BAH: 10-K Risk Factor Changes

2024 vs 2023  ·  SEC EDGAR  ·  2026-05-10
⚠ AI-Generated

The summary below was generated by an AI language model and may contain errors or omissions. All other content on this page is deterministically extracted from the original SEC EDGAR filing.

BAH added a new risk factor in 2024 focused on artificial intelligence exposure, reflecting emerging regulatory and competitive concerns in this domain. Seven existing risk factors were substantively modified, including heightened emphasis on international operations risks, expanded data privacy and cybersecurity compliance obligations, and enhanced disclosure around internal system and vendor failure vulnerabilities. The overall risk landscape remained largely stable with 54 unchanged factors, indicating that BAH's core risk exposures remained consistent while the company addressed emerging technology and regulatory threats.

✓ Deterministic extraction — no AI-generated data

Classification is based on semantic text similarity scoring and may include approximations. “No match” means no high-confidence textual match was found — not necessarily that a section was removed.

New Risks: 1  ·  Removed: 0  ·  Modified: 7  ·  Unchanged: 54
🟢 New in Current Filing

We utilize artificial intelligence, which could expose us to risks including potential liability as well as regulatory, competition, reputational and other risks.

We utilize artificial intelligence, including generative artificial intelligence, machine learning, and similar tools and technologies that collect, aggregate, analyze, or generate data or other materials (collectively, “AI”) in connection with our business. The development, deployment and oversight of the use of AI by us, either directly or by engaging third-party AI developers, as well as the use of AI by competitors, is expected to require us to invest substantially in AI technology resources and related governance. There are significant risks involved in using AI and no assurance can be provided that our use of AI will enhance our products or services, produce the intended results, or keep pace with the use of AI by our competitors. For example, AI algorithms may produce incomplete, insufficient, biased or otherwise flawed results or rely upon biased or inaccurate data, and any of these deficiencies may not be easily detectable despite internal policies and diligence efforts in place to mitigate such deficiencies. The degraded or flawed performance could also result from adversarial attacks that include data poisoning, malware risks, and evasion techniques. If the AI that we use produces deficient, inaccurate, or controversial results, or if public opinion of AI is adversely affected due to actual or perceived risks regarding the usage of AI, we could incur operational inefficiencies, competitive harm, legal liability, brand or reputational harm, or other adverse impacts on our business and results of operations. If we, or the third-party AI developers on which we rely, do not have sufficient rights to use the data or other material relied upon by such AI technologies, we also may incur liability through the alleged violation of applicable laws and regulations, third-party intellectual property, data privacy, or other rights, or contractual obligations. 
Although we conduct diligence on third-party AI developers, we will not be able to control the manner in which third-party AI technologies are developed or maintained. Legal and regulatory frameworks related to the use of AI are evolving, including due to the perceived or actual risks of bias, unfair discrimination, transparency, and information security. The technologies underlying AI and its uses are subject to a variety of laws and regulations, including intellectual property, data privacy and security, consumer protection, competition, and equal opportunity laws, and may be subject to new laws and regulations or new interpretations of existing laws and regulations. AI is the subject of ongoing review by various U.S. and foreign governmental and regulatory agencies. For example, in October 2023, the Biden Administration signed an executive order on Safe, Secure, and Trustworthy Artificial Intelligence which charges various Federal agencies to establish standards for AI safety and security. In addition, in March 2024, the EU enacted a new regulation applicable to certain AI technologies and the data used to train, test and deploy them. The enactment or expansion of laws and regulations related to the use of AI in our operations could result in increased compliance costs related to our use of AI. Furthermore, it is not possible to predict all the legal, operational or technological risks that may arise relating to the use of AI, any of which may materially and adversely affect our business and results of operations.

🟡 Modified

We are subject to risks associated with operating internationally.

high match confidence

Sentence-level differences:

  • Reworded sentence: "Our business operations are subject to a variety of risks associated with conducting business internationally, including: •Changes in or interpretations of laws or policies that may adversely affect the performance of our services; •Political instability in foreign countries and international security concerns, such as those relating to the geopolitical conflict, including the ongoing conflict between Russia and Ukraine, the ongoing conflict between Israel and Hamas, and increased tensions in Asia, and potential actions or retaliatory measures taken in respect thereof; •Imposition of inconsistent or conflicting laws or regulations; •Reliance on the U.S."
  • Reworded sentence: "government and foreign laws and regulations applicable to international business, sanctions, employment, privacy, data protection, information security, or data transfer could have an adverse impact on our business with the U.S."
  • Reworded sentence: "Foreign Corrupt Practices Act (the “FCPA”) and other laws that prohibit improper payments or offers of payments to foreign government officials, political parties and commercial entities for the purpose of obtaining or retaining business."
  • Added sentence: "Likewise, we are impacted by the recent passage of the U.S."
  • Added sentence: "Foreign Extortion Prevention Act (the “FEPA”) that criminalizes a foreign government official’s solicitation of improper payments from U.S."

