Cybersecurity Risk Management and Strategy Disclosure |
12 Months Ended |
|---|---|
Dec. 31, 2024 | |
| Cybersecurity Risk Management, Strategy, and Governance [Line Items] | |
| Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block] |
(a) As discussed in Item 1A, Risk Factors, we face risks associated with security breaches and other significant disruptions of our IT networks and related systems that are essential to our business operations. Due to our Defense/IT strategy and the nature of the customers and activities it serves, we may have a heightened likelihood of being targeted for cyber-attacks or -intrusions, including by governments, organizations or persons hostile to the USG.
Our cybersecurity risk management efforts are informed by a cyber risk assessment, a continuous evaluation of our risks and vulnerabilities and risk tolerances. Our processes for assessing, identifying and managing cybersecurity risks are led by our Vice President – Information Technology and Chief Information Officer (our “CIO”), a management-level position reporting directly to our Executive Vice President and Chief Financial Officer (our “CFO”). Our CIO, a Certified Information Systems Security Professional (“CISSP”) with over 20 years of information systems and information security leadership experience, leads our information technology team (“IT team”) members, many of whom have USG security clearances (including our CIO) and include one additional CISSP team member, in supporting our cybersecurity risk management efforts. This team’s efforts are further informed through their participation in external cybersecurity-related panels, industry presentations and advisory boards, tabletop exercises and information-sharing collaborations and partnerships.
Our IT team executes a series of preventive, detective and responsive measures aimed towards managing our cybersecurity risks, including the following:
>administering a series of processes and automated tools to monitor and alert for potentially malicious activities and vulnerabilities on our network, systems, applications and devices, with the ability to terminate processes and isolate potential vulnerabilities;
>employing tools and controls to support our efforts in identity and access management, device and user management, and authentication;
>ongoing cybersecurity maintenance activities, including scheduled maintenance time windows for comprehensive system updates to occur, with additional ad hoc updates, monitoring of all Company devices for timeliness of security updates and pushing time-sensitive updates to our system infrastructure and devices, as appropriate;
>recurring, redundant backups of our applications, servers and data, with replication to remote storage locations;
>assessing audit reports issued on controls of certain outsourced, or externally-hosted, systems or applications; and
>periodically evaluating our readiness by performing testing of our process and system for responding to cyber events, including our ability to recover following such events.
|
| Cybersecurity Risk Management Processes Integrated [Flag] | true |
| Cybersecurity Risk Management Processes Integrated [Text Block] | Our cybersecurity risk management efforts are informed by a cyber risk assessment, a continuous evaluation of our risks and vulnerabilities and risk tolerances. |
| Cybersecurity Risk Management Third Party Engaged [Flag] | true |
| Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] | true |
| Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] | false |
| Cybersecurity Risk Board of Directors Oversight [Text Block] |
Our CIO routinely apprises our CFO regarding cyber risk management activities and provides updates and data, as needed, to our executive team to facilitate decisions regarding our cyber risk posture and related considerations regarding our enterprise risk management assessment. Our CIO and CFO provide to the Audit Committee of our Board of Trustees: quarterly updates on our cybersecurity risk management strategy and related activities; annual reviews of our cyber risk assessment; and other information as needed to facilitate the committee’s oversight of our cybersecurity risk. Two members of this committee possess technology and cybersecurity experience, which we believe brings valuable insight and perspective to our risk management strategy. Our CIO and CFO also provide an annual review of our cyber risk assessment to our full Board of Trustees.
While to date, we have not experienced cybersecurity events that were individually, or in the aggregate, material, we have developed a cyber-incident response playbook that sets forth our process for responding in the event of certain defined cyber incidents. Under our response protocols, following identification of such an incident, our CIO or other members of the IT team would notify our executive team, which then would notify the Chairman of our Board of Trustees and assemble an Incident Management Team, comprised of certain defined management team members and external consultants, who collectively would assess and monitor the situation and manage internal and external communications.
