CACI INTERNATIONAL INC /DE/ 10-K Cybersecurity GRC - 2024-08-08

Page last updated on August 8, 2024

CACI INTERNATIONAL INC /DE/ reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-08-08 14:03:04 EDT.

Filings

10-K filed on 2024-08-08

CACI INTERNATIONAL INC /DE/ filed a 10-K at 2024-08-08 14:03:04 EDT
Accession Number: 0000016058-24-000132

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Risk Management and Strategy CACI is committed to maintaining a robust cybersecurity management and oversight program to mitigate cybersecurity risks to our systems and to protect both our and our customer’s confidential and sensitive information. We employ technologies and have implemented programs and processes to continually assess, identify, and manage cybersecurity risks as we aim to incorporate industry best practices throughout our cybersecurity program. CACI’s cybersecurity program is integrated into our overall risk management program and is primarily managed by our Chief Information Security Officer (“CISO”) who is responsible for coordinating cross-functional internal and external resources to establish processes and procedures to monitor potential cybersecurity risks, identify cybersecurity incidents, implement appropriate mitigation measures, report cybersecurity breaches and maintain our cybersecurity program. Our CISO has extensive experience assessing and managing cybersecurity programs and cybersecurity risk and monitors prevention, detection, mitigation, and remediation efforts through regular communication and reporting from experienced cybersecurity professionals in the information security team, and with technological tools and software. We continuously monitor cybersecurity threats and assess the robustness of our mitigation and prevention measures through routine internal and independent audits, threat simulations, vulnerability and penetration testing and employee cybersecurity training. Our cybersecurity program is designed to be aligned with applicable industry standards and we continue to invest in capabilities to protect all information assets in our possession. As a government contractor, we have designed our cybersecurity risk management program to align with the National Institute of Standards and Technology (“NIST”) standards and comply with extensive regulations, including but not limited to U.S. government cybersecurity regulations. Additionally, our cybersecurity program is routinely assessed by the government and our network is penetration tested biannually by a third-party independent assessor. We work closely with our subcontractors and suppliers to identify and manage cybersecurity risks and, as appropriate, require them to comply with applicable laws and regulations, including implementing certain security controls and complying with certain reporting obligations. Although we perform due diligence on all service providers to identify potential cybersecurity risks and establish controls through onboarding procedures and contractual requirements, our ability to monitor the cybersecurity practices of our service providers and ensure that we can prevent or mitigate the risk of any compromise or failure in the information system, software, networks and other assets owned or controlled by our vendors is limited. In the event of a cybersecurity incident, the Company has established an incident response plan to address the matter promptly and effectively. Our CISO leads our Cybersecurity Incident Response Team (“CIRT”) that is responsible for leading and coordinating CACI’s response to cybersecurity incidents in accordance with CACI’s established cybersecurity incident response plan and response processes. In accordance with these policies, cybersecurity events and data incidents are evaluated, ranked by severity and prioritized for escalation to CACI’s Executive Incident Assessment Committee. The plan includes procedures for investigating and containing incidents, notifying affected parties, and implementing corrective actions to prevent future occurrences. Board Oversight The Audit and Risk Committee (“Audit Committee”) has oversight responsibility for risks and incidents relating to cybersecurity, including compliance with regulatory requirements, cooperation with law enforcement, and related effects on financial and other risks. The Audit Committee receives regular briefings on our cybersecurity posture, cybersecurity trends and cybersecurity risks from management and, if they occur, is briefed regarding any material cybersecurity incidents. The Audit Committee reports any findings or recommendations to the Board, as appropriate. Cybersecurity Threats To date, we have not identified any cybersecurity threats that have materially affected or are reasonably likely to materially affect our business operations or financial condition. While the Company has taken significant steps to manage cybersecurity risks, there can be no assurance that these measures will prevent all potential incidents. For more information on our cybersecurity related risks, see Item 1A Risk Factors of this Annual Report on Form 10-K.

Company Information