Lockheed Martin Pushes Suppliers Toward Urgent Cybersecurity Compliance
Lockheed Martin demands urgent CMMC Level 2 compliance from suppliers, emphasizing cybersecurity as a key factor for continued business relationships and securing the defense supply chain.
As of June 30, 2025, Lockheed Martin has formally raised the bar for its suppliers, with a new announcement that signals CMMC (Cybersecurity Maturity Model Certification) compliance is no longer a future requirement. The aerospace and defense giant is making it clear that if you're a supplier handling Federal Contract Information (FCI) or Controlled Unclassified Information (CUI), your cybersecurity practices will soon determine your place in their supply chain.
“Lockheed Martin Supply Chain Cybersecurity is reaching out to all suppliers whose latest self-assessment is indicative of unmet cyber requirements (including unimplemented CMMC controls).”
The Message is Clear: Be CMMC Level 2 Ready
Lockheed Martin’s newly released supplier cybersecurity update highlights one critical expectation.
“By now, all DIB companies managing CUI should have fully implemented – and be confidently meeting – NIST SP 800-171 (r2) requirements.”
This announcement underscores that CMMC is no longer a future regulation; it is a soon-to-be-active gatekeeper to doing business with Lockheed Martin and, by extension, the Department of Defense (DoD).
CCRA (Cybersecurity Compliance and Risk Assessment)
Lockheed Martin’s release discusses a vital piece of the compliance puzzle for their suppliers: the Cybersecurity Compliance and Risk Assessment (CCRA) form. This Excel-based self-assessment, created in collaboration with ND-ISAC and top defense contractors like RTX, Booz Allen, and others, is the standard for measuring cyber risk in the supply chain.
Why it matters:
- The CCRA reflects your current NIST 800-171 implementation.
- It's a benchmark Lockheed is actively using to evaluate your cyber maturity.
- Suppliers with outdated or incomplete assessments can expect direct outreach from Lockheed’s cybersecurity supply chain team.
If you haven’t been contacted, it might mean you're not currently viewed as critical, but it’s also a golden opportunity to stand out.
Strategic Insight: Use CMMC to Your Advantage
For proactive suppliers, this moment presents a competitive edge. Companies that can prove full CMMC Level 2 compliance, or that have a certification date in sight, are uniquely positioned to leapfrog others in the supply chain.
You will quickly become a critical supplier if you're able to meet the CMMC requirements.
Don’t wait for the call. Lockheed Martin’s new supplier portal (Exostar’s soon-to-be-renamed "Supplier Management" module) is your hub for updating your CCRA and demonstrating your cyber readiness.
Why This Update Matters for the Defense Ecosystem
CMMC is about securing the future of the U.S. defense infrastructure. Nation-state cyber threats are growing more sophisticated, and the DIB remains a prime target.
By enforcing CMMC standards across the supply chain, Lockheed Martin is helping to ensure that controlled unclassified information (CUI) stays protected, that defense capabilities aren’t compromised, and that only committed, secure vendors remain in the loop.
Next Steps for Defense Suppliers
If you're a current or aspiring supplier to Lockheed Martin or other prime contractors, here’s what you should be doing right now:
- Ensure full implementation of NIST 800-171 Rev. 2 controls.
- Map your current posture to CMMC Level 2 and certify ASAP.
- Complete and update your CCRA.
- Update your status via the Exostar/Supplier Management portal.
- Be proactive by informing your clients of your compliance status even if they haven’t asked yet.
Final Thought: Compliance is the Cost of Entry
Lockheed Martin’s announcement is a line in the sand. Suppliers that ignore it may find themselves edged out of defense contracts.
Those that take action now, though, can become indispensable.
CMMC can be a big advantage and opportunity for those who prepare now.
If you need help preparing for CMMC certification, Summit 7 is the leading provider of CMMC, NIST 800-171, and DFARS compliance solutions for the Defense Industrial Base.
Whether you're starting from scratch or refining your current posture, our experts can help you build a compliant, resilient cybersecurity program.