Current (2024):

Our business operations are subject to a variety of risks associated with conducting business internationally, including: •Changes in or interpretations of laws or policies that may adversely affect the performance of our services; •Political instability in foreign countries and international security concerns, such as those relating to the geopolitical conflict, including the ongoing conflict between Russia and Ukraine, the ongoing conflict between Israel and Hamas, and increased tensions in Asia, and potential actions or retaliatory measures taken in respect thereof; •Imposition of inconsistent or conflicting laws or regulations; •Reliance on the U.S. or other governments to authorize us to export products, technology, and services to clients and other business partners; •Reliance on foreign countries for critical parts in order to meet our technical delivery requirements; •Conducting business in places where laws, business practices, and customs are unfamiliar or unknown; •Failure to comply with U.S. government and foreign laws and regulations applicable to international business, sanctions, employment, privacy, data protection, information security, or data transfer could have an adverse impact on our business with the U.S. government and could expose us to risks and costs of non-compliance with such laws and regulations, in addition to administrative, civil, or criminal penalties; •Failure by third parties that we work with, including suppliers, subcontractors, and vendors, to comply with U.S. government and foreign laws and regulations applicable to international business, sanctions, employment, privacy, data protection, information security, or data transfer could expose Booz Allen to risks and costs of non-compliance with such laws and regulations, in addition to administrative, civil, or criminal penalties; •U.S. 
and foreign government import and export control requirements and regulations, including International Traffic in Arms Regulations and the anti-boycott provisions of the U.S. Export Administration Act, technology transfer restrictions and other administrative, legislative, or regulatory actions that could materially interfere with our ability to offer our products or services in certain countries; •Imposition of limitations on or increase of withholding and other taxes on payments by foreign subsidiaries or joint ventures; •Changes in state and federal regulations in state money transmission regulations, anti-money laundering regulations, economic and trade sanctions administered by the U.S. Treasury Department's Office of Foreign Asset Control; •Volatility resulting from the United Kingdom's withdrawal from the European Union in January 2020, particularly in countries where the Company has substantial activities; and •Imposition of tariffs or embargoes, export controls, and other trade restrictions. In addition, we are subject to the U.S. Foreign Corrupt Practices Act (the “FCPA”) and other laws that prohibit improper payments or offers of payments to foreign government officials, political parties and commercial entities for the purpose of obtaining or retaining business. We have operations and deal with governmental clients and regulators in countries known to create heightened corruption risk, including certain developing countries. Our activities in these countries create the risk of unauthorized payments or offers of payments by one of our employees or third parties that we work with that could implicate Booz Allen for violations of various laws including the FCPA and other anti-corruption laws, even though these parties are not always subject to our control. Likewise, we are impacted by the recent passage of the U.S. Foreign Extortion Prevention Act (the “FEPA”) that criminalizes a foreign government official’s solicitation of improper payments from U.S. 
companies or individuals in exchange for conferring an improper advantage. While this law targets improper demands by foreign officials and, therefore, does not directly impact our employees or third parties that we work with, it may increase enforcement of the FCPA other applicable anti-corruption laws and amplify exposure for U.S. companies. Our international operations also involve activities involving the transmittal of information, which may include personal data, which may expose us to data privacy laws in the jurisdictions in which we operate. If our data protection practices become subject to new or different restrictions, and to the extent such practices are not compliant with the laws of the countries in which we process data, we could face increased compliance expenses and face penalties for violating such laws or be excluded from those markets altogether, in which case our operations could be adversely affected. We are also subject to import-export control regulations restricting the use and dissemination of information classified for national security purposes and the export of certain products, services, and technical data, including requirements regarding any applicable licensing of our employees involved in such work. We are also subject to applicable sanctions laws, regulations, embargoes, or restrictive measures intended to prevent unauthorized transactions with prohibited persons, entities, and countries, including, those administered and enforced by the U.S. Department of Treasury’s Office of Foreign Assets Control (“OFAC”), the Office of Financial Sanctions Implementation (“OFSI”) in the UK, and the competent authorities responsible for the administration and enforcement of Sanctions in individual EU Member States. 
If we were to fail to comply with the FCPA, other applicable anti-corruption laws, import-export control regulations, sanctions, data privacy laws, or other rules and regulations, we could be subject to substantial civil and criminal penalties, including fines for our Company and incarceration for responsible employees and managers, suspension or debarment, and the possible loss of export or import privileges which could have a material adverse effect on our business and results of operations.

Prior (2023):

Our business operations are subject to a variety of risks associated with conducting business internationally, including: •Changes in or interpretations of laws or policies that may adversely affect the performance of our services; •Political instability in foreign countries and international security concerns, such as those relating to the geopolitical conflict, including the ongoing conflict between Russia and Ukraine and increased tensions in Asia, and potential actions or retaliatory measures taken in respect thereof; •Imposition of inconsistent or conflicting laws or regulations; •Reliance on the U.S. or other governments to authorize us to export products, technology, and services to clients and other business partners; •Reliance on foreign countries for critical parts in order to meet our technical delivery requirements; •Conducting business in places where laws, business practices, and customs are unfamiliar or unknown; •Failure to comply with U.S. government and foreign laws and regulations applicable to international business, employment, privacy, data protection, information security, or data transfer could have an adverse impact on our business with the U.S. government and could expose us to risks and costs of non-compliance with such laws and regulations, in addition to administrative, civil, or criminal penalties; •U.S. and foreign government import and export control requirements and regulations, including International Traffic in Arms Regulations and the anti-boycott provisions of the U.S. 
Export Administration Act, technology transfer restrictions and other administrative, legislative, or regulatory actions that could materially interfere with our ability to offer our products or services in certain countries; •Imposition of limitations on or increase of withholding and other taxes on payments by foreign subsidiaries or joint ventures; •Changes in state and federal regulations in state money transmission regulations, anti-money laundering regulations, economic and trade sanctions administered by the U.S. Treasury Department's Office of Foreign Asset Control; •Volatility resulting from the United Kingdom's withdrawal from the European Union in January 2020, particularly in countries where the Company has substantial activities; and •Imposition of tariffs or embargoes, export controls, and other trade restrictions. In addition, we are subject to the U.S. Foreign Corrupt Practices Act, or the FCPA, and other laws that prohibit improper payments or offers of payments to foreign government officials and political parties by business entities for the purpose of obtaining or retaining business. We have operations and deal with governmental clients and regulators in countries known to create heightened corruption risk, including certain developing countries. Our activities in these countries create the risk of unauthorized payments or offers of payments by one of our employees or third parties that we work with that could implicate Booz Allen for violations of various laws including the FCPA and other anti-corruption laws, even though these parties are not always subject to our control. Our international operations also involve activities involving the transmittal of information, which may include personal data, which may expose us to data privacy laws in the jurisdictions in which we operate. 
If our data protection practices become subject to new or different restrictions, and to the extent such practices are not compliant with the laws of the countries in which we process data, we could face increased compliance expenses and face penalties for violating such laws or be excluded from those markets altogether, in which case our operations could be adversely affected. We are also subject to import-export control regulations restricting the use and dissemination of information classified for national security purposes and the export of certain products, services, and technical data, including requirements regarding any applicable licensing of our employees involved in such work. If we were to fail to comply with the FCPA, other anti-corruption laws, applicable import-export control regulations, data privacy laws, or other applicable rules and regulations, we could be subject to substantial civil and criminal penalties, including fines for our Company and incarceration for responsible employees and managers, suspension or debarment, and the possible loss of export or import privileges which could have a material adverse effect on our business and results of operations.

