Iridium Satellite LLC Supplier Cybersecurity Policy
Iridium Satellite LLC and its subsidiaries and affiliates (collectively “Iridium”) requires its contractors, service providers, and suppliers (collectively “Supplier”) to implement and maintain cybersecurity standards with adequate physical, technical and organizational safeguards to protect Iridium Information that is processed, stored or transmitted (“Processed”) by Supplier. Iridium’s Supplier Cybersecurity Policy (the “Policy”) is intended to document the key security requirements Iridium expects its Suppliers to follow.
1.0. Purpose and objectives
1.1 Establish cybersecurity expectations: The purpose of this Policy is to establish the minimum cybersecurity requirements that a Supplier must implement and maintain to protect “Iridium Information,” as defined below, in the performance of Supplier’s agreement(s) for products and/or services with Iridium (the “Agreement”). This Policy specifies technical, physical and organizational safeguards to protect against unauthorized collection, access, use, disclosure, or destruction of Iridium Information Processed by Supplier. Capitalized terms have the meanings set forth below or in the Agreement.
1.2 Incorporation and conflicts: The Policy is hereby incorporated by reference into the Agreement and will form a part of the Agreement as if set forth therein in its entirety. To the extent that a requirement of this Policy directly conflicts with the Agreement, Supplier will promptly notify Iridium of the conflict and will comply with the requirement that is more protective of Iridium Information, or as otherwise agreed to in writing by Supplier and Iridium.
2.0. Scope and applicability
This Policy applies to all Supplier personnel, affiliates, and subcontractors involved in Processing Iridium Information as well as the Supplier systems, applications, infrastructure, and personnel that Process, store, or transmit Iridium Information.
3.0. Governance and responsibilities
3.1 Assigned security responsibility: Supplier shall designate a Security Official who will serve as the primary point of contact for all security matters with Iridium.
3.2 Senior management commitment: Supplier’s senior management is committed to the success of this Policy by providing necessary resources, enforcing policies, and communicating their importance to Supplier personnel.
4.0. Policy Compliance and Standards
4.1 Compliance with recognized standards: Supplier will, at a minimum, comply with the most recent version of one or more of the following industry-recognized standards:
a. International Organization for Standardization (“ISO”) 27001;
b. National Institute of Standards and Technology (“NIST”) Special Publication 800-53;
c. NIST Cybersecurity Framework (“CSF”) 2.0;
d. Center for Internet Security (“CIS”) Critical Security Controls;
e. The Defense Department’s Cybersecurity Maturity Model Certification (“CMMC”) Program; or
f. An alternate standard mutually agreed upon in writing by Supplier and Iridium.
4.2 Security safeguards for Iridium Information: In addition to adhering to one or more of the above standards, Supplier will maintain physical, administrative and technical safeguards and other security measures consistent with current industry best practices (e.g., ISO 27001, NIST CSF, CMMC) to ensure the confidentiality, integrity, and availability of all Iridium Information Processed by Supplier.
4.3 Specific security controls: Supplier will implement and comply with the following requirements:
a. Firewall management: Supplier will install and maintain a working network firewall with a deny-by-default policy. The firewall must limit data access via the Internet, and all Iridium Information must be protected by the firewall at all times.
b. Zero trust security model: Supplier will implement strict identity verification, authorization and least privilege access to ensure only necessary permissions are granted to Supplier Systems Processing Iridium Information.
c. Network segmentation: Supplier will implement network segmentation to protect Iridium Information by logically and/or physically separating systems that process Iridium Information from all other networks.
d. Configuration and patch management: Supplier will keep all systems and software used to Process Iridium Information up to date with the latest upgrades, updates and security patches, which will be applied in a timely and controlled manner following documented change management procedures that include approvals prior to production deployment.
e. Vulnerability management: Supplier will maintain a process to identify, prioritize and remediate known vulnerabilities in all systems. This includes remediating all critical and high-severity vulnerabilities, defined as a Common Vulnerability Scoring System (“CVSS”) score of 7.0 or higher (per CVSS version 4.0 or equivalent), within thirty (30) days of discovery.
f. Open source software management: Supplier will maintain an inventory of open-source software, freeware or publicly licensed software code used by or within Supplier Systems that Process Iridium Information. Supplier will ensure that no such software is used in a manner that would impose disclosure or redistribution requirements on Iridium Information, Iridium proprietary software or intellectual property.
g. Anti-malware protection: Supplier will use and maintain up-to-date anti-malware software on all Supplier Systems that Process Iridium Information. Supplier will ensure all software provided to Iridium is free of malicious code, viruses, backdoors, or other harmful components and will maintain processes to detect and mitigate related threats.
h. Data encryption: Supplier will encrypt Iridium Information at rest and in transit across open or untrusted networks using industry-standard, robust cryptographic protocols. Supplier must use current, non-deprecated encryption algorithms (e.g., AES-256) and avoid known weak algorithms (e.g., MD5, SHA-1). Cryptographic keys must be managed securely, rotated periodically, and access to keys must be limited to authorized personnel.
i. Secure protocol enforcement: Supplier will ensure all data transmissions use secure, encrypted protocols (e.g., HTTPS, SFTP, TLS 1.2+). All legacy or unencrypted protocols must be disabled, securely configured, or tunneled through secure channels.
j. Hardware security and inventory: Supplier will maintain an accurate and up-to-date inventory of all hardware systems that process Iridium Information. All hardware assets must be securely configured and hardened according to industry benchmarks, such as those from CIS.
