Approach to Cybersecurity
The Leidos Board of Directors’ Technology & Information Security Committee, which meets at least quarterly, provides oversight of matters involving the Company’s overall strategic direction and associated exposure to, and management of, significant business risks in the areas of technology, information, and operational security.
The Leidos Security Council is responsible for harmonizing effective security strategy, governance, command media, communications, and major initiatives across functional and line of business teams.
Established in 2019, the Council is co-chaired by the Chief Information Security Officer and the Chief Security Officer and is supported by voting representatives from the lines of business, the Legal Department, Ethics and Compliance, Corporate Performance Excellence, Enterprise Risk Management, and the Global Privacy Office. Nonvoting members include the Chief Audit Executive, the Chief Technology Officer, and the Corporate Controller.
Leidos has also formed a Data Governance Steering Committee, Data Classification Working Group, Records Retention Working Group, Cyber Regulatory Working Group and Data Privacy Working Group – all of which play a significant role in the continued maturation of Leidos’ global cybersecurity, data protection and privacy strategy.
Commitment to Industry Standards
Leidos uses industry-standard frameworks to govern its cybersecurity efforts. To that end, the National Institute of Standards and Technology (NIST) Special Publication 800-37, the Risk Management Framework, is used every day as our standard methodology for assessing risk related to hardware, software, systems, and cybersecurity controls.
In 2019, the Defense Contract Management Agency (DCMA) conducted a NIST SP 800-171 assessment of our Corporate System Security Plan and related controls to confirm that we comply with the 800-171 requirements invoked by the Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012. We achieved a perfect score of 110, the maximum under that assessment methodology.
In Q1 2020, we successfully renewed our ISO 27001 certification, which was conducted by an independent, accredited third-party auditor.
Our compliance with both the NIST SP 800-171 and ISO 27001 standards reflects the strength of our cybersecurity program. Our business relies entirely on the ability to assure and attest to the confidentiality, integrity, and availability of data and systems, both our own and those of our customers and partners.
Audit and Risk Assessments
To complement these external assessments, Leidos Internal Audit has developed an Information Technology Risk Assessment Framework (IT-RAF) and a Cybersecurity Risk Assessment Framework (CS-RAF). Both frameworks are based on industry-standard frameworks (e.g., NIST SP 800-171) and identify various domains under broader categories, including:
- Governance and Organization;
- Policy and Standards;
- Infrastructure and Architecture;
- Applications;
- Operations;
- Continuous Controls Monitoring; and
- Metrics and Reporting.
Internal Audit uses the above frameworks to perform continuous IT and cybersecurity risk assessments. Data privacy is a consideration under both frameworks, while cybersecurity risk is predominantly covered under CS-RAF. Using these two frameworks; the underlying risk methodology; discussions with the CIO and CISO, other senior executives, and members of both the Technology & Information Security Committee and the Audit and Finance Committee of the Board of Directors; and white papers published by commercial entities and industry trade groups, Internal Audit develops the Information Technology and Cybersecurity Internal Audit Plans.
Types of internal audits that are generally performed include:
- Information Security Governance
- Information Assets Classification and Management
- Identity and Access Management
- Change Management
- Cybersecurity Incident Response
- Vulnerability Identification and Remediation
- Business Continuity and Disaster Recovery
In 2019, Corporate Information Security also conducted its own self-assessment of the Leidos program, based on the Aerospace Industries Association (AIA) National Aerospace Standard (NAS) 9933. NAS 9933, largely derived from the Center for Internet Security (CIS) Critical Security Controls, adds further control families and maturity levels that are frequently associated with the defense industry. After baselining existing practices in each control family, Corporate Information Security established maturity targets aligned with a strategy of becoming a superior cybersecurity provider in our marketplace.
In addition, the Leidos Global Privacy Office has implemented a software system, which it calls the Global Privacy Management System, to administer various types of data mapping questionnaires and Privacy Impact Assessments.
Preparedness and Incident Response
Leidos maintains an enterprise-wide Incident Response Plan, accompanied by related policies and procedures that address how various types of data are to be protected and handled and, in the event of a cybersecurity or data security incident, the procedures that must be followed. These policies and procedures identify the incident response teams and outline accountability for key stakeholder communications.
Additionally, Leidos periodically commissions an external penetration test of our network defenses and continually tests our cybersecurity resilience, while continuing to mature our cybersecurity defenses and incident management practices.
Our Incident Response Plan includes collaboration with the Global Privacy Office when responding to incidents that involve personal information. The plan includes remediation and mitigation actions, for data managed both internally and by third parties.
We undertake regular cybersecurity tabletop exercises, taking employees through the process of dealing with a simulated incident scenario and providing hands-on training.