
A
All right folks, it is July of 2025 and I am back from vacation, joined by Daniel Acreage and boy, oh boy. On June 30, 2025, Lockheed Martin, you might have heard of them, posted a memo to their suppliers about CMMC that kind of sort of freaked everybody out because of two things that it said. One, they said by now all DIB companies managing CUI should have fully implemented and be confidently meeting NIST Special Publication 800-171 Revision 2 requirements. And two, by this time all Lockheed Martin suppliers should have transitioned their company self-assessments to the Cybersecurity Compliance and Risk Assessment (CCRA) tool. As it turns out, this is the sixth Lockheed Martin memo to suppliers about CMMC in the last 18 months. And as it turns out, they've all said basically exactly the same thing. We hear a lot of people say that CMMC requirements are still unclear, there's still a lot of churn and there's a lot of change. But when you read all of the Lockheed Martin memos back to back, it's pretty clear that Lockheed Martin disagrees with you and that things to them are extremely clear. And that's what we're going to talk about today. So Daniel, I was on vacation. It was a wonderful time. This memo came out while I was gone and you tackled it, you did a whole video, you did a blog, you talked about it. So can you give us a quick summary? What does it say? Maybe, what are some of the reactions you've been hearing about the memo? What's going on with this memo?
B
First off, I want to state I'm very disappointed that your vacation did not lead to the publication of 48 CFR. So we'll try my hardest, we'll go and put that out there. But we got something, you know, not of equal weight but a pretty significant weight with the Lockheed memo. So when it dropped and it dropped on a Friday, even though the publication date was technically the 30th, that Monday. So I guess that was just an accident. I saw it circulating around LinkedIn. I clicked on it, I'm like, oh, this is like primes don't talk a lot about CMMC, or so I thought. Then you did some research and said they've kind of been saying this for a while now. And so I started going through it, hey, this has been a requirement, you should have done this already. And then the big kind of splash, which I don't think was on any of the other blogs, was, hey, our cyber security team is going to come and audit those of you with unmet cyber controls, you know, NIST, CMMC. So basically be ready. And so of all the things, it's like, yes, everyone has sort of already done this. We've been saying that for years. Lockheed has been saying it for at least 18 months. But the added bonus of oh no, Lockheed will very, very likely come and audit me if I have something not marked as met is problematic. And that's going to lead to really two big things. And in calls this week I've had with different companies, they've been like, oh my God, like I need to get compliant ASAP. Like this is a problem, this is a problem. Lockheed's a huge customer of ours.
A
Right.
B
The DoD is not a huge customer of ours, but Lockheed directly is a huge customer of ours and we've got to make sure we're compliant. What I'm afraid is going to happen, Jacob, is yes, I'm happy there was kind of a spike in a reaction of hey, we need to do something. I think Lockheed communicating this versus the DoD is exponentially more impactful because the DoD has been relatively silent.
A
Yeah.
B
Past the tier one, tier one suppliers. And so that's really kind of what happens. Like tier 2, tier 3, etc., are really just listening to Lockheed and nobody else or whoever their primes are. So I, I'm really happy that communication is becoming a lot more stern I guess is probably the best way and direct. But the other thing I'm afraid of, Jacob, is with this CCRA form that people are just gonna mark met on a bunch of stuff and then what will be interesting is false claims. When you lie to the DoD, right? If you lied to Lockheed and they find out that you're actually not compliant, what does that end up looking like? Right? So I'm afraid that people are gonna pivot, do the wrong thing. Executives are gonna say just mark them all as met, we'll deal with it later. And then the ones that are, that are trying to do it right are, are kind of back and re-energized to, to go down that path successfully. So yeah, we'll see what ends up shaking out with it. But I am a little concerned that people will knee-jerk and do the wrong thing instead of do the right thing that they should have been doing, as we all say the whole time.
