Science Applications International Corp 10-K Cybersecurity GRC - 2025-03-17

Page last updated on March 17, 2025

Science Applications International Corp reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-17 12:16:06 EDT.

Filings

10-K filed on 2025-03-17

Science Applications International Corp filed a 10-K at 2025-03-17 12:16:06 EDT
Accession Number: 0001571123-25-000022


Item 1C. Cybersecurity.

Risk Management and Strategy

We are subject to various cybersecurity risks and continuously monitor and assess our cybersecurity measures to protect against a multitude of cyber threats from adversaries, including nation state actors, that target critical infrastructure sectors such as the defense industrial base. A cybersecurity incident impacting us or our subcontractors or suppliers could materially adversely affect our operations, performance, and results.

We expend considerable resources on our cybersecurity management and oversight program designed to identify, manage, and mitigate cybersecurity risks. This program is integrated into our overall risk management systems and processes and includes continuous monitoring of cybersecurity threats, regular assessments of information systems, vulnerability management, penetration testing, employee training on cybersecurity best practices, and ongoing assessments of risk.

We have established an incident response plan to promptly and effectively address cybersecurity incidents. The incident response plan provides steps to identify, mitigate, and recover from incidents, and procedures to escalate issues to senior management, legal, and, when appropriate, our Board of Directors. The plan includes procedures for investigating and containing incidents, notifying affected parties, as appropriate, and implementing corrective actions.

As a defense contractor, we must comply with DoD cybersecurity requirements for handling Controlled Unclassified Information (“CUI”) and requirements in the Defense Federal Acquisition Regulation Supplement (“DFARS”) regarding reporting cybersecurity incidents to the DoD, including the DoD’s Cybersecurity Maturity Model Certification (“CMMC”) program. We are prepared to participate in this program and obtain associated CMMC certification.
We also adhere to the standards set forth by the National Institute of Standards and Technology (“NIST”) and the International Organization for Standardization (“ISO”) to ensure the highest level of security and operational excellence. Our commitment to compliance with these rigorous frameworks is integral to maintaining the confidentiality, integrity, and availability of our services and products.

We rely on various third-party providers, such as vendors, suppliers and other business partners for certain aspects of our operations. These third parties are also susceptible to cybersecurity risks. We conduct due diligence on the cybersecurity practices and controls on these providers and include provisions in our contracts requiring appropriate cybersecurity measures. In addition, in the case of a third-party cybersecurity incident, we identify and mitigate risks to minimize impacts to us from third-party incidents.

We share and receive threat intelligence with our peers in the defense industrial base, government agencies, information sharing and analysis centers, and cybersecurity associations. We have relationships with third-party service providers who also assess our security controls through penetration testing, independent audits, and consulting on best practices to address emerging challenges. These assessments evaluate the effectiveness of our security controls.

Governance

Management’s Responsibilities

Our information security program is led by our corporate Chief Information Security Officer (“CISO”), who works closely in a cross-functional capacity with key corporate and operational business stakeholders, including our Chief Information Officer. They and the other individuals supporting our information security program demonstrate their cybersecurity expertise through qualifications such as prior work experience, possession of a cybersecurity certification, degree, or other cybersecurity experience.
The CISO collaborates with these functions for the purpose of establishing processes and procedures to monitor potential cybersecurity risks, identifying cybersecurity incidents, implementing appropriate mitigation measures, reporting cybersecurity breaches, assessing materiality, maintaining our cybersecurity program, and other information security incidents. The CISO provides regular updates on our cybersecurity posture and preparedness to senior management.

Board of Directors’ Roles and Responsibilities

Our cybersecurity risks and associated mitigations, as part of our enterprise risk management, are continually monitored by senior leadership. These risks and mitigations are also subject to oversight by the Audit Committee and the Risk Oversight Committee (“ROC”) of our Board of Directors. The ROC is the primary committee that oversees enterprise cybersecurity risks and reviews cybersecurity matters, including our policies and procedures for protecting our cybersecurity infrastructure and for compliance with data protection and security regulations, and related risks. The ROC receives information regarding such risks from management, including our CISO, and reports to the Board on a quarterly basis. The ROC also oversees the Board’s response to any significant cybersecurity incidents.

Cybersecurity Threats

While we have taken significant steps to manage cybersecurity risks, there can be no assurance that these measures will prevent all potential incidents. A material cybersecurity incident could have a material adverse effect on our financial condition, results of operations, or cash flows. We are committed to addressing cybersecurity risks in an ever-evolving technological landscape. Management will continue to evaluate and enhance its cybersecurity measures to adapt to emerging threats and comply with evolving regulatory requirements.
We describe whether and how risks from identified cybersecurity threats have materially affected or are reasonably likely to materially affect us, including our organizational strategy, results of operations, or financial condition as part of our risk factor disclosures in Part I, Item 1A of this report.


Company Information

Name: Science Applications International Corp
CIK: 0001571123
SIC Description: Services-Computer Integrated Systems Design
Ticker: SAIC - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: January 30