k. Hardware and media protection: Policies and procedures are implemented to protect hardware and electronic media containing Iridium Information when moving them into, within, and out of Supplier facilities.
l. Data sanitization: Policies and procedures for the sanitization of Iridium Information on Supplier Systems or media are in place and will be conducted in accordance with NIST Special Publication 800-88 Revision 1 or equivalent industry-accepted clear, purge and destroy method to render Iridium Information inaccessible.
m. Security measures for systems: No Iridium Information is downloaded or otherwise Processed on Supplier Systems unless subject to protective measures, including encryption at-rest and up-to-date anti-malware detection and prevention software.
n. Lifecycle management: Supplier will not procure or use any hardware or software platforms for Processing Iridium Information that are at or beyond their end-of-life (“EOL”) or no longer supported by the manufacturer.
o. Security testing: Supplier will regularly test and evaluate its security systems and protocols to ensure they meet the requirements of this Policy. Testing methodologies must include vulnerability scanning and may include penetration testing.
p. Access controls: Supplier will implement and enforce strict access controls to secure Iridium Information, including the following:
- Unique user identifiers: Each individual or service account with electronic access to Iridium Information is assigned a unique ID.
- Least privilege: Access to Iridium Information is restricted to only those individuals with a legitimate “need-to-know” based on the principle of least privilege.
- Access review: A formal review of all user and administrator accounts with access to Iridium Information is performed at least once every ninety (90) days to ensure access is still required.
- Strong password policy: Supplier will mandate and enforce the use of system-enforced strong passwords for all Supplier Systems. Passwords must meet the following minimum criteria: (i) contain at least twelve (12) characters; (ii) contain a combination of uppercase, lowercase, numbers, and special characters; (iii) not be reused; and (iv) be changed whenever a compromise is suspected or has occurred.
- Account lockout: Supplier will maintain and enforce an “account lockout” rule that disables accounts after no more than five (5) consecutive incorrect password attempts.
- Data isolation: Iridium Information will be isolated from Supplier’s and any third-party information unless expressly authorized by Iridium in writing.
- Physical security: Supplier will implement and use secure physical access control measures for facilities processing Iridium Information.
- Logging and monitoring: Supplier will provide Iridium, on an annual basis or otherwise upon written request, logs of all use of Iridium accounts or credentials. This includes detailed logs concerning any attempted impersonation. Supplier will regularly review Supplier System audit logs for signs of anomalous activity.
- Third-party and subcontractor management: Supplier remains responsible for the full performance of its obligations under this Policy, regardless of its use of subcontractors. Supplier must ensure that its subcontractors and their personnel comply with this Policy by flowing down this Policy to subcontractors or by executing agreements with subcontractors that contain requirements that are at least as robust and restrictive as this Policy. Supplier is responsible for all acts and omissions of its subcontractors.
- Secure remote access: All remote access to systems that Process Iridium Information requires multi-factor authentication (“MFA”). This access must occur through an enterprise-managed Virtual Private Network (“VPN”) that uses strong, current encryption (e.g., AES-256 over IPsec or SSL).
- Supplier personnel requirements: Iridium may condition Supplier personnel access to Iridium Information on execution of a nondisclosure agreement (“NDA”). If an NDA is required, Supplier will obtain and deliver signed NDAs for all Supplier personnel with access to Iridium Information. Upon request, Supplier will provide Iridium with a list of all Supplier personnel who have accessed or received Iridium Information and will promptly remove access for any employee no longer requiring such access.
- Business continuity/Disaster recovery: Supplier has policies and procedures in place to respond to outages, disruptions, hacking or emergencies that could adversely affect Iridium Information. This includes data backup and a disaster recovery plan. Annual technical testing should be conducted on contingency plans to ensure the recoverability of backups.
5.0. Cybersecurity Incident Procedures
Incident detection, notification and response: Supplier has established policies and procedures to detect, respond to, and otherwise address Cybersecurity Incidents. Supplier will notify Iridium by email at SOC@iridium.com within 72 hours when Supplier has credible evidence of an actual or suspected Cybersecurity Incident. Supplier will reasonably cooperate with Iridium on Cybersecurity Incident investigation, notifications, remediation, or other obligations required under applicable law.
6.0. Definitions
6.1 Aggregate: To combine or store Iridium Information with any data or information of Supplier or any third party.
6.2 Anonymize: To use, collect, store, transmit, or transform data in a manner that does not identify or permit the identification of a user, device identifier, source, product, service, or Iridium.
6.3 Supplier System: Any network, computer, device, facility, cloud storage, software or application used by or on behalf of Supplier to perform the Agreement or to Process Iridium Information.
6.4 Cybersecurity Incident: Credible evidence of any actual or suspected compromise of Supplier Systems that Process Iridium Information. A Cybersecurity Incident can be an intentional attack, like malware or phishing, or an unintentional human or machine error, leading to a data breach, system outage, or violation of security policies.
6.5 Iridium Information: Individually and collectively, this includes:
a. Iridium non-public proprietary and confidential business or financial information as well as information defined in the Agreement or protected under a non-disclosure agreement.
b. All other data, records, files, content, or information, in any form, acquired, accessed, collected, received, stored, or maintained by Supplier on behalf of Iridium in connection with the Agreement.
6.6 Processing (and derivatives): Any operation or set of operations which is performed on Iridium Information, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.