Annual report [Section 13 and 15(d), not S-K Item 405]

Cybersecurity Risk Management and Strategy Disclosure

12 Months Ended
Dec. 31, 2024
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
Redwire is committed to maintaining the trust and confidence of our stakeholders, which includes taking appropriate technical and organizational measures for maintaining information security and data privacy. Cybersecurity is critical to advancing our “Heritage plus Innovation” strategy and enabling our digital transformation efforts. We face a multitude of cybersecurity threats that range from attacks common to most industries, such as ransomware and denial-of-service, to attacks from more advanced and persistent, highly organized adversaries, including nation state actors, that target the defense industrial base and other critical infrastructure sectors. Our customers, suppliers, subcontractors and joint venture partners face similar cybersecurity threats, and a cybersecurity incident impacting us or any of these entities could materially adversely affect our operations, performance and results of operations. These cybersecurity threats and related risks make it imperative that we strive to be a leader in the information security field, and we expend considerable resources on cybersecurity.

Our corporate information technology department, which maintains our cybersecurity function, is led by our Chief Information Officer (“CIO”), who reports to our Chief Financial Officer (“CFO”) and has direct access to the CEO regarding information technology and cybersecurity related matters. The Chief Information Security Officer (“CISO”) reports to the CIO and has direct access to the CEO regarding cybersecurity matters. The CISO is responsible for our Company’s information security strategy, policy, security engineering, operations and cyber threat detection and response. Our current CIO and CISO have extensive information technology, cybersecurity and project management experience. Our CIO is a cyber defense, operations and communications officer as a U.S. Navy information professional. Our CISO has over 35 years in various information technology roles, including experience with three other public companies and is a certified information systems security professional (“CISSP”) and DoD information systems security manager. The CISO manages a team of cybersecurity professionals with broad experience and expertise, and have an average of over 15 years in various roles involving information technology, including security and compliance. The corporate cybersecurity and compliance department manages and continually enhances our enterprise security structure with the ultimate goal of preventing cybersecurity incidents to the extent feasible, while simultaneously increasing our system resilience in an effort to minimize the business impact should an incident occur.

In order to assess, identify and manage information security and cybersecurity threats, the Company has implemented a cybersecurity program that includes risk assessment and prevention measures to facilitate communication, training, awareness and incident response procedures. These are integrated into our overall enterprise risk management (“ERM”) process. To the extent the ERM process identifies a heightened cybersecurity related risk, risk owners are assigned to develop risk mitigation plans, which are then tracked to completion. The ERM process’ annual risk assessment is presented to the Board.

The Company maintains policies and procedures to ensure timely and appropriate notifications to relevant parties and regulators as required for cybersecurity threats and data breaches. A designated incident response team is responsible for the execution of Redwire’s data breach response plan. Comprised of Company officers who serve across several functions, the incident response team includes the Company’s CISO, CIO, General Counsel, CFO, Chief Accounting Officer, Cybersecurity Manager and cybersecurity professionals or other employees from the Company’s information technology, finance, compliance and human resources functions support the incident response team, including with respect to diagnosing and mitigating cybersecurity events.

Our cybersecurity policies and frameworks are based on industry and governmental standards to align closely with DoD requirements, instructions and guidance. The Company has adopted the National Institute of Standards and Technology (“NIST”) Special Procedure (SP) 800-171, NIST Cybersecurity Framework and Zero Trust Framework. The NIST SP 800-171 is to ensure compliance for protecting controlled unclassified information for U.S. Government projects as contractually required. The NIST Cybersecurity Framework models the best practices for security and the capabilities needed to identify, protect, detect and respond to cybersecurity risks and events, while the Zero Trust Framework addresses security challenges. The Company is pursuing the U.S. DoD Cybersecurity Maturity Model Certification (CMMC) in 2025. We evaluate our physical, electronic and administrative safeguards on a continuous basis to ensure they are effectively deployed across the business.

The Company has implemented cybersecurity tools to enable a Zero Trust Network Access that includes an Internet Intrusion detection and response combined with an always-on virtual private network solution to reduce our external exposure. We utilize third-party tools to protect Redwire data and implemented the security and data protection technologies. The Company utilizes the industry leading endpoint protection tool recognized by Gartner. We employ threat protection firewalls at our facilities and perform network and vulnerability monitoring with industry leading tools.

We also work with trusted and leading third parties to help us assess and strengthen our information security program. We engage third-party services to conduct evaluations of our security controls, whether through penetration testing, independent audits or consulting on best practices to address new challenges. These evaluations include testing both the design and operational effectiveness of security controls.