A
No, absolutely. It puts people into a precarious position because they are pressured by the prime to submit a score that says they're good, otherwise they don't get the work. And so they submit the score, they don't actually represent their posture accurately. And then the can gets thoroughly kicked down the road. And then when CMMC shows up to do the verification from the DoD side, Lockheed says they told us they were good and then you're left essentially holding the bag. I think the way that the CCRA tool is set up will allow for that to happen more than it should. But we'll talk about it at the end. Let's just talk about this idea where, you know, the main thing that they talk about in this memo besides showing up to audit, is you should have fully implemented these requirements and you should be confidently meeting these requirements. When the DoD says this, people hate it. They've hated it forever. The thing that annoys people the most is when the DoD has said you've had these requirements all along. Nobody really talks back to Lockheed whenever they say it. So when I was catching up on all the things that I missed and I was reading this memo, I kept scrolling on this Lockheed supplier memo page and as it turns out, there has been a memo for each of the major milestones across the general CMMC saga since February of 2024. Six memos total, including this one over the last 18 months. So let's just quickly sort of go through them and I think we'll paint the picture of this has been very obvious, Lockheed. And so if you haven't been reading these memos and you haven't been listening to the podcast like and subscribe, then this can sort of maybe catch you by surprise. So On February of 2024, they released a blog called Cyber Security Questionnaire Transition. 
And this is the one in which they announced that they, along with everybody else, all the other major primes participating in the Defense Industrial Base Sector Coordinating Council, the DIB SCC, are implementing a new common and simplified assessment model for evaluating cyber supplier cyber posture called the Cybersecurity Compliance and Risk Assessment, CCRA. It's a spreadsheet. You got to download it, you got to enable macros. Shame, shame, in order for you to actually answer the questions. And that is supposed to be the single questionnaire that everybody's using for their cybersecurity compliance, you know, as this collaboration between ND-ISAC and the DIB SCC. But in that memo from February of 2024, they say cyber is critical for national security. Threat actors continue to attack the DIB and its contractors, blah, blah, blah. Then they say safeguarding data is mandated by our customers, the Department of Defense, via contractual obligations for protection of controlled unclassified information. And so now they are going through a six month transition period after which they will fully move to CCRA. That happened in February of 2024. In March of 2024 they released a memo called CMMC 2.0 Progressing Through Rulemaking. This was the memo that they published that said, hey, right after Christmas of 2023 they published the 32 CFR CMMC proposed rule. We expect that rulemaking will continue through 2024. And the quote that jumped out to me in this memo, they said current regulatory mandates require DIB companies with DoD CUI to implement NIST SP 800-171 security requirements. Current regulatory mandates. CMMC is still in rulemaking. It's going to continue for another year or two. But current mandates require you to implement SP 800-171. 
They say all DIB companies who manage controlled unclassified information should have fully implemented and be confidently meeting the underlying NIST SP 800-171 Revision 2 requirements ahead of potential contractual CMMC requirements. The thing that DoD has been saying that people hate when DoD says it. Nobody seemed to notice whenever Lockheed said it. They've said it twice now at the beginning of 2024 I have to hope.
B
That there's a newsletter they send out to all their suppliers with these blogs and they're not just posting them for, you know, man, I hope somebody finds these. You know, I really hope this communication thread was going out the whole time.
A
Yeah, it would be great. It would be great. So then in June of 2024, so just a couple months later there was a bunch of confusion because people were saying at that time, hey, CMMC in this proposed rule says they're going to assess 171 Revision 2. But DFARS 7012. We did a whole video on it. Check out the link below. DFARS 7012 says you have to implement the most current version of SP 800-171 and the most current version is Rev 3. So how is that supposed to work? 7012 says 171 Rev 3, CMMC says 171 Rev 2. Not to worry. DoD released what's known as a class deviation which said ignore the language in 7012. Use this language in 7012 instead. You are only required to do 171 Revision 2 until further notice. Crisis averted, still in effect right now. Lockheed published a memo about it. We did a whole episode about it. Check out the link below. And in the memo where they describe this class deviation, they say, "As most defense industry companies are aware." I would stop you right there, Lockheed.
B
Yeah, nice. Nice try. You think they're aware?
