Readiness for CMMC

September 29, 2025

Get to Green and Demonstrate Readiness for CMMC

As part of Lockheed Martin’s efforts to position its programs Ahead of Ready™, we are seeking to minimize potential supply chain disruptions by verifying that our suppliers are adequately preparing for Cybersecurity Maturity Model Certification (CMMC) requirements. Suppliers handling sensitive information with unmet key NIST 800-171 requirements and a Risk Rating of either “Moderate” (Yellow) or “Significant” (Red) risk on their Cybersecurity Compliance and Risk Assessment (CCRA) response in Exostar’s Supplier Management (SM) application (formerly Onboarding Module (OBM)) are being strongly encouraged to quickly close those gaps/POAM and provide an updated re-assessment.

What do we need from you?

A “Minimal” risk (Green) rating in the Exostar CCRA questionnaire is a strong indicator of readiness for CMMC Level 2, and requires that you complete the questionnaire and attest “Yes” to having implemented all 31 of the identified NIST 800-171 requirements. (Note that CMMC Level 2 requires an organization to have fully implemented all 110 NIST 800-171 requirements.)

As early as November 9, 2025, DoD contracts are anticipated to begin requiring a self-attestation of CMMC Level 2. Suppliers without a green CCRA rating create significant risk for programs anticipating CMMC requirements, and may prompt program mitigation actions to reduce or eliminate dependencies on suppliers who are under-prepared to achieve CMMC Level 2 compliance.

Resources

  1. Frequently Asked Questions on how to access and complete the questionnaires are provided here.
  2. Lockheed Martin Cybersecurity requirements page provides useful information regarding supply chain cybersecurity and the Exostar CCRA Questionnaire.
  3. DIB SCC CyberAssist site provides resources to assist DIB companies and suppliers of varying sizes with the implementation of cyber protections, and awareness of cyber risk, regulations and accountability for their supply chain, including recently added CMMC and CCRA resources.
  4. NIST SP 800-171 Assessment Methodology