We have implemented controls designed to identify and mitigate cybersecurity threats associated with our use of third-party service providers. Such providers are subject to security risk assessments at the time of onboarding, contract renewal, and upon detection of an increase in risk profile. We use a variety of inputs in such risk assessments, including information supplied by providers and third parties. In addition, we require our providers to meet appropriate security requirements, controls and responsibilities and investigate security incidents that have impacted our third-party providers, as appropriate.
Similar to many other companies, we experience attempts to gain unauthorized access to our systems and information on a regular basis, and a number of our employees work remotely, which creates additional opportunities for cybercriminals to exploit vulnerabilities. Despite our security measures, including employee training, our information technology and infrastructure are vulnerable to cyber-attacks, malicious intrusions, breakdowns, destruction, loss of data privacy, breaches due to employee error, malfeasance or other disruptions and we may not be successful in preventing or mitigating a cybersecurity incident that could have a material adverse effect on our operations or financial results. See Item 1A. “Risk Factors” for further discussion of these risks.
Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block]
In order to assess, identify and manage information security and cybersecurity threats, the Company has implemented a cybersecurity program that includes risk assessment and prevention measures to facilitate communication, training, awareness and incident response procedures. These are integrated into our overall enterprise risk management (“ERM”) process. To the extent the ERM process identifies a heightened cybersecurity related risk, risk owners are assigned to develop risk mitigation plans, which are then tracked to completion. The ERM process’ annual risk assessment is presented to the Board.
Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] false
Cybersecurity Risk Board of Directors Oversight [Text Block]
The Company’s Board is responsible for the oversight of management’s process for identifying and mitigating risks, including cybersecurity risks. IT leadership of the Company briefs the Board on a quarterly basis regarding information security matters, including the current cybersecurity landscape, progress on information security initiatives and accomplishments, and an information security dashboard. The Board is apprised of cybersecurity incidents concluded to have a moderate or higher business impact, even if immaterial to us. In the event of an incident, we intend to follow our incident response process, which outlines the steps to be followed from incident detection to mitigation, recovery and notification, including notifying functional areas (e.g. legal), as well as senior leadership and the Board, as appropriate.
Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] The Company’s Board is responsible for the oversight of management’s process for identifying and mitigating risks, including cybersecurity risks.
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block] IT leadership of the Company briefs the Board on a quarterly basis regarding information security matters, including the current cybersecurity landscape, progress on information security initiatives and accomplishments, and an information security dashboard.
Cybersecurity Risk Role of Management [Text Block] Our corporate information technology department, which maintains our cybersecurity function, is led by our Chief Information Officer (“CIO”), who reports to our Chief Financial Officer (“CFO”) and has direct access to the CEO regarding information technology and cybersecurity related matters. The Chief Information Security Officer (“CISO”) reports to the CIO and has direct access to the CEO regarding cybersecurity matters. The CISO is responsible for our Company’s information security strategy, policy, security engineering, operations and cyber threat detection and response. Our current CIO and CISO have extensive information technology, cybersecurity and project management experience. Our CIO is a cyber defense, operations and communications officer as a U.S. Navy information professional. Our CISO has over 35 years in various information technology roles, including experience with three other public companies and is a certified information systems security professional (“CISSP”) and DoD information systems security manager. The CISO manages a team of cybersecurity professionals with broad experience and expertise, and have an average of over 15 years in various roles involving information technology, including security and compliance. The corporate cybersecurity and compliance department manages and continually enhances our enterprise security structure with the ultimate goal of preventing cybersecurity incidents to the extent feasible, while simultaneously increasing our system resilience in an effort to minimize the business impact should an incident occur
Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block] The Chief Information Security Officer (“CISO”) reports to the CIO and has direct access to the CEO regarding cybersecurity matters. The CISO is responsible for our Company’s information security strategy, policy, security engineering, operations and cyber threat detection and response.
Cybersecurity Risk Management Expertise of Management Responsible [Text Block] Our current CIO and CISO have extensive information technology, cybersecurity and project management experience. Our CIO is a cyber defense, operations and communications officer as a U.S. Navy information professional. Our CISO has over 35 years in various information technology roles, including experience with three other public companies and is a certified information systems security professional (“CISSP”) and DoD information systems security manager. The CISO manages a team of cybersecurity professionals with broad experience and expertise, and have an average of over 15 years in various roles involving information technology, including security and compliance.
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
The Company maintains policies and procedures to ensure timely and appropriate notifications to relevant parties and regulators as required for cybersecurity threats and data breaches. A designated incident response team is responsible for the execution of Redwire’s data breach response plan. Comprised of Company officers who serve across several functions, the incident response team includes the Company’s CISO, CIO, General Counsel, CFO, Chief Accounting Officer, Cybersecurity Manager and cybersecurity professionals or other employees from the Company’s information technology, finance, compliance and human resources functions support the incident response team, including with respect to diagnosing and mitigating cybersecurity events.
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true