Cybersecurity Maturity Model Certification (CMMC): Rulemaking Progress
As of June 30, Lockheed Martin has made it official per their new release on cybersecurity supplier updates: CMMC (Cybersecurity Maturity Model Certification) Level 2 isn’t optional if you want to stay in their supply chain. If your business touches Federal Contract Information (FCI) or Controlled Unclassified Information (CUI), your cybersecurity posture now determines your ability to win or keep contracts.
“Lockheed Martin Supply Chain Cybersecurity is reaching out to all suppliers whose latest self-assessment is indicative of unmet cyber requirements (including unimplemented CMMC controls).”
Translation? All Defense Industrial Base (DIB) companies handling CUI are expected to have implemented, and to meet, the NIST 800-171 (Rev. 2) requirements.
CMMC Level 2: No Longer a “Future Requirement”
Lockheed is making it clear: suppliers managing CUI must already meet the full NIST SP 800-171 Rev. 2 requirements. This isn’t prep work anymore; it’s the new bar for entry.
If you’re still treating CMMC like a “someday” project, you’re already behind.
What’s Lockheed Looking At?
They’ve introduced the Cybersecurity Compliance and Risk Assessment (CCRA), a detailed self-assessment tool built with ND-ISAC, RTX, Booz Allen, and others. This Excel-based submission is now how Lockheed is benchmarking cyber maturity across the supply chain.
Here’s why it matters:
- It measures your current NIST 800-171 implementation status.
- Lockheed is actively using it to assess supplier risk.
- If you’re not on their radar, that’s either a blessing or a missed opportunity to stand out.
Strategic Advantage: Be the One Who’s Ready
The smart suppliers aren’t waiting for an email; they’re getting in front of this. Those who can prove CMMC Level 2 compliance now (or have a firm timeline in place) will quickly become critical vendors as less prepared competitors fall off.
Lockheed’s new Supplier Management portal (formerly Exostar, which will be renamed the “Supplier Management” module) is your next stop to update your CCRA, show your compliance, and position yourself to win.
Why This Actually Matters
This isn’t about paperwork; it’s about protecting national defense. Nationwide cyber threats are getting smarter, faster, and more aggressive. The DIB is a constant target.
By drawing a hard line on CMMC, Lockheed’s doing what every prime and subprime should be doing: making sure controlled unclassified information (CUI) and all sensitive data stay locked down, defense capabilities stay intact, and only serious, secure vendors stay in the game.
What You Should Do Now
- Fully implement NIST 800-171 (Rev. 2)
- Map your security program to CMMC Level 2 requirements
- Complete and submit your CCRA
- Update your cyber status in Lockheed’s supplier portal/Exostar
- Communicate your compliance readiness before you’re asked
Final Word: Compliance Is Now the Price of Admission
Lockheed Martin isn’t giving suppliers wiggle room. They’ve set the standard. If you’re not on the path to certification, you’re already losing ground.
The defense ecosystem within the DOD is moving fast, and only secure, prepared partners will be left standing.
Need Help Getting CMMC-Ready Fast?
At Elevate, we work exclusively with suppliers across the Defense Industrial Base (DIB), guiding them towards being certified, audit-ready, and locked into prime contracts. Whether you’re starting from scratch or cleaning up your SPRS score, we’ll help you build a cybersecurity program that holds up to scrutiny.
Let’s talk. We’ll show you how to turn this compliance curveball into a competitive edge.