🟡 Modified

Implementation of and compliance with various data privacy and cybersecurity laws, regulations and standards could require significant investment into ongoing compliance activities, trigger potential liability, and limit our ability to use personal data.

high match confidence

Sentence-level differences:

  • Added sentence: "In addition, enactment or expansion of laws related to the use of artificial intelligence in our operations could increase the cost of doing business, subject us to potential liability, regulatory risk or reputational harm."
  • Reworded sentence: "For example, the European Union’s General Data Protection Regulation (the “GDPR”), and the United Kingdom’s GDPR impose compliance obligations on companies that process personal data of people in the European Union and United Kingdom, respectively."
  • Reworded sentence: "In addition, California, Colorado, Connecticut, Iowa, Virginia, Utah, and other states have enacted comprehensive privacy laws that restrict the collection, use, and processing of personal information, provide rights to residents of those respective states, and create corresponding compliance obligations and litigation risks."
  • Reworded sentence: "However, the CCPA now covers personal information collected from California residents in the context of recruitment and employment, as well as business-to-business arrangements, and therefore imposes additional compliance obligations on Booz Allen with respect to such personal information."
  • Reworded sentence: "Congress is considering federal privacy, cybersecurity and AI legislation that would create requirements similar to or possibly exceeding these comprehensive U.S."

Current (2024):