A
Bold statement, guys. As most defense industry companies are aware, DFARS 252-204-7012 has long required contractors and subcontractors to safeguard DoD's CUI or covered defense information, including requirements to protect their company networks consistent with the NIST Special Publication 800-171 standard. For the time being, industry can remain focused on ensuring that they are fully meeting 171 Rev 2 requirements and preparing for third party CMMC level 2 certification requirements against that standard. Don't worry about Rev 3. Not a big deal. Perfect clarity. So everybody who's a Lockheed supplier being like we don't know which version we're supposed to do. Lockheed said in June of 2024 a year ago when the deviation came out that it's just Rev 2. So if you didn't believe it from the podcast like and subscribe, you could get it from Lockheed after the podcast comes out. Anyways, September of 2024 rolls around and they publish a blog called Cyber Security maturity model CMMC 2.0. This was a blog published in response to the publication of the 48 CFR CMMC proposed rule in August of 2024. They say the comments are open. The timeline for phased implementation hasn't been updated. We expect rulemaking for this to continue into 2025. But then they say DIB companies with DoD CUI are reminded that current regulatory mandates remain unchanged. You know those regulatory requirements we just told you about in the three previous blogs this year still there? Not they're still there. They haven't changed. They say DFARS 7012 and DFARS 7020. We did whole episodes on them. We'll link them below. Continue to require organizations to assess and implement 171 Rev 2 security requirements and submit their DoD NIST assessment methodology score into the Supplier Performance Risk System, SPRS. All DIB companies managing CUI should have fully implemented and be confidently meeting NIST SP 800-171 Rev 2 requirements. It's the same line from the previous memos that is it in bold.
B
It's in bold in the latest memo. I have a feeling it's the only bold text of each of these blogs is do the thing you should have already been doing.
A
Basically yeah. Well if they were going to bold anything, that's definitely the thing to bold for sure. Then in December of 2024. These are all in 2024, by the way. In December of 2024, there's another blog that says Cybersecurity Maturity Model Certification 2.0. This was published in response to the 32 CFR final rule that came out in December and they say it has gone into effect the week of December 16th. So they published a blog that said the proposed 32 CFR rule is out. They published a blog memo, whatever this is, when they said it has now gone into effect. They say we still expect rulemaking for the contract rule, the clause rule, to extend into 2025 and the requirement won't make its way into contracts until that rule is done. However, the 32 CFR Part 170 CMMC program rule is in effect and makes the basis for the future of CMMC requirements clear is what they say. There's CMMC level one, CMMC level two, CMMC Level three. That's it. Then the memo goes on to say Defense industrial base companies with CUI are reminded that DFARS 7012 and 7020 regulatory mandates in current contracts continue to require organizations to assess and implement 171 Rev 2 security requirements and submit their DoD NIST assessment methodology score into SPRS. Exactly what they said a couple months prior to all DIB companies managing CUI. Repeat after me, everybody sing along at home. Follow the bouncing ball. Should have fully implemented and be confidently meeting NIST SP 800-171 Rev 2 requirements. Hooray. It's the same line in all of.
B
The memos, all of 2024. I have a feeling legal approved that. And they're like we're not going back for updated verbiage. We're just taking that and we're putting it on everything, man.
A
The easiest memo to write ever. You just copy and paste what you wrote two months prior and then slap.
B
It when you can. Just yeah, copy paste.
A
The most confusing part about the memo process for them is should we put this line in bold or italics or both? So then we get to the current memo which we talked about earlier and they say here, you know, here we are in July of 2025 and they say you should be working with the CCRA in full now because we announced this in February, February of 2024 and we gave you a six month process to transition to the CCRA and you should be fully and confidently compliant with SP 800-171 Rev 2 in accordance with existing DFARS clauses, just like we said five times over the last year or so. And that's. And that's the deal. So it's very clear to Lockheed what their requirements are. It's very clear how you attest to them that you are meeting those requirements. And I thought it was very interesting that it was so consistent in those memos from Lockheed. When you talk to the people ostensibly who these memos are supposed to be going to, and they often say that the requirements are not clear, that there's a ton of uncertainty, and you're like, not according to your customer. They're not like this. They didn't even change the wording of the memos.
B
Nope. And that's what I mean. I just don't think people are reading these, like, quite honestly. I mean, listen, I've done the math. I think my number's over five or six thousand contractors I've talked to in the, in the course of my tenured year at Summit 7. And it's like, I can tell you most of them feel like the DoD is not communicating. And then the next level they say is, oh, but I haven't heard anything from my prime, you know, about do I need to do this or not. Now, that's probably not a good sign. It probably means you're not as critical as you think to their supply chain. Hate to bust that particular bubble. But. But, you know, it is one of those things where it's like, Lockheed's actually been doing a good job of at least publishing the content. I hope they've been doing an even better job of circulating it.
A
I mean, honestly, when you, when you look at these six memos back to back, they're doing a better job than the DoD has done. They're very consistent. The memos are not very long. They bold the most important part. They tell you exactly what's going on, what the anticipated timeline is, what the details are like, what parts are uncertain and what parts are not uncertain. If you just read these six memos back to back, it kind of tells you everything you need to know that's happened since the 32 CFR proposal came out in December of 2023.
