---
ticker: BAH
company: BAH
filing_type: 10-K
year_current: 2025
year_prior: 2024
risks_added: 0
risks_removed: 5
risks_modified: 14
risks_unchanged: 43
source: SEC EDGAR
url: https://riskdiff.com/bah/2025-vs-2024/
markdown_url: https://riskdiff.com/bah/2025-vs-2024/index.md
generated: 2026-05-10
---

# BAH: 10-K Risk Factor Changes 2025 vs 2024

> Source: U.S. Securities and Exchange Commission (EDGAR)  
> Generated: 2026-05-10  
> All data extracted directly from official filings. No hallucinated content.

> **[AI-Generated Summary]** The paragraph below was produced by a language
> model and may contain errors. All other content on this page is deterministically
> extracted from the original SEC filing.

> BAH streamlined its risk disclosures by removing five risks, including pandemic-related concerns and Sarbanes-Oxley compliance burdens, while making substantive modifications to 14 existing risks - most significantly strengthening language around debt management, cybersecurity threats, and government contract dependencies. The net reduction of five risks reflects a shift toward more material, operationally-focused disclosures and away from pandemic scenario planning that dominated 2024 filings. With 43 risks remaining unchanged, BAH maintained its core risk framework while recalibrating emphasis on financial leverage, system security vulnerabilities, and reliance on U.S. government contracting.

---

## Summary

| Status | Count |
|--------|-------|
| New risks added | 0 |
| Risks removed | 5 |
| Risks modified | 14 |
| Unchanged | 43 |

---

## No Match in Current: The effects of a disease outbreak, pandemic or widespread health epidemic could have a material adverse effect on our business and results of operations.

*This section from the 2024 filing does not have a high-confidence textual match in 2025. It may have been removed, merged, or substantially reworded.*

Disease outbreaks, pandemics or similar widespread health epidemics and attempts to contain and reduce their spread may adversely affect U.S. and global economies, including impacts to supply chains, customer demand, international trade, and capital markets. These effects may adversely affect certain of our business operations and may materially and adversely affect our financial condition, results of operations, cash flows, and equity. We have taken precautionary measures intended to minimize the risk of disease outbreaks, pandemics or similar widespread health epidemics, to our employees, our clients, and the communities in which we operate, as well as remedial measures to address residual, lasting issues, including increased medical costs and a rise in mental health issues, which could negatively impact our business. In addition, some of our employees, clients, and subcontractors are located in foreign countries, which may be impacted differently from the United States depending on their circumstances. Although the Company has business continuity plans and other safeguards in place, there is no assurance that such plans and safeguards will be effective or that such measures will not adversely affect our operations or long-term plans. In addition, as local conditions and regulations respond to the risks of disease outbreaks, pandemics or similar widespread health epidemics regarding the return of employees to offices generally, our workforce may not be able to return to work in person immediately, if at all, or may instead choose to pursue competing employment opportunities, including as a result of transportation, childcare, and ongoing health issues, which could negatively affect our business. 
In addition, disease outbreaks, pandemics or widespread health epidemics may disrupt the operations of our clients, suppliers, vendors, service providers, and subcontractors, including as a result of travel restrictions, business shutdowns, key material shortages, or lack of access to financial markets, all of which could negatively impact our business and results of operations. Any inability to develop alternative sources of supply on a cost-effective and timely basis could materially impair our ability to provide products, systems, and services to our clients.

---

## No Match in Current: Our professional reputation and relationships with U.S. government agencies are critical to our business, and any harm to our reputation or relationships could decrease the amount of business the U.S. government does with us, which could have a material adverse effect on our future revenue and growth prospects.

*This section from the 2024 filing does not have a high-confidence textual match in 2025. It may have been removed, merged, or substantially reworded.*

We depend on our contracts with U.S. government agencies for substantially all of our revenue and if our reputation or relationships with these agencies were harmed, our future revenue and growth prospects would be materially and adversely affected. Our reputation and relationship with the U.S. government is a key factor in maintaining and growing revenue under contracts with the U.S. government. In addition, a significant portion of our business relates to designing, developing, and implementing advanced defense and technology systems and products, including cybersecurity products and services. Negative press reports regarding poor contract performance, employee misconduct, information security breaches, engagements in or perceived connections to politically or socially sensitive activities, or other aspects of our business, or regarding government contractors generally, could harm our reputation. In addition, to the extent our performance under a contract does not meet a U.S. government agency's expectations, the client might seek to terminate the contract prior to its scheduled expiration date, provide a negative assessment of our performance to government-maintained contractor past-performance data repositories, fail to award us additional business under existing contracts or otherwise, and direct future business to our competitors. If our reputation or relationships with these agencies are negatively affected, or if we are suspended or debarred from contracting with government agencies for any reason, such actions would decrease the amount of business that the U.S. government does with us, which would have a material adverse effect on our future revenue and growth prospects.

---

## No Match in Current: The operation of financial management systems may have an adverse effect on our business and results of operations.

*This section from the 2024 filing does not have a high-confidence textual match in 2025. It may have been removed, merged, or substantially reworded.*

From time to time, we modernize and upgrade our management systems. For example, in fiscal 2022, we launched new financial management systems designed to modernize and enhance our financial systems infrastructure and cost accounting practices through minimizing manual processes, increasing automation, and providing enhanced business analytics. Operation of these kinds of new systems requires significant investment of human and financial resources. With the operation of these new systems, we have incurred additional expenses and experienced certain one-time impacts to profitability related to the roll-out and operation of the financial systems. In addition, any significant difficulties in the operation could have a material adverse effect on our ability to fulfill and invoice customer orders, apply cash receipts, place purchase orders with suppliers, and make cash disbursements, and could negatively impact data processing and electronic communications among business locations, which may have a material adverse effect on our business, consolidated financial condition, or results of operations. We also face the challenge of supporting our legacy systems and implementing necessary upgrades to those systems to support routine government and financial audits while operating our new systems.

---

## No Match in Current: Fulfilling our obligations incident to being a public company, including with respect to the requirements of and related rules under the Sarbanes Oxley Act of 2002, is expensive and time consuming and any delays or difficulty in satisfying these obligations could have a material adverse effect on our future results of operations and our stock price.

*This section from the 2024 filing does not have a high-confidence textual match in 2025. It may have been removed, merged, or substantially reworded.*

As a public company, the Sarbanes-Oxley Act of 2002 and the related rules and regulations of the SEC, as well as the New York Stock Exchange rules, require us to implement various corporate governance practices and adhere to a variety of reporting requirements and complex accounting rules. Compliance with these public company obligations requires us to devote significant management time and place significant additional demands on our finance, accounting, and legal staff and on our management systems, including our financial, accounting, and information systems. Other expenses associated with being a public company include increased auditing, accounting, and legal fees and expenses, investor relations expenses, increased directors' fees and director and officer liability insurance costs, registrar and transfer agent fees, listing fees, as well as other expenses. In particular, the Sarbanes-Oxley Act of 2002 requires us to document and test the effectiveness of our internal control over financial reporting in accordance with an established internal control framework, and to report on our conclusions as to the effectiveness of our internal controls. It also requires an independent registered public accounting firm to test our internal control over financial reporting and report on the effectiveness of such controls. In addition, we are required under the Exchange Act to maintain disclosure controls and procedures and internal control over financial reporting. Because of inherent limitations in any internal control environment, there can be no assurance that all control issues and instances of fraud, errors or misstatements, if any, within our Company have been or will be detected on a timely basis. Such deficiencies could result in the correction or restatement of financial statements of one or more periods. 
Any failure to maintain effective controls or implement new or improved controls, or difficulties encountered in their implementation, could harm our operating results or cause us to fail to meet our reporting obligations. We also rely on third parties for certain calculations and other information that support our accounting and financial reporting, which includes reports from such organizations on their controls and systems that are used to generate this data and information. Any failure by such third parties to provide us with accurate or timely information or implement and maintain effective controls may cause us to fail to meet our reporting obligations as a publicly traded company. In addition, as we operate our financial management systems, we could experience deficiencies in their operation that could have an adverse effect on the effectiveness of our internal control over financial reporting. If we are unable to conclude that we have effective internal control over financial reporting, or if our independent registered public accounting firm is unable to provide us with an unqualified report regarding the effectiveness of our internal control over financial reporting, investors could lose confidence in the reliability of our consolidated financial statements, which could result in a decrease in the value of our common stock. Failure to comply with the Sarbanes-Oxley Act of 2002 could potentially subject us to sanctions or investigations by the SEC, the New York Stock Exchange, or other regulatory authorities.

---

## No Match in Current: Our amended and restated certificate of incorporation designates the Court of Chancery of the State of Delaware as the sole and exclusive forum for certain litigation that may be initiated by our stockholders, which could limit our stockholders' ability to obtain a favorable judicial forum for disputes with us or our current or former directors, officers, or stockholders.

*This section from the 2024 filing does not have a high-confidence textual match in 2025. It may have been removed, merged, or substantially reworded.*

Our seventh amended and restated certificate of incorporation requires that the Court of Chancery of the State of Delaware be the sole and exclusive forum for (i) any derivative action or proceeding brought on behalf of the Company, (ii) any action asserting a claim of breach of a fiduciary duty owed by any director, officer, or other employee of the Company to the Company or the Company's stockholders, (iii) any action asserting a claim against the Company arising pursuant to any provision of the Delaware General Corporation Law, the Company's seventh amended and restated certificate of incorporation or the Company's bylaws, or (iv) any action asserting a claim against the Company governed by the internal affairs doctrine. Because the applicability of the exclusive forum provision is limited to the extent permitted by applicable law, we do not intend that the exclusive forum provision would apply to suits brought to enforce any duty or liability created by the Exchange Act or any other claim for which the federal courts have exclusive jurisdiction, and acknowledge that federal courts have concurrent jurisdiction over all suits brought to enforce any duty or liability created by the Securities Act. We note that there is uncertainty as to whether a court would enforce the provision and that investors cannot waive compliance with federal securities laws and the rules and regulations thereunder. Although we believe this provision benefits us by providing increased consistency in the application of Delaware law in the types of lawsuits to which it applies, the provision may have the effect of discouraging lawsuits against our directors and officers.

---

## Modified: We have substantial indebtedness and may incur substantial additional indebtedness, which could adversely affect our financial health and our ability to obtain financing in the future as well as to react to changes in our business.

**Key changes:**

- Reworded sentence: "As of March 31, 2025, we had total indebtedness of approximately $4.0 billion and $1.0 billion of availability under our revolving credit facility (the "Revolving Credit Facility")."
- Reworded sentence: "Our substantial indebtedness could have important consequences to holders of our common stock, including: ▪making it more difficult for us to satisfy our obligations with respect to our Senior Credit Facility, our outstanding senior notes, and our other debt; ▪limiting our ability to obtain additional financing to fund future working capital, capital expenditures, acquisitions or other general corporate requirements; ▪requiring a substantial portion of our cash flows to be dedicated to debt service payments instead of other purposes, thereby reducing the amount of cash flows available for working capital, capital expenditures, acquisitions and other general corporate purposes; ▪increasing our vulnerability to general adverse economic and industry conditions; ▪exposing us to the risk of increased interest rates as certain of our borrowings, including under the Senior Credit Facility, are at variable rates of interest; ▪limiting our flexibility in planning for and reacting to changes in the industry in which we compete; ▪placing us at a disadvantage compared to other, less leveraged competitors or competitors with comparable debt and more favorable terms and thereby affecting our ability to compete; and ▪increasing our cost of borrowing."
- Reworded sentence: "In addition, the Revolving Credit Facility provides for commitments of $1.0 billion, which as of March 31, 2025, had availability of $999 million."

**Prior (2024):**

As of March 31, 2024, we had total indebtedness of approximately $3.4 billion and $998.7 million of availability under our revolving credit facility (the "Revolving Credit Facility"). We are able to, and may, incur additional indebtedness in the future, subject to the limitations contained in the agreements governing our indebtedness. Our substantial indebtedness could have important consequences to holders of our common stock, including: ▪making it more difficult for us to satisfy our obligations with respect to our Senior Credit Facility, consisting of a $1.6 billion term loan facility ("Term Loan A"), a $1.0 billion Revolving Credit Facility, with a sublimit for letters of credit of $200.0 million, our $700.0 million in aggregate principal amount of 3.875% Senior Notes due 2028 (the "Senior Notes due 2028"), our $500.0 million in aggregate principal amount of 4.000% Senior Notes due 2029 (the "Senior Notes due 2029"), our $650.0 million in aggregate principal amount of 5.950% Senior Notes due 2033 (the "Senior Notes due 2033", and together with the Senior Notes due 2028 and the Senior Notes due 2029, the "Senior Notes") and our other debt; ▪limiting our ability to obtain additional financing to fund future working capital, capital expenditures, acquisitions or other general corporate requirements; ▪requiring a substantial portion of our cash flows to be dedicated to debt service payments instead of other purposes, thereby reducing the amount of cash flows available for working capital, capital expenditures, acquisitions and other general corporate purposes; ▪increasing our vulnerability to general adverse economic and industry conditions; ▪exposing us to the risk of increased interest rates as certain of our borrowings, including under the Senior Credit Facility, are at variable rates of interest; ▪limiting our flexibility in planning for and reacting to changes in the industry in which we compete; ▪placing us at a disadvantage compared to other, less leveraged competitors or competitors with comparable debt and more favorable terms and thereby affecting our ability to compete; and ▪increasing our cost of borrowing. Although the Senior Credit Facility and the indentures governing the Senior Notes contain restrictions on the incurrence of additional indebtedness, these restrictions are subject to a number of qualifications and exceptions, and the additional indebtedness incurred in compliance with these restrictions could be substantial. These restrictions also will not prevent us from incurring obligations that do not constitute indebtedness. In addition, the Revolving Credit Facility provides for commitments of $1.0 billion, which as of March 31, 2024, had availability of $998.7 million. Additionally, the used portion as it pertains to open standby letters of credit and bank guarantees totaled $1.3 million. Furthermore, subject to specified conditions, without the consent of the then-existing lenders (but subject to the receipt of commitments), the indebtedness under the Senior Credit Facility may be increased by up to $500.0 million. If new debt is added to our current debt levels, the related risks that we and the guarantors now face would increase and we may not be able to meet all our debt obligations, including the repayment of the Senior Notes.

**Current (2025):**

As of March 31, 2025, we had total indebtedness of approximately $4.0 billion and $1.0 billion of availability under our revolving credit facility (the "Revolving Credit Facility"). We are able to, and may, incur additional indebtedness in the future, subject to the limitations contained in the agreements governing our indebtedness. Our substantial indebtedness could have important consequences to holders of our common stock, including: ▪making it more difficult for us to satisfy our obligations with respect to our Senior Credit Facility, our outstanding senior notes, and our other debt; ▪limiting our ability to obtain additional financing to fund future working capital, capital expenditures, acquisitions or other general corporate requirements; ▪requiring a substantial portion of our cash flows to be dedicated to debt service payments instead of other purposes, thereby reducing the amount of cash flows available for working capital, capital expenditures, acquisitions and other general corporate purposes; ▪increasing our vulnerability to general adverse economic and industry conditions; ▪exposing us to the risk of increased interest rates as certain of our borrowings, including under the Senior Credit Facility, are at variable rates of interest; ▪limiting our flexibility in planning for and reacting to changes in the industry in which we compete; ▪placing us at a disadvantage compared to other, less leveraged competitors or competitors with comparable debt and more favorable terms and thereby affecting our ability to compete; and ▪increasing our cost of borrowing.
Although the Senior Credit Facility and the indentures governing our $700 million in aggregate principal amount of 3.875% senior notes due 2028 and our $500 million in aggregate principal amount of 4.000% senior notes due 2029 contain restrictions on the incurrence of additional indebtedness, and the indentures governing our $650 million in aggregate principal amount of 5.950% senior notes due 2033 and our $650 million in aggregate principal amount of 5.950% senior notes due 2035 contain restrictions on the incurrence of additional liens, these restrictions are subject to a number of qualifications and exceptions, and the additional indebtedness incurred in compliance with these restrictions could be substantial. These restrictions also will not prevent us from incurring obligations that do not constitute indebtedness. In addition, the Revolving Credit Facility provides for commitments of $1.0 billion, which as of March 31, 2025, had availability of $999 million. Additionally, the used portion as it pertains to open standby letters of credit and bank guarantees totaled approximately $1 million. Furthermore, subject to specified conditions, without the consent of the then-existing lenders (but subject to the receipt of commitments), the indebtedness under the Senior Credit Facility may be increased by up to $500 million. If new debt is added to our current debt levels, the related risks that we and the guarantors now face would increase and we may not be able to meet all our debt obligations, including the repayment of our outstanding senior notes.

---

## Modified: Systems that we develop, integrate, maintain, or otherwise support could experience security breaches which may damage our reputation with our customers and hinder future contract win rates.

**Key changes:**

- Reworded sentence: "Our systems also store, process, and transmit sensitive Company and government and commercial customer information, including personally identifiable, health and financial information."

**Prior (2024):**

We develop, integrate, maintain, or otherwise support systems and provide services that include managing and protecting information involved in intelligence, national security, and other sensitive government functions. Our systems also store and process sensitive Company and commercial client information, including personally identifiable, health and financial information. The cybersecurity threats we and our clients face have grown more frequent and sophisticated, including but not limited to bad actors looking to augment traditional cyber tools and tradecraft with artificial intelligence capabilities that increase the speed, scale, and intricacy of threats. A security breach, including from insider threats, could result in the exfiltration of our or our clients' data and has the potential to do serious harm to our business, damage our reputation, prevent us from executing further work on sensitive systems for U.S. government or commercial clients, and/or hinder future contract win rates. Damage to our reputation or limitations on our eligibility for additional work or any liability resulting from a security breach in one of the systems we develop, install, maintain, or otherwise support could have a material adverse effect on our results of operations.

**Current (2025):**

We develop, integrate, maintain, or otherwise support systems and provide services that include managing and protecting information involved in intelligence, national security, and other sensitive government functions. Our systems also store, process, and transmit sensitive Company and government and commercial customer information, including personally identifiable, health and financial information. The cybersecurity threats we, our customers, and third parties face have grown more frequent and sophisticated, including but not limited to bad actors looking to augment traditional cyber tools and tradecraft with artificial intelligence capabilities that increase the speed, scale, and intricacy of threats, which may not be recognized until after they have been launched. A security breach, including from insider threats, could result in the exfiltration of our or our customers' data and has the potential to do serious harm to our business, damage our reputation, prevent us from executing further work on sensitive systems for U.S. government or commercial customers, hinder future contract win rates, and/or cause us to incur significant expense to respond to and remediate the breach. Damage to our reputation or limitations on our eligibility for additional work or any liability resulting from a security breach in one of the systems we develop, install, maintain, or otherwise support could have a material adverse effect on our results of operations.

---

## Modified: We depend on contracts with U.S. government agencies for substantially all of our revenue. If our reputation or relationships with such agencies are harmed, our future revenue and operating profits would decline.

**Key changes:**

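- Reworded sentence: "The U.S. government is our primary customer, with revenue from contracts and task orders, either as a prime or a subcontractor, with U.S. government agencies accounting for 98% of our revenue for fiscal year 2025."
- Reworded sentence: "Our belief is that the successful future growth of our business will continue to depend primarily on our ability to be awarded work under U.S. government contracts, as we expect this will continue to be the primary source of substantially all of our revenue."
- Reworded sentence: "Among the key factors in maintaining our relationship with U.S. government agencies is our performance on contracts and task orders, the strength of our professional reputation, compliance with applicable laws and regulations, and the strength of our relationships with customer personnel."
- Reworded sentence: "In addition, to the extent our performance under a contract does not meet a U.S. government agency's expectations, the customer might seek to terminate the contract prior to its scheduled expiration date, provide a negative assessment of our performance to government-maintained contractor past-performance data repositories, fail to award us additional business under existing contracts or otherwise, and direct future business to our competitors."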

**Prior (2024):**

The U.S. government is our primary client, with revenue from contracts and task orders, either as a prime or a subcontractor, with U.S. government agencies accounting for 98% of our revenue for fiscal year 2024. Our belief is that the successful future growth of our business will continue to depend primarily on our ability to be awarded work under U.S. government contracts, as we expect this will be the primary source of substantially all of our revenue in the foreseeable future. For this reason, any issue that compromises our relationship with the U.S. government generally or any U.S. government agency that we serve would cause our revenue to decline. Among the key factors in maintaining our relationship with U.S. government agencies is our performance on contracts and task orders, the strength of our professional reputation, compliance with applicable laws and regulations, and the strength of our relationships with client personnel. In addition, the mishandling or the perception of mishandling of sensitive information, such as our failure to maintain the confidentiality of the existence of our business relationships with certain of our clients, including as a result of misconduct or other improper activities by our employees, subcontractors, or suppliers, or a failure to maintain adequate protection against security breaches, including those resulting from cyber attacks, could harm our relationship with U.S. government agencies. See " - Our employees or subcontractors may engage in misconduct or other improper activities, which could harm our ability to conduct business with the U.S. government." Our relationship with the U.S. government could also be damaged as a result of an agency's dissatisfaction with work performed by us, a subcontractor, or other third parties who provide services or products for a specific project for any reason, including due to perceived or actual deficiencies in the performance or quality of our work, and we may incur additional costs to address any such situation and the profitability of that work might be impaired. Further, negative publicity concerning government contractors in general, or us, regardless of accuracy, may harm our reputation among federal agencies and federal government contractors. Due to the sensitive nature of our work and our confidentiality obligations to our customers, we may be unable or limited in our ability to respond to such negative publicity, which could also harm our reputation and business. To the extent our reputation or relationships with U.S. government agencies is impaired, our revenue and operating profits could materially decline.

**Current (2025):**

The U.S. government is our primary customer, with revenue from contracts and task orders, either as a prime or a subcontractor, with U.S. government agencies accounting for 98% of our revenue for fiscal year 2025. Our belief is that the successful future growth of our business will continue to depend primarily on our ability to be awarded work under U.S. government contracts, as we expect this will continue to be the primary source of substantially all of our revenue. For this reason, any issue that compromises our relationship with the U.S. government generally or any U.S. government agency that we serve would cause our revenue to decline. Among the key factors in maintaining our relationship with U.S. government agencies is our performance on contracts and task orders, the strength of our professional reputation, compliance with applicable laws and regulations, and the strength of our relationships with customer personnel. Our relationship with U.S. government agencies could be harmed by the mishandling or the perception of mishandling of sensitive information, such as our failure to maintain the confidentiality of the existence of our business relationships with certain of our customers, including as a result of misconduct or other improper activities by our employees, subcontractors, or suppliers, or a failure to maintain adequate protection against security breaches, including those resulting from cyber attacks. See " - Our employees or subcontractors may engage in misconduct or other improper activities, which could harm our ability to conduct business with the U.S. government." Our relationship with the U.S. government could also be damaged as a result of an agency's dissatisfaction with work performed by us, a subcontractor, or other third parties who provide services or products for a specific project for any reason, including due to perceived or actual deficiencies in the performance or quality of our work, and we may incur additional costs to address any such situation and the profitability of that work might be impaired. In addition, to the extent our performance under a contract does not meet a U.S. government agency's expectations, the customer might seek to terminate the contract prior to its scheduled expiration date, provide a negative assessment of our performance to government-maintained contractor past-performance data repositories, fail to award us additional business under existing contracts or otherwise, and direct future business to our competitors. Further, negative publicity concerning government contractors in general, or us, regardless of accuracy, may harm our reputation among federal agencies and federal government contractors, and the credibility of our brand, and adversely affect our ability to attract or retain customers or talent. There has been increased publicity regarding government contractors in general, and including the Company, in connection with the U.S. government's efforts to improve efficiency and reduce costs, which could harm our reputation and could have a material impact on our business, results of operations and financial condition. Due to the sensitive nature of our work and our confidentiality obligations to our customers, we may be unable or limited in our ability to respond to such negative publicity, which could also harm our reputation and business. To the extent our reputation or relationships with U.S. government agencies is impaired, our revenue and operating profits could materially decline.

---

## Modified: Legal and Regulatory Risks

**Key changes:**

- Reworded sentence: "government audit, review, or investigation; •inherent uncertainties and potential adverse developments in legal or regulatory proceedings; •the impact of changes in accounting rules and regulations, or interpretations thereof, that may affect the way we recognize and report our financial results, including changes in accounting rules governing recognition of revenue; and •the impact of changing weather patterns, natural disasters, and pandemics, epidemics, and similar disease outbreaks on our and our customers' businesses and operations, as well as risks related to increased scrutiny and changing expectations and practices related to climate change and related governance matters generally."

**Prior (2024):**

- failure to comply with numerous laws and regulations, including the FAR, False Claims Act, DFARS, and FAR Cost Accounting Standards and Cost Principles;
- risks related to our international operations;
- the adoption by the U.S. government of new laws, rules, and regulations, such as those relating to organizational conflicts of interest issues or limits;
- the incurrence of additional tax liabilities, including as a result of changes in tax laws or management judgments involving complex tax matters;
- continued efforts to change how the U.S. government reimburses compensation related costs and other expenses or otherwise limit such reimbursements and an increased risk of compensation being deemed unreasonable and unallowable or payments being withheld as a result of U.S. government audit, review, or investigation;
- inherent uncertainties and potential adverse developments in legal or regulatory proceedings;
- the impact of changes in accounting rules and regulations, or interpretations thereof, that may affect the way we recognize and report our financial results, including changes in accounting rules governing recognition of revenue; and
- the impact of ESG-related risks and climate change generally on our and our clients' businesses and operations.

**Current (2025):**

- failure to comply with numerous laws and regulations, including the FAR, False Claims Act, DFARS, and FAR Cost Accounting Standards and Cost Principles;
- risks related to our international operations;
- the adoption by the U.S. government of new laws, rules, and regulations, such as those relating to organizational conflicts of interest issues or limits;
- the incurrence of additional tax liabilities, including as a result of changes in tax laws or management judgments involving complex tax matters;
- continued efforts to change how the U.S. government reimburses compensation related costs and other expenses or otherwise limit such reimbursements and an increased risk of compensation being deemed unreasonable and unallowable or payments being withheld as a result of U.S. government audit, review, or investigation;
- inherent uncertainties and potential adverse developments in legal or regulatory proceedings;
- the impact of changes in accounting rules and regulations, or interpretations thereof, that may affect the way we recognize and report our financial results, including changes in accounting rules governing recognition of revenue; and
- the impact of changing weather patterns, natural disasters, and pandemics, epidemics, and similar disease outbreaks on our and our customers' businesses and operations, as well as risks related to increased scrutiny and changing expectations and practices related to climate change and related governance matters generally.

---

## Modified: We may fail to obtain and maintain necessary security clearances which may adversely affect our ability to perform on certain contracts.

**Key changes:**

- Added sentence: "Security clearances are issued at the discretion of the U.S."
- Added sentence: "government and there can be no assurance that we will be able to obtain or maintain the security clearances necessary to perform our contracts."
- Reworded sentence: "In the current environment we are seeing delays by the U.S."

**Prior (2024):**

Many U.S. government programs require contractor employees and facilities to have security clearances. Depending on the level of required clearance, security clearances can be difficult and time-consuming to obtain. If we or our employees are unable to obtain or retain necessary security clearances in a timely manner, we may not be able to win new business, and our existing clients could terminate their contracts with us or decide not to renew them. To the extent we are not able to obtain and maintain facility security clearances or engage employees with the required security clearances for a particular contract, we may not be able to bid on or win new contracts, effectively rebid on expiring contracts, or retain existing contracts, which may adversely affect our operating results and inhibit the execution of our growth strategy.

**Current (2025):**

Many U.S. government programs require contractor employees and facilities to have security clearances. Security clearances are issued at the discretion of the U.S. government and there can be no assurance that we will be able to obtain or maintain the security clearances necessary to perform our contracts. Depending on the level of required clearance, security clearances can be difficult and time-consuming to obtain. In the current environment we are seeing delays by the U.S. government in the processing of security clearances and there have been recent examples of large numbers of security clearances being revoked by executive orders by the new presidential administration. If we or our employees are unable to obtain or retain necessary security clearances in a timely manner, or a significant number of our employees lose security clearances, we may not be able to win new business, and our existing customers could terminate their contracts with us or decide not to renew them. To the extent we are not able to obtain and maintain facility security clearances or engage employees with the required security clearances for a particular contract, we may not be able to bid on or win new contracts, effectively rebid on expiring contracts, or retain existing contracts, which may adversely affect our operating results and inhibit the execution of our growth strategy.

---

## Modified: We develop and utilize artificial intelligence, which could expose us to risks including potential liability as well as regulatory, competition, reputational and other risks.

**Key changes:**

- Reworded sentence: "The development, deployment and oversight of the use of AI by us, either directly, through our suppliers, or by engaging third-party AI developers, as well as the use of AI by competitors, is expected to require us to invest substantially in AI technology resources and related governance."
- Added sentence: "Further, ownership and intellectual property rights of content generated by artificial intelligence is a developing area."
- Added sentence: "This presents unique complexity and challenges that could affect our business and impact our delivery of AI-driven solutions."
- Reworded sentence: "Legal and regulatory frameworks related to the use of AI are evolving, including due to the perceived or actual risks of bias, lack of transparency, and information security."
- Reworded sentence: "For example, there have been significant changes in U.S."

**Prior (2024):**

We utilize artificial intelligence, including generative artificial intelligence, machine learning, and similar tools and technologies that collect, aggregate, analyze, or generate data or other materials (collectively, "AI") in connection with our business. The development, deployment and oversight of the use of AI by us, either directly or by engaging third-party AI developers, as well as the use of AI by competitors, is expected to require us to invest substantially in AI technology resources and related governance. There are significant risks involved in using AI and no assurance can be provided that our use of AI will enhance our products or services, produce the intended results, or keep pace with the use of AI by our competitors. For example, AI algorithms may produce incomplete, insufficient, biased or otherwise flawed results or rely upon biased or inaccurate data, and any of these deficiencies may not be easily detectable despite internal policies and diligence efforts in place to mitigate such deficiencies. The degraded or flawed performance could also result from adversarial attacks that include data poisoning, malware risks, and evasion techniques. If the AI that we use produces deficient, inaccurate, or controversial results, or if public opinion of AI is adversely affected due to actual or perceived risks regarding the usage of AI, we could incur operational inefficiencies, competitive harm, legal liability, brand or reputational harm, or other adverse impacts on our business and results of operations. If we, or the third-party AI developers on which we rely, do not have sufficient rights to use the data or other material relied upon by such AI technologies, we also may incur liability through the alleged violation of applicable laws and regulations, third-party intellectual property, data privacy, or other rights, or contractual obligations. 
Although we conduct diligence on third-party AI developers, we will not be able to control the manner in which third-party AI technologies are developed or maintained. Legal and regulatory frameworks related to the use of AI are evolving, including due to the perceived or actual risks of bias, unfair discrimination, transparency, and information security. The technologies underlying AI and its uses are subject to a variety of laws and regulations, including intellectual property, data privacy and security, consumer protection, competition, and equal opportunity laws, and may be subject to new laws and regulations or new interpretations of existing laws and regulations. AI is the subject of ongoing review by various U.S. and foreign governmental and regulatory agencies. For example, in October 2023, the Biden Administration signed an executive order on Safe, Secure, and Trustworthy Artificial Intelligence which charges various Federal agencies to establish standards for AI safety and security. In addition, in March 2024, the EU enacted a new regulation applicable to certain AI technologies and the data used to train, test and deploy them. The enactment or expansion of laws and regulations related to the use of AI in our operations could result in increased compliance costs related to our use of AI. Furthermore, it is not possible to predict all the legal, operational or technological risks that may arise relating to the use of AI, any of which may materially and adversely affect our business and results of operations.

**Current (2025):**

We utilize artificial intelligence, including generative artificial intelligence, machine learning, and similar tools and technologies that collect, aggregate, analyze, or generate data or other materials (collectively, "AI") in connection with our business. The development, deployment and oversight of the use of AI by us, either directly, through our suppliers, or by engaging third-party AI developers, as well as the use of AI by competitors, is expected to require us to invest substantially in AI technology resources and related governance. There are significant risks involved in using AI and no assurance can be provided that our use of AI will enhance our products or services, produce the intended results, or keep pace with the use of AI by our competitors. For example, AI algorithms may produce incomplete, insufficient, biased or otherwise flawed results or rely upon biased or inaccurate data, and any of these deficiencies may not be easily detectable despite internal policies and diligence efforts in place to mitigate such deficiencies. The degraded or flawed performance could also result from adversarial attacks that include data poisoning, malware risks, and evasion techniques. If the AI that we use produces deficient, inaccurate, or controversial results, or if public opinion of AI is adversely affected due to actual or perceived risks regarding the usage of AI, we could incur operational inefficiencies, competitive harm, legal liability, brand or reputational harm, or other adverse impacts on our business and results of operations. Further, ownership and intellectual property rights of content generated by artificial intelligence is a developing area. This presents unique complexity and challenges that could affect our business and impact our delivery of AI-driven solutions. 
If we, or the third-party AI developers on which we rely, do not have sufficient rights to use the data or other material relied upon by such AI technologies, we also may incur liability through the alleged violation of applicable laws and regulations, third-party intellectual property, data privacy, or other rights, or contractual obligations. Although we conduct diligence on third-party AI developers, we will not be able to control the manner in which third-party AI technologies are developed or maintained. Legal and regulatory frameworks related to the use of AI are evolving, including due to the perceived or actual risks of bias, lack of transparency, and information security. The technologies underlying AI and its uses are subject to a variety of laws and regulations, including intellectual property, data privacy and security, consumer protection, competition, and equal opportunity laws, and may be subject to new laws and regulations or new interpretations of existing laws and regulations. AI is the subject of ongoing review by various U.S. and foreign governmental and regulatory agencies. For example, there have been significant changes in U.S. AI policy introduced by the new presidential administration, including the rescinding of the prior administration's October 2023 executive order on Safe, Secure, and Trustworthy Artificial Intelligence. In addition, in March 2024, the EU enacted a new regulation applicable to certain AI technologies and the data used to train, test and deploy them. The enactment or expansion of laws and regulations related to the use of AI in our operations could result in increased compliance costs related to our use of AI, while the persistence of regulatory ambiguity results in uncertainty regarding potential compliance obligations and presents challenges to longer-term strategic decision-making. 
Additionally, we may not always be able to anticipate how courts and regulators will apply existing laws to AI, predict how new legal frameworks will develop to address AI, or otherwise respond to these frameworks as they are still rapidly evolving. We may also have to expend resources to adjust our offerings in certain jurisdictions if the legal frameworks on AI are not consistent across jurisdictions. Furthermore, it is not possible to predict all the operational or technological risks that may arise relating to the use of AI, any of which may materially and adversely affect our business and results of operations. Further, we face significant competition from other companies that are developing their own AI features and technologies. Other companies may develop AI features and technologies that are similar or superior to our technologies or are more cost-effective to develop and deploy. Additionally, while AI is currently the focus of significant investment and strategic prioritization, there is a risk that if the expected value of AI does not materialize at scale, or if high-profile AI failures emerge, customers may reassess their AI plans, which could lead to reduced funding and a reduction in certain of our AI initiatives. These factors could materially and adversely affect our business, financial condition and results of operations.

---

## Modified: Global inflationary pressures and new or increased tariffs on certain imports have increased the prices of goods and services, which could raise the costs associated with providing our services, diminish our ability to compete for new contracts or task orders, and/or reduce customer buying power.

**Key changes:**

- Reworded sentence: "These inflationary pressures have been and could continue to be exacerbated by geopolitical turmoil and economic policy actions, including new or increased tariffs on certain imports from other countries, and the duration of such pressures is uncertain."
- Reworded sentence: "In addition, new or increased tariffs could result in increased costs for hardware and other goods necessary to support business operations."

**Prior (2024):**

For a variety of reasons, including geopolitical factors, the global economy in which we operate has faced, and may continue to face, heightened inflationary pressure, impacting the cost of doing business (in both supply and labor markets). These inflationary pressures have been and could continue to be exacerbated by geopolitical turmoil and economic policy actions, and the duration of such pressures is uncertain. We generate revenue through various fixed price and multi-year government contracts, our primary customer being the U.S. government, which has traditionally been viewed as less affected by inflationary pressures. However, our approach to include modest annual price escalations in our bids for multi-year work may be insufficient to counter inflationary cost pressures, which may result in significant cost overruns on each contract. This could result in reduced profits, or even losses, as inflation increases, particularly for fixed priced contracts, and our longer-term multi-year contracts as contractual prices become less favorable to us over time. In the competitive environment in which we operate as a government contractor, the lack of pricing leverage and power to renegotiate long-term, multi-year contracts, coupled with reduced customer buying power as a result of inflation, could reduce our profits, disrupt our business, or otherwise materially adversely affect our results of operations.

**Current (2025):**

For a variety of reasons, including geopolitical factors, the global economy in which we operate has faced, and may continue to face, heightened inflationary pressure, impacting the cost of doing business (in both supply and labor markets). These inflationary pressures have been and could continue to be exacerbated by geopolitical turmoil and economic policy actions, including new or increased tariffs on certain imports from other countries, and the duration of such pressures is uncertain. We generate revenue through various fixed price and multi-year government contracts, our primary customer being the U.S. government, which has traditionally been viewed as less affected by inflationary pressures. However, our approach to include modest annual price escalations in our bids for multi-year work may be insufficient to counter inflationary cost pressures, which may result in significant cost overruns on each contract. In addition, new or increased tariffs could result in increased costs for hardware and other goods necessary to support business operations. This could result in reduced profits, or even losses, as inflation increases, particularly for fixed-priced contracts, and our longer-term multi-year contracts as contractual prices become less favorable to us over time. In the competitive environment in which we operate as a government contractor, the lack of pricing leverage and power to renegotiate long-term, multi-year contracts, coupled with reduced customer buying power as a result of inflation, could reduce our profits, disrupt our business, or otherwise materially adversely affect our results of operations.

---

## Modified: Risks Related to Our Common Stock

**Key changes:**

- Reworded sentence: "•the volatility of the market price of our Class A common stock; and •the timing and amount of our dividends, if any."

**Prior (2024):**

- the volatility of the market price of our Class A common stock;
- the timing and amount of our dividends, if any; and
- the impact of fulfilling our obligations incident to being a public company.

**Current (2025):**

- the volatility of the market price of our Class A common stock; and
- the timing and amount of our dividends, if any.

---

## Modified: The U.S. government may prefer small and small disadvantaged businesses; therefore, we may have fewer opportunities to bid for.

**Key changes:**

- Reworded sentence: "government may decide to restrict certain procurements only to bidders that qualify as small or small disadvantaged businesses."

**Prior (2024):**

As a result of the Small Business Administration set-aside program, the U.S. government may decide to restrict certain procurements only to bidders that qualify as minority-owned, small, or small disadvantaged businesses. As a result, we would not be eligible to perform as a prime contractor on those programs and would be restricted to a maximum of 49% of the work as a subcontractor on those programs. An increase in the amount of procurements under the Small Business Administration set-aside program may impact our ability to bid on new procurements as a prime contractor or restrict our ability to re-compete on incumbent work that is placed in the set-aside program.

**Current (2025):**

As a result of the Small Business Administration set-aside program, the U.S. government may decide to restrict certain procurements only to bidders that qualify as small or small disadvantaged businesses. As a result, we would not be eligible to perform as a prime contractor on those programs and would be restricted to a maximum of 49% of the work as a subcontractor on those programs. An increase in the amount of procurements under the Small Business Administration set-aside program may impact our ability to bid on new procurements as a prime contractor or restrict our ability to re-compete on incumbent work that is placed in the set-aside program.

---

## Modified: U.S. government spending levels and mission priorities could change in a manner that adversely affects our future revenue and limits our growth prospects.

**Key changes:**

- Reworded sentence: "These expenditures have not remained constant over time, have been and in the future may be reduced in certain periods, and have been and in the future may be affected by the U.S."
- Reworded sentence: "government programs that we support or related requirements, including shifts in the scope of work that we support and delays in procurements; •changes in U.S."
- Reworded sentence: "government agencies awarding contracts on a technically acceptable/lowest cost basis in order to reduce expenditures; •increased U.S."
- Reworded sentence: "government closures and shutdowns, terrorism, war, international conflicts (including the ongoing conflict between Russia and Ukraine, ongoing conflicts in the Middle East, and increased tensions in Asia), trade tensions related to recent shifts in international trade policies, natural disasters, public health crises, destruction of U.S."
- Reworded sentence: "A reduction in the amount of, or delays or cancellations of funding for, services that we are contracted to provide as a result of initiatives with certain U.S."

**Prior (2024):**

Our business depends upon continued U.S. government expenditures on defense, intelligence, and civil programs for which we provide support. These expenditures have not remained constant over time, have been reduced in certain periods, and have been affected by the U.S. government's efforts to improve efficiency and reduce costs affecting U.S. government programs generally. Our business, prospects, financial condition, or operating results could be materially harmed by, among other causes, the following:

- budgetary constraints, including mandated automatic spending cuts, affecting U.S. government spending generally, or specific agencies in particular, and changes in available funding;
- a shift in the permissible federal debt limit;
- a shift in expenditures away from agencies or programs that we support;
- reduced U.S. government outsourcing of functions that we are currently contracted to provide, including as a result of increased insourcing by various U.S. government agencies due to changes in the definition of "inherently governmental" work, including proposals to limit contractor access to sensitive or classified information and work assignments;
- changes or delays in U.S. government programs that we support or related requirements;
- U.S. government shutdowns due to, among other reasons, a failure to fund the government and other potential delays in the appropriations process;
- U.S. government agencies awarding contracts on a technically acceptable/lowest cost basis in order to reduce expenditures;
- delays in the payment of our invoices by government payment offices;
- an inability by the U.S. government to fund its operations as a result of a failure to increase the U.S. government's debt ceiling, the exhaustion of "extraordinary measures" to borrow additional funds without breaching the government's debt ceiling, a credit downgrade of U.S. government obligations or for any other reason; and
- changes in the political climate and general economic conditions, including political changes from successive presidential administrations, a slowdown of the economy or unstable economic conditions and other conditions, such as emergency spending, that reduce funds available for other government priorities.

In addition, any disruption in the functioning of U.S. government agencies, including as a result of U.S. government closures and shutdowns, terrorism, war, international conflicts (including the ongoing conflict between Russia and Ukraine and the ongoing conflict between Israel and Hamas), natural disasters, public health crises, destruction of U.S. government facilities, and other potential calamities could have a negative impact on our operations and cause us to lose revenue or incur additional costs due to, among other things, our inability to deploy our staff to client locations or facilities as a result of such disruptions. The U.S. government budget deficits, the national debt, and prevailing economic conditions, and actions taken to address them, could negatively affect U.S. government expenditures on defense, intelligence, and civil programs for which we provide support. The Department of Defense is one of our significant clients and cost cutting, including through consolidation and elimination of duplicative organizations and insourcing, has become a major initiative for the Department of Defense. A reduction in the amount of, or delays or cancellations of funding for, services that we are contracted to provide as a result of any of these related initiatives, legislation, or otherwise could have a material adverse effect on our business and results of operations. In addition, government agencies have reduced management support services spending in recent years. If federal awards for management support services continue to decline, our revenue and operating profits may materially decline and could have a material and adverse effect on our business and results of operations. Considerable uncertainty exists regarding how future budget and program decisions will unfold, including the spending priorities of the U.S. government. In January 2025, the U.S. Congress may have to contend with the legal limit on U.S. debt commonly known as the debt ceiling. If the debt ceiling is not raised, the U.S. government may not be able to fulfill its funding obligations and there could be significant disruption to all discretionary programs, which would have corresponding impacts on us and our industry. If government funding relating to our contracts with the U.S. government or Department of Defense becomes unavailable, or is reduced or delayed, or planned orders are reduced, our contract or subcontract under such programs may be terminated or adjusted by the U.S. government or the prime contractor, if applicable. Our operating results could also be adversely affected by spending caps or changes in the budgetary priorities of the U.S. government or Department of Defense, as well as delays in program starts or the award of contracts or task orders under contracts. These or other factors could cause our defense, intelligence, or civil clients to decrease the number of new contracts awarded generally and fail to award us new contracts, reduce their purchases under our existing contracts, exercise their right to terminate our contracts, or not exercise options to renew our contracts, any of which could cause a material decline in our revenue.

**Current (2025):**

Our business depends upon continued U.S. government expenditures on defense, intelligence, and civil programs for which we provide support. These expenditures have not remained constant over time, have been and in the future may be reduced in certain periods, and have been and in the future may be affected by the U.S. government's efforts to improve efficiency and reduce costs affecting U.S. government programs generally. Our business, prospects, financial condition, or operating results could be materially harmed by, among other causes, the following:

- budgetary constraints, including mandated automatic spending cuts, affecting U.S. government spending generally, or specific agencies in particular, and changes in available funding;
- a shift in the permissible federal debt limit;
- a shift in expenditures away from agencies or programs that we support;
- reduced U.S. government outsourcing of functions that we are currently contracted to provide, including as a result of increased insourcing by various U.S. government agencies due to changes in the definition of "inherently governmental" work, including proposals to limit contractor access to sensitive or classified information and work assignments;
- changes or delays in U.S. government programs that we support or related requirements, including shifts in the scope of work that we support and delays in procurements;
- changes in U.S. government customer cybersecurity investments and resourcing that impact the security posture of systems hosted by the Company on behalf of the U.S. government and under a U.S. government authority to operate;
- U.S. government shutdowns due to, among other reasons, a failure to fund the government and other potential delays in the appropriations process;
- U.S. government agencies awarding contracts on a technically acceptable/lowest cost basis in order to reduce expenditures;
- increased U.S. government processing times for security clearances and other governmental consents;
- delays in the payment of our invoices by government payment offices;
- loss of government points of contact at the various U.S. government agencies we support as a result of the government's efforts to reduce spending;
- an inability by the U.S. government to fund its operations as a result of a failure to increase the U.S. government's debt ceiling, the exhaustion of "extraordinary measures" to borrow additional funds without breaching the government's debt ceiling, a credit downgrade of U.S. government obligations or for any other reason; and
- changes in the political climate and general economic conditions, including political changes from successive presidential administrations, a slowdown of the economy or unstable economic conditions and other conditions, such as emergency spending, that reduce funds available for other government priorities.

In addition, any disruption in the functioning of U.S. government agencies, including as a result of U.S. government closures and shutdowns, terrorism, war, international conflicts (including the ongoing conflict between Russia and Ukraine, ongoing conflicts in the Middle East, and increased tensions in Asia), trade tensions related to recent shifts in international trade policies, natural disasters, public health crises, destruction of U.S. government facilities, and other potential calamities could have a negative impact on our operations and cause us to lose revenue or incur additional costs due to, among other things, our inability to deploy our staff to customer locations or facilities as a result of such disruptions. Considerable uncertainty exists regarding how future budget and program decisions will unfold, including as a result of the changing spending priorities of the U.S. government. The U.S.
government is currently in the process of reviewing federal spending across federal civilian, defense, and intelligence departments and agencies, to ensure it aligns with the new administration's priorities of maximizing governmental efficiency and productivity. As a leading provider of advanced technology products and services to U.S. government customers, we have been, and will continue to be, subject to these reviews, and we have had, and may in the future have, certain of our contracts impacted, reduced or canceled as a result of these reviews. We have also experienced price adjustments and renegotiations prior to option exercise of certain of our contracts as a result of these reviews and may in the future continue to experience such adjustments. Further, we are, and may in the future be, subject to customer mandates to formulate additional methods by which to achieve efficiencies in providing our services, and we remain in ongoing discussions with various government departments and agencies in relation to cost reductions and other potential contract modifications. There can be no assurance that these reviews will not ultimately have a material adverse impact on our business and financial performance - such as through more stringent and frequent reviews of our contracts, potential changes in government procurement policies which could affect our ability to secure new contracts or renew existing ones, the cancellation or reduction of contracts critical to our business, or the implementation of stricter compliance requirements that could increase our operational costs. The U.S. government budget deficits, the national debt, and prevailing economic conditions, and actions taken to address them, could negatively affect U.S. government expenditures on defense, intelligence, and civil programs for which we provide support. 
A reduction in the amount of, or delays or cancellations of funding for, services that we are contracted to provide as a result of initiatives with certain U.S. government departments, legislation, or otherwise could have a material adverse effect on our business and results of operations. Further, there is ongoing uncertainty regarding how the U.S. Congress will address the legal limit on U.S. debt commonly known as the debt ceiling, and for which the U.S. Treasury has announced that it has been using extraordinary measures to prevent the U.S. government's default on its payment obligations, and to extend the time that the U.S. Congress has to raise its statutory debt limit or otherwise resolve the funding situation. If the debt ceiling is not raised, the U.S. government may not be able to fulfill its funding obligations and there could be significant disruption to all discretionary programs, which would have material adverse impacts on us and our industry. If government funding relating to our contracts with the U.S. government or Department of Defense becomes unavailable, or is reduced or delayed, or planned orders are reduced, our contract or subcontract under such programs may be terminated or adjusted by the U.S. government or the prime contractor, if applicable. Our operating results could also be adversely affected by spending caps or changes in the budgetary priorities of the U.S. government or Department of Defense, as well as delays in program starts or the award of contracts or task orders under contracts. These or other factors could cause our defense, intelligence, or civil customers to decrease the number of new contracts awarded generally and fail to award us new contracts, reduce their purchases under our existing contracts, exercise their right to terminate our contracts, or not exercise options to renew our contracts, any of which could cause a material decline in our revenue.

---

## Modified: Implementation of and compliance with various data privacy and cybersecurity laws, regulations and standards could require significant investment into ongoing compliance activities, trigger potential liability, and limit our ability to use personal data.

**Key changes:**

- Reworded sentence: "federal, state or local laws and regulations regarding data privacy, including the protection of personal or confidential information of our customers or employees which we may handle and process, or cybersecurity could result in significant monetary damages, regulatory enforcement actions, fines, penalties, private litigation or claims, and/or criminal prosecution in one or more jurisdictions, including as a result of the perception of our practices, products, and services in relation to violations of individual privacy, data protection rights, or cybersecurity requirements."
- Reworded sentence: "For example, the European Union's General Data Protection Regulation (the "GDPR"), and the United Kingdom's GDPR impose compliance obligations on companies that process personal data of people in the European Union and United Kingdom, respectively."
- Reworded sentence: "A significant data breach (including various forms of external attack, such as ransomware, as well as data incidents resulting from internal actions or omissions) could have negative consequences for our business and future prospects, including possible penalties, fines, damages, reduced customer demand, legal claims against and by customers, personnel, business partners or other persons claiming to be affected, harm to our systems and operations and harm to our reputation and brand."
- Reworded sentence: "We are also subject to the Department of Defense Cybersecurity Maturity Model Certification ("CMMC"), requirements, which will require all contractors to receive specific certifications relating to specified cybersecurity standards in order to be eligible for contract awards."

**Prior (2024):**

Any failure by us, our vendors or other business partners to comply with international, U.S. federal, state or local laws and regulations regarding data privacy or cybersecurity could result in regulatory actions or lawsuits against us, legal liability, injunctions, fines, damages or other costs. We may also incur substantial expenses in implementing and maintaining compliance with such laws and regulations, including those that require certain types of data to be retained on servers within these jurisdictions. In addition, enactment or expansion of laws related to the use of artificial intelligence in our operations could increase the cost of doing business, subject us to potential liability, regulatory risk or reputational harm. Our failure to comply with applicable laws and regulations may result in privacy claims or enforcement actions against us, including liabilities, fines and damage to our reputation, any of which may have a material adverse effect on our results of operations. For example, the European Union's General Data Protection Regulation (the "GDPR"), and the United Kingdom's GDPR impose compliance obligations on companies that process personal data of people in the European Union and United Kingdom, respectively. Compliance with these laws requires investment into ongoing data protection activities and documentation requirements, and creates the potential for fines and liabilities for noncompliance. In addition, California, Colorado, Connecticut, Iowa, Virginia, Utah, and other states have enacted comprehensive privacy laws that restrict the collection, use, and processing of personal information, provide rights to residents of those respective states, and create corresponding compliance obligations and litigation risks. 
For example, the California Consumer Privacy Act (the "CCPA", as amended by the California Privacy Rights Act, the "CPRA"), the Virginia Consumer Data Protection Act (the "VCDPA"), and the Colorado Privacy Act (the "CPA"), provide for consumer rights for residents of those respective states and create corresponding compliance obligations and litigation risks. The impact from the VCDPA and the CPA to Booz Allen is currently low because most of our personal information is client- or employee-related and therefore not defined as consumer-related. However, the CCPA now covers personal information collected from California residents in the context of recruitment and employment, as well as business-to-business arrangements, and therefore imposes additional compliance obligations on Booz Allen with respect to such personal information. These comprehensive state privacy laws, or other emerging U.S. state or global privacy laws, may require additional investment in compliance programs and potential modifications to business processes, and could result in fines, individual claims, and liabilities for certain compliance failures, particularly in the event of a data breach. As other states follow this trend, laws of this nature could be deemed applicable to some aspects of our business. This will impose new compliance obligations and require additional investment into data protection activities. Any obligations that may be imposed on us under CCPA, CPRA, VCDPA, CPA or similar laws may increase our compliance costs and potential liability, particularly in the event of a data breach, and could have a material adverse effect on our business, including how we use personal information or our results of operations. The U.S. Congress is considering federal privacy, cybersecurity and AI legislation that would create requirements similar to or possibly exceeding these comprehensive U.S. state privacy laws on a 50-state basis. 
Any federal legislation may or may not preempt the comprehensive U.S. state privacy laws, creating the possibility of different compliance measures or enforcement risks nationally or on a per-state basis. Any obligations that may be imposed on us under any of the comprehensive U.S. state privacy laws or similar laws may be different from or in addition to those required by the EU GDPR, UK GDPR, and any other applicable international laws, which may cause additional expense for compliance across jurisdictions. The EU GDPR, UK GDPR, other international laws, and the laws of U.S. states also impose obligations to maintain and implement an information security program that includes administrative, technical, physical, or organizational safeguards, as well as obligations to give notice to affected individuals and to certain regulators in the event of a data breach. We may be required to spend significant resources to comply with these information security and data breach legal requirements. A significant data breach (including various forms of external attack, such as ransomware, as well as data incidents resulting from internal actions or omissions) could have negative consequences for our business and future prospects, including possible penalties, fines, damages, reduced customer demand, legal claims against and by clients, personnel, business partners or other persons claiming to be affected, harm to our systems and operations and harm to our reputation and brand. In addition, as a contractor supporting defense and national security clients, we are subject to certain additional regulatory compliance requirements relating to data privacy and cybersecurity. Under DFARS and other federal regulations, our networks and IT systems are required to comply with the security and privacy controls in certain National Institute of Standards and Technology Special Publications ("NIST SP"). 
To the extent that we do not comply with the applicable security and control requirements, unauthorized access or disclosure of sensitive information could result in a contract termination, which could have a material adverse effect on our business and financial results and lead to reputational harm. We are also subject to the Department of Defense Cybersecurity Maturity Model Certification ("CMMC"), requirements, which will require all contractors to receive specific third-party certifications relating to specified cybersecurity standards in order to be eligible for contract awards. Under "CMMC 1.0", released in January 2020, there were 5 maturity levels, comprised of 171 requirements and 14 required processes. In March 2021, the Department of Defense initiated an interim review of CMMC's implementation, which led to a refinement of the overall program and implementation strategy. In November 2021, the Department of Defense announced "CMMC 2.0", which included updated program structure and requirements. These refinements included a reduction in levels from 5 to 3, which includes the removal of CMMC-unique practices and reliance on the practices set forth in NIST SP 800-171(r2). The Department of Defense announced that CMMC 2.0 will become a contract requirement, likely to appear in contracts within one year of the rule going into effect, and is expected to appear in all defense contracts within two years of the rule going into effect. On December 26, 2023, the Department of Defense published a proposed rule for the CMMC 2.0 program requirements, and may face delays with uncertainties regarding final details and timing of the final requirements. 
To the extent we are unable to achieve certification in advance of applicable contract awards that specify the requirement, we will be unable to bid on such contract awards or on follow-on awards for existing work with the Department of Defense, depending on the level of standard as required for each solicitation, which could adversely impact our revenue and profitability. In addition, our subcontractors, and in some cases our vendors, may also be required to adhere to the CMMC program requirements and potentially to achieve certification. Should our supply chain fail to meet compliance requirements or achieve certification, this may adversely affect our ability to receive award or execute on relevant government programs. In addition, any obligations that may be imposed on us under the CMMC may be different from or in addition to those otherwise required by applicable laws and regulations, which may cause additional expense for compliance.

**Current (2025):**

Any failure by us, our vendors or other business partners to comply with international, U.S. federal, state or local laws and regulations regarding data privacy, including the protection of personal or confidential information of our customers or employees which we may handle and process, or cybersecurity could result in significant monetary damages, regulatory enforcement actions, fines, penalties, private litigation or claims, and/or criminal prosecution in one or more jurisdictions, including as a result of the perception of our practices, products, and services in relation to violations of individual privacy, data protection rights, or cybersecurity requirements. We may also incur substantial expenses in implementing and maintaining compliance with such laws and regulations, or anticipated laws and regulations, including those that require certain types of data to be retained on servers within these jurisdictions. These laws and regulations, and anticipated laws and regulations, are increasing in complexity and number, change frequently, sometimes conflict or create different requirements across jurisdictions, and are subject to interpretation by different regulators and courts, creating the possibility of different compliance measures or enforcement risks across jurisdictions, which may cause additional expenses for compliance with such laws and regulations. Our failure to comply with applicable laws and regulations may result in privacy claims or enforcement actions against us, including liabilities, fines and damage to our reputation, any of which may have a material adverse effect on our results of operations. For example, the European Union's General Data Protection Regulation (the "GDPR"), and the United Kingdom's GDPR impose compliance obligations on companies that process personal data of people in the European Union and United Kingdom, respectively. 
In the U.S., numerous federal, state, and local data privacy laws and regulations govern the collection, use, and processing of personal information, provide rights to residents of those respective states, in some cases including personal information collected from residents in the context of recruitment and employment, as well as business-to-business arrangements. Compliance with these laws, or emerging international, U.S. federal, state or local privacy laws, requires investments into compliance programs, investments to deploy, operate and maintain technology that enables compliance, potential modifications to business processes, ongoing data protection activities and documentation requirements, and creates the potential for fines, individual claims and other liabilities for noncompliance as well as litigation risks, particularly in the event of a data breach, and could have a material adverse effect on our business, including how we use personal information or our results of operations. Certain international, U.S. federal, state laws and regulations also impose obligations to maintain and implement an information security program that includes administrative, technical, physical, or organizational safeguards, as well as obligations to give notice to affected individuals and to certain regulators in the event of a data breach. We may be required to spend significant resources to comply with these information security and data breach legal requirements. A significant data breach (including various forms of external attack, such as ransomware, as well as data incidents resulting from internal actions or omissions) could have negative consequences for our business and future prospects, including possible penalties, fines, damages, reduced customer demand, legal claims against and by customers, personnel, business partners or other persons claiming to be affected, harm to our systems and operations and harm to our reputation and brand. 
In addition, as a contractor supporting defense and national security customers, we are subject to certain additional regulatory compliance requirements relating to data privacy and cybersecurity. Under the DFARS and other federal regulations, our networks and IT systems are required to comply with the security and privacy controls in certain National Institute of Standards and Technology Special Publications ("NIST SP"). To the extent that we do not comply with the applicable security and control requirements, unauthorized access or disclosure of sensitive information could result in a contract termination, which could have a material adverse effect on our business and financial results and lead to reputational harm. We are also subject to the Department of Defense Cybersecurity Maturity Model Certification ("CMMC"), requirements, which will require all contractors to receive specific certifications relating to specified cybersecurity standards in order to be eligible for contract awards. In addition, CMMC certification requirements may be required in modifications to existing contracts. To the extent we are unable to achieve certification in advance of applicable contract awards that specify the requirement, we will be unable to bid on such contract awards or on follow-on awards for existing work with the Department of Defense, depending on the level of standard as required for each solicitation, or be ineligible to receive option awards under existing contracts that specify the certification requirement, which could adversely impact our revenue and profitability. In addition, our subcontractors, and in some cases our vendors, may also be required to adhere to the CMMC program requirements and potentially to achieve certification. Should our supply chain fail to meet compliance requirements or achieve certification, this may adversely affect our ability to receive award or execute on relevant government programs. 
In addition, any obligations that may be imposed on us under the CMMC may be different from or in addition to those otherwise required by applicable laws and regulations, which may cause additional expense for compliance.

---

## Modified: Certain services we provide and technologies we develop are designed to prevent, detect and monitor threats to our customers and may expose us or our customers and business partners to financial loss or physical or reputational harm.

**Key changes:**

- Reworded sentence: "We help our customers prevent, detect, monitor and mitigate threats to their people, information, and facilities."

**Prior (2024):**

We help our clients detect, monitor and mitigate threats to their people, information, and facilities. These threats may originate from nation states, terrorists or criminal actors, activist hackers or others who seek to harm our clients. Successful attacks on our clients may cause reputational harm to us and our clients, as well as liability to our clients or third parties. In addition, if we are associated with our clients in this regard, our staff, systems, information, and facilities may be targeted by a similar group of threat actors and may be at risk for financial loss, or physical or reputational harm.

**Current (2025):**

We help our customers prevent, detect, monitor and mitigate threats to their people, information, and facilities. These threats may originate from nation states, terrorists or criminal actors, activist hackers, financially or politically motivated actors, or others who seek to harm our customers. Successful attacks on our customers may cause reputational harm to us and our customers and business partners, as well as liability to our customers or third parties. If we are associated with our customers and business partners in this regard, our staff, systems, information, and facilities may be targeted by a similar group of threat actors and may be at risk for financial loss or physical or reputational harm. We also design and develop technologies that are highly technical and complex and may contain errors, defects, or security vulnerabilities that cannot be discovered before they are released, installed, and used by our customers. The introduction of new and emerging technologies, such as AI, further increases this risk. Errors, defects or vulnerabilities in the technology we develop could disrupt our customers' or their customers' proper functioning of the technology, cause disruptions in our customers' business operations, or allow unauthorized access to proprietary information, which could cause reputational harm to us and our customers, and could have a material adverse effect on our business and results of operations.

---

## Modified: Increasing scrutiny and changing expectations regarding business operations and associated practices related to matters receiving substantial scrutiny from stakeholders and governmental authorities may impose additional costs on us or expose us to new or additional risks.

**Key changes:**

- Reworded sentence: "There is increased scrutiny from governmental organizations, customers, employees, investors, and other stakeholders on climate change, employee empowerment, and governance issues such as workplace culture, community investment, environmental management, climate impact, and information security."

**Prior (2024):**

There is increased scrutiny from governmental organizations, clients, employees, investors, and other stakeholders on environmental, social and governance ("ESG") issues such as diversity, equity and inclusion, workplace culture, community investment, environmental management, climate impact and information security. We have expended and may further expend resources to monitor, report on and adopt policies and practices that we believe will improve alignment with our evolving ESG strategy and goals, as well as ESG-related standards and expectations of legal regimes and stakeholders such as clients, investors, stockholders, raters, employees, and business partners. If our ESG practices, including our goals for diversity, equity and inclusion, environmental sustainability and information security, do not meet evolving rules and regulations or stakeholder expectations and standards (or if we are viewed negatively based on positions we do or do not take or work we do or do not perform or cannot publicly disclose for certain clients and industries), then our reputation, our ability to attract or retain leading experts, employees and other professionals and our ability to attract new business and clients could be negatively impacted, as could our attractiveness as an investment, service provider, employer, or business partner. Similarly, our failure or perceived failure in our efforts to execute our ESG strategy and achieve our current or future ESG-related goals, targets and objectives, or to satisfy various reporting standards within the timelines expected by stakeholders, or at all, could also result in similar negative impacts. 
Organizations that provide information to investors on corporate governance and related matters have developed ratings processes for evaluating companies on their approach to ESG matters, and unfavorable ratings of our ESG efforts may lead to negative investor sentiment, diversion of investment to other companies, and difficulty in hiring skilled employees. In addition, complying or failing to comply with existing or future federal, state, local, and foreign ESG legislation and regulations applicable to our business and operations, including related to greenhouse gas emissions, climate change, or other matters could cause us to incur additional compliance and operational costs or actions and suffer reputational harm, which could adversely affect our business.

**Current (2025):**

There is increased scrutiny from governmental organizations, customers, employees, investors, and other stakeholders on climate change, employee empowerment, and governance issues such as workplace culture, community investment, environmental management, climate impact, and information security. The quickly evolving technological, social, legal, and political context of these issues may create conflicts, disaffection, and dissatisfaction among laws and various stakeholder expectations. We comply with various federal, state, local, and foreign legislation and regulations related to these issues and applicable to our business and operations. Stakeholders may have expectations that conflict or do not align with our understanding of these laws, our strategies, or the expectations of the U.S. government. We have expended and may further expend resources to monitor, report on and adopt policies and practices that we believe will improve alignment with our evolving strategy and goals regarding these issues and related standards and expectations of legal regimes and stakeholders such as customers, investors, stockholders, raters, employees, and business partners. If our related practices, including our goals for environmental sustainability, and information security, do not meet evolving rules and regulations or stakeholder expectations and standards (or if we are viewed negatively based on positions we do or do not take or work we do or do not perform or cannot publicly disclose for certain customers and industries), then our reputation, ability to attract or retain leading experts, employees and other professionals, and ability to attract new business and customers could be negatively impacted, as could our attractiveness as an investment, service provider, employer, or business partner. 
Similarly, our failure or perceived failure with respect to these issues in our efforts to execute our related strategies and achieve our current or future goals, targets and objectives, or to satisfy various reporting standards within the timelines expected by stakeholders could also result in similar negative impacts. Organizations that provide information to investors on corporate governance and related matters have developed ratings processes for evaluating companies on their approach to many of these issues, and unfavorable ratings of our associated efforts may lead to negative investor sentiment, diversion of investment to other companies, and difficulty in hiring skilled employees.

---

## Modified: Our business is subject to disruption caused by physical or transition risks that could adversely affect our results of operations or financial condition.

**Key changes:**

- Reworded sentence: "We have significant operations located in regions that have been, and may in the future be, subject to a variety of physical risks related to changing weather patterns (including rising temperatures and sea levels, extreme heat, and other severe weather events), natural disasters (including hurricanes, typhoons, tsunamis, floods, earthquakes, fires or wildfires, water shortages and prolonged drought), or pandemics, epidemics and similar disease outbreaks."

**Prior (2024):**

Due to the global nature of our business, we are exposed to a variety of physical risks related to climate change, including rising temperatures and sea levels, extreme heat, and other extreme weather events. Our worldwide operations and the operations of our customers could be subject to natural disasters (including those from climate change) such as hurricanes, typhoons, tsunamis, floods, earthquakes, fires, water shortages and prolonged drought. Such events could disrupt our operations or those of our customers and suppliers, including the inability of employees to work, destruction of facilities, loss of life, and adverse effects on supply chains, power, infrastructure, and the integrity of information technology systems, all of which could materially increase our costs and expenses, delay or decrease revenue from our customers, and disrupt our ability to maintain business continuity. We could incur significant costs to improve the climate-related resiliency of our infrastructure and otherwise prepare for, respond to, and mitigate the effects of climate change. Additionally, if insurance or other risk transfer mechanisms are unavailable or insufficient to recover all costs or if we experience a significant disruption to our business due to a natural disaster, our results of operations could be adversely affected. We may also face operational costs and transition risks due to decisions we make to conduct or change our activities in response to considerations relating to climate change, such as our goal to eventually reach net-zero greenhouse gas emissions. In addition, complying or failing to comply with existing or future federal, state, local, and foreign legislation and regulations applicable to our business and operations related to greenhouse gas emissions and climate change could cause us to incur additional compliance and operational costs.

**Current (2025):**

We have significant operations located in regions that have been, and may in the future be, subject to a variety of physical risks related to changing weather patterns (including rising temperatures and sea levels, extreme heat, and other severe weather events), natural disasters (including hurricanes, typhoons, tsunamis, floods, earthquakes, fires or wildfires, water shortages and prolonged drought), or pandemics, epidemics and similar disease outbreaks. Such events could disrupt our operations or those of our customers and suppliers, including the inability of employees to work, destruction of facilities, loss of life, and adverse effects on supply chains (including materials shortages), power, infrastructure, and the integrity of information technology systems, all of which could materially increase our costs and expenses, delay or decrease revenue from our customers, and disrupt our ability to maintain business continuity. We could incur significant costs to improve the resiliency of our infrastructure and otherwise prepare for, respond to, and mitigate the effects of changing weather patterns, as well as increased compliance and operational costs and transition risks due to changes in future federal, state, local and foreign legislation and regulations applicable to our business or decisions we make to conduct or change our activities in response to considerations relating to changing weather patterns. Additionally, if insurance or other risk transfer mechanisms are unavailable or insufficient to recover all costs or if we experience a significant disruption to our business due to changing weather patterns, natural disasters, or disease outbreaks, our results of operations or financial condition could be adversely affected.

---

*Data sourced from SEC EDGAR. Last updated 2026-05-10.*