Any failure by us, our vendors or other business partners to comply with international, U.S. federal, state or local laws and regulations regarding data privacy or cybersecurity could result in regulatory actions or lawsuits against us, legal liability, injunctions, fines, damages or other costs. We may also incur substantial expenses in implementing and maintaining compliance with such laws and regulations, including those that require certain types of data to be retained on servers within these jurisdictions. In addition, enactment or expansion of laws related to the use of artificial intelligence in our operations could increase the cost of doing business, subject us to potential liability, regulatory risk or reputational harm. Our failure to comply with applicable laws and regulations may result in privacy claims or enforcement actions against us, including liabilities, fines and damage to our reputation, any of which may have a material adverse effect on our results of operations. For example, the European Union’s General Data Protection Regulation (the “GDPR”), and the United Kingdom’s GDPR impose compliance obligations on companies that process personal data of people in the European Union and United Kingdom, respectively. Compliance with these laws requires investment into ongoing data protection activities and documentation requirements, and creates the potential for fines and liabilities for noncompliance. In addition, California, Colorado, Connecticut, Iowa, Virginia, Utah, and other states have enacted comprehensive privacy laws that restrict the collection, use, and processing of personal information, provide rights to residents of those respective states, and create corresponding compliance obligations and litigation risks. 
For example, the California Consumer Privacy Act (the “CCPA”, as amended by the California Privacy Rights Act, the “CPRA”), the Virginia Consumer Data Protection Act (the “VCDPA”), and the Colorado Privacy Act (the “CPA”), provide for consumer rights for residents of those respective states and create corresponding compliance obligations and litigation risks. The impact from the VCDPA and the CPA to Booz Allen is currently low because most of our personal information is client- or employee-related and therefore not defined as consumer-related. However, the CCPA now covers personal information collected from California residents in the context of recruitment and employment, as well as business-to-business arrangements, and therefore imposes additional compliance obligations on Booz Allen with respect to such personal information. These comprehensive state privacy laws, or other emerging U.S. state or global privacy laws, may require additional investment in compliance programs and potential modifications to business processes, and could result in fines, individual claims, and liabilities for certain compliance failures, particularly in the event of a data breach. As other states follow this trend, laws of this nature could be deemed applicable to some aspects of our business. This will impose new compliance obligations and require additional investment into data protection activities. Any obligations that may be imposed on us under CCPA, CPRA, VCDPA, CPA or similar laws may increase our compliance costs and potential liability, particularly in the event of a data breach, and could have a material adverse effect on our business, including how we use personal information or our results of operations. The U.S. Congress is considering federal privacy, cybersecurity and AI legislation that would create requirements similar to or possibly exceeding these comprehensive U.S. state privacy laws on a 50-state basis. 
Any federal legislation may or may not preempt the comprehensive U.S. state privacy laws, creating the possibility of different compliance measures or enforcement risks nationally or on a per-state basis. Any obligations that may be imposed on us under any of the comprehensive U.S. state privacy laws or similar laws may be different from or in addition to those required by the EU GDPR, UK GDPR, and any other applicable international laws, which may cause additional expense for compliance across jurisdictions. The EU GDPR, UK GDPR, other international laws, and the laws of U.S. states also impose obligations to maintain and implement an information security program that includes administrative, technical, physical, or organizational safeguards, as well as obligations to give notice to affected individuals and to certain regulators in the event of a data breach. We may be required to spend significant resources to comply with these information security and data breach legal requirements. A significant data breach (including various forms of external attack, such as ransomware, as well as data incidents resulting from internal actions or omissions) could have negative consequences for our business and future prospects, including possible penalties, fines, damages, reduced customer demand, legal claims against and by clients, personnel, business partners or other persons claiming to be affected, harm to our systems and operations and harm to our reputation and brand. In addition, as a contractor supporting defense and national security clients, we are subject to certain additional regulatory compliance requirements relating to data privacy and cybersecurity. Under DFARS and other federal regulations, our networks and IT systems are required to comply with the security and privacy controls in certain National Institute of Standards and Technology Special Publications (“NIST SP”). 
To the extent that we do not comply with the applicable security and control requirements, unauthorized access or disclosure of sensitive information could result in a contract termination, which could have a material adverse effect on our business and financial results and lead to reputational harm. We are also subject to the Department of Defense Cybersecurity Maturity Model Certification (“CMMC”), requirements, which will require all contractors to receive specific third-party certifications relating to specified cybersecurity standards in order to be eligible for contract awards. Under “CMMC 1.0”, released in January 2020, there were 5 maturity levels, comprised of 171 requirements and 14 required processes. In March 2021, the Department of Defense initiated an interim review of CMMC’s implementation, which led to a refinement of the overall program and implementation strategy. In November 2021, the Department of Defense announced “CMMC 2.0”, which included updated program structure and requirements. These refinements included a reduction in levels from 5 to 3, which includes the removal of CMMC-unique practices and reliance on the practices set forth in NIST SP 800-171(r2). The Department of Defense announced that CMMC 2.0 will become a contract requirement, likely to appear in contracts within one year of the rule going into effect, and is expected to appear in all defense contracts within two years of the rule going into effect. On December 26, 2023, the Department of Defense published a proposed rule for the CMMC 2.0 program requirements, and may face delays with uncertainties regarding final details and timing of the final requirements. 
To the extent we are unable to achieve certification in advance of applicable contract awards that specify the requirement, we will be unable to bid on such contract awards or on follow-on awards for existing work with the Department of Defense, depending on the level of standard as required for each solicitation, which could adversely impact our revenue and profitability. In addition, our subcontractors, and in some cases our vendors, may also be required to adhere to the CMMC program requirements and potentially to achieve certification. Should our supply chain fail to meet compliance requirements or achieve certification, this may adversely affect our ability to receive award or execute on relevant government programs. In addition, any obligations that may be imposed on us under the CMMC may be different from or in addition to those otherwise required by applicable laws and regulations, which may cause additional expense for compliance.

Prior (2023):

