
Cybersecurity

Approach to Cybersecurity

The Leidos Board of Directors’ Technology & Information Security Committee, which meets at least quarterly, provides oversight of matters involving the Company’s overall strategic direction and associated exposure to, and management of, significant business risks in the areas of technology, information, and operational security. 

The Leidos Security Council is responsible for harmonizing effective security strategy, governance, command media, communications, and major initiatives across functional and line of business teams. 

Established in 2019, the team is co-chaired by the Chief Information Security Officer and the Chief Security Officer and is supported by voting representatives from the lines of business, Legal Department, Ethics and Compliance, Corporate Performance Excellence, Enterprise Risk Management, and Global Privacy Office. Nonvoting members include the Chief Audit Executive, Chief Technology Officer, and the Corporate Controller.

Leidos has also formed a Data Governance Steering Committee, Data Classification Working Group, Records Retention Working Group, Cyber Regulatory Working Group and Data Privacy Working Group – all of which play a significant role in the continued maturation of Leidos’ global cybersecurity, data protection and privacy strategy.

Commitment to Industry Standards

Leidos adheres to industry-standard frameworks to provide robust governance over our cybersecurity efforts. We employ the National Institute of Standards and Technology (NIST) 800-37 Risk Assessment methodology as our standard approach for evaluating risk related to hardware, software, systems, and cybersecurity controls.

Our commitment to cybersecurity is demonstrated through regular third-party assessments. We undergo an independent ISO 27001 certification audit annually, ensuring continuous alignment with best practices for information security management. Additionally, our enterprise systems are subject to an external NIST SP 800-171 assessment every three years to maintain compliance with Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012 and evolving Cybersecurity Maturity Model Certification (CMMC) requirements.

By maintaining these rigorous certifications and assessments, we reinforce our industry-leading cybersecurity program. Our business depends on ensuring the confidentiality, security, integrity, and availability of data and systems—both our own and those of our customers and partners.

Audit and Risk Assessments

To further validate these externally assessed standards, Leidos Internal Audit has developed an Information Technology Risk Assessment Framework (IT-RAF) and a Cybersecurity Risk Assessment Framework (CS-RAF). Both frameworks are based on industry-standard frameworks (e.g., NIST 800-171) and identify various domains under broader categories, including:

  • Governance and Organization
  • Policy and Standards
  • Infrastructure and Architecture
  • Applications
  • Operations
  • Awareness
  • Continuous Controls Monitoring
  • Metrics and Reporting
  • Compliance


Internal Audit uses the above frameworks to perform continuous IT and cybersecurity risk assessments. Data privacy is a consideration under both frameworks, while cybersecurity risk is predominantly covered under CS-RAF. Internal Audit develops its Information Technology and Cybersecurity Internal Audit Plans using these two frameworks and the underlying risk methodology, together with discussions with the CIO and CISO, other senior executives, and members of both the Technology and Info Security Committee and the Audit and Finance Committee of the Board of Directors, as well as white papers published by commercial entities and industry trade groups.

Types of internal audits that are generally performed include: 

  • Information Security Governance
  • Identity and Access Management
  • Information Assets Classification and Management
  • Vulnerability Identification and Remediation
  • Change Management
  • Cybersecurity Incident Response
  • Business Continuity and Disaster Recovery


In 2019, Corporate Information Security also conducted its own self-assessment of the Leidos program, based on the Aerospace Industries Association (AIA) National Aerospace Standard (NAS) number 9933. NAS 9933, mostly derived from the Center for Internet Security Maturity Model, adds further control families that are frequently associated with the Defense industry. After a baseline of existing practices in each control family, Corporate Information Security established maturity targets aligned against a strategy of becoming a Superior Cybersecurity provider in our marketplace.

In addition, the Leidos Global Privacy Office has implemented a software system, which it calls the Global Privacy Management System, to administer various types of data mapping questionnaires and Privacy Impact Assessments.

Preparedness and Incident Response

Leidos has an enterprise-wide Incident Response Plan, accompanied by related policies and procedures that address how various types of data are to be protected and handled and, in the event of a cybersecurity or data security incident, the procedures that must be followed. These policies and procedures identify incident response teams and outline accountability for key stakeholder communications.

Additionally, Leidos periodically conducts an external penetration test of our network defenses and continually tests our cybersecurity resilience, while continuing to mature our cybersecurity defenses and incident management practices. 

Our Incident Response Plan includes collaboration with the Global Privacy Office when responding to incidents that involve personal information. The plan includes remediation and mitigation actions, for data managed both internally and by third parties.

We undertake regular cybersecurity tabletop exercises, taking employees through the process of dealing with a simulated incident scenario and providing hands-on training.