NORTHROP GRUMMAN CORP /DE/ 10-K Cybersecurity GRC - 2026-01-27

Page last updated on February 4, 2026

NORTHROP GRUMMAN CORP /DE/ reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-01-27 16:02:49 EST.

Filings

10-K filed on 2026-01-27

NORTHROP GRUMMAN CORP /DE/ filed a 10-K at 2026-01-27 16:02:49 EST
Accession Number: 0001133421-26-000003

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity We recognize the critical importance of maintaining the safety and security of our systems and data and have a holistic process for overseeing and managing cybersecurity and related risks. This process is supported by both management and our Board of Directors. The company's Chief Information and Digital Officer (CIDO) reports to the CEO. Our Chief Information Security Officer (CISO) reports to the CIDO and leads our cybersecurity functions. The CISO is responsible for the assessment and management of cybersecurity risk and the resiliency, protection and defense of our networks and systems . The CISO leads a team of cybersecurity professionals with broad experience and expertise, including in cybersecurity threat assessments and detection, mitigation technologies, cybersecurity training, incident response, cyber forensics, data protection, privacy, insider threats and regulatory compliance. The current CISO is an executive with extensive technical and operational experience in building and leading cybersecurity and resiliency teams in industry and the government. Our Board of Directors is responsible for overseeing enterprise risk management activities in general, and each of our Board committees assists the Board in the role of risk oversight . The full Board receives an update on the company's risk management process and the risk trends related to cybersecurity at least annually. Periodic briefings are also provided when warranted by emerging risks. The Audit and Risk Committee specifically assists the Board in its oversight of risks related to cybersecurity . To help ensure effective oversight, the CISO briefs the Audit and Risk Committee on the company's information security and cybersecurity risk posture at least four times a year. The company's Enterprise Risk Management Council (ERMC) considers risks relating to cybersecurity, among other significant risks, and applicable mitigation plans to address such risks. The ERMC is comprised of the Executive Leadership Team, as well as the Chief Accounting Officer, Chief Ethics and Compliance Officer, Corporate Secretary, Chief Environment, Quality and Safety Officer, Treasurer and Vice President, Internal Audit. The CIDO and CISO attend each ERMC meeting. The ERMC meets during the year and receives periodic updates from the CIDO and CISO on cybersecurity risks. -21- Table of Contents NORTHROP GRUMMAN CORPORATION We have an established process governing our response to a cybersecurity incident from detection to mitigation, recovery, assessment, internal and external notifications and functional stakeholder engagements with legal, privacy and risk management, among others. Depending on the nature and severity of an incident, this process provides for escalating notification to our CEO and the Board (including our Lead Independent Director and the Audit and Risk Committee chair), as appropriate. Our approach to cybersecurity risk management includes the following key elements: - Multi-Layered Defense and Real Time Monitoring - We maintain a global cybersecurity program designed to identify, assess and manage material risks from cybersecurity threats. Our program is aligned with the National Institute of Standards and Technology (NIST) Cybersecurity Framework. We employ a defense-in-depth strategy that utilizes automation and intelligence-driven threat hunting methodologies, strictly enforced identity controls and real time monitoring to protect our networks and platform integrity. We continue to invest in our compliance capabilities, maintaining readiness for Cybersecurity Maturity Model Certification requirements and meeting evolving DoW standards. We protect our computing environments and products from cybersecurity threats through multi-layered defenses and apply lessons learned from our defense and monitoring efforts to help prevent future attacks. We are proactive - utilizing data analytics to detect anomalies and search for cyber threats. Our Cybersecurity Operations Center provides comprehensive cyber threat detection and response capabilities and maintains a 24x7 monitoring system which complements the technology, processes and threat detection techniques we use to monitor, manage and mitigate cybersecurity threats or vulnerabilities. From time to time, we engage third-party consultants or other advisors to assist in assessing, identifying and/or managing cybersecurity threats. - Periodic Assessment - The cybersecurity program is subject to periodic internal assessments (including Internal Audit and penetration testing), independent third-party assessments and exercises. We periodically refine our processes to incorporate lessons learned from these assessments and exercises. Additionally, several external entities evaluate our cybersecurity program, including the U.S. Defense Contract Management Agency, the Defense Industrial Base Cybersecurity Assessment Center and a Cybersecurity Maturity Model Certification Third Party Assessment Organization, to assess and certify our cybersecurity regulatory compliance. We also engage with external auditors and consultants who conduct audits and assessments of our cybersecurity controls. - Insider Threats - We maintain an insider threat program, led by our Vice President, Corporate and Enterprise Security, designed to identify, assess, and address potential risks from within our company. Our insider threat program, which is supported by the cybersecurity program, evaluates potential risks consistent with applicable laws and regulations, customer requirements and industry practices. - Information Sharing and Collaboration - We work with government, customer, industry and/or supplier partners, such as the National Defense Information Sharing and Analysis Center and other government-industry partnerships, to gather and develop best practices and share information to address cyber threats. These relationships enable the rapid sharing of threat and vulnerability mitigation information across the defense industrial base and supply chain. - Third Party Risk Management - We conduct cybersecurity assessments before sharing or allowing the hosting or processing of our sensitive data in computing environments managed by third parties. Our standard terms and conditions contain contractual provisions requiring certain cybersecurity and data protections and controls and require third parties to notify us promptly of cyber incidents or data breaches so that we can assess potential impact on us. - Training and Awareness - We provide annual cybersecurity and information security awareness training to our employees with network access to help identify, avoid and mitigate cybersecurity threats and insider risks. This training also includes awareness about the policies and guidance associated with data privacy and protection of personal information, and protection and security of our company, customer and other third-party data. We regularly conduct targeted phishing exercises for employees on each company network. We also periodically host cybersecurity and ransomware tabletop exercises with management and other company functional stakeholders to practice rapid cyber incident response. - Supplier Engagement - We provide training and other resources to our suppliers to support cybersecurity resiliency and data security principles in our supply chain in addition to any requirements from our customers, as a condition of doing business with us, and require them to complete information security -22- Table of Contents NORTHROP GRUMMAN CORPORATION questionnaires to review and assess any potential cyber-related risks depending on the nature of the services or products being provided. - Third Party Cybersecurity Service Providers - We engage third party service providers to expand the capabilities and capacity of our cybersecurity program, including for design, monitoring and testing of the program's risk prevention and protection measures and process execution, including incident detection, investigation, analysis and response, eradication and recovery. - Product Security - We provide cyber threat intelligence to, and collaboration with, our product security teams and share expertise in cyber vulnerability, exploit and resilience technology that can be applied to network infrastructure and company product offerings. While we have experienced cybersecurity incidents in the past, to date none have materially affected the company or our financial position, results of operations and/or cash flows. We continue to invest in the cybersecurity and resiliency of our networks and products and to enhance our internal controls and processes, which are designed to help protect our programs, systems and infrastructure, and the information they contain. For more information regarding the risks we face from cybersecurity threats, please see "Risk Factors."

Company Information