Any failure by us, our vendors or other business partners to comply with international, U.S. federal, state or local laws and regulations regarding data privacy or cybersecurity could result in regulatory actions or lawsuits against us, legal liability, injunctions, fines, damages or other costs. We may also incur substantial expenses in implementing and maintaining compliance with such laws and regulations, including those that require certain types of data to be retained on servers within these jurisdictions. Our failure to comply with applicable laws and regulations may result in privacy claims or enforcement actions against us, including liabilities, fines and damage to our reputation, any of which may have a material adverse effect on our results of operations. For example, the European Union’s General Data Protection Regulation, or “GDPR”, and the United Kingdom’s GDPR impose compliance obligations on companies that process personal data of people in the European Union and United Kingdom, respectively. Compliance with these laws requires investment into ongoing data protection activities and documentation requirements, and creates the potential for fines and liabilities for noncompliance. In addition, California, Colorado, Connecticut, Iowa, Virginia, and Utah have enacted comprehensive state privacy laws that provide rights to residents of those respective states, and other states are considering similar legislation. The California Consumer Privacy Act, or “CCPA” (as amended by the California Privacy Rights Act, or “CPRA”), the Virginia Consumer Data Protection Act, or “VCDPA”, and the Colorado Privacy Act, or “CPA”, provide for consumer rights for residents of those respective states and create corresponding compliance obligations and litigation risks. The impact from the VCDPA and the CPA to Booz Allen is currently low because most of our personal information is client- or employee-related and therefore not defined as consumer-related. 
However, the CCPA now covers personal information collected from California individuals in the context of recruitment and employment, as well as business-to-business arrangements, and therefore imposes additional compliance obligations on Booz Allen with respect to such personal information. The CCPA will require additional investment in compliance programs and potential modifications to business processes, and could result in fines, individual claims, and liabilities for certain compliance failures. As other states follow this trend, laws of this nature could be deemed applicable to some aspects of our business. This will impose new compliance obligations and require additional investment into data protection activities. Any obligations that may be imposed on us under CCPA, CPRA, VCDPA, CPA or similar laws may increase our compliance costs and potential liability, particularly in the event of a data breach, and could have a material adverse effect on our business, including how we use personal information or our results of operations. The U.S. Congress is considering federal privacy and cybersecurity legislation that would create requirements similar to or possibly exceeding CCPA, CPRA, VCDPA, and CPA on a 50-state basis. Any federal legislation may or may not preempt the CCPA, CPRA, VCDPA, and CPA or other state laws, creating the possibility of different compliance measures or enforcement risks nationally or on a per-state basis. Any obligations that may be imposed on us under the CCPA, CPRA, VCDPA, CPA or similar laws may be different from or in addition to those required by GDPR, which may cause additional expense for compliance across jurisdictions.
The GDPR and the laws of other U.S. states also impose obligations to maintain and implement an information security program that includes administrative, technical, physical, or organizational safeguards, as well as obligations to give notice to affected individuals and to certain regulators in the event of a data breach. We may be required to spend significant resources to comply with these information security and data breach legal requirements. A significant data breach (including various forms of external attack, such as ransomware, as well as data incidents resulting from internal actions or omissions) could have negative consequences for our business and future prospects, including possible penalties, fines, damages, reduced customer demand, legal claims against and by clients, personnel, business partners or other persons claiming to be affected, harm to our systems and operations and harm to our reputation and brand. In addition, as a contractor supporting defense and national security clients, we are subject to certain additional regulatory compliance requirements relating to data privacy and cybersecurity. Under the Defense Federal Acquisition Regulation Supplement and other federal regulations, our networks and IT systems are required to comply with the security and privacy controls in National Institute of Standards and Technology Special Publications, or “NIST SP”. To the extent that we do not comply with the applicable security and control requirements, unauthorized access or disclosure of sensitive information could result in a contract termination, which could have a material adverse effect on our business and financial results and lead to reputational harm.
We are also subject to the Department of Defense Cybersecurity Maturity Model Certification, or “CMMC”, requirements, which will require all contractors to receive specific third-party certifications relating to specified cybersecurity standards in order to be eligible for contract awards. Under “CMMC 1.0,” released in January 2020, there were 5 maturity levels, comprised of 171 requirements and 14 required processes. In March 2021, the Department of Defense initiated an interim review of CMMC’s implementation, which led to a refinement of the overall program and implementation strategy. In November 2021, the Department of Defense announced “CMMC 2.0”, which included updated program structure and requirements. These refinements included a reduction in levels from 5 to 3, which includes the removal of CMMC-unique practices and reliance on the practices set forth in NIST SP 800-171(r2). The Department of Defense announced that CMMC 2.0 will become a contract requirement once rule making is completed and indicated that the rule making process and timeline would take place within 9 to 24 months of November 2021. However, rule making is not yet complete and questions remain as to the precise timing of that rule and its effective date. Despite uncertainties regarding ultimate timing of the effective date and final details regarding the CMMC 2.0 requirements, we are in the process of preparing for certification against the CMMC program. To the extent we are unable to achieve certification in advance of applicable contract awards that specify the requirement, we will be unable to bid on such contract awards or on follow-on awards for existing work with the Department of Defense, depending on the level of standard as required for each solicitation, which could adversely impact our revenue and profitability. The extended rule making timeline adds an additional degree of uncertainty as to when such a risk may occur. 
In addition, our subcontractors, and in some cases our vendors, may also be required to adhere to the CMMC program requirements and potentially to achieve certification. Should our supply chain fail to meet compliance requirements or achieve certification, this may adversely affect our ability to receive award or execute on relevant government programs. In addition, any obligations that may be imposed on us under the CMMC may be different from or in addition to those otherwise required by applicable laws and regulations, which may cause additional expense for compliance.

🟡 Modified

Internal system or service failures, or those of our vendors, including as a result of cyber or other security threats, could disrupt our business and impair our ability to effectively provide our services to our clients, which could damage our reputation and have a material adverse effect on our business and results of operations.

high match confidence

Sentence-level differences:

  • Reworded sentence: "We create, implement, integrate, and maintain information technology (“IT”) systems that (a) are often mission critical, (b) regularly involve sensitive information, (c) may be deployed within war zones or other hazardous environments, and/or (d) can include information whose confidentiality is protected by law or contract."
  • Reworded sentence: "We have put in place policies, controls, and technologies to help detect and protect against such attacks, but we cannot guarantee that future incidents will not occur."
  • Reworded sentence: "We have been the target of these types of attacks in the past, and attempted attacks are likely to continue."
  • Reworded sentence: "If our employees, contractors, suppliers or other authorized third parties do not adhere (whether inadvertently or intentionally) to appropriate information security protocols, our protocols are inadequate, or our or our clients' sensitive information is released and/or compromised, we may experience significant negative impacts to our reputation and expose us or our clients to liability."
  • Reworded sentence: "Cybersecurity” for additional information about our cybersecurity risk management program."

Current (2024):

