Managing Cybersecurity Risks in the DoD Supply Chain

Syracuse University’s Institute for Veterans and Military Families (IVMF) partners with a number of companies and organizations. These partnerships are some of the IVMF’s greatest assets as their connections and support allow us to provide invaluable resources to the veteran and military spouse populations we serve.

Lockheed Martin Corporation (LMCO) has been a long-standing partner of the IVMF and allowed our entrepreneurship portfolio to provide impactful events to help train veteran- and military-spouse owned businesses on topics relevant to their growth. On May 9, 2019, along with the Lockheed Martin’s Information Security team, we hosted nearly 50 veteran business owners on the Syracuse University campus to discuss the importance of cybersecurity measures when working with the Department of Defense. As IVMF programs often have a national or global reach, when we get to work with those in the Central New York area, it is a special occasion.

LMCO’s Orysia Buchan, Supplier Diversity Government Programs Manager, Asad Siddiqui, Cyber Governance Risk and Compliance, and Rebecca Brenker Cyber Governance Risk and Compliance Senior Analyst, provided a three-hour training to discuss all things cybersecurity when working with the Department of Defense, whether as a prime or subcontractor. This training was highly relevant to our mission as we strive to encourage smaller, veteran-owned businesses to seek out private contracting opportunities. Many of our Coalition for Veteran Owned Business (CVOB) partners, like Lockheed Martin, have a strong desire to grow the number of veteran-owned businesses in their supply chains, and events like this allow us to make those connections and drive growth.

Below are some considerations from that training that veteran-owned businesses need to be mindful of when seeking contracting opportunities with Lockheed Martin or the Department of Defense:

  • According to Symantec, 43% of cyber attacks are lodged against small businesses. According to a Verizon investigation in 2017 on data breaches, 61% hit smaller businesses, which is an increase over the previous years’ 53%. Additionally, according to the National Cyber Security Alliance, 60% of small businesses are unable to sustain their businesses more than six months after a cyber attack. Small businesses are an attacker favorite because they typically allocate fewer resources to protect against attacks, internal employees can willingly or unwillingly provide access to hackers, and credit card transactions are especially susceptible.
  • The aerospace and defense (A&D) industry is especially susceptible to cybersecurity attacks, which continue to increase in frequency and sophistication. Those who possess any type of sensitive information are targets of these attacks, from government agencies down to small business suppliers.
  • Any business that is looking to contract under the Department of Defense needs to understand the various threats to sensitive information they may hold, create a program to manage risks, and identify and manage those risks. Lockheed Martin also requires that their suppliers engage in incident reporting if they believe or know their sensitive information was compromised.
  • Cybersecurity threats are continuously evolving and can include: Advanced Persistent Threats (APT), broad-based and criminal, insider, hacktivists, and rogue actors. Attackers seek opportunities to gain access to all layers of an IT ecosystem as a weakness in one system can be exploited by attackers to target another system.
  • Common supply chain vulnerabilities can include: lack of security education/awareness around spear phishing, lack of multi-factor authentication leading to credential harvesting, and lack of vulnerability scanning/lack of multi-factor authentication leading to perimeter exploitation.
  • Lockheed Martin uses two questionnaires to measure a supplier’s cyber posture: Cybersecurity Questionnaire (CSQ) – based on industry standards; NIST 800-171 – required by cyber DFARS. LMCO also works with other DoD prime contractors, such as BAE Systems, Northrop Grumman, and Raytheon, to offer these questionnaires to their suppliers, whose results are shared with the other primes in the group.
  • Cyber DFARS clause 252.204-7012 outlines cybersecurity safeguarding requirements for any business (small or large) that handles Covered Defense Information (CDI) on non-federal systems.
  • Cyber DFARS also requires DoD contractors to subscribe to NIST Special Publication 800-171 which consists of 110 security requirements, ensuring that they have the requisite information security knowledge, expertise and resources to comply. Non-compliance would mean the termination of that contractor’s work with the DoD.[1]

For more information about cybersecurity preventative measures and working with the DoD, visit Lockheed Martin’s Cybersecurity site for suppliers.

[1] Lockheed Martin Supply Chain Cybersecurity Academy, Lockheed Martin Cyber Governance Risk and Compliance,

Back to top.