Supply Chain Cybersecurity

Carlos Bivins, Debbie Stuckey
Lockheed Martin Corporate Information Security

August 7, 2017

© 2015 Lockheed Martin. All Rights Reserved.



© 2017 Lockheed Martin. All Rights Reserved.

Agenda:

• Threat brief
• Common Vulnerabilities and “Quick Wins”
• Lockheed Martin Supply Chain Cybersecurity Strategy
• Industry collaboration
• Lockheed Martin’s Risk-based Approach
• Lockheed Martin’s expectations of suppliers
• DFARS changes
• Supplier experience
• General support and Help sites


Video Introduction

The Director of National Intelligence has identified supply chain cyber risk as a threat to the national security of the United States and released this video highlighting supply chain cyber risk.

Office of the Director of National Intelligence’s National Counterintelligence video, Supply Chain Risk Management: https://www.youtube.com/watch?v=oj5iD0D7JsY&feature=youtu.be

Office of the Director of National Intelligence’s National Counterintelligence release statement for the Supply Chain Risk Management video: https://www.dni.gov/index.php/newsroom/press-releases/215-press-releases-2016/1405-new-video-highlights-foreign-risks-to-private-sector-supply-chains


Understanding the Cyber Threat Scope

(Diagram: growth of the threat landscape from 2005 to 2017. Labels on the diagram: actors: Nation States, Rogue Nations, Hacktivists (Anonymous), Criminal; objectives: Espionage (IP Theft), Espionage (Intel), Disruptive (DDoS), Destructive, Financial; vectors and attack surfaces: Spear Phishing, Web Server, Watering Hole, Social Media, Mobile, Supplier, Joint Venture, Perimeter, Mobility, Core Network, Cloud, Platform. For 2005 the diagram shows only Spear Phishing, Nation State, and Core Network Espionage.)


Common Supply Chain Cyber Vulnerabilities

Common Adversarial Attack Vectors:

• Spear Phishing
• Credential Harvesting
• Perimeter Exploitation

Common Supply Chain Vulnerabilities:

• Lack of Security Education / Awareness
• Lack of multi-factor authentication
• Lack of vulnerability scanning


“Quick Wins”

Common Adversarial Attack Vectors:

• Spear Phishing
• Credential Harvesting
• Perimeter Exploitation

“Quick Wins” Mitigations

Technical:

• Email Filtering
• Category “none” blocking
• Minimize Desktop Admins
• Multifactor Authentication
• Eliminate “End of Life” Internet facing systems

Process:

• Properly marked / distributed data
• Training and Awareness
• Restrict Information Flow Down
• Shared Intelligence (Industry/Govt)


Supply Chain Cyber Initiative Strategy

Supplier Cyber Security (diagram)

Phases:

• Understand Posture (Questionnaires & Validations)
• Build Awareness
• Reduce Risk
• End Goal: Compliance w/ Cyber DFARS

Strategy elements:

• Broad cyber risk assessment, awareness and education
• Risk-based cyber mitigation actions
• Supplier threat awareness and monitoring; self-reporting to LM/DoD

Collaboration across Supply Chain, Cyber Security, Program Management and Engineering

Move Defenses “Up Stream”


Industry Collaboration & Supplier Engagement

• LM chairs the Supply Chain Cybersecurity Working Group
• Exostar hosts cybersecurity questionnaires
• Common supplier expectations
• Supplier inputs once, results shared across multiple primes

Cybersecurity Questionnaire

• 180 questions
• APT and risk focus
• Developed by Exostar partners
• Based on standards: Center for Internet Security top Critical Security Controls

NIST 800-171 Questionnaire

• 110 questions
• Compliance for Covered Defense Information (CDI) as defined in DFARS 252.204-7012
• Regulatory compliance by 12/31/2017

Understand Supplier Posture: a collaborative approach


Supply Chain Cyber Supplier Self-Assessments (diagram)

Supplier questionnaires required, by information protection risk (lower risk to higher risk):

• No Sensitive Info: no questionnaires required, based on supplier TPM certification
• LM Critical Info, LMPI / TPPI: Critical Security Controls Questionnaire
• DoD Regulatory Information (e.g., CDI): Critical Security Controls Questionnaire AND NIST Questionnaire


Supply Chain Cyber Enterprise Risk-Based Actions (diagram)

Information protection risk tiers, lower risk to higher risk: No Sensitive Info; LM Critical Info; LMPI / TPPI (no CDI or Critical Info.); DoD Regulatory Information (e.g., CDI).

Corporate Information Security (CIS) actions, increasing with risk:

• Ensure supplier TPM certification is updated if sensitive info / CDI is confirmed
• Virtual Validations: review/validate supplier questionnaire comprehension & responses
• Audits and Deep Dives: confirm supplier’s IT controls are in place as stated and collaborate on best practices
• Active Monitoring & Testing: LM active technical testing and/or reviews of supplier environments (e.g., Netflow analysis)
• Broad to Program-Specific Cyber Security Education/Awareness


Supplier Experience


Lockheed Martin’s Expectations of our Suppliers

• Assess internal cybersecurity maturity using Exostar questionnaire(s)

– Handling Sensitive Information
  • Complete the Cybersecurity Questionnaire (180 questions)
  • Result: ~40 page report with Rating/Scores and links to recommendations
  • Define a remediation plan and work to close on open items

– Handling Covered Defense Information (CDI) as defined by DFARS
  • Be aware of applicable DFARS clauses in LM CorpDocs
  • Flow DFARS requirements to sub-tier suppliers
  • Complete the NIST 800-171 Questionnaire (110 questions)
  • Be compliant by December 31, 2017
  • 30 Day notification to DoD CIO and LMC of non-compliant NIST controls
  • Report cyber incidents within 72 hours to DoD CIO and LMC


Exostar Cybersecurity Questionnaire


Exostar NIST Questionnaire


Supply Chain Resources

• Supplier Accessible Support Sites
  – Lockheed Martin External website for Supply Chain Cyber: http://www.lockheedmartin.com/us/suppliers/cybersecurity.html
  – Exostar PIM Cybersecurity Questionnaire and Supplier Process FAQs: http://www.myexostar.com/pim/cq/ and http://www.myexostar.com/PIM/NQ/

• Lockheed Martin internal Support Sites
  – Internal CIS Cyber Questionnaire migration support site (under construction): https://ebs.global.lmco.com/cyber/suppliers/
    • Go Live Kit (“Support” / Migration Go Live Kit)
    • LM Buyer FAQ (Main page, FAQs)
    • Exostar process (Main page, FAQs)
    • Cybersecurity and NIST 800-171 Questionnaire information (Main page)
    • DFARS Overview (Main page, “Support”)
  – Internal GSCO Website for Cyber: https://eo-sharepoint.external.lmco.com/sites/eu-GSCO/CustomPages/Secure_Supply_Chain.aspx


Supplier Takeaway

• As an A&D supplier you are a target of our adversaries
• Lockheed Martin is working with suppliers:
  – To understand their cybersecurity posture
  – To bring a heightened sense of cybersecurity awareness
• Suppliers are responsible:
  – To complete the Cyber Security Questionnaire
  – To complete the DFARS/NIST 800-171 Questionnaire if applicable
  – To improve their cybersecurity posture as necessary
  – To be compliant with NIST 800-171 by December 31, 2017 (if applicable)


Sensitive Information (ref CRX-015)

Sensitive Information – Information in any or all of these categories: Personal Information, Export Controlled Information, Lockheed Martin Proprietary Information, and Third Party Proprietary Information.

Information – Data in written, pictorial, electronic, audio, oral, or other form.

Supplier must complete the 180-question Cybersecurity Questionnaire if receiving / storing Sensitive Information.


Covered Defense Information (CDI) Scope

• Controlled Technical Information – Technical data or computer software with military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure or dissemination.

• Critical information (operations security). Specific facts identified through the Operations Security process about friendly intentions, capabilities, and activities vitally needed by adversaries for them to plan and act effectively so as to guarantee failure or unacceptable consequences for friendly mission accomplishment (part of Operations Security process).

• Export control. Unclassified information concerning certain items, commodities, technology, software, or other information whose export could reasonably be expected to adversely affect the United States national security and nonproliferation objectives. To include dual use items; items identified in export administration regulations, international traffic in arms regulations, and munitions list; license applications; and sensitive nuclear technology information.

• Other information – Any other information, marked or otherwise identified in the contract, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government-wide policies (e.g., privacy, proprietary business information).

Supplier must complete the 110-question NIST Questionnaire if receiving / storing CDI.


Adversary Threats

Identified Threats in the DIB:

1. Spear Phishing – Spear Phishing is a method by which attackers (organized perpetrators out for financial gain, trade secrets or national security information) target specific individuals or organizations seeking unauthorized access to data.

2. Credential Harvesting – Credential harvesting uses social engineering techniques to obtain legitimate user IDs (and passwords) allowing access to a network. Techniques include an attacker sending an email with a link to a spoofed website that looks legitimate, or a person posing as an authoritative resource (e.g. help desk) to fraudulently obtain a user’s logon ID or password.

3. Unsecure Perimeter Infrastructure – An unsecure Perimeter Infrastructure means there are limited / misconfigured security devices at the outer boundary of a network. An unsecure perimeter allows nefarious actors to easily enter the network and create havoc/damage.
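The spoofed-website link in item 2 is what the “Email Filtering” quick win on the mitigations slide has to catch before a user ever sees it. The following is an added example, not Lockheed Martin’s or Exostar’s code: it parses the anchors of a constructed HTML message and flags a link when its visible text names a different site than its target, when the target host is an internationalized (punycode) name, or when the target’s registrable domain is within two edits of a trusted domain. TRUSTED_DOMAINS, SAMPLE_EMAIL_HTML and the two-label approximation of a registrable domain are assumptions made for this example.

```python
"""Flag links in an inbound HTML email whose target does not match what the
reader sees.  Added example for illustration, not Lockheed Martin or Exostar
code; TRUSTED_DOMAINS and SAMPLE_EMAIL_HTML are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed: registrable domains that legitimate mail to this organisation links to.
TRUSTED_DOMAINS = {"example-prime.com", "example.net"}

# Constructed sample message: a trusted link, a lookalike host whose visible text
# shows the real portal URL, a punycode host, and a trusted subdomain.
SAMPLE_EMAIL_HTML = """
<p>Your supplier portal account requires re-validation within 24 hours.</p>
<p><a href="https://supplierportal.example.net/login">Supplier Portal</a></p>
<p><a href="http://supplierportal.examp1e.net/login">https://supplierportal.example.net/login</a></p>
<p><a href="https://xn--supplierportal-abc.net/reset">Reset password</a></p>
<p><a href="https://docs.example-prime.com/dfars">DFARS overview</a></p>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two DNS labels: a constructed stand-in for a public-suffix-list
    lookup, adequate for .com / .net style names used in the sample."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a, b):
    """Levenshtein distance; catches one- or two-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def host_from_text(text):
    """Return a hostname if the visible anchor text itself looks like a URL or domain."""
    t = text.strip()
    if not t or " " in t or "." not in t:
        return None
    if "://" not in t:
        t = "//" + t  # bare domain: let urlsplit treat it as a network location
    return urlsplit(t).hostname


def link_findings(href, text, trusted=TRUSTED_DOMAINS):
    """Reasons a single link is suspicious; empty list means nothing flagged."""
    parts = urlsplit(href)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return []  # mailto:, tel:, relative links: out of scope here
    target = registrable_domain(parts.hostname)
    reasons = []
    # 1. The visible text shows one site while the link goes to another.
    shown = host_from_text(text)
    if shown and registrable_domain(shown) != target:
        reasons.append("display-target-mismatch")
    # 2. Internationalised label: may render as characters resembling a trusted name.
    if any(label.startswith("xn--") for label in parts.hostname.lower().split(".")):
        reasons.append("punycode-host")
    # 3. Not a trusted domain, but within two edits of one.
    if target not in trusted:
        for t in sorted(trusted):
            if edit_distance(target, t) <= 2:
                reasons.append(f"lookalike-of:{t}")
    return reasons


def analyze_email_html(html, trusted=TRUSTED_DOMAINS):
    """Return one finding per suspicious link: href, visible text, reasons."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        reasons = link_findings(href, text, trusted)
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze_email_html(SAMPLE_EMAIL_HTML):
        print(f["href"], "->", ", ".join(f["reasons"]))
```

Run against the constructed message, the trusted portal link and the trusted subdomain pass, the `examp1e.net` link is flagged twice (its visible text names the real portal, and the host is one edit from a trusted domain), and the punycode host is flagged once. A production filter would replace the two-label domain approximation with a public-suffix-list lookup and would treat the findings as input to quarantine or user-warning logic rather than as a verdict on their own.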


Quick Hit Mitigations (Technical)


Quick Hit Mitigations (Non-Technical)