We create, implement, integrate, and maintain information technology (“IT”) systems that (a) are often mission critical, (b) regularly involve sensitive information, (c) may be deployed within war zones or other hazardous environments, and/or (d) can include information whose confidentiality is protected by law or contract. Additionally, we maintain internal systems housing sensitive employee and confidential company data. As a result, our systems and IT work products are susceptible to systems or service failures resulting from technical complexity, failures of third-party service providers, natural disasters, power shortages, insider threats (including improper access to the Company’s, clients’ or third parties’ information or resources, employee error, or malfeasance), terrorist attacks, physical or electronic security breaches, cyber attacks, computer viruses, or similar events or disruptions. Our systems and IT work product are the target of constantly evolving cyber attack vectors, including malware, social engineering, denial-of-service attacks, malicious software programs, phishing, account takeovers, and other cyber attacks fueled by emerging technologies, such as artificial intelligence. We have noticed an increase in the frequency and sophistication of the cyber and security threats these systems face, with attacks that are more advanced and persistent, targeting us because, as a defense services contractor, we hold classified, controlled unclassified, and other sensitive information. As a result, we and our vendors face a heightened risk of a security breach or disruption resulting from an attack by computer hackers, persons with access to systems inside our organization, foreign governments, and cyber terrorists. We have put in place policies, controls, and technologies to help detect and protect against such attacks, but we cannot guarantee that future incidents will not occur. 
If an incident occurs, we may not be able to successfully mitigate the impact. We have been the target of these types of attacks in the past, and attempted attacks are likely to continue. Due to the ongoing geopolitical conflicts in Europe and the Middle East, and increased tensions in Asia, state-sponsored parties or their supporters may launch retaliatory cyber attacks, and may attempt to conduct other geopolitically motivated retaliatory actions. Those same parties may also attempt to fraudulently induce employees or authorized third parties, including contractors, to disclose sensitive information in order to gain access to our systems or data, or that of our clients, customers, or service providers. If successful, these types of attacks on our network or other systems or service failures could have a material adverse effect on our business and results of operations, due to, among other things, the loss of client or proprietary data, interruptions or delays in our clients' businesses, or damage to our reputation. In addition, the failure or disruption of our systems, communications, vendors, or utilities could cause us to interrupt or suspend our operations, which could have a material adverse effect on our business and results of operations. If our employees, contractors, suppliers or other authorized third parties do not adhere (whether inadvertently or intentionally) to appropriate information security protocols, our protocols are inadequate, or our or our clients' sensitive information is released and/or compromised, we may experience significant negative impacts to our reputation and expose us or our clients to liability. We are not immune from the possibility of a malicious insider compromising our information systems and infrastructure, including but not limited to insiders exfiltrating the personal data of employees and clients, stealing corporate trade secrets and key financial metrics, and illegally diverting funds. 
No series of measures can fully safeguard against every insider threat. Refer to “Item 1C. Cybersecurity” for additional information about our cybersecurity risk management program. If our or our vendors' systems, services, or other applications have significant defects, errors, or vulnerabilities, are successfully attacked by cyber and other security threats, suffer delivery delays, or otherwise fail to meet our clients’ expectations, we may:
  • lose revenue due to adverse client reaction;
  • be required to provide additional services to a client at no charge;
  • incur additional costs related to remediation, monitoring, and enhancing our cybersecurity;
  • lose revenue due to the deployment of employees for remediation efforts instead of client assignments;
  • receive negative publicity, which could damage our reputation and credibility of our brand and adversely affect our ability to attract or retain clients or talent;
  • be unable to successfully market services that are reliant on the creation and maintenance of secure information technology systems to U.S. government, international, and commercial clients;
  • suffer claims by clients, employees, or impacted third parties for substantial damages, particularly as a result of any successful network or systems breach and exfiltration of client and/or third-party information; or
  • incur significant costs, including fines from government regulators, related to complying with applicable federal or state laws, including laws pertaining to the security and protection of personal information.
In addition to any costs resulting from contract performance or required corrective action, these failures may result in increased costs or loss of revenue if they result in clients postponing subsequently scheduled work or canceling or failing to renew contracts. The costs related to cyber or other security threats or disruptions may not be fully insured or indemnified by other means.
Additionally, some cyber technologies and techniques that we utilize or develop may raise potential liabilities related to legal compliance, intellectual property, and civil liberties, including privacy concerns, which may not be fully insured or indemnified. We may not be able to obtain and maintain insurance coverage on reasonable terms or in sufficient amounts to cover one or more large claims, or the insurer may disclaim coverage as to some types of future claims. The successful assertion of any large claim against us could seriously harm our business. Even if not successful, these claims could result in significant legal and other costs, may be a distraction to our management, may harm our client relationships, and may adversely affect our ability to attract or retain talent. In certain new business areas, we may not be able to obtain sufficient insurance and may decide not to accept or solicit business in these areas.

View prior text (2023)

