As of June 30, 2025, Lockheed Martin has formally raised the bar for its suppliers, with a new announcement that signals CMMC (Cybersecurity Maturity Model Certification) compliance is no longer a future requirement. The aerospace and defense giant is making it clear that if you're a supplier handling Federal Contract Information (FCI) or Controlled Unclassified Information (CUI), your cybersecurity practices will soon determine your place in their supply chain.
“Lockheed Martin Supply Chain Cybersecurity is reaching out to all suppliers whose latest self-assessment is indicative of unmet cyber requirements (including unimplemented CMMC controls).”
Lockheed Martin’s newly released supplier cybersecurity update highlights one critical expectation:
“By now, all DIB companies managing CUI should have fully implemented – and be confidently meeting – NIST SP 800-171 (r2) requirements.”
This announcement underscores that CMMC is no longer a future regulation; it is a soon-to-be-active gatekeeper to doing business with Lockheed Martin and, by extension, the Department of Defense (DoD).
Lockheed Martin’s release discusses a vital piece of the compliance puzzle for their suppliers: the Cybersecurity Compliance and Risk Assessment (CCRA) form. This Excel-based self-assessment, created in collaboration with ND-ISAC and top defense contractors like RTX, Booz Allen, and others, is the standard for measuring cyber risk in the supply chain.
If you haven’t been contacted, it might mean you're not currently viewed as critical, but it’s also a golden opportunity to stand out.
For proactive suppliers, this moment presents a competitive edge. Companies that can prove full CMMC Level 2 compliance or have a certification date in sight are uniquely positioned to leapfrog others in the supply chain.
You will quickly become a critical supplier if you're able to meet the CMMC requirements.
Don’t wait for the call. Lockheed Martin’s new supplier portal (Exostar’s soon-to-be-renamed "Supplier Management" module) is your hub for updating your CCRA and demonstrating your cyber readiness.
CMMC is about securing the future of the U.S. defense infrastructure. Nation-state cyber threats are growing more sophisticated, and the DIB remains a prime target.
By enforcing CMMC standards across the supply chain, Lockheed Martin is helping to ensure that controlled unclassified information (CUI) stays protected, that defense capabilities aren’t compromised, and that only committed, secure vendors remain in the loop.
If you're a current or aspiring supplier to Lockheed Martin or other prime contractors, here’s what you should be doing right now:
Lockheed Martin’s announcement is a line in the sand. Suppliers that ignore it may find themselves edged out of defense contracts.
Those that take action now, though, can become indispensable.
CMMC can be a big advantage and opportunity for those who prepare now.
If you need help preparing for CMMC certification, Summit 7 is the leading provider of CMMC, NIST 800-171, and DFARS compliance solutions for the Defense Industrial Base.
Whether you're starting from scratch or refining your current posture, our experts can help you build a compliant, resilient cybersecurity program.