Trust Center

Governance

Last Updated: April 10, 2025 9:23 am MDT

Zayo stakeholders understand the importance and urgency of implementing strong, durable safeguards for our products and services. To ensure consistency and compliance, Zayo follows the Unified Compliance Framework, which outlines a set of common control criteria that align with global standards, laws, regulations, directives, guidelines, and best practices (“requirements”). As new requirements emerge that impact our products and services, Zayo is committed to continuously improving our control environment to drive security maturity.

Zayo’s global security program offers comprehensive solutions that cover all aspects of security, including data security, product security, physical security, Enterprise Risk Management, and cybersecurity, all aligned to the Unified Compliance Framework. Our approach to data protection is built on a robust Risk Management Framework in order to identify and mitigate potential threats before they can become issues.

Aligned with program policies, standards, directives and governance, Zayo’s management teams are responsible for overseeing Information and Communications Technology management. Zayo’s board members, executive leaders, and senior managers are expected to define and implement appropriate risk management strategies, based on Zayo’s Security Governance Framework, overarching Security Policy, and underlying Standards that make up the overall security program. They are responsible for staying informed about the evolving risk landscape, ensuring the strategies are executed effectively, and communicating them appropriately to Zayo stakeholders. Zayo’s leaders and workforce are held personally accountable for any failure to comply with these requirements.

Objectives

Zayo’s Security Governance Framework serves as the foundation for corporate governance, which enables the Organization to improve business performance and reduce risk. This Framework aims to meet the following objectives:

  • Strategic Alignment and Operational Efficiency: Streamline organizational activities by integrating corporate strategies into day-to-day processes, ensuring efficient execution and strategic alignment. Enhance operational efficiency through consistent process execution, minimizing variability, and optimizing productivity via standardized governance practices.
  • Comprehensive Policy Management and Compliance: Maintain a transparent policy framework, providing users with a guide for adherence to standards, and fostering a culture of compliance. Minimize regulatory risk through robust governance measures, ensuring industry regulations are met and promoting a proactive approach to risk management.
  • Financial Integrity and Stakeholder Trust: Enhance internal controls and audit processes for accurate, reliable, and transparent financial reporting, minimizing fraud risk. Strengthen relationships with external stakeholders by demonstrating a commitment to governance excellence, fostering trust, and creating a credible reputation.
  • Innovation, Diversity, and Adaptive Culture: Encourage an adaptive culture through governance practices supporting new ideas, technologies, and processes. Promote diversity, equity, and inclusion, fostering a workplace that values differences and ensures fair opportunities for all.
  • Responsible Resource Management and Social Impact: Improve financial sustainability through governance practices optimizing resource allocation and enhancing fiscal responsibility. Incorporate strategies emphasizing environmental and social responsibility to meet the expectations of socially conscious stakeholders.

FAQs

  • Audit and Compliance

    What is the scope of an audit?

    The scope of an audit refers to the specific areas, processes, or financials under review. It can include financial statements, compliance with laws and regulations, internal controls, or operational performance. The scope is typically defined during the initial stages of the audit to meet regulatory or business requirements.

    How does Zayo ensure compliance with industry regulations?

    To ensure consistency and compliance, Zayo follows the Unified Compliance Framework (UCF), which outlines a set of common control criteria that align with global standards, laws, regulations, directives, guidelines, and best practices (“requirements”). As new requirements emerge that impact our products and services, Zayo is committed to continuously improving our control environment to drive security maturity. Our compliance team continuously monitors changes in regulatory requirements and ensures our practices align with the latest standards. Regular internal audits, employee training, and external audits also play a key role in this process.

    What happens if Zayo fails an audit or compliance check?

    If an audit or compliance check reveals issues, Zayo logs them as issues for remediation as part of our Risk Management program. Corrective actions are assigned to appropriate operational teams as the 1st line of defense for remediation.

    How do you handle sensitive data during an audit?

    We take data privacy and security very seriously. All sensitive data is handled with the utmost care, in compliance with data protection regulations such as GDPR or HIPAA. Auditors are required to sign non-disclosure agreements (NDAs), and data is stored in secure environments with restricted access.

    What are the key benefits of performing regular compliance audits?

