Incident Reporting

Our customers count on our products and services to support their missions each and every time. This includes protecting the information related to these products and services and ensuring timely reporting when this information is compromised or exposed to unauthorized parties.

It is our customer and our expectation that we will be notified if any information provided as part of, or generated in support of, contract performance is impacted as a result of a cybersecurity compromise. We have included cyber incident reporting language in many of our contracts with suppliers and moving forward all future contracts will include this contract language. Expectations of suppliers:

  • “Compromise” is defined as unauthorized access, inadvertent disclosure, known misuse, loss, destruction, or alteration of information provided by Lockheed Martin other than as required to perform agreed to scope of work
  • Take appropriate and immediate actions to investigate and contain the incident and any associated risks
  • Provide reasonable cooperation to Lockheed Martin in conducting any investigation regarding the nature and scope of any incident
  • Costs incurred in investigating or remedying incidents shall be borne by the supplier

For contracts not governed by cyber DFARS suppliers are required to notify the Lockheed Martin (LM) point of contact specified in the Lockheed Martin contract (e.g. Subcontracts Program Manager, Subcontracts Administrator, or Buyer) within 72 hours or as specified in the LM contract. Lockheed Martin Programs and personnel must coordinate all cyber incidents with the LMC Computer Incident Response Team (LM CIRT). The LM CIRT will work with impacted programs to make all required cyber incident notifications.

For contracts governed by cyber DFARS Clause 252.204-7012 refer to the “Adhering to DoD Cybersecurity Requirements” section. In general, suppliers are required to notify the DoD, and Lockheed Martin (e.g. Subcontracts Program Manager, Subcontracts Administrator, or Buyer) within 72 hours of discovery of cyber events. Lockheed Martin Programs and personnel must coordinate all cyber incidents with the LMC Computer Incident Response Team (LM CIRT). The LM CIRT will work with impacted programs to make all required cyber incident notifications.