Lockheed Martin's CMMC Mandate: The "Get to Green" Action Plan for Subcontractors
What every subcontractor needs to do to avoid being cut from the supply chain.

If you're one of Lockheed Martin's thousands of subcontractors, CMMC just became your most urgent problem.
The company recently shared its “Get to Green” CMMC readiness memo and is now actively sorting its supply chain. The memo states that under-prepared contractors create "significant risk" and that Lockheed may take "program mitigation actions to reduce or eliminate dependencies" on them.
For years, CMMC was a future problem. But now, it’s time to take action. Here is the direct analysis of what's happening and your immediate action plan.
First, Here’s What Lockheed Martin Said
The mandate is built around the NIST CCRA (Cybersecurity Compliance and Risk Assessment) questionnaire, which rates you "Minimal" (Green), "Moderate" (Yellow), or "Significant" (Red).
Here is the key language:
"Suppliers handling sensitive information with unmet key NIST 800-171 requirements...are being strongly encouraged to quickly close those gaps..."
"A 'Minimal' risk (Green) rating...requires that you...attest 'Yes' to having implemented all 31 of the identified NIST 800-171 requirements."
"Suppliers without a green CCRA rating create significant risk...and may evoke program mitigation actions..."
Now, here’s what that actually means.
I've been on calls over the past few weeks translating this for subcontractors. Here is the direct version:
- Compliance is a must: Yellow or Red status makes your organization a potential cybersecurity liability, and Lockheed's program managers are being directed to "reduce or eliminate dependencies" on any organizations that aren’t making strides towards achieving CMMC Level 2 compliance in a timely manner.
- The 31 NIST 800-171 requirements are a triage: With this request, Lockheed is telling subcontractors to get moving. CMMC Level 2 requires an organization to have fully implemented all 110 NIST 800-171 requirements. By focusing on the 31 NIST 800-171 requirements initially, Lockheed is looking to filter out the organizations that don’t make meaningful strides towards CMMC in the short term.
- It’s a flow-down power play: Lockheed is pushing CMMC as a flow-down requirement to its entire supplier base. For Lockheed, this means it doesn’t need to stress about the security postures of individual suppliers, because it knows that any organizations that remain in its database will meet the required CMMC standards.
The Key Message: Progress Beats Perfection
Lockheed Martin is looking for subcontractors to demonstrate credible progress, not immediate perfection. They know you have gaps and can't implement all 110 controls for CMMC Level 2 overnight.
The key takeaway? You need to get moving on CMMC now. Even if that first step is a self-assessment, an initial SPRS score, and a plan for a subset of the 800-171 controls, that's the proof of momentum they need.
At Workstreet, we can help you automate your CMMC Level 2 compliance, protect CUI, and win contracts with a complete, AI-enabled security program from the only AI-powered RPO. Get certified faster with our automation-first services and dedicated public sector specialists.