B
A little bit of a reader's Digest version.
A
Right.
B
Of what the DoD has been communicating.
A
So my sort of three takeaways here from this series of memos and this most recent one specifically. First, if people are surprised by this memo in particular and what they're saying, then you haven't been paying attention. Exactly what you're saying. Yeah. You hadn't read them, you didn't hear about them. You. I don't know what's going on, but if you are surprised by it, you shouldn't be because, as in Lockheed's own words, the requirements are very clear. The situation, you know, clearly has been clear to Lockheed for quite a while now.
B
Yeah, quite.
A
Quite a while. Which is probably why these memos are just so cut and dry whenever you read them. They're just. There's not a lot of. There's not a lot of beating around the bush in these memos. You know, the second takeaway here, this CCRA tool, we don't have time to go into the details. I think it's allowed to be a different episode in the future. The CCRA is inadequate for full assessment preparation period. It's inadequate because for. For, well, multiple set of reasons. But the big reason to me, it doesn't include 171A criteria. So when you open up this spreadsheet, if you're able to turn on the macros and get it to work, be careful. You answer the question and it's like 3.1.1. Did you do it? Yes or no. So, as people who listen to this podcast in the past are very familiar, that is not a sufficient way for you to know if you are meeting the requirement. No, no, it is not. Which is funny because one of the questions at the top of the CC is do you have a shared responsibility matrix with your third-party IT security provider? And people know that your SRM needs to be mapped to 171A, but the CCRA itself is not mapped to 171A. So it's very clear that the CCRA is a CYA tool for Lockheed. It is not a robust assessment preparation tool for you. So make sure that you're using their tool and making the attestation that they need for you to be able to do the work. But realize that there is a lot of other work that needs to be done in addition to what the CCRA asks you.
B
By the way, the largest thing, in my opinion, that is missing. So they have incident response covered in there, which is great. They don't have FedRAMP, validate FedRAMP or moderate or equivalent clouds as part of it. When you're looking at a business transformation for CMMC that's usually migrating from one cloud to another. One of the longest things. Yeah, like it takes the longest of most of the, you know, when you overlay NIST controls, all of the controls, plus you got to move cloud providers. So here's the thing. I wish they would have made a more comprehensive document. The CCRA has good intentions, but we're missing FedRAMP, we're missing assessment objectives, to your point, they covered the primary control and they covered flow down. Right. And it's like if you're going to make a tool to actually help the DIB and your suppliers make it comprehensive to DFARS 7012 requirements and CMMC requirements. And I think that's the tricky part here is I'm kind of torn about the CCRA because it's not a full fledged education tool, it's more of a CYA. To your point, Jacob, of we know enough about our suppliers to be able to state if they're compliant or not, but in reality a large portion, because this might be the only document that they actually see to figure out if they're compliant or not. It's actually inaccurate a lot of their reporting.
A
It's not a GRC tool, essentially. Right? It's not.
B
Yeah, it's not a GRC. And a couple of small tweaks and they could have made it, even though you have to enable macro.
A
I mean, they obviously had the, the collective, you know, agreement between all the primes here in order to force people to use this one tool. And to be fair, making people use a single attestation form or tool or whatever is the right move. But yeah, it's like you're just missing 10% of the stuff here. Well, more than that if you include 171A. But it's like you're so close to having something that would be extremely useful rather than partially useful.
B
Because I think a lot of their suppliers are filing with good intent and honesty for sure. But they're completely inaccurate.
A
Right. Well, we all, you know, we've griped in the past where we're like, NIST really needs to make 171 and 171A a single document. The DoD made it a single document with the CMMC Assessment Guide and then the primes, they left it where they don't even mention it. They don't even mention it in the tool. So I think that there needs to be an episode in the future where we sort of go through like we did with the. I believe it was the DIBCAC Access Database tool.
B
Yes.
A
That came out a while ago. Maybe we can, maybe we can walk through and give them some, some feedback on, on their CCRA tool. So did you. What were your, some of your takeaways from, from this series of memos here?
B
So the big one, at least in this latest memo, and it kind of ties into, I think their supply chains aren't as compliant as they think they are because of some of these missing tools is Lockheed came out in the blog and said two big things around certification. Because in this it's not soft. I'm sure legal had to approve every word that's written in this when it was flowing downstream. But they said two things that should make people very concerned. Number one, it was also reaffirmed expectations around the time phase schedule of self assessment versus certification requirements. Okay, that's clear. And then a little caveat here though. Contracting officers retain flexibility to work ahead of the phase schedule. So FYI, you could very easily require certification because COs have that capacity.