    Regular compliance audits help identify risks early, ensure legal compliance, improve operational efficiency and security, and provide confidence to stakeholders. They also allow Zayo to address issues before they escalate into costly problems or legal issues.

    How does Zayo prepare for an audit?

    To prepare for an audit, Zayo ensures that all relevant documents, records, and policies are up to date and easily accessible. We conduct internal reviews to identify and address any gaps in compliance, train key employees on audit processes, and ensure our internal controls are functioning.

    What is the difference between internal and external audits?

    An internal audit is conducted by employees within the Organization to assess risk management, compliance, and internal controls. External audits are carried out by third-party firms to provide an unbiased review of financial statements and compliance with legal or regulatory standards. External audits tend to be more formal and may be required by law, investors, or other stakeholders.

    What is the Unified Compliance Framework (UCF)?

    The UCF is one of the largest frameworks for aggregating Authority Documents into a collective whole. It then aligns and harmonizes the requirements within a set of de-duplicated common controls. For more information about the UCF, refer to https://www.unifiedcompliance.com/home.

    What authoritative sources does Zayo consider in its common controls framework?

    Zayo’s compliance team continuously monitors for new global regulations and requirements and incorporates authoritative sources as needed. Today, Zayo considers the following sources within its common controls framework:

    • Regulation (EU) 2024/1689 of the European Parliament and of the Council – on Artificial Intelligence
    • Cybersecurity Maturity Model Certification (CMMC) Level 1
    • Colorado Revised Statutes, Title 6, Article 1 – Artificial Intelligence Act
    • Directive (EU) 2022/2555 of the European Parliament and of the Council – on measures for a high common level of cybersecurity across the Union
    • Regulation (EU) 2022/2554 of the European Parliament and of the Council – on digital operational resilience for the financial sector
    • Regulation (EU) 2016/679 of the European Parliament and of the Council – General Data Protection Regulation (GDPR)
    • FIPS Publication 140-2 – Security Requirements for Cryptographic Modules
    • FedRAMP Security Controls – Moderate Baseline
    • ISO 22301:2019 – Security and resilience – Business continuity management systems – Requirements
    • ISO 45001:2018 – Occupational health and safety management systems – Requirements with guidance for use
    • ISO 9001:2015 – Quality management systems – Requirements
    • ISO/IEC 27002:2022 – Information security, cybersecurity and privacy protection – Information security controls
    • ISO/IEC 27001:2022 – Information security, cybersecurity and privacy protection – Information security management systems – Requirements
    • ISO/IEC 28394:2023 – Information technology – Information security management – Security requirements for service providers
    • ISO/IEC 38507:2022 – Information technology – Governance of AI and autonomous systems – Overview of principles and practices
    • NIST Special Publication 800-171 Revision 3 – Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
    • NIST AI 100-1 – Artificial Intelligence Risk Management Framework
    • NIST Cybersecurity Framework (CSF) 2.0 – Framework for Improving Critical Infrastructure Cybersecurity
    • NIST Special Publication 800-161 Revision 1 – Cybersecurity Supply Chain Risk Management Practices for Federal Information Systems and Organizations
    • NIST Special Publication (SP) 800-53 Revision 5.1.1 – Security and Privacy Controls for Information Systems and Organizations
    • Payment Card Industry Data Security Standard (PCI DSS)
    • Personal Information Protection and Electronic Documents Act (PIPEDA)
    • Public Company Accounting Reform and Investor Protection Act of 2002
    • Statement on Standards for Attestation Engagements (SSAE) No. 18 – Attestation Standards: Clarification and Recodification
    • SOC 2® – Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy
    • Web Content Accessibility Guidelines (WCAG) 2.1

    Is Zayo in scope for the Digital Operations Resilience Act (DORA)?

    DORA places significant responsibility on financial entities to manage and oversee their third-party ICT providers. It emphasizes thorough due diligence, continuous monitoring, clear contracts, and incident management, all aimed at ensuring operational resilience in the face of disruptions or cyber risks. Financial institutions must be proactive in managing these risks to comply with DORA’s standards. DORA requirements for third-party ICT focus on managing risks arising from outsourcing critical ICT services, which could impact operational resilience.

