Lockheed Martin asks suppliers for details on compliance with upcoming Pentagon cyber regime

By Sara Friedman  / November 20, 2020

Lockheed Martin is working with its suppliers to get details on their efforts to reach compliance with current and upcoming cybersecurity regulations from the Pentagon.

The defense prime sent a letter addressed to "Lockheed Martin Suppliers Handling Controlled Unclassified Information" on Oct. 15, following up on the interim Defense Federal Acquisition Regulation Supplement rule DOD issued to implement the Pentagon's Cybersecurity Maturity Model Certification program and the NIST SP 800-171 DOD Assessment Methodology.

The Defense Department is rolling out the CMMC program over a five-year period. Starting Nov. 30, when the interim rule takes effect, contractors who handle controlled unclassified information will need to have a current self-assessment of their compliance with National Institute of Standards and Technology Special Publication 800-171 on file in DOD's Supplier Performance Risk System in order to be considered for award of a new contract.

In the letter obtained by Inside Cybersecurity, Lockheed is asking its suppliers to make sure they have their "current DOD Assessment score in SPRS" prior to new contracts coming out.

The letter said, "At a minimum, determine your score through the basic assessment (self-assessment), and submit it to DOD SPRS." The letter directs suppliers to use the NIST 800-171 DOD Assessment Methodology that the Defense Contract Management Agency has been using for over a year.

Suppliers should also work to "address the additional controls in the CMMC practices and processes now" that go beyond the 110 controls in NIST 800-171.

"To achieve CMMC Level 3 certification by a CMMC Third-Party Assessor Organization (C3PAO), organizations need to demonstrate implementation of all 130 Level 3 practices (NIST 800-171's 110+20), as well as the three processes associated with Maturity Level (ML) 3 (inclusive of ML2). Plans of Action and Milestones (POAMs) will not satisfy the certification requirement," the letter said.

Lockheed said in the letter it was planning to send out a survey on Oct. 29, and set Nov. 5 as the deadline for suppliers to fill it out and return it.

The letter said the survey was intended to help Lockheed "assess risk and preparedness for the November 30 effective date of the new rules" through getting a status update from its "applicable suppliers."

The letter said the survey asks for:

* Confirmation of NIST 800-171 Assessment Score in SPRS

* POAM ECD for any unimplemented NIST 800-171 requirements

* Status/ECD for additional 20 (7 Level 2 / 13 Level 3) CMMC practices

* Status/ECD for Level 2/3 maturity processes

The estimated completion date (ECD) is intended to provide Lockheed with a timeline for when each supplier will reach compliance.

The letter said, "Going forward, we are requesting you provide updates to this set of information [in the survey] until all outstanding practices and processes are implemented. When responding to this email, please provide the estimated date for closure of all NIST SP 800-171 POAM items, and the expected closure date for the additional controls."

Asked why Lockheed is collecting this information, a company spokesperson told Inside Cybersecurity: "In recent weeks we have reached out to suppliers handling CUI to provide updates on the recently released CMMC DFARS requirements and gather more information about readiness of upcoming requirements detailed in the new DFARS rules. We are reviewing and will use that feedback to ensure compliance with the new regulations as they take effect."

Lockheed is an active member of the Defense Industrial Base Sector Coordinating Council.

The council's Supply Chain Cybersecurity Industry Task Force has developed CyberAssist, a website outlining all of the CMMC practices and processes for levels one through five. CyberAssist has links to references for each item and publicly available resources.