A
Now we've talked about DOD discretion a.
B
Bunch on this show and Lockheed's just reinforcing that.
A
Yep.
B
And then here's the big one. Suppliers are encouraged to engage with NIST MEP and/or the Cyber AB Marketplace to validate preparedness for an anticipated CMMC third party assessment and certification. So Lockheed's already saying guys like FYI, people can work ahead of the schedule and require certs early. And by the way, you need to be prepared to go through a certification. That's, that's huge. And from what I've kind of skimmed the rest of the blogs after you brought those to my attention. I haven't seen any language kind of as forward as that in relation to actually having to possess a CMMC cert. But they're saying it in a kind of a nice way. It sounds more educational, but I have a feeling there's a punch behind it that people are not reading into that's like, hey, we're going to need you to be certified.
A
Yeah. So level two self assessment is really not something to bank to bank on. Don't, definitely don't bet the farm on your ability to, to have level 2 self assessment in the future. So that kind of brings me to the last takeaway from these memos. The recommended resources that they list at the end of each of these memos are insufficient. Right. You need to work with the right partners at the end of all of these memos. Right. They say you should have been doing this, you should be confidently doing this. You need to be ready for this. Blah blah, blah. They go. You should talk to the NIST Manufacturing Extension Partnership. For a lot of people that might not even exist anymore given the way that politics and things have occurred, I'm pretty sure that the NIST MEP is a desiccated husk of its former self. So that's not really an option. That's going to take you soup to nuts. They say the Cyber AB Marketplace, well, there's a lot of people listed on the Cyber AB marketplace with a lot of different types of expertise and different offerings and things like that. So thanks. I guess they say you talk to ND-ISAC for threat intel sharing information. That's fine. That organization puts out some good information for its members, but not exactly going to tell you how to go from where you are to where you need to be for implementation, assessment, readiness, things like that, and the Lockheed Martin monthly supply chain Cyber Academy sessions. Probably some decent info that gets put out on those, but certainly not going to walk you through how to do a compliant migration for a thousand users and your licensing needs and stuff like that. However, if you're not currently meeting your requirements, your secret's safe with us. If you aren't feeling confident in your current ability to meet those requirements, or even if you are and you want to have a sanity check on what's going on Great news. 
Our mad scientist alter egos at Summit 7 Labs are going to do a virtual event called Secure the DIB on August 26, 2025 full of awesome nuggets of helpful, useful, valuable information. So be sure to register and tune in for that. You might see us. You might see crazy lab coats and chemistry sets and all kinds of fun stuff. We're going to put out information like that. We put out tons of information in this podcast every week. Daniel, you and I do the CUI hotline every Friday. You got a podcast that comes out like and subscribe to the channel. We put out tons and tons of information. Let us know. Do you want a deep dive into the CCRA tool in a future episode? And we can go from there. And we'll see you next week.
B
See y'all.
Podcast Summary: Sum IT Up: CMMC News Roundup
Episode: Lockheed Martin Just Dropped A New CMMC Memo
Host: Summit 7
Release Date: July 10, 2025
In this episode of Sum IT Up: CMMC News Roundup, hosted by Summit 7, the focus centers on the latest developments surrounding the Cybersecurity Maturity Model Certification (CMMC), particularly highlighting a new memo released by Lockheed Martin. The hosts, Summit 7 and Daniel Acreage, delve into the implications of this memo for Defense Industrial Base (DIB) suppliers, exploring the broader context of CMMC compliance and the challenges faced by contractors in meeting these stringent cybersecurity requirements.
Lockheed Martin has been proactive in communicating CMMC requirements to its suppliers. Over the past 18 months, they have issued six consecutive memos, consistently emphasizing the necessity for suppliers to adhere to NIST Special Publication 800-171 Revision 2 and transition to the Cybersecurity Compliance and Risk Assessment (CCRA) tool for self-assessment.
Notable Quote:
A: "When you read all of the Lockheed Martin memos back to back, it's pretty clear that Lockheed Martin disagrees with you and that things to them are extremely clear." [00:02]
Released on June 30, 2025, the latest memo from Lockheed Martin reiterates two primary expectations:
Full Implementation of NIST SP 800-171 Rev 2: All DIB companies managing Controlled Unclassified Information (CUI) must have fully implemented and confidently meet the requirements of NIST SP 800-171 Revision 2.
