June 30, 2020

Last Updated on January 15, 2024


Did you know that 65% of US Department of Defense (DoD) direct spending—involving about 150,000 companies—is transacted over one service provider’s secure platform? That company is Exostar. If your organization is part of the US Defense Industrial Base (DIB), you may want to get familiar with Exostar and the services they offer to DoD prime contractors and their subcontractors and suppliers.
To find out more, look no further than a recent episode of The Virtual CISO Podcast. It features Stuart Itkin, VP of Products and Marketing for Exostar. Pivot Point Security’s CISO and Managing Partner, John Verry, hosts the podcast as always.
Stuart does a great job describing Exostar in a nutshell: “We really occupy a very unique position within the defense industrial base in the aerospace and defense industry. We’re about a 20-year-old organization and we were formed by five large defense contractors, specifically to address really tough and common problems that existed among large primes within the defense industrial base.”
Stuart continues: “Today, ultimately what we’ve created is a secure collaboration and transaction platform over which about 65% of all direct spend of the DoD is transacted. So for example, Lockheed Martin manages its entire F35 supply chain over the Exostar infrastructure.”
The platform helps manage not only collaboration, but also risk: “We are the critical infrastructure that allows … organizations to exchange information, to place purchase orders, to acknowledge purchase orders and so forth. But among the areas that we’ve also addressed for our primes and other large contractors is their ability to manage risk within their supply chain. Cybersecurity being a big element of risk within their supply chain, but not the only area of risk with which they are interested.”

Like many organizations, the primes are increasingly interested in assessing third-party risk:

“So over the last several years we’ve created a series of tools for contractors … to be able to assess the risk associated with suppliers, to be able to assess compliance of those suppliers. Among those is compliance with NIST 800-171. Contractors today are required to assure that their subcontractors are eligible, that they have the proper systems and controls in place to be able to receive controlled defense information. One way that they can satisfy that is by self-attesting to their compliance, having satisfied the 110 controls of NIST 800-171, and we provide a tool that enables them to be able to perform that function, to monitor that compliance across their supply base.”
A practical benefit of Exostar’s reporting infrastructure for suppliers is that they complete the NIST 800-171 self-attestation once, and that single submission supports the due diligence of every prime they work with, rather than each prime requesting its own questionnaire.
Overall, the aim of Exostar’s evolving platform is to strengthen the cybersecurity posture of individual suppliers and of the DIB as a whole, while streamlining compliance with CMMC and/or NIST 800-171 mandates. (As we all know, compliance does not equal security.)
Having robust security controls actually in place is what ultimately prevents the exfiltration of sensitive data. But when contracts come out, contractors also need their supply chain partners to be demonstrably CMMC or NIST 800-171 compliant. A supplier’s participation in those contracts hinges on its ability to show primes that it is in compliance, and that doing business with it reduces the prime’s overall risk.
To listen to the podcast episode with Stuart Itkin in its entirety, and check out the rest of the series including the inaugural episode with Katie Arrington, you can subscribe to The Virtual CISO Podcast here.
If you don’t use Apple Podcasts, you can find all our episodes here.
