LOCKHEED MARTIN CORP 10-K Cybersecurity GRC - 2024-01-23

Page last updated on April 11, 2024

LOCKHEED MARTIN CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-01-23 16:17:08 EST.

Filings

10-K filed on 2024-01-23

LOCKHEED MARTIN CORP filed an 10-K at 2024-01-23 16:17:08 EST
Accession Number: 0000936468-24-000010

Item 1C. Cybersecurity.

We believe cybersecurity is critical to advancing our 21st Century Security vision and enabling our digital transformation efforts. As an aerospace and defense company, we face a multitude of cybersecurity threats that range from attacks common to most industries, such as ransomware and denial-of-service, to attacks from more advanced and persistent, highly organized adversaries, including nation state actors, that target the defense industrial base and other critical infrastructure sectors. Our customers, suppliers, subcontractors and joint venture partners face similar cybersecurity threats, and a cybersecurity incident impacting us or any of these entities could materially adversely affect our operations, performance and results of operations. These cybersecurity threats and related risks make it imperative that we are a leader in the information security field, and we expend considerable resources on cybersecurity.

The Board of Directors oversees management’s processes for identifying and mitigating risks, including cybersecurity risks, to help align our risk exposure with our strategic objectives. Senior leadership, including our Chief Information Security Officer (CISO), regularly briefs the Board of Directors on our cybersecurity and information security posture and the Board of Directors is apprised of cybersecurity incidents deemed to have a moderate or higher business impact, even if immaterial to us. The Classified Business and Security Committee of the Board of Directors is briefed by senior leadership, as appropriate, on the cybersecurity of classified programs and the security of our classified business supply chain. Other than oversight of classified business cybersecurity, the full Board retains oversight of cybersecurity because of its importance to Lockheed Martin and the heightened risk in the aerospace and defense industry. In the event of an incident, we intend to follow our detailed incident response playbook, which outlines the steps to be followed from incident detection to mitigation, recovery and notification, including notifying functional areas (e.g. legal), as well as senior leadership and the Board, as appropriate.

Our corporate information security organization, led by our CISO, is responsible for our overall information security strategy, policy, security engineering, operations and cyber threat detection and response. The current CISO has extensive information technology and program management experience, and has served many years in our corporate information security organization. The corporate information security organization manages and continually enhances a robust enterprise security structure with the ultimate goal of preventing cybersecurity incidents to the extent feasible, while simultaneously increasing our system resilience in an effort to minimize the business impact should an incident occur. Central to this organization is our computer incident response team (CIRT), which is responsible for the protection, detection and response capabilities used in the defense of Lockheed Martin’s data and enterprise computing networks. Employees outside of our corporate information security organization also have a role in our cybersecurity defenses and they are immersed in a corporate culture supportive of security, which we believe improves our cybersecurity.

The corporate information security organization has implemented a governance structure and processes to assess, identify, manage and report cybersecurity risks. We also have a corporate-wide counterintelligence and insider threat detection program to proactively identify external and internal threats, and mitigate those threats in a timely manner. As a defense contractor, we must comply with extensive regulations, including requirements imposed by the Defense Federal Acquisition Regulation Supplement (DFARS) related to adequately safeguarding controlled unclassified information (CUI) and reporting cybersecurity incidents to the DoD. We have implemented cybersecurity policies and frameworks based on industry and governmental standards to align closely with DoD requirements, instructions and guidance. Moreover, we continue to work with the DoD on assessing cybersecurity risk and on policies and practices aimed at mitigating these risks. For example, we have worked in collaboration with the other members of the defense industrial base to support DoD’s development of the Cybersecurity Maturity Model Certification (CMMC) program, DoD’s program to ensure members of the defense industrial base meet cybersecurity requirements for handling CUI and federal contract information. We believe we are well positioned to meet the requirements of the CMMC and are preparing for certification once the requirements are effective. In addition to following DoD guidance and implementing pre-existing third party frameworks, we have developed our own practices and frameworks, which we believe enhance our ability to identify and manage cybersecurity risks. For example, we use a proactive risk management strategy that we developed and implemented called the Intelligence Driven Defense(R) model that seeks to identify and prevent cybersecurity incidents by understanding the nature of adversaries and using this information to minimize the impact of an attack.

Third parties also play a role in our cybersecurity. We engage third-party services to conduct evaluations of our security controls, whether through penetration testing, independent audits or consulting on best practices to address new challenges. These evaluations include testing both the design and operational effectiveness of security controls. We also share and receive threat intelligence with our defense industrial base peers, government agencies, information sharing and analysis centers and cybersecurity associations.