    Zayo is not a financial services entity and has not been designated as a critical Information and Communications Technology (ICT) third party service provider, but Zayo acknowledges and appreciates the impact of DORA on financial services entities and includes DORA in its common controls framework as outlined by the Unified Compliance Framework (UCF). Our Organizational programs address DORA regulations as they apply to ICT third party service providers in the following areas:

    • Risk Management
    • Incident Reporting
    • Resilience Testing
    • Compliance with Security Standards
    • Contractual Obligations
    • Monitoring and Oversight

    For more information, refer to International Regulatory Compliance.

    What is Zayo’s approach to Europe’s new Network and Information Security 2.0 Directive (NiS2)?

    NiS2 aims to enhance the cybersecurity landscape by introducing a Cyber Crisis Management Structure through the European Cyber Crisis Liaison Organization Network (EU-CyCLONe). It promotes harmonization of security requirements, encourages national strategies to address new areas such as supply chain and vulnerability management, and expands the sectors covered, thereby increasing the number of entities responsible for cybersecurity.

    NiS2 significantly broadens the scope of compliance to include mid-sized and large companies across 18 critical sectors, such as energy, transport, and healthcare. Organizations classified as essential or important must establish incident-reporting processes for significant security breaches, guided by criteria related to location, size, and industry.

    Zayo is proactively aligning its operations with NiS2 as an Essential Entity and includes NiS2 in its common controls framework as outlined by the Unified Compliance Framework (UCF). Under the guidance of the Chief Security Officer (CSO), Zayo is implementing safeguards as part of its security program to meet NiS2 requirements while ensuring compliance with other global regulations.

    For more information, refer to International Regulatory Compliance.

    Is Zayo compliant with the UK Telecommunications Security Act (TSA)?

    The Telecommunications Security Act (TSA), effective March 31, 2025, introduces new security regulations for telecom providers in the United Kingdom (UK), responding to evolving geopolitical threats and increasing cybercriminal activity. The Act establishes a ‘Three Layer Framework’ and a tiering system that categorizes providers based on size and annual revenue, determining compliance requirements and timelines. The UK Office of Communications (Ofcom) is the regulatory body supervising the UK communications industry. The TSA passed into law on October 1, 2022, ushering in a number of new security requirements for public telecom providers.

    Zayo, classified as a Tier 2 provider, is proactively aligning its operations with TSA requirements through its governance framework of common controls. Currently, the TSA is not available as an authoritative source in the UCF; however, Zayo has performed a gap analysis and an internal audit to determine the safeguards required within our common controls to meet initial compliance measures, and continues to enhance its Security program with guidance from its Chief Security Officer (CSO).

    For more information, refer to International Regulatory Compliance.

    Is Zayo in scope for PCI?

    With regard to PCI, Zayo is both a Merchant and a Service Provider. In both instances, the scope of responsibilities the Organization shares in protecting cardholder data is limited, as Zayo does not store, transmit, process, or dispose of cardholder data or maintain a Cardholder Data Environment (CDE).

    • Merchant: Zayo accepts credit card payments from customers through customer account management portals and an Integrated Voice Response (IVR) system. These mechanisms provide a branded interface (wrapper) and coded calls that redirect customers to engage directly with third-party payment processors. Third-party payment processors use tokenized authorization methods to confirm identity and access before accepting, storing, or processing cardholder data on behalf of Zayo. Zayo complies with its PCI requirements and completes an SAQ-A-EP on an annual basis.
    • Service Provider: Zayo provides some services that may impact the security of customers who store, transmit, process, or dispose of cardholder data. As a Service Provider, Zayo and its customers have shared PCI responsibilities. Customers are responsible for protecting their cardholder data and CDE, and Zayo is responsible for protecting the network and service components of the customer CDE. Zayo complies with its PCI requirements and completes Attestations of Compliance (AOCs) for its relevant service provider services annually. For more information about shared PCI responsibilities, refer to the PCI-DSS v4.0 Service Provider Responsibility Matrix.

    Does Zayo hold a valid information security/cybersecurity third-party attestation or certification (e.g., ISO 27001, SOC 2 Type 2, CMMC Level 3-5, Cybersecurity Maturity Assessment, etc.)?