We create, implement, and maintain information technology and engineering systems and also use vendors to provide services that are often critical to our clients' operations, some of which involve sensitive information and may be conducted in war zones or other hazardous environments, or include information whose confidentiality is protected by law or contract. As a result, we are subject to systems or service failures, not only resulting from our own failures or the failures of third-party service providers, natural disasters, power shortages, insider threats (including improper access, employee error, or malfeasance), or terrorist attacks, but also from continuous exposure to constantly evolving cyber and other security threats, including computer viruses and malware, attacks by computer hackers, or physical break-ins. There has been an increase in the frequency and sophistication of the cyber and security threats we face, with attacks ranging from those common to businesses generally to those that are more advanced and persistent, which may target us because, as a cybersecurity services contractor, we hold classified, controlled unclassified, and other sensitive information. As a result, we and our vendors face a heightened risk of a security breach or disruption resulting from an attack by computer hackers, persons with access to systems inside our organization, foreign governments, and cyber terrorists. While we put in place policies, controls, and technologies to help detect and protect against such attacks, we cannot guarantee that future incidents will not occur. If an incident occurs, we may not be able to successfully mitigate the impact. We have been the target of these types of attacks in the past, and future attacks are likely to continue. The ongoing geopolitical conflict between Russia and Ukraine, and increased tensions in Asia, increase the potential threat of cybersecurity attacks. 
If successful, these types of attacks on our network or other systems or service failures could have a material adverse effect on our business and results of operations, due to, among other things, the loss of client or proprietary data, interruptions or delays in our clients' businesses, or damage to our reputation. In addition, the failure or disruption of our systems, communications, vendors, or utilities could cause us to interrupt or suspend our operations, which could have a material adverse effect on our business and results of operations. In addition, if our employees do not adhere (whether inadvertently or intentionally) to appropriate information security protocols, our protocols are inadequate, or our or our clients' sensitive information is released and/or compromised, thereby causing significant negative impacts to our reputation and expose us or our clients to liability. We are not immune from the possibility of a malicious insider compromising our information systems and infrastructure, including but not limited to insiders exfiltrating the personal data of clients, stealing corporate trade secrets and key financial metrics, and illegally diverting funds. No series of measures can fully safeguard against every insider threat. 
If our or our vendors' systems, services, or other applications have significant defects, errors, or vulnerabilities, are successfully attacked by cyber and other security threats, suffer delivery delays, or otherwise fail to meet our clients’ expectations, we may:
  • lose revenue due to adverse client reaction;
  • be required to provide additional services to a client at no charge;
  • incur additional costs related to remediation, monitoring, and enhancing our cybersecurity;
  • lose revenue due to the deployment of employees for remediation efforts instead of client assignments;
  • receive negative publicity, which could damage our reputation and adversely affect our ability to attract or retain clients or talent;
  • be unable to successfully market services that are reliant on the creation and maintenance of secure information technology systems to U.S. government, international, and commercial clients;
  • suffer claims by clients or impacted third parties for substantial damages, particularly as a result of any successful network or systems breach and exfiltration of client and/or third-party information; or
  • incur significant costs, including fines from government regulators, related to complying with applicable federal or state laws, including laws pertaining to the security and protection of personal information.
In addition to any costs resulting from contract performance or required corrective action, these failures may result in increased costs or loss of revenue if they result in clients postponing subsequently scheduled work or canceling or failing to renew contracts. The costs related to cyber or other security threats or disruptions may not be fully insured or indemnified by other means.
Additionally, some cyber technologies and techniques that we utilize or develop may raise potential liabilities related to legal compliance, intellectual property, and civil liberties, including privacy concerns, which may not be fully insured or indemnified. We may not be able to obtain and maintain insurance coverage on reasonable terms or in sufficient amounts to cover one or more large claims, or the insurer may disclaim coverage as to some types of future claims. The successful assertion of any large claim against us could seriously harm our business. Even if not successful, these claims could result in significant legal and other costs, may be a distraction to our management, may harm our client relationships, and may adversely affect our ability to attract or retain talent. In certain new business areas, we may not be able to obtain sufficient insurance and may decide not to accept or solicit business in these areas.

🟡 Modified

Adverse judgments or settlements in legal disputes could result in materially adverse monetary damages or injunctive relief and damage our reputation.

high match confidence

Sentence-level differences:

  • Removed sentence: "As more fully described under “Item 3."
  • Removed sentence: "Legal Proceedings”, the U.S."
  • Removed sentence: "Department of Justice (the “DOJ”) is conducting a civil investigation of the Company, and the Company has also been in contact with other regulatory agencies and bodies, including the Securities and Exchange Commission, which notified the Company that it is conducting an investigation that the Company believes relates to matters that are also the subject of the DOJ's investigation."
  • Removed sentence: "The Company may receive additional regulatory or governmental inquiries related to the matters that are the subject of the DOJ's investigation."
  • Removed sentence: "The total cost associated with these matters will depend on many factors, including the duration of these matters and any related finding."

Current (2024):

We are subject to, and may become a party to, a variety of litigation or other claims and suits that arise from time to time in the ordinary course of our business. For example, our performance under U.S. government contracts and compliance with the terms of those contracts and applicable laws and regulations are subject to continuous audit, review, and investigation by the U.S. government which may include such investigative techniques as subpoenas or civil investigative demands. Given the nature of our business, these audits, reviews, and investigations may focus, among other areas, on various aspects of procurement integrity, labor time reporting, sensitive and/or classified information access and control, executive compensation, and post government employment restrictions. In addition, from time to time, we are also involved in legal proceedings and investigations arising in the ordinary course of business, including those relating to employment matters (such as matters involving alleged violations of civil rights, wage and hour, and worker’s compensation laws), relationships with clients and contractors, intellectual property disputes, and other business matters. Any such claims, proceedings or investigations may be time-consuming, costly, divert management resources, or otherwise have a material adverse effect on our result of operations. The results of litigation and other legal proceedings, including the other claims described under “Item 3. Legal Proceedings,” are inherently uncertain and adverse judgments or settlements in some or all of these legal disputes may result in materially adverse monetary damages or injunctive relief against us. Any claims or litigation, even if fully indemnified or insured, could damage our reputation and make it more difficult to compete effectively or obtain adequate insurance coverage in the future.
The litigation and other legal proceedings described under “Item 3. Legal Proceedings” are subject to future developments and management’s view of these matters may change in the future.