Transition to the CCRA Tool: All Lockheed Martin suppliers are required to transition their company self-assessments to the CCRA tool.
These directives have reignited concerns among suppliers, leading to urgent calls for compliance to avoid potential audits and loss of contracts.
Notable Quote:
B: "We've got something, you know, not of equal weight but a pretty significant weight with the Lockheed memo." [01:50]
The memo's release has caused a ripple effect among suppliers, many of whom express anxiety over meeting the stringent requirements. Summit 7 and Daniel discuss the anxiety stemming from the possibility of audits by Lockheed Martin's cybersecurity team, emphasizing the critical nature of compliance.
Notable Quote:
A: "The DoD is not a huge customer of ours, but Lockheed directly is a huge customer of ours and we've got to make sure we're compliant." [03:27]
A significant portion of the discussion revolves around the CCRA tool introduced by Lockheed Martin for self-assessment. The hosts argue that the tool is inadequate for comprehensive compliance assessment, labeling it a "Cover Your Ass (CYA)" tool rather than a robust evaluation mechanism. Key shortcomings include:
Lack of NIST SP 800-171A Criteria: The tool does not incorporate assessment objectives from NIST SP 800-171A, leading to superficial compliance checks.
Limited Functionality: The CCRA tool functions primarily as a spreadsheet with yes/no questions, which may not accurately reflect an organization's cybersecurity posture.
Missing Elements: Critical areas such as FedRAMP compliance and comprehensive cloud migration assessments are notably absent.
Notable Quotes:
A: "It's very clear that the CCRA is a CYA tool for Lockheed. It is not a robust assessment preparation tool for you." [19:45]
B: "The CCRA has good intentions, but we're missing FedRAMP, we're missing assessment objectives, to your point." [20:20]
Despite the complexity and evolving nature of CMMC requirements, Lockheed Martin's series of memos have been consistent and clear. From February 2024 to the latest memo in July 2025, each communication has reinforced the same key messages regarding NIST SP 800-171 Rev 2 compliance and the transition to the CCRA tool.
Notable Quote:
A: "If you just read these six memos back to back, it kind of tells you everything you need to know that's happened since the 32 CFR proposal came out in December of 2023." [17:59]
Despite Lockheed Martin's clear communications, many suppliers remain unclear about CMMC requirements, primarily due to:
Insufficient Circulation of Memos: Suppliers report a lack of awareness regarding the memos, suggesting they may not be effectively reaching all intended audiences.
Pressure to Comply Quickly: The urgency imposed by Lockheed Martin's audits has led some organizations to consider marking compliance as met without thorough verification, risking future discrepancies.
Notable Quote:
B: "I've done the math. I think my number's over five or six thousand contractors I've talked to in the, in the course of my tenured year at Summit 7. And it's like, I can tell you most of them feel like the DOD is not communicating." [16:45]
The hosts express concerns that Lockheed Martin may leverage its position to enforce earlier or more stringent certification requirements than previously anticipated. This flexibility could mandate suppliers to obtain CMMC certifications ahead of the established schedule, further intensifying compliance pressures.
Notable Quote:
B: "Suppliers are encouraged to engage with NIST MEP and/or the Cyber AB Marketplace to validate preparedness for an anticipated CMMC third party assessment and certification." [23:09]
Summit 7 emphasizes the need for suppliers to seek comprehensive support beyond the CCRA tool. They advocate for leveraging expert partnerships and attending dedicated events to navigate the complexities of CMMC compliance effectively.
Notable Quote:
A: "If you're not currently meeting your requirements, your secret's safe with us. If you aren't feeling confident in your current ability to meet those requirements... Great news. Our mad scientist alter egos at Summit 7 Labs are going to do a virtual event called Secure the DIB on August 26, 2025, full of awesome nuggets of helpful, useful, valuable information." [22:31]
The episode underscores the critical and evolving landscape of CMMC compliance within the Defense Industrial Base. Lockheed Martin's clear and consistent communications serve as both a guide and a stressor for suppliers striving to meet stringent cybersecurity standards. However, the limitations of tools like the CCRA and gaps in effective communication highlight the ongoing challenges in achieving comprehensive compliance. Summit 7 positions itself as a pivotal resource, offering support and expertise to navigate these complexities.