    Zayo does not hold security certifications for its network transport products, as we do not collect, store, or process customer data. Beginning in 2025, Zayo has embarked on a strategic company-wide effort to achieve certifications for its other products and services across SOX, SOC 1, SOC 2, FedRAMP, ISO 9001, 14001, 20243, 27001, and 45001, and the Capability Maturity Model Integration (CMMI) accreditation program. We are also exploring additional certifications to expand compliance capabilities in the US, Canadian, and European markets.

    Zayo Europe is certified in ISO 27001, ISO 9001, ISO 14001, and ISO 45001. SOC 2 certification applies only to voice services in Canada.

  • Enterprise Resilience

    Does Zayo have a Business Continuity Plan (BCP) and a Disaster Recovery (DR) plan?

    Zayo’s Incident Management Plan and Business Continuity Management Program include: identification of a cyber security incident, investigation of the situation (including triage), taking appropriate action (e.g. containing the incident and eradicating its source), reporting to relevant stakeholders, and recovering from a cyber security incident. Zayo treats all events with equal urgency and tests during all real-time events. Outside of real-time events, the Incident Management Plan is tested on an annual basis through tabletop exercises and after-incident reports.

    BC/DR plans enable recovery from the following events:

    • Critical technology or software failure
    • Critical technology supplier or utility failure
    • Loss or corruption of any critical information
    • Disclosure of critically sensitive information

    Have Zayo Business Continuity (BCP) and Disaster Recovery (DR) plans been assessed, developed, and tested for large scale remote working?

    The Organization’s Business Impact Analysis considers resource requirements during large scale remote working arrangements. BCP and DR strategies and runbooks are developed to address large scale remote working, and tabletop exercises and simulations include large scale remote working scenarios. Zayo tests its resiliency plans on an annual basis and as real world incidents occur.

    What does the BC/DR exercise program include?

    • Exercises are conducted and updated on a regular, planned basis
    • Exercises cover all operations required to resume business
    • Each exercise has a post-exercise report with recommendations for improvement
    • All key personnel participate in BCP/DR plan exercises
    • BCP/DR plan exercises include critical systems recovery

    Does Zayo have a disaster response plan that includes contingency plans and response protocols for potential short-term acute events (e.g., hurricane, earthquake, flooding, etc.) and long-term climate-related risk impacts (e.g., changes in precipitation, increased average temperature, and sea level rise)?

    Zayo’s Incident Management Plan and Business Continuity Management Program treat all scenarios and events with equal urgency and are tested during all real-time events. Outside of real-time events, the Incident Management Plan is tested on an annual basis through tabletop exercises and after-incident reports.

    Does Zayo’s Disaster Recovery plan include how to manage potential increases in frequency, severity, or duration of weather events?

    Zayo’s Incident Management Plan and Business Continuity Management Program treat all scenarios and events with equal urgency and are tested during all real-time events. Outside of real-time events, the Incident Management Plan is tested on an annual basis through tabletop exercises and after-incident reports.

    Has Zayo conducted vulnerability assessments, risk assessments, or other calculations to identify what impact physical risks associated with climate-related risks (e.g., increases in precipitation-driven flooding, extreme heat events, and inundation due to sea level rise and storm surge) might have on your assets, products, and/or services?

    Yes.

    Does the Disaster Recovery plan describe which assets, products, services would most significantly disrupt operations if they experienced short term acute damage (immediate failure, either temporary or catastrophic)?

    Yes.

    Does the disaster response plan describe which assets, products, services, would most significantly disrupt operations if they experienced gradual long-term cumulative damage (slower degradation; greater wear and tear)?

    Yes.

    What do Zayo’s backup processes cover?

    • Applications
    • Databases
    • Endpoints
    • Network Drives (including those used by individuals)
    • Collaboration tools
    • System configurations
    • OT-related systems (if applicable)

    What do Zayo’s backup processes include?

    • Backup frequency is defined by business criticality
    • Backup restores are performed at a frequency defined by business criticality
    • Backup data is periodically audited for completeness and accuracy
    • Backups are encrypted

    Which cloud provider services are utilized by Zayo as part of the backup strategy to accelerate the recovery of data loss?

    Zayo utilizes cloud solutions that offer cloud-based data storage and email.

    Does Zayo have sufficient redundancies in place to ensure the availability of information processing facilities?

    Redundancy is built into Zayo systems for failover events. Backups for power, operations centers, IT systems, and data are also in place.

