Podcast Summary: Sum IT Up: CMMC News Roundup
Episode: Lockheed Martin Just Dropped A New CMMC Memo
Host: Summit 7
Release Date: July 10, 2025
Introduction
In this episode of Sum IT Up: CMMC News Roundup, hosted by Summit 7, the focus centers on the latest developments surrounding the Cybersecurity Maturity Model Certification (CMMC), particularly highlighting a new memo released by Lockheed Martin. The hosts, Summit 7 and Daniel Acreage, delve into the implications of this memo for Defense Industrial Base (DIB) suppliers, exploring the broader context of CMMC compliance and the challenges faced by contractors in meeting these stringent cybersecurity requirements.
Background: Lockheed Martin's CMMC Communication
Lockheed Martin has been proactive in communicating CMMC requirements to its suppliers. Over the past 18 months, they have issued six consecutive memos, consistently emphasizing the necessity for suppliers to adhere to NIST Special Publication 800-171 Revision 2 and transition to the Cybersecurity Compliance and Risk Assessment (CCRA) tool for self-assessment.
Notable Quote:
A: "When you read all of the Lockheed Martin memos back to back, it's pretty clear that Lockheed Martin disagrees with you and that things to them are extremely clear." [00:02]
The Latest Memo: Key Highlights and Reactions
Released on June 30, 2025, the latest memo from Lockheed Martin reiterates two primary expectations:
- Full Implementation of NIST SP 800-171 Rev 2: All DIB companies managing Controlled Unclassified Information (CUI) must have fully implemented and confidently meet the requirements of NIST SP 800-171 Revision 2.
- Transition to the CCRA Tool: All Lockheed Martin suppliers are required to transition their company self-assessments to the CCRA tool.
These directives have reignited concerns among suppliers, leading to urgent calls for compliance to avoid potential audits and loss of contracts.
Notable Quote:
B: "We've got something, you know, not of equal weight but a pretty significant weight with the Lockheed memo." [01:50]
Impact on Suppliers: Urgency and Compliance Concerns
The memo's release has caused a ripple effect among suppliers, many of whom express anxiety over meeting the stringent requirements. Summit 7 and Daniel discuss the anxiety stemming from the possibility of audits by Lockheed Martin's cybersecurity team, emphasizing the critical nature of compliance.
Notable Quote:
A: "The DoD is not a huge customer of ours, but Lockheed directly is a huge customer of ours and we've got to make sure we're compliant." [03:27]
Critique of the CCRA Tool: Inadequacies and Risks
A significant portion of the discussion revolves around the CCRA tool introduced by Lockheed Martin for self-assessment. The hosts argue that the tool is inadequate for comprehensive compliance assessment, labeling it a "Cover Your Ass (CYA)" tool rather than a robust evaluation mechanism. Key shortcomings include:
- Lack of NIST SP 800-171A Criteria: The tool does not incorporate assessment objectives from NIST SP 800-171A, leading to superficial compliance checks.
- Limited Functionality: The CCRA tool functions primarily as a spreadsheet with yes/no questions, which may not accurately reflect an organization's cybersecurity posture.
- Missing Elements: Critical areas such as FedRAMP compliance and comprehensive cloud migration assessments are notably absent.
Notable Quotes:
A: "It's very clear that the CCRA is a CYA tool for Lockheed. It is not a robust assessment preparation tool for you." [19:45]
B: "The CCRA has good intentions, but we're missing FedRAMP, we're missing assessment objectives, to your point." [20:20]
Consistency and Clarity in Communication
Despite the complexity and evolving nature of CMMC requirements, Lockheed Martin's series of memos has been consistent and clear. From February 2024 to the latest memo in July 2025, each communication has reinforced the same key messages regarding NIST SP 800-171 Rev 2 compliance and the transition to the CCRA tool.
Notable Quote:
A: "If you just read these six memos back to back, it kind of tells you everything you need to know that's happened since the 32 CFR proposal came out in December of 2023." [17:59]
Challenges in Supplier Compliance and Communication Gaps
Despite Lockheed Martin's clear communications, many suppliers remain unclear about CMMC requirements, primarily due to:
- Insufficient Circulation of Memos: Suppliers report a lack of awareness regarding the memos, suggesting they may not be effectively reaching all intended audiences.
- Pressure to Comply Quickly: The urgency imposed by Lockheed Martin's audits has led some organizations to consider marking compliance as met without thorough verification, risking future discrepancies.
Notable Quote:
B: "I've done the math. I think my number's over five or six thousand contractors I've talked to in the course of my tenured year at Summit 7. And it's like, I can tell you most of them feel like the DOD is not communicating." [16:45]
Future Implications: Potential for Increased Certification Requirements
The hosts express concerns that Lockheed Martin may leverage its position to enforce earlier or more stringent certification requirements than previously anticipated. This flexibility could require suppliers to obtain CMMC certifications ahead of the established schedule, further intensifying compliance pressures.
Notable Quote:
B: "Suppliers are encouraged to engage with NIST MEP and or the Cyber AB Marketplace to validate preparedness for an anticipated CMMC third party assessment and certification." [23:09]
Recommendations and Summit 7’s Role in Supporting Compliance
Summit 7 emphasizes the need for suppliers to seek comprehensive support beyond the CCRA tool. They advocate for leveraging expert partnerships and attending dedicated events to navigate the complexities of CMMC compliance effectively.
- Upcoming Event: Secure the DIB on August 26, 2025, is highlighted as a valuable opportunity for suppliers to gain deeper insights and assistance.
Notable Quote:
A: "If you're not currently meeting your requirements, your secret's safe with us. If you aren't feeling confident in your current ability to meet those requirements... Great news. Our mad scientist alter egos at Summit 7 Labs are going to do a virtual event called Secure the DIB on August 26, 2025, full of awesome nuggets of helpful, useful, valuable information." [22:31]
Conclusion
The episode underscores the critical and evolving landscape of CMMC compliance within the Defense Industrial Base. Lockheed Martin's clear and consistent communications serve as both a guide and a stressor for suppliers striving to meet stringent cybersecurity standards. However, the limitations of tools like the CCRA and gaps in effective communication highlight the ongoing challenges in achieving comprehensive compliance. Summit 7 positions itself as a pivotal resource, offering support and expertise to navigate these complexities.