View prior text (2023)

We are subject to, and may become a party to, a variety of litigation or other claims and suits that arise from time to time in the ordinary course of our business. For example, our performance under U.S. government contracts and compliance with the terms of those contracts and applicable laws and regulations are subject to continuous audit, review, and investigation by the U.S. government which may include such investigative techniques as subpoenas or civil investigative demands. As more fully described under “Item 3. Legal Proceedings”, the U.S. Department of Justice (the “DOJ”) is conducting a civil investigation of the Company, and the Company has also been in contact with other regulatory agencies and bodies, including the Securities and Exchange Commission, which notified the Company that it is conducting an investigation that the Company believes relates to matters that are also the subject of the DOJ's investigation. The Company may receive additional regulatory or governmental inquiries related to the matters that are the subject of the DOJ's investigation. The total cost associated with these matters will depend on many factors, including the duration of these matters and any related finding. Given the nature of our business, these audits, reviews, and investigations may focus, among other areas, on various aspects of procurement integrity, labor time reporting, sensitive and/or classified information access and control, executive compensation, and post government employment restrictions. In addition, from time to time, we are also involved in legal proceedings and investigations arising in the ordinary course of business, including those relating to employment matters (such as matters involving alleged violations of civil rights, wage and hour, and worker’s compensation laws), relationships with clients and contractors, intellectual property disputes, and other business matters. 
Any such claims, proceedings or investigations may be time-consuming, costly, divert management resources, or otherwise have a material adverse effect on our result of operations. The results of litigation and other legal proceedings, including the other claims described under “Item 3. Legal Proceedings,” are inherently uncertain and adverse judgments or settlements in some or all of these legal disputes may result in materially adverse monetary damages or injunctive relief against us. Any claims or litigation, even if fully indemnified or insured, could damage our reputation and make it more difficult to compete effectively or obtain adequate insurance coverage in the future. The litigation and other legal proceedings described under “Item 3. Legal Proceedings” are subject to future developments and management’s view of these matters may change in the future.

🟡 Modified

Systems that we develop, integrate, maintain, or otherwise support could experience security breaches which may damage our reputation with our clients and hinder future contract win rates.

high match confidence

Sentence-level differences:

  • Reworded sentence: "We develop, integrate, maintain, or otherwise support systems and provide services that include managing and protecting information involved in intelligence, national security, and other sensitive government functions."

Current (2024):

We develop, integrate, maintain, or otherwise support systems and provide services that include managing and protecting information involved in intelligence, national security, and other sensitive government functions. Our systems also store and process sensitive Company and commercial client information, including personally identifiable, health and financial information. The cybersecurity threats we and our clients face have grown more frequent and sophisticated, including but not limited to bad actors looking to augment traditional cyber tools and tradecraft with artificial intelligence capabilities that increase the speed, scale, and intricacy of threats. A security breach, including from insider threats, could result in the exfiltration of our or our clients’ data and has the potential to do serious harm to our business, damage our reputation, prevent us from executing further work on sensitive systems for U.S. government or commercial clients, and/or hinder future contract win rates. Damage to our reputation or limitations on our eligibility for additional work or any liability resulting from a security breach in one of the systems we develop, install, maintain, or otherwise support could have a material adverse effect on our results of operations.

View prior text (2023)

We develop, integrate, maintain, or otherwise support systems and provide services that include managing and protecting information involved in intelligence, national security, and other sensitive or classified government functions. Our systems also store and process sensitive information for commercial clients, including personally identifiable, health and financial information. The cyber and security threats that our clients face have grown more frequent and sophisticated. A security breach, including from insider threats, in one of these systems could cause the exfiltration of our or our clients’ data or serious harm to our business, damage our reputation, and prevent us from being eligible for further work on sensitive systems for U.S. government or commercial clients or hinder future contract win rates. Work for non-U.S. government and commercial clients involving the protection of information systems or that store clients' information could also be harmed due to associated security breaches. Damage to our reputation or limitations on our eligibility for additional work or any liability resulting from a security breach in one of the systems we develop, install, maintain, or otherwise support could have a material adverse effect on our results of operations.

🟡 Modified

Risks Related to Our Common Stock

high match confidence

Sentence-level differences:

  • Removed sentence: "16 16 16 Table of Contents Table of Contents"

Current (2024):

•the volatility of the market price of our Class A common stock; •the timing and amount of our dividends, if any; and •the impact of fulfilling our obligations incident to being a public company.

View prior text (2023)

•the volatility of the market price of our Class A common stock; •the timing and amount of our dividends, if any; and •the impact of fulfilling our obligations incident to being a public company. 16 16 16 Table of Contents Table of Contents

🟡 Modified

Many of our contracts with the U.S. government are classified or subject to other security restrictions, which may limit insight into portions of our business.

high match confidence

Sentence-level differences:

  • Reworded sentence: "In general, access to classified information, technology, facilities, or programs requires appropriate personnel security clearances, is subject to additional contract oversight and potential liability, and may also require appropriate facility clearances and other specialized infrastructure."

Current (2024):

We derive a substantial portion of our revenue from contracts with the U.S. government that are classified or subject to security restrictions that preclude the dissemination of certain information. In general, access to classified information, technology, facilities, or programs requires appropriate personnel security clearances, is subject to additional contract oversight and potential liability, and may also require appropriate facility clearances and other specialized infrastructure. A significant number of our employees have security clearances which preclude them from providing information regarding certain clients and services provided to such clients to other employees (or members of our board of directors) without security clearances and investors. Because we are limited in our ability to provide information about these contracts and services, the various risks associated with these contracts or services or any dispute or claims relating to such contracts or services, important information concerning our business may not be available, which may limit insight into a substantial portion of our business and reduce the ability to fully evaluate the risks related to that portion of our business.

View prior text (2023)

We derive a substantial portion of our revenue from contracts with the U.S. government that are classified or subject to security restrictions that preclude the dissemination of certain information. In addition, a significant number of our employees have security clearances which preclude them from providing information regarding certain clients and services provided to such clients to other employees without security clearances and investors. Because we are limited in our ability to provide information about these contracts and services, the various risks associated with these contracts or services or any dispute or claims relating to such contracts or services, you may not have important information concerning our business, which will limit your insight into a substantial portion of our business and therefore may be less able to fully evaluate the risks related to that portion of our business.