Governance 19 As part of our information security program, our businesses protect our company from cyberthreats by: y i dentifying cyberthreats and critical information assets; y implementing cybersecurity prevention, detection and response controls; y incorporating cyber risk assessment practices into program activities; y integrating cyber risk management into business risk governance practices; and y engaging with suppliers to address supply chain cyber risks to enable their compliance. The maturity of our cyber capabilities was recently affirmed by DoD’s pilot audit program to assess control compliance with the Cyber Maturity Model Certification (CMMC) program. The independent audit confirmed General Dynamics’ readiness to meet the program’s cyber control standards across all defense business units. We monitor our program’s effectiveness by performing audits, leveraging commercial tools for assessing cybersecurity posture and health, and conducting cyber penetration testing. These penetration tests emulate the most recent techniques used by advanced persistent threat adversaries. The corporate information security team notifies key decision-makers of any breaches and regularly reports to management and the board on the maturity and performance of our cybersecurity program. General Dynamics maintains cyber defense collaboration capabilities that empower our cyber defenders with high quality, actionable cyberthreat intelligence from government, industry and commercial sources. Our intelligence sharing and analysis center serves as the central hub for threat activity, incident reporting and response, and proactive sharing of the intelligence we develop from those activities with industry peers and supply chain partners. Our incident reporting processes are designed to ensure timely notification and escalation to executive leadership and the board of directors. We are committed to reporting cyber incidents to our customers and in accordance with regulatory or legal requirements. In addition, our business units regularly participate in penetration tests and cyber response exercises to gain experience with the challenging decisions required to optimize outcomes in the event of a real incident.