Cybersecurity
Cybersecurity attacks on the Aerospace and Defense industry continue to increase in frequency and sophistication. Adversaries target anyone who holds the sensitive information they seek, including the government, prime contractors, and suppliers. It is imperative that our suppliers understand what is at stake and recognize our shared role in protecting sensitive information and intellectual property. A single mistake or breach could have enormous consequences for our customers, our business, the Aerospace and Defense industry, and national security. Lockheed Martin has put together a three-pronged strategy, developed in conjunction with suppliers, to manage this risk.
Understanding Posture
Lockheed Martin, in partnership with the Defense Industrial Base (DIB) Sector Coordinating Council (SCC) Supply Chain Cybersecurity Task Force (SCCTF), has developed the Cybersecurity Compliance and Risk Assessment (CCRA). The CCRA concept allows suppliers to complete ONE assessment that is accepted on a reciprocal basis by DoD prime contractors and other companies that recognize the CCRA. This introduces efficiencies and cost savings compared with current practice. As suppliers have observed, while regulatory requirements for cybersecurity continue to grow and evolve, companies have resorted to developing proprietary assessments or using outdated questionnaires to capture compliance and risk information. That approach places a significant burden on suppliers, who must provide unique responses to assessment tools containing varying numbers of security requirements and inconsistent language.
For LM suppliers, the CCRA will take significantly less effort and time to complete than the legacy CSQ and NIST Questionnaire. The web-based CCRA will be implemented on Exostar's Onboarding Module (OBM), and suppliers will be asked to migrate to the CCRA starting in the 1st Quarter of 2024.
DOD Requirements
All Department of Defense contractors and subcontractors are required to comply with DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, which imposes baseline security standards and expands the categories of information subject to safeguarding.
Key Impact of DFARS
Compliance
Achieved by implementing the 110 security requirements of NIST SP 800-171, organized into fourteen control families (industry best practices for implementing and assessing security controls)
Incident Reporting
Contractors must report cyber incidents to the DoD within 72 hours of discovery
Flowdown
The cyber DFARS clause must be flowed down to all suppliers and subcontractors who store, process, and/or generate Covered Defense Information as part of contract performance
Supplier Briefings
Periodically, Lockheed Martin provides supplier briefings: information-sharing sessions in which we discuss cybersecurity threats, cybersecurity best practices, and how to better manage risk. These sessions are collaborative in nature and introduce suppliers to organizations and teams that can provide ongoing threat and risk management information.
Supplier Validations
Lockheed Martin conducts onsite and virtual assessments of critical suppliers to better understand their cybersecurity posture. The validations examine items such as cybersecurity controls and risks so that Lockheed Martin and the supplier understand the extent of the supplier's cybersecurity capabilities, its ability to protect sensitive information, and its ability to deliver secure products and services.
Building Awareness
As a valued supplier, you play an important role in protecting our information and networks from cyber threats. No one is immune to these attacks, and while we actively work to strengthen our cybersecurity defenses against ever-evolving threats, your cooperation and diligence are needed to ensure we appropriately manage risk throughout our supply chain. As your cybersecurity capabilities mature, you will be better positioned to secure sensitive information and may gain a competitive advantage. Knowing the potential threats and understanding how to manage them is of paramount importance.
There are many resources to help you develop and improve your cybersecurity risk management program, including online or in-person training, conferences, podcasts, blogs, local and virtual user group meetings, videos, newsletters, email announcements, and wikis. The Defense Industrial Base (DIB) Sector Coordinating Council (SCC) Shared Assist Working Group has developed the Cyber Assist website to provide trusted resources that help DIB companies and suppliers of all sizes implement cyber protections and build awareness of cyber risk, regulations, and accountability across their supply chain.
Reducing Risk
A critical part of delivering mission success to our programs and customers is managing and mitigating cyber risk. To do this, Lockheed Martin, in partnership with our peer Aerospace and Defense industry companies, has developed the Cybersecurity Compliance and Risk Assessment (CCRA) to identify cybersecurity readiness. Our acquisition procedures require an assessment of supplier cybersecurity risk, which is an integral part of the buying decision. While Aerospace and Defense primes understand that improving supply chain cybersecurity posture will require ongoing effort, it is essential that all suppliers take steps now to improve their posture and to continuously assess it.
Identified Threats in the Defense Industrial Base
The Defense Industrial Base (DIB) Sector Coordinating Council (SCC) partners developed the Cyber Assist website, which highlights a list of high-value controls and possible mitigation solutions. The Top 10 High Value Controls listing consists of commonly identified threats, each followed by publicly available resources to help suppliers mitigate that threat.