Cybersecurity & Data Privacy

In this data-driven world, efficiently protecting technology assets and the information they contain is one of the most important responsibilities of technology teams. To achieve this, Booz Allen is rapidly maturing corporate and client data discovery, protection, and governance capabilities. Those include enforcing our data policy, adapting to new threats, and maintaining compliance with continually evolving legal frameworks for data protection.

Cybersecurity

The cyber threat landscape is dynamic and evolving. These threats have compounded as connectivity grows between physical and digital systems. Cyber threats can compromise critical information, disrupt operations, undermine national security, and even put lives in jeopardy. Our clients entrust information to us that is essential to national security and global stability. Because of the importance of this information and its relationship to the overall success of our business, all information owned by or entrusted to Booz Allen must be handled with care and in accordance with industry-standard policies and procedures.

The work of our Enterprise Cybersecurity team is guided by three strategic priorities: protect data and infrastructure, manage cyber risks to the business, and build operational excellence and resiliency. With these in mind, the team fulfills its mission of protecting our firm's data and infrastructure while enabling us to adapt for continued business growth and evolving client requirements. In FY23, Booz Allen renewed its focus on data protection tools, such as sensitivity labels, and internal processes, such as data loss prevention (DLP).

In FY23, Booz Allen continued to build operational excellence and resiliency by maintaining a “SHIELDS UP!” posture, reflecting U.S. Cybersecurity and Infrastructure Security Agency (CISA) guidance in response to Russia's invasion of Ukraine. The Enterprise Cybersecurity team uses information from the government, private information-sharing organizations, paid commercial sources, and open-source intelligence to inform preventative controls, detection capabilities, and response procedures and to brief leaders throughout the firm. The team closely monitors the firm's attack surface to ensure vulnerabilities are identified, mitigated, and remediated before attackers can exploit them, remediating well over 1 million vulnerabilities during FY23. It also conducts frequent, unannounced Red Team operations (offensive security experts who engage in exercises to attack an organization's cybersecurity defenses) against our cyber defenders to validate detection and response procedures while using automated adversary emulation to validate security controls.

We take steps to ensure suppliers will protect Booz Allen information and entrusted information in compliance with applicable legal, regulatory, and contractual requirements. We include provisions in our supplier agreements that incorporate applicable information security requirements, and we require our suppliers to confirm their compliance with these requirements. Depending on the nature of a supplier's work and the sensitivity of the Booz Allen and entrusted information provided to the supplier, we require suppliers to complete our security questionnaires (based on data categorization) and provide evidence of security accreditations (e.g., ISO 27001, SOC 2 Type 2), and we evaluate supplier compliance with security requirements using internal and third-party resources.

Our cybersecurity program is designed to protect assets, such as our networks and data centers and the information they transmit and store. As a member of the Defense Industrial Base (DIB), Booz Allen is subject to mandatory assessment by the Defense Contract Management Agency (DCMA). In FY23, we prepared for the assessment, which was completed in June 2023 at a Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) High Confidence Level.

Given the highly sensitive nature of much of our client work, we prioritize cybersecurity. Our people utilize technology and best practices to help protect our networks, systems, and data assets. Further, we work closely with our suppliers to minimize cybersecurity risks and, as appropriate, flow down applicable laws and regulations.

  • Our enterprise IT complies with and is assessed against NIST SP 800-171, which sets standards for safeguarding sensitive information on federal contractors' IT systems and networks.
  • The Audit Committee leads the Board of Directors' efforts with respect to the oversight of cybersecurity risk.
  • Approximately 65.4% of our people hold security clearances.
  • More than 5,600 of our people hold at least one cybersecurity certification.

Data Privacy

Rapidly evolving global regulations and the growth in the volume and use of personal data have advanced the need to consider privacy rights and practices in all aspects of our work. Beyond applicable regulatory requirements, we carefully assess the impact our work has on individuals and strive to use information in proportional and appropriate ways. To do this, we monitor and educate ourselves on the most current privacy laws and regulatory requirements, industry best practices, and ethical considerations; participate actively in legal, ethics, and compliance organizations; and apply the legal, ethical, and risk implications of laws and industry standards to Booz Allen data protection practices and technologies. Our monitoring extends to U.S. state and federal, regional, and international laws as well as industry best practices. In FY23, we invested in technology and services to enhance our ability to monitor and educate ourselves on new laws as well as on how current laws are modified or applied to new technologies.

We focused our FY23 efforts on developing and modifying policies and procedures, updating vendor and client data privacy exhibits, and educating our people through a new intranet privacy library and other enterprise-wide communications. We also purchased a tool that automates privacy program processes and can work in conjunction with other automated compliance tools Booz Allen uses, in turn supporting our VoLT strategy. Through our processes, we continually reach out to the enterprise and client sector teams to perform privacy impact analyses, implement privacy risk management and governance, provide privacy guidance related to risk and privacy by design, and utilize our contractual data privacy exhibits and data transfer agreements to protect the information we collect and process.

In FY23, we engaged a third party to assess our data privacy program, as we periodically do, and we will incorporate their feedback into the FY24 privacy strategic plan. Also in FY23, we initiated discussion and planning for an enterprise-wide outreach and oversight program that will become part of the FY24 plan.

All Booz Allen people receive training on handling personal data, and we provide role-based training on regulated data types and best practices when applicable. In FY23, we rolled out a new privacy training for all employees, and we identified additional enterprise teams for annual role-based privacy training, adding the information to our learning management system to alert employees of the requirement and track compliance.

We believe in using personal data for legally permissible and specified purposes, and only for as long as necessary. Our FY23 efforts included assessments and adjustments to evaluate and confirm our use of robust data minimization and least-access/privilege practices. Our philosophy is to provide clear notice when we use personal data and limit its use to clear business needs, consistent with the expectations of the individuals and clients whose data we protect.

Cybersecurity Training

We protect our assets by training our people, building a strong security posture across the firm through regular, relevant, and tailored training and awareness efforts.

All employees must complete annual information security training. The training covers Information Security Policy content, including sensitivity labeling and handling different types of data, protecting physical and IT assets, and security best practices.

One of the most prevalent threats today and in the recent past is phishing. We're proud to report that Booz Allen has remained below the 12% industry click rate for phishing susceptibility for three consecutive years, which is due to our continuous awareness reports and end-user training. Users we identify as susceptible to cyber threats become part of a list of at-risk users and receive training opportunities throughout the year. We partner with the Cyber Threat Intel (CTI) team to ensure our phishing simulations emulate real cyber threats. Those real threats become templates to test users' ability to identify and correctly report phishing emails. We also regularly post cyber awareness advisories to internal communication platforms to reduce susceptibility to cyber risks.