMC status.
  • When you’ll receive it: Within the next few weeks, you will be sent an invitation through Exostar that includes step-by-step guidance for accessing the CCA and updating your self certifications. 
  • Why it matters: The CCA is an interim form, pending an update to our Cybersecurity Compliance and Risk Assessment (CCRA). It will be the primary source for CMMC and other compliance-related attestations.

1. Address DOD’s Requirements
 
Based on the history of contracts received from Lockheed Martin and the types of possible future work, active suppliers should determine their required CMMC level and document the corresponding self-assessment or C3PAO assessment in DOD’s SPRS system.
 
2. Provide your CMMC Status to Lockheed Martin
 
As part of an organization’s vendor profile self-certifications in Exostar, Lockheed Martin requires all suppliers to attest regarding USG cyber regulatory applicability and their compliance with any applicable regulations. Effective with DOD’s CMMC requirements, this includes documenting an organization’s applicable CMMC statuses that support LM subcontract work using the Cybersecurity Compliance Attestation (CCA) in Exostar.
  • When you receive the system-generated email from Exostar (noreply@exostar.com), log into Exostar Supplier Management (SM) and complete the CCA as soon as possible to avoid business disruptions in the award of subcontracts with CMMC requirements.
  • See the TPM SM User Guide for additional details on how to access and complete the Cyber Compliance Attestation.
  • Note for organizations with previously submitted CCRA: prior submissions will be available for review only (cannot be edited).

3. Maintain Current CMMC Status

Be aware that any lapse in required CMMC status will directly impact your organization’s ability to receive DOD subcontracts. Ensure that you maintain current annual affirmations of continuous compliance, and that your last assessment date is within required timeframes:

  • Level 1 – FCI Only: Re-assessment (and affirmation) required every year (1 year)
  • Level 2/3 Conditional – CUI: Finalize within 180 days from assessment date, otherwise expires 
  • Level 2/3 Final – CUI: Re-assessment required every 3 years 
  • Affirmations of Continued Compliance required annually for all CMMC Statuses 

Proactive cooperation is essential to maintaining the security of the Defense Industrial Base and guaranteeing uninterrupted business operations with Lockheed Martin. Please allocate the necessary resources promptly to ensure your company is prepared. Thank you for your continued partnership and dedication to cybersecurity excellence.