<img src="https://ws.zoominfo.com/pixel/4CagHYMZMRWAjWFEK36G" width="1" height="1" style="display: none;">
Request Demo

Audit Management, DFARS, Corporate Compliance and Oversight, Cybersecurity Frameworks

Did You Receive a DFARS Questionnaire? What it is, What it isn't, and What You Can Do Now


A while back, Lockheed Martin published New Guidelines for Adhering to Department of Defense (DoD) Requirements. This overview is for their supply chain and vendors specifically, and gives good insight into the process that large defense contractors are embarking on to become compliant and save their DoD contracts. This process is important not only for those larger contractors, but also for the supply chain members. Those who have DoD related revenue regardless of size, or who want to generate similar revenue in the future, must be compliant with DFARS by the end of the year to win contracts. Ultimately, it's a regulation and gives an organization the upper hand amongst the competition, as those who win contracts will have to become compliant if they aren't already.

Lockheed gave some interesting and informative answers to popular questions, especially those regarding questionnaires sent down the supply chain by prime contractors. The question of whether filling out this questionnaire is enough to comply, or whether it is just a means for initiating the compliance process by these larger contractors was addressed. Therefore, the third answer in the list is the most informative from what we've seen. Here's the FAQ:

"Frequently Asked Questions

Do I as a supplier need to notify Lockheed Martin of my compliance status on cyber DFARS clause 252.204-7012?

If a supplier is non-compliant with the NIST cybersecurity controls outlined in the cyber DFARS clause 252.204-7012 dated December 2015, then the supplier must notify the DoD CIOs office within 30 days of contract award with LMC of the areas of non-compliance. The supplier must copy Lockheed Martin through the authorized procurement representative identified in the subcontract or purchase order on the DoD notification.

What are the incident reporting requirements for suppliers?

A supplier must report an incident within 72 hours of discovery to both 1) Lockheed Martin (e.g. Lockheed Martin Subcontract Program Manager (SPM), Buyer, or Subcontract Administrator (SCA)) and in parallel to 2) the DoD at the following DFAR directed site: DOD Dibnet. LM SPMs, buyers and/or SCAs must immediately notify the LM CIRT of supplier cyber incident reports. Please note: the cyber incident reporting requirements associated with this cyber DFARS clause do not negate any additional reporting requirements found in the contract between Lockheed Martin and the supplier.

How is the cybersecurity questionnaire used by Lockheed Martin different than the actions required by cyber DFARS clause 252.204-7012?

The cybersecurity questionnaire in Exostar is used as a tool to obtain a high-level understanding of a supplier’s ability to protect sensitive information and manage cyber security risk. To be clear, performing all activities outlined in the questionnaire does not satisfy the requirements associated with cyber DFARS clause 252.204-7012. Suppliers which store/process CDI are responsible for assessing their systems for compliance with the requirements outlined in cyber DFARS clause 252.204-7012."

Free DFARS Compliance Guide: Learn What is Required and How to Approach NIST SP 800-171

So, it's clear that a questionnaire alone won't get you compliant, but paying for hours of consulting and outsourcing to a third party may be too costly, or just not efficient enough for those who want an easy solution in-house. Doing DFARS in-house also assures you'll be up to date, as you'll have to continuously report or prove compliance for your new contracts and having that information readily available with artifacts that show your status is a huge advantage. 

CyberStrong not only can streamline your DFARS assessment for you, but we can give you an automated way of creating your compliance documents (POAM and SSP). You could save hours of time wondering what the best path to compliance is and assessing different options. CyberStrong gives you the optimal path tailored to your organization by allowing you to see clearly into your cybersecurity program and identify gaps and low-cost remediation strategies. There's still time, and we are still taking clients before the deadline. It's not too late to get compliant and have the advantage of complying ahead of your competition. 

Email info@cybersaint.io or schedule a meeting on our homepage with one of our Solutions Consultants who can walk you through your options with no obligation to us required.


You may also like

Conducting Your First Risk ...
on January 30, 2023

As digital adoption across industries increases, companies are facing increasing cybersecurity risks. Regardless of their size, cyber-attacks are a persistent threat that must be ...

Your Guide to Cloud Security ...
on January 26, 2023

Cloud computing refers to the delivery of multiple services via the internet (also known as the “cloud”), including software, databases, servers, storage, intelligence, and ...

Compliance and Regulations for ...
on January 9, 2023

Compliance for many cybersecurity programs has been the cornerstone and the catalyst for why many programs exist in the first place. Since the rise of the information technology ...

Cyber Risk Quantification: Metrics ...
on January 6, 2023

Risk management is the new foundation for an information security program. Risk management, coupled with necessary compliance activities to support ongoing business operations, ...

Padraic O'Reilly
Cybersecurity Maturity Models You ...
on January 27, 2023

Cybercrime has forced businesses worldwide into paying billions of dollars yearly. As more of the population becomes dependent on technology, the fear of cyber attacks continues ...

Top 10 Risks in Cyber Security
on December 23, 2022

Increasing cyber security threats continue creating problems for companies and organizations, obliging them to defend their systems against cyber threats. According to research ...