We also are subject to legal and regulatory requirements that affect our response to cybersecurity-risk management, including the Sarbanes-Oxley Act, state data breach notification requirements and certain requirements under our leases with tenants.
|
| Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] | Our CIO routinely apprises our CFO regarding cyber risk management activities and provides updates and data, as needed, to our executive team to facilitate decisions regarding our cyber risk posture and related considerations regarding our enterprise risk management assessment. Our CIO and CFO provide to the Audit Committee of our Board of Trustees: quarterly updates on our cybersecurity risk management strategy and related activities; annual reviews of our cyber risk assessment; and other information as needed to facilitate the committee’s oversight of our cybersecurity risk. Two members of this committee possess technology and cybersecurity experience, which we believe brings valuable insight and perspective to our risk management strategy. Our CIO and CFO also provide an annual review of our cyber risk assessment to our full Board of Trustees. |
| Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block] | Our CIO routinely apprises our CFO regarding cyber risk management activities and provides updates and data, as needed, to our executive team to facilitate decisions regarding our cyber risk posture and related considerations regarding our enterprise risk management assessment. Our CIO and CFO provide to the Audit Committee of our Board of Trustees: quarterly updates on our cybersecurity risk management strategy and related activities; annual reviews of our cyber risk assessment; and other information as needed to facilitate the committee’s oversight of our cybersecurity risk. Two members of this committee possess technology and cybersecurity experience, which we believe brings valuable insight and perspective to our risk management strategy. Our CIO and CFO also provide an annual review of our cyber risk assessment to our full Board of Trustees. |
| Cybersecurity Risk Role of Management [Text Block] |
Our cybersecurity risk management efforts are informed by a cyber risk assessment, a continuous evaluation of our risks and vulnerabilities and risk tolerances. Our processes for assessing, identifying and managing cybersecurity risks are led by our Vice President – Information Technology and Chief Information Officer (our “CIO”), a management-level position reporting directly to our Executive Vice President and Chief Financial Officer (our “CFO”). Our CIO, a Certified Information Systems Security Professional (“CISSP”) with over 20 years of information systems and information security leadership experience, leads our information technology team (“IT team”) members, many of whom have USG security clearances (including our CIO) and include one additional CISSP team member, in supporting our cybersecurity risk management efforts. This team’s efforts are further informed through their participation in external cybersecurity-related panels, industry presentations and advisory boards, tabletop exercises and information-sharing collaborations and partnerships.
Our IT team executes a series of preventive, detective and responsive measures aimed towards managing our cybersecurity risks, including the following:
>administering a series of processes and automated tools to monitor and alert for potentially malicious activities and vulnerabilities on our network, systems, applications and devices, with the ability to terminate processes and isolate potential vulnerabilities;
>employing tools and controls to support our efforts in identity and access management, device and user management, and authentication;
>ongoing cybersecurity maintenance activities, including scheduled maintenance time windows for comprehensive system updates to occur, with additional ad hoc updates, monitoring of all Company devices for timeliness of security updates and pushing time-sensitive updates to our system infrastructure and devices, as appropriate;
>recurring, redundant backups of our applications, servers and data, with replication to remote storage locations;
>assessing audit reports issued on controls of certain outsourced, or externally-hosted, systems or applications; and
>periodically evaluating our readiness by performing testing of our process and system for responding to cyber events, including our ability to recover following such events.
|
| Cybersecurity Risk Management Positions or Committees Responsible [Flag] | true |
| Cybersecurity Risk Management Positions or Committees Responsible [Text Block] | Our cybersecurity risk management efforts are informed by a cyber risk assessment, a continuous evaluation of our risks and vulnerabilities and risk tolerances. Our processes for assessing, identifying and managing cybersecurity risks are led by our Vice President – Information Technology and Chief Information Officer (our “CIO”), a management-level position reporting directly to our Executive Vice President and Chief Financial Officer (our “CFO”). |
| Cybersecurity Risk Management Expertise of Management Responsible [Text Block] | Our CIO, a Certified Information Systems Security Professional (“CISSP”) with over 20 years of information systems and information security leadership experience, leads our information technology team (“IT team”) members, many of whom have USG security clearances (including our CIO) and include one additional CISSP team member, in supporting our cybersecurity risk management efforts. This team’s efforts are further informed through their participation in external cybersecurity-related panels, industry presentations and advisory boards, tabletop exercises and information-sharing collaborations and partnerships. |
| Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block] | Under our response protocols, following identification of such an incident, our CIO or other members of the IT team would notify our executive team, which then would notify the Chairman of our Board of Trustees and assemble an Incident Management Team, comprised of certain defined management team members and external consultants, who collectively would assess and monitor the situation and manage internal and external communications. |
| Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] | true |