| Cybersecurity Risk Management and Strategy Disclosure | 12 Months Ended |
|---|---|
| | Mar. 31, 2026 |
| Cybersecurity Risk Management, Strategy, and Governance [Line Items] | |
| Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block] | Cybersecurity oversight is embedded in our ERM Steering Committee, chaired by the President and Chief Operating Officer and including senior executives such as the Chief Information Security Officer (“CISO”) and Chief Information Officer (“CIO”). This committee: • provides oversight of cybersecurity risk within the broader ERM framework and reviews management’s approach to cybersecurity risk identification, assessment, and response; • reviews management’s alignment of cybersecurity risk management priorities and strategies with business objectives; and • receives updates from management regarding cybersecurity assessments, exercises, mitigation activities, and significant cybersecurity risks. See “Item 1C. Cybersecurity—Governance—Management’s Responsibilities” below for additional information regarding our cybersecurity risk management program. |
| Cybersecurity Risk Management Processes Integrated [Flag] | true |
| Cybersecurity Risk Management Processes Integrated [Text Block] | As one of the world’s largest cybersecurity solution providers, we routinely defend against advanced persistent threats both internally and for our customers. Our cybersecurity risk management program is an integral part of our overall Enterprise Risk Management (“ERM”) program, and is designed to assess, identify, manage and mitigate internal and external cybersecurity risks, threats and incidents. |
| Cybersecurity Risk Management Third Party Engaged [Flag] | true |
| Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] | true |
| Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] | false |
| Cybersecurity Risk Board of Directors Oversight [Text Block] | Our cybersecurity risk management program is led by our CIO and CISO, who are responsible for our information security strategy, policies, compliance, security architecture and engineering, security operations, and cybersecurity threat detection and response. Our CIO has served as chief technology officer for several large-scale enterprises in the healthcare industry and has more than 30 years of enterprise information technology experience, with deep expertise in aligning technology strategy with business goals, advancing cybersecurity capabilities, and leveraging AI and cloud computing to drive performance and efficiency. Our CISO has over 20 years of information security and program management experience and has served as the CISO for other large-scale enterprises. In addition to our CIO and CISO, we leverage our commercial incident response team and government cyber expertise to harden our cybersecurity infrastructure. As a government contractor, we are required to comply with extensive regulations and standards, including but not limited to cybersecurity regulations and standards, Cybersecurity Maturity Model Certification (CMMC) requirements, and the requirements of the DFARS. Booz Allen achieved a Final C3PAO (CMMC Third Party Assessment Organization) CMMC Level 2 Certification in October 2025, which is valid for 3 years with a mandated annual attestation of compliance from the CISO. Additionally, our cybersecurity risk management program is guided by the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework. Our policies and implemented controls have been assessed and are subject to assessment by external organizations, including industry partners, the federal government, and third-party assessors. We work closely with our subcontractors and suppliers to identify and manage cybersecurity risks and, as appropriate, require them to comply with applicable laws and regulations. These contractual requirements include the requirement that our subcontractors implement certain security controls and that our subcontractors self-report the status of their implementation of these controls to the U.S. government. To manage cybersecurity risk introduced from our supply chain, depending on the nature of a supplier’s work and the sensitivity of our and our customers’ information provided to the supplier, we also require suppliers to complete our security questionnaire and provide evidence of security accreditations, including, as applicable, proof of CMMC compliance, and we evaluate supplier compliance with security requirements using internal and third-party resources. Our CISO also leads our Cyber Fusion Center (“CFC”), whose function is, pursuant to our Cyber Incident Response Plan, to stay apprised of existing and emerging cybersecurity threats and monitor our information systems to proactively identify, protect against, and mitigate cybersecurity threats. The CFC uses intelligence collected from various sources, fused with intelligence collected from analysis and response actions, to proactively search for and address adversary activity against our information systems. The CFC possesses in-depth knowledge of network, endpoint, and perimeter security systems, identity-based vulnerabilities, data protection, threat intelligence, forensics, penetration testing, and threat detection, monitoring, and response, as well as the functioning of specific applications or underlying information systems infrastructure. Additionally, the CFC regularly conducts tabletop exercises to test and evaluate our incident response processes in routine and emerging areas of cyber risk. The CFC partners with a third-party managed systems security provider (“MSSP”) to augment 24x7 cyber incident monitoring. The Cyber Incident Response Team (“CIRT”) is responsible for the incident response process and provides direction and guidance to users of our information systems when responding to cybersecurity incidents. The CIRT also provides intrusion monitoring of networks and information systems, and performs triage and analysis of cyber and data loss events to identify and respond to potential incidents, including potential incidents occurring on third-party systems. The CIRT also includes data loss prevention (“DLP”) capabilities, and proactively monitors and protects sensitive data across the organization, identifying and mitigating risks of data exfiltration, misuse, or unauthorized access. The team leverages DLP tools to detect and respond to anomalies in data usage, transmission, and storage. The CIRT categorizes anomalous cybersecurity and data loss events into discrete levels under which cybersecurity events are escalated to the appropriate levels of management, as well as to our Crisis Management Team, Cyber Incident Materiality Committee, Audit Committee, and Board, based on the severity of the incident. While typical cybersecurity management and incident response is provided by internal resources, we have arrangements with certain third parties whom we can engage if additional support or resources are required. |
| Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] | Our cybersecurity risk management program is led by our CIO and CISO, who are responsible for our information security strategy, policies, compliance, security architecture and engineering, security operations, and cybersecurity threat detection and response. |
| Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block] | The Board oversees the Company’s risk management processes, including those relevant to cybersecurity risks, and the Audit Committee provides focused governance of cybersecurity, ensuring that cybersecurity threats, vulnerabilities, and incident response measures are continuously assessed and managed. |
| Cybersecurity Risk Role of Management [Text Block] | The Board oversees the Company’s risk management processes, including those relevant to cybersecurity risks, and the Audit Committee provides focused governance of cybersecurity, ensuring that cybersecurity threats, vulnerabilities, and incident response measures are continuously assessed and managed. The Audit Committee receives regular briefings from the CISO on risks related to internal systems, third-party relationships, and emerging cybersecurity threats. The Audit Committee provides updates to the Board on significant cybersecurity risks and the Company’s mitigation strategies. |
| Cybersecurity Risk Management Positions or Committees Responsible [Flag] | true |
| Cybersecurity Risk Management Positions or Committees Responsible [Text Block] | Our CISO also leads our Cyber Fusion Center (“CFC”), whose function is, pursuant to our Cyber Incident Response Plan, to stay apprised of existing and emerging cybersecurity threats and monitor our information systems to proactively identify, protect against, and mitigate cybersecurity threats. |
| Cybersecurity Risk Management Expertise of Management Responsible [Text Block] | Our CIO has served as chief technology officer for several large-scale enterprises in the healthcare industry and has more than 30 years of enterprise information technology experience, with deep expertise in aligning technology strategy with business goals, advancing cybersecurity capabilities, and leveraging AI and cloud computing to drive performance and efficiency. Our CISO has over 20 years of information security and program management experience and has served as the CISO for other large-scale enterprises. In addition to our CIO and CISO, we leverage our commercial incident response team and government cyber expertise to harden our cybersecurity infrastructure. |
| Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block] | The Audit Committee receives regular briefings from the CISO on risks related to internal systems, third-party relationships, and emerging cybersecurity threats. The Audit Committee provides updates to the Board on significant cybersecurity risks and the Company’s mitigation strategies. |
| Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] | true |