    What kind of backup system is used for devices that connect remotely?

    Backup of all data is enabled, performed locally and centrally at regularly scheduled intervals in alignment with data/security policies.

  • Incident Response

    Does Zayo have a cybersecurity Incident Response Plan?

    Yes. Zayo’s cybersecurity Incident Response Plan is in place and addresses the following:

    • Identification of a cyber security incident
    • Investigation of the situation (including triage)
    • Taking appropriate action (e.g. containing the incident and eradicating its source)
    • Reporting to relevant stakeholders
    • Recovering from a cyber security incident

    How often does Zayo review and update incident response plans?

    Incident response plans are reviewed and updated at least annually.

    Are tabletop exercises performed?

    Yes. Tabletop exercises are performed with the following requirements:

    • Tabletop exercises are based on emerging risks and threats
    • Tabletop exercises involve stakeholders listed in an incident response plan
    • Tabletop exercises involve senior management
    • Lessons learned/improvement actions are documented after tabletop exercises

    Has Zayo partnered with any incident response security vendors?

    Yes. Zayo has partnered with incident response security vendors for the following purposes:

    • Notification & Monitoring
    • Breach Prevention

    Do you have a documented incident response process and a dedicated incident response team?

    Yes.

    What is Zayo’s process for reviewing and exercising the resiliency plan?

    Zayo continuously tests its resiliency protocols and exercises the plans annually and during real-world events that are managed and escalated appropriately.

    What is Zayo’s process to ensure customers and external entities (such as government agencies) are notified of an incident when a product or service is impacted?

    Customers and external entities are notified by email when an impactful incident occurs. Zayo is also implementing a system of notification in the online Trust Center.

    Does Zayo have processes or procedures to recover full functionality, including integrity verification, following a major cybersecurity incident?

    Yes.

    Do you insure for financial harm from a major cybersecurity incident (e.g., self-insure, third party, parent company, etc.)?

    Yes.

    Does coverage include financial harm to Zayo customers resulting from a cybersecurity breach which has impacted your company?

    Yes, to the extent of Zayo’s liability. Zayo is not the controller of customer data.

  • Risk Management

    What is the difference between a risk and an issue?

    A risk is a potential event or condition that, if it occurs, could impact Zayo’s ability to achieve its business objectives. A risk represents uncertainty about what may or may not happen in the future. A risk rarely goes away, but the level of risk may change based on mitigation strategies that lower the impact to the business and the likelihood of it occurring.

    An issue is a current problem or situation that is affecting the Organization right now. It’s something that has already occurred or is currently happening and requires resolution.

    Does collaboration exist between relevant functions, including Internal Audit, Information Technology, Security, Legal / Compliance, Risk Management, and Business Continuity, to measure and manage cyber risks?

    Yes, there is formal and consistent collaboration between functions. Zayo’s Risk Management program aligns with the Three Lines of Defense model, consisting of operational units (1st line), risk management and compliance functions (2nd line), and internal audit (3rd line). This multi-layered defense model enhances our ability to identify and address risks and promotes accountability, transparency, and resiliency across the Organization.

    How is the senior cyber security leader engaged during reviews of strategic decisions including significant capital investment, new market entry, new product development, or M&A activity?

    • Provides insight into risks before a decision is made
    • Provides insight into risks after a decision has been made
    • Assists in evaluating commercial impact to the business risk profile
    • Provides recommendations for risk remediation strategies and action plans once a decision is made

    How are risks identified?

    The 1st line of defense, our operational managers and staff, is responsible for identifying risks and issues within their areas and ensuring that the processes and activities are controlled.

    How are risks assessed?

    The risk assessment process is coordinated by the 2nd line of defense, our Risk Management and Compliance teams. When a risk is identified by the 1st line of defense, the 2nd line ensures the risk is added to the Risk Register. The risk is then assigned to the appropriate 1st line operational unit, who then formally assesses the risk to determine a risk rating based on impact and likelihood.

    [Image: Risk Rating table based on Impact and Likelihood]

    How are risks treated?

