LOCKHEED MARTIN CORP - (LMT)
10-K Filing Date: January 23, 2024
ITEM 1C. Cybersecurity
We believe cybersecurity is critical to advancing our 21st Century Security vision and enabling our digital transformation efforts. As an aerospace and defense company, we face a multitude of cybersecurity threats that range from attacks common to most industries, such as ransomware and denial-of-service, to attacks from more advanced and persistent, highly organized adversaries, including nation state actors, that target the defense industrial base and other critical infrastructure sectors. Our customers, suppliers, subcontractors and joint venture partners face similar cybersecurity threats, and a cybersecurity incident impacting us or any of these entities could materially adversely affect our operations, performance and results of operations. These cybersecurity threats and related risks make it imperative that we are a leader in the information security field, and we expend considerable resources on cybersecurity.
The Board of Directors oversees management’s processes for identifying and mitigating risks, including cybersecurity risks, to help align our risk exposure with our strategic objectives. Senior leadership, including our Chief Information Security Officer (CISO), regularly briefs the Board of Directors on our cybersecurity and information security posture and the Board of Directors is apprised of cybersecurity incidents deemed to have a moderate or higher business impact, even if immaterial to us. The Classified Business and Security Committee of the Board of Directors is briefed by senior leadership, as appropriate, on the cybersecurity of classified programs and the security of our classified business supply chain. Other than oversight of classified business cybersecurity, the full Board retains oversight of cybersecurity because of its importance to Lockheed Martin and the heightened risk in the aerospace and defense industry. In the event of an incident, we intend to follow our detailed incident response playbook, which outlines the steps to be followed from incident detection to mitigation, recovery and notification, including notifying functional areas (e.g., legal), as well as senior leadership and the Board, as appropriate.
Our corporate information security organization, led by our CISO, is responsible for our overall information security strategy, policy, security engineering, operations and cyber threat detection and response. The current CISO has extensive information technology and program management experience, and has served many years in our corporate information security organization. The corporate information security organization manages and continually enhances a robust enterprise security structure with the ultimate goal of preventing cybersecurity incidents to the extent feasible, while simultaneously increasing our system resilience in an effort to minimize the business impact should an incident occur. Central to this organization is our computer incident response team (CIRT), which is responsible for the protection, detection and response capabilities used in the defense of Lockheed Martin’s data and enterprise computing networks. Employees outside of our corporate information security organization also have a role in our cybersecurity defenses and they are immersed in a corporate culture supportive of security, which we believe improves our cybersecurity.
The corporate information security organization has implemented a governance structure and processes to assess, identify, manage and report cybersecurity risks. We also have a corporate-wide counterintelligence and insider threat detection program to proactively identify external and internal threats, and mitigate those threats in a timely manner. As a defense contractor, we must comply with extensive regulations, including requirements imposed by the Defense Federal Acquisition Regulation Supplement (DFARS) related to adequately safeguarding controlled unclassified information (CUI) and reporting cybersecurity incidents to the DoD. We have implemented cybersecurity policies and frameworks based on industry and governmental standards to align closely with DoD requirements, instructions and guidance. Moreover, we continue to work with the DoD on assessing cybersecurity risk and on policies and practices aimed at mitigating these risks. For example, we have worked in collaboration with the other members of the defense industrial base to support DoD’s development of the Cybersecurity Maturity Model Certification (CMMC) program, DoD’s program to ensure members of the defense industrial base meet cybersecurity requirements for handling CUI and federal contract information. We believe we are well positioned to meet the requirements of the CMMC and are preparing for certification once the requirements are effective. In addition to following DoD guidance and implementing pre-existing third party frameworks, we have developed our own practices and frameworks, which we believe enhance our ability to identify and manage cybersecurity risks. For example, we use a proactive risk management strategy that we developed and implemented called the Intelligence Driven Defense® model that seeks to identify and prevent cybersecurity incidents by understanding the nature of adversaries and using this information to minimize the impact of an attack.
Third parties also play a role in our cybersecurity. We engage third-party services to conduct evaluations of our security controls, whether through penetration testing, independent audits or consulting on best practices to address new challenges. These evaluations include testing both the design and operational effectiveness of security controls. We also share and receive threat intelligence with our defense industrial base peers, government agencies, information sharing and analysis centers and cybersecurity associations.
Assessing, identifying and managing cybersecurity related risks are integrated into our overall enterprise risk management (ERM) process. Cybersecurity related risks are included in the risk universe that the ERM function evaluates to assess top risks to the enterprise on an annual basis. To the extent the ERM process identifies a heightened cybersecurity related risk, risk owners are assigned to develop risk mitigation plans, which are then tracked to completion. The ERM process’s annual risk assessment is presented to the Board of Directors.
We rely heavily on our supply chain to deliver our products and services to our customers, and a cybersecurity incident at a supplier, subcontractor or joint venture partner could materially adversely impact us. We assess third party cybersecurity controls through a cybersecurity questionnaire and include security and privacy addendums to our contracts where applicable. We also contractually flow cybersecurity regulatory requirements to our subcontractors as required by the DFARS and other government agency specific requirements. These contractual flow downs include the requirement that our subcontractors implement certain security controls, and that our subcontractors self-report the status of their implementation of these controls to the U.S. Government. These government contracting regulations may create challenges for our supply chain and increase costs. We also require that our subcontractors report cybersecurity incidents to us so that we can assess the impact of the incident on us. For select suppliers, we engage third-party cybersecurity monitoring and alerting services, and seek to work directly with those suppliers to address potential deficiencies identified. We also make available cybersecurity education and awareness materials and briefings to our suppliers.
Notwithstanding the extensive approach we take to cybersecurity, we may not be successful in preventing or mitigating a cybersecurity incident that could have a material adverse effect on us. While Lockheed Martin maintains cybersecurity insurance, the costs related to cybersecurity threats or disruptions may not be fully insured. See Item 1A. “Risk Factors” for a discussion of cybersecurity risks.