Understanding Posture

Understanding a supplier’s ability to protect sensitive information and manage cybersecurity risk is important to Lockheed Martin and helps us make decisions on how best to manage risk. We use a variety of methods such as supplier briefings, validations, and the Exostar Supplier Cybersecurity Questionnaires to understand a supplier’s cybersecurity readiness.

Lockheed Martin, in partnership with BAE Systems, Boeing, Northrop Grumman, Raytheon, and Rolls-Royce, has implemented two cybersecurity surveys to measure a supplier’s ability to manage cybersecurity. The companies worked with Exostar to host both questionnaires. A supplier who supplies to two or more of the partner companies (e.g. Lockheed Martin and Raytheon) will only answer once, and Exostar will share the submittal with the other companies. The two questionnaires are 1) the cybersecurity questionnaire and 2) the NIST SP 800-171 cybersecurity compliance questionnaire.

 

Supplier Cybersecurity Questionnaire

This is a cybersecurity questionnaire based on the Center for Internet Security Critical Security Controls. It is required of all Lockheed Martin suppliers that have answered “YES” to handling Lockheed Martin Sensitive Information. We require that suppliers with whom we share sensitive information complete and maintain the supplier cybersecurity questionnaire in their Exostar profile.

To access the Cybersecurity Questionnaire in Exostar:

  • Go to https://portal.exostar.com and log in
  • Click on the “My Account” tab
  • Click on “View Organization Details”
  • Click on “View in Trading Partner Manager (TPM)”
    • You must have Organization Administrator rights to access TPM
    • To see who has those rights, see the “Organization Administrator” section of the “View Organization Details” page
  • Click “Continue” if prompted
  • Click on “Cybersecurity” on the left side menu

The questionnaire should take about 2 – 3 hours to complete. We suggest that you print a copy of the questionnaire, meet with your IT security team to gather the necessary information, and then input your company’s responses into your Exostar profile. If you need help answering the Cybersecurity Questionnaire, please see our answers to Exostar Partner Integration Manager (PIM) Questionnaire Frequently Asked Questions.

 

NIST SP 800-171 Cybersecurity Compliance Questionnaire

This is a cybersecurity questionnaire developed and published by the National Institute of Standards and Technology (NIST). It is required by DFARS Clause 252.204-7012. Refer to the “Adhering to DoD Cybersecurity Requirements” section for further information.

To access the NIST 800-171 questionnaire in Exostar:

  • Go to https://portal.exostar.com and log in
  • Click on the “My Account” tab
  • Click on “View Organization Details”
  • Click on “View in Trading Partner Manager (TPM)”
    • You must have Organization Administrator rights to access TPM
    • To see who has those rights, see the “Organization Administrator” section of the “View Organization Details” page
  • Click “Continue” if prompted
  • Click on “NIST 800-171”

 

Supplier Briefings

Periodically, Lockheed Martin will provide supplier briefings, which are information-sharing sessions where we discuss cybersecurity threats, cybersecurity best practices, and how to better manage risk. These sessions are collaborative in nature and are helpful in introducing suppliers to organizations and teams that can provide ongoing threat and risk management information.

 

Supplier Validations

Lockheed Martin conducts onsite and virtual assessments of a supplier’s cybersecurity posture. The validations look at items like cybersecurity controls and risks in order to help Lockheed Martin and the supplier understand the extent of the supplier’s cybersecurity capabilities and its ability to protect sensitive information and deliver secure products and services.