Cybersecurity Questionnaire Transition
Cybersecurity within the defense industrial base (DIB) is critical for U.S. national security and that of our allies. Threat actors, often backed by nation state adversaries, continue to attack DIB contractors large and small, often delivering crippling ransomware while exfiltrating sensitive data. Safeguarding data is mandated by our customers (e.g., Department of Defense) via contractual obligations for protection of controlled unclassified information (CUI).
Lockheed Martin, as part of the Defense Industrial Base Sector Coordinating Council (DIB SCC), is implementing a new common and simplified assessment model for evaluating supplier cyber posture called the Cybersecurity Compliance and Risk Assessment (CCRA). As described in the referenced industry announcement:
“The transition to the CCRA will introduce a consistent approach for acquiring cybersecurity compliance and risk information, will introduce a reduced set of required responses and introduce the efficiency of answering once and sharing with many who recognize the reciprocal value of the CCRA.”
In support of those industry objectives, Lockheed Martin will begin launching initial pilot activities in March, with a goal to fully transition to the new CCRA over six (6) months.
Additional details on the overall industry CCRA initiative can be found here on the CyberAssist public website.
What does this mean for Lockheed Martin suppliers?
Beginning in March and over the next several months, within the LM Procure to Pay system and related Exostar applications, Lockheed Martin will initiate its phased transition from the current Exostar Partner Information Manager (PIM) compliance (NIST SP 800-171 questionnaire) and risk (Cybersecurity Questionnaire or CSQ) forms to the new Cybersecurity Compliance & Risk Assessment (CCRA), in Exostar’s On-Boarding Module (OBM).
Specifically:
- Suppliers will be contacted by Lockheed Martin / Exostar when required to participate – and will be prompted with detailed instructions on how to complete the new CCRA form online.
- Prior to being contacted, suppliers may proactively migrate to the new CCRA. Guidance on how to begin using the CCRA to reflect the current cyber compliance/risk posture will be available online.
- The NIST/CSQ forms in Exostar PIM will not be migrated over to the CCRA in OBM. Each supplier will need to complete the new and much shorter (approximately 60 questions total) cybersecurity and risk assessment when prompted to participate.'
- Suppliers will be able to review their historical cybersecurity assessment submissions (NIST/CSQ forms in Exostar PIM), however changes to legacy forms will not be permitted.
- Suppliers may also elect to complete the CCRA using the Excel-based format made available by the DIB SCC CCRA Working Group (see attached). The online form will provide instructions on how to upload the Excel tool’s exported CSV format.
- Once the CCRA has been submitted, both suppliers and Lockheed Martin buyers will see the compliance and risk ratings resulting from the CCRA replacing their prior individual NIST SP 800-171 questionnaire and CSQ results.
- Upon completion of the transition, cybersecurity compliance and risk posture data from the historic CSQ and NIST SP 800-171 questionnaires (superseded/expired) will be retired from Lockheed Martin systems.
Next Steps
Migration to the new questionnaire will be managed in waves to ensure adequate support and resources for suppliers making the transition. For most Lockheed Martin suppliers, no immediate action will be required. Suppliers with expired or soon expiring NIST SP 800-171 / CSQ questionnaires and SPRS self-assessment status will be among the first contacted to make the transition.
Additional communications, training and FAQ resources will be made available throughout the transition on both the Exostar support and Lockheed Martin Supplier Wire–Cybersecurity websites.
Securing the DIB is a team sport. We value the partnership we share and believe that proactive collaboration is key to safeguarding our businesses against cyber threats. We appreciate your attention to this matter and your dedication to maintaining a secure digital ecosystem for our partnership.
Additional resources:
- National Defense Information Sharing and Analysis Center (NDISAC) CyberAssist public website has information on the CCRA, FAQs, and is the single source for trusted downloading