Assessing, identifying and managing cybersecurity related risks are integrated into our overall enterprise risk management (ERM) process. Cybersecurity related risks are included in the risk universe that the ERM function evaluates to assess top risks to the enterprise on an annual basis. To the extent the ERM process identifies a heightened cybersecurity related risk, risk owners are assigned to develop risk mitigation plans, which are then tracked to completion. The ERM process’s annual risk assessment is presented to the Board of Directors.

We rely heavily on our supply chain to deliver our products and services to our customers, and a cybersecurity incident at a supplier, subcontractor or joint venture partner could materially adversely impact us. We assess third party cybersecurity controls through a cybersecurity questionnaire and include security and privacy addendums to our contracts where applicable. We also contractually flow cybersecurity regulatory requirements to our subcontractors as required by the DFARS and other government agency specific requirements. These contractual flow downs include the requirement that our subcontractors implement certain security controls, and that our subcontractors self-report the status of their implementation of these controls to the U.S. Government. These government contracting regulations may create challenges for our supply chain and increase costs. We also require that our subcontractors report cybersecurity incidents to us so that we can assess the impact of the incident on us. For select suppliers, we engage third-party cybersecurity monitoring and alerting services, and seek to work directly with those suppliers to address potential deficiencies identified. We also make available cybersecurity education and awareness materials and briefings to our suppliers.

Notwithstanding the extensive approach we take to cybersecurity, we may not be successful in preventing or mitigating a cybersecurity incident that could have a material adverse effect on us. While Lockheed Martin maintains cybersecurity insurance, the costs related to cybersecurity threats or disruptions may not be fully insured. See Item 1A. “Risk Factors” for a discussion of cybersecurity risks.

Item 1A. Risk Factors.

Cyber-attacks and other security threats and disruptions could have a material adverse affect on our business.

As an aerospace and defense company, we face a multitude of security threats, including cybersecurity threats ranging from attacks common to most industries, such as ransomware and denial-of-service, to attacks from more advanced and persistent, highly organized adversaries, including nation state actors, which target the defense industrial base and other critical infrastructure sectors. The sophistication of the threats continue to evolve and grow, including the risk associated with the use of emerging technologies, such as artificial intelligence and quantum computing, for nefarious purposes. In addition to cybersecurity threats, we face threats to the security of our facilities and employees from terrorist acts, sabotage or other disruptions, any of which could adversely affect our business. The improper conduct of our employees or others working on behalf of us who have access to export controlled, classified or other sensitive information could also adversely affect our business and reputation. Our customers (including sites that we operate and manage for our customers), suppliers, subcontractors and joint venture partners, experience similar security threats.

If we are unable to protect sensitive information, including complying with evolving information security, data protection and privacy regulations, our customers or governmental authorities could investigate the adequacy of our threat mitigation and detection processes and procedures; and could bring actions against us for noncompliance with applicable laws and regulations. Moreover, depending on the severity of an incident, our customers’ data, our employees’ data, our intellectual property (including trade secrets and research, development and engineering know-how), and other third-party data (such as subcontractors, suppliers and vendors) could be compromised, which could adversely affect our business. Products and services we provide to customers also carry cybersecurity risks, including risks that they could be breached or fail to detect, prevent or combat attacks, which could result in losses to our customers and claims against us, and could harm our relationships with our customers and financial results.

Given the persistence, sophistication, volume and novelty of threats we face, we may not be successful in preventing or mitigating an attack that could have a material adverse effect on us and the costs related to cyber or other security threats or disruptions may not be fully insured or indemnified by other means. The national security aspects of our business and much of the data we protect increase and create different risks relative to other industries. National security considerations may also preclude us from publicly disclosing a cybersecurity incident.

Our customers, suppliers, subcontractors, joint venture partners and acquired entities face similar security threats and an incident at one of these entities could adversely impact our business. These entities are typically outside our control and may have access to our information with varying levels of security and cybersecurity resources, expertise, safeguards and capabilities. Their relationships with government contractors, including us, may increase the risk that they are targeted by the same threats we face, however, they may not be as prepared for such threats. Adversaries actively seek to exploit security and cybersecurity weaknesses in our supply chain. Breaches in our multi-tiered supply chain, which is comprised of thousands of direct and indirect suppliers, has and could in the future compromise our data and adversely affect customer deliverables. We also must rely on our supply chain for adequately detecting and reporting cyber incidents, which could affect our ability to report or respond to cybersecurity incidents effectively or in a timely manner.

Company Information