    Once a risk has been identified and assessed, one or more of the following risk treatment options are applied to the risk. The treatment is the 1st line’s response on how they will manage the risk:

    • Accept: Accept the risk within risk tolerance levels without the need for additional action. Where the risk acceptance relates to non-compliance with a policy or standard, a policy exception is completed to document the risk acceptance.
    • Avoid: Apply responses to ensure that the risk does not occur. Avoiding a risk may be the best option if there is not a cost-effective method for reducing the risk to an acceptable level. The cost of lost opportunity associated with such a decision is considered as well.
    • Mitigate: Apply actions (controls) that reduce the threats, vulnerabilities, and impacts of a given risk to an acceptable level. Responses may include those that help prevent a loss or limit such a loss by decreasing the amount of damage and liability.
    • Transfer: For risks that fall outside of the tolerance levels, the level of risk may be reduced to an acceptable level by sharing a portion of the consequences with another party. While some of the financial consequences may be transferable, there are often consequences that cannot be transferred.

    Does Zayo have processes relating to remediation of security risks and vulnerabilities, and how does Zayo intend to use these processes to remediate any security-related issues discovered in relation to systems holding or processing customer data?

    Processing and/or storage of personal data transferred by customers is limited to contact information (e.g., names, addresses, contact details, IP addresses) of customer employees, representatives, contractors or agents who are involved or interact with Zayo in the provision of services by Zayo to the customer under the agreement. Zayo is not the controller of customer data. The risk assessment process is coordinated by the Security Team, identification of threats and vulnerabilities is performed by asset owners, and assessment of consequences and likelihood is performed by risk owners. Risk treatment is implemented in response to each risk and is conducted by the teams relevant to the risk.

  • Security Governance

    How is Zayo’s Security Governance Framework structured?

    Using a Common Control Framework (CCF) based upon the UCF, Zayo is able to ensure compliance with regulatory requirements, industry best practices, and other authoritative sources as defined by various leading global organizations. The Organization’s CCF is structured around various control families or domains, with each family representing a group of related controls from multiple regulations or standards, aligning them based on their common objectives and functional areas. This ensures the Organization’s compliance with a multitude of global industry standards, regulations, and best practices.

    Does Zayo share its governance documentation with customers?

    No. Zayo does not share governance documents in their entirety as they are treated as internal resources that are proprietary in nature. This fosters accountability and confidentiality, guiding teams through crises while ensuring compliance with industry standards.

    Is there a process used to verify that information is categorized according to legal, regulatory, or internal sensitivity requirements?

    Yes. Information is categorized using data classification standards and document retention policies.

    Do you follow operational standards or frameworks for managing Information Security/Cybersecurity?

    Zayo’s security program is based upon the Unified Compliance Framework (UCF) and structured around a set of control objective categories addressing controls from a multitude of authoritative industry standards and requirements. For more information about the UCF, refer to https://www.unifiedcompliance.com/home.

    Do you have company-wide, publicly available security policies in place covering privacy?

    Yes. You can find publicly available policies under the Governance category of the Trust Center. For privacy information, please refer to Zayo’s Privacy Policy.

    What mechanisms are in place to ensure Zayo policy and standards are enforced within your supply chain?

    Zayo is a global corporation and rigorously assesses all Suppliers by strictly enforcing Inherent Risk Questionnaires (IRQs), Office of Foreign Assets Control (OFAC) and Committee on Foreign Investment in the United States (CFIUS) reviews, and Data Processing Addendums (DPAs). Agreements with Suppliers must include requirements to address the information security risks associated with information and communications technology services and the Organization’s product supply chain, which includes cloud computing services. It is the responsibility of Users to work with Suppliers to understand the information and communication technology supply chain so that the Organization knows the components that could have an important impact on the products and services being provided.

    Supplier agreements state that Suppliers must adhere to the security requirements specified in the Supplier Relationships Policy they are required to sign, that the specified security requirements and practices are propagated throughout the supply chain, and that relevant Organization teams associated with the Supplier and Supplier contract must ensure that monitoring is in place for validating that delivered information and communication technology products and services adhere to the stated security requirements. Associated Organization teams must obtain assurance that the delivered information and communication technology products are functioning as expected without any unexpected or unwanted features. All third parties are assessed and re-assessed as service agreements change. If violations of contractual Third Party Risk Management (TPRM) requirements or TPRM-related incidents occur, remediation activities are managed as issues.

    