XML 51 R34.htm IDEA: XBRL DOCUMENT v3.26.1
Cybersecurity Risk Management and Strategy Disclosure
12 Months Ended
Apr. 30, 2026
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]

Risk Management and Strategy

Our cybersecurity program is designed to identify, detect, protect against, respond to, and recover from cyber risks and incidents. Our cybersecurity program is part of our internal risk management processes, and we improve our cybersecurity practices as new threats and vulnerabilities emerge.

Our Chief Information Officer (“CIO”) and Chief Information Security Officer (“CISO”) / Vice President of Cybersecurity, both within our CIO organization, are responsible for protecting the company from cybersecurity threats. Incidents are triaged, contained and remediated pursuant to our Incident Response Plan and playbooks. This process also includes leadership and members of our IT, Legal, Security, Marketing and Communications, and other departments responsible for supporting the technologies and processes to protect against, detect, contain, mitigate, and recover from cybersecurity incidents.

Our cybersecurity team proactively hunts for cyber threats and vulnerabilities in our networks and information systems as part of our cyber risk management program. This includes monitoring our networks and systems for indicators of compromise (“IOCs”), active intrusion attempts, and other suspicious activity, including insider threat risks. The Security Operations Center team evaluates and assigns severity levels to cybersecurity incidents and, based on the severity, escalates and engages incident response teams to respond to and mitigate the risks. The cybersecurity team stays apprised of existing and emerging cybersecurity threats through commercial threat intelligence feeds and by partnering and data sharing with third parties such as the U.S. government, law enforcement agencies, customers, and other Defense Industrial Base (“DIB”) participants. We also engage third parties to conduct evaluations of our cybersecurity controls by performing penetration testing and controlled cybersecurity framework audits. We also review the cybersecurity practices of our third-party service providers and suppliers.

We require our employees to take cybersecurity-related training regularly to promote awareness of how to detect, report, and respond to cybersecurity threats. Employees with certain roles and responsibilities are also assigned cyber training for their specific functions. We also maintain an Insider Threat program, headed by our CISO, to identify, assess, and deal with potential risks from within our company, including cybersecurity risks.

We have aligned our cybersecurity program to the Cybersecurity Maturity Model Certification (“CMMC”) program. Given the diverse nature of our U.S. business and foreign business, other frameworks and requirements may also be used and may impose compliance demands beyond those currently anticipated. We are also subject to numerous legal requirements, including those governing privacy and data protection requirements and others pursuant to the Federal Acquisition Regulation (“FAR”), agency supplements to the FAR, such as the Defense Federal Acquisition Regulation Supplement (“DFARS”), other regulatory requirements imposing controls for protecting information, including U.S. government Controlled Unclassified Information (“CUI”), International Traffic in Arms Regulations (“ITAR”), as well as requirements for reporting cybersecurity incidents to the relevant regulators.

If we fail to achieve or maintain CMMC certification ahead of contract awards from the DoD, or if we fail to achieve the level required for a particular contract, we will be unable to bid on new contracts or follow-on efforts containing CMMC clauses, which could adversely impact the success of our operations. Due to the evolving nature of CMMC and other regulatory requirements, changing customer guidance on data designations, acquisitions, unexpected environments, and the potential for new cybersecurity requirements, there is a risk that we may not meet these new requirements and be unable to bid on certain contracts or be eligible for renewals of existing contracts. Government or business decisions could change which areas of the business need to be compliant, which can incur costs or delays in eligibility for the associated contracts. Failure to adhere to cybersecurity requirements during the performance of government contracts could also subject us to liability for such non-compliance. Additionally, our subcontractors and certain vendors may need to obtain CMMC or other certifications, and we may be negatively impacted if they are not compliant with these requirements.

Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block] Our cybersecurity program is designed to identify, detect, protect against, respond to, and recover from cyber risks and incidents. Our cybersecurity program is part of our internal risk management processes, and we improve our cybersecurity practices as new threats and vulnerabilities emerge.
Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] false
Cybersecurity Risk Board of Directors Oversight [Text Block]

Governance

Our CIO and CISO / VP of Cybersecurity, each with 20+ years of related experience, are responsible for the day-to-day management of our cybersecurity program and cybersecurity risks. Our CISO and team are primarily responsible for our overall cybersecurity risk management program and supervise both internal and external resources to identify, protect against, detect, respond to, and recover from cybersecurity risks, threats, and incidents.

We have monthly meetings of our internal Configuration Control Board to help communicate and manage changes to our enterprise cybersecurity strategy and ensure it is implemented across the business, as well as to maintain awareness of events and changes occurring throughout the business.

The CISO / VP of Cybersecurity reports cybersecurity incidents to members of the company’s senior management, including the CIO, Chief Executive Officer (“CEO”), and the Board of Directors based on the severity and type of the incident to ensure proper external reporting is completed thoroughly and timely.

Pursuant to its charter, the Cybersecurity Committee of our Board of Directors is responsible for reviewing, discussing, and making recommendations to the full board regarding cybersecurity matters. Our CIO and CISO / VP of Cybersecurity provide presentations to the Cybersecurity Committee on our cybersecurity program at each of the committee’s regularly scheduled quarterly meetings. These briefings include assessments of the cyber risk and threats landscape, updates on incidents, policies and procedures, and our investments and plans in cybersecurity risk mitigation and governance. The Cybersecurity Committee also meets with the CIO and CISO to discuss various aspects of our cybersecurity program between regular meetings. All members of the Board of Directors are invited to attend all meetings of the Cybersecurity Committee, and the committee regularly briefs the entire board regarding its oversight of our cybersecurity program.

Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] Board of Directors
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block] Our CIO and CISO / VP of Cybersecurity provide presentations to the Cybersecurity Committee on our cybersecurity program at each of the committee’s regularly scheduled quarterly meetings. These briefings include assessments of the cyber risk and threats landscape, updates on incidents, policies and procedures, and our investments and plans in cybersecurity risk mitigation and governance. The Cybersecurity Committee also meets with the CIO and CISO to discuss various aspects of our cybersecurity program between regular meetings. All members of the Board of Directors are invited to attend all meetings of the Cybersecurity Committee, and the committee regularly briefs the entire board regarding its oversight of our cybersecurity program.
Cybersecurity Risk Role of Management [Text Block] Our CISO and team are primarily responsible for our overall cybersecurity risk management program and supervise both internal and external resources to identify, protect against, detect, respond to, and recover from cybersecurity risks, threats, and incidents
Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block] CIO and CISO / VP of Cybersecurity
Cybersecurity Risk Management Expertise of Management Responsible [Text Block] Our CIO and CISO / VP of Cybersecurity, each with 20+ years of related experience, are responsible for the day-to-day management of our cybersecurity program and cybersecurity risks.
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]

We have monthly meetings of our internal Configuration Control Board to help communicate and manage changes to our enterprise cybersecurity strategy and ensure it is implemented across the business, as well as to maintain awareness of events and changes occurring throughout the business.

The CISO / VP of Cybersecurity reports cybersecurity incidents to members of the company’s senior management, including the CIO, Chief Executive Officer (“CEO”), and the Board of Directors based on the severity and type of the incident to ensure proper external reporting is completed thoroughly and timely.

Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true