Multi-Factor Authentication Implementation
In recent years, Lockheed Martin has witnessed a significant increase in damaging network breaches, system compromises, ransomware and phishing attacks on our subcontractors, suppliers and partners. Nation-state adversaries and cyber criminals are actively seeking access to protected networks, using stolen credentials to obtain initial access to the victim’s network. Our analysis reveals that 95 percent of these incidents could have been mitigated by enforcing multi-factor authentication (MFA).
Enforcing MFA is far more than an issue of compliance, it is perhaps the most critical control in protecting your network, intellectual property and our critical customer missions.
What is MFA and why should it be implemented?
MFA is an authentication method that requires the user to provide two or more verification factors to gain access to a resource such as an application or email account. Users will have to identify themselves by more than just a username and password, such as with the addition of an RSA token, Duo, Smartcard, YubiKey or via biometrics.
Passwords can be compromised via social engineering or phishing – threat actors will look to exploit the credentials of users who create weak passwords and/or reuse passwords across systems. Enforcing MFA is the most effective way to prevent unauthorized access, even when credentials are compromised.
Is MFA a requirement for Lockheed Martin suppliers?
Subcontractors supporting Lockheed Martin’s Department of Defense prime contracts that store, transmit and/or process controlled unclassified information (CUI) have the contractual and regulatory requirement to enforce MFA on their systems to protect CUI as part of their DFARS 252.204-7012 and NIST SP 800-171 (requirement 3.5.3) compliance. Lockheed Martin further requires subcontractors to evidence their compliance via the Exostar NIST SP 800-171 questionnaire. Refer to the Quick Reference Guide for more information.
To ensure compliance, Lockheed Martin will review supplier submissions and request updates as needed on their MFA implementation status. Suppliers should review their System Security Plan (SSP) and Plan of Action and Milestones (POAMs) for open MFA requirements and take immediate action to fully implement the security controls.
Where should MFA be implemented?
MFA should be implemented where technically feasible, but we encourage suppliers to take immediate action if they’re lacking MFA in these key areas:
- Email infrastructure, whether on-premise or hosted through managed service providers (e.g., Microsoft O365).
- External/remote access to their environment.
- Key cloud IT services (IaaS, SaaS and PaaS) containing sensitive data.
- Access to critical systems.
- Administrative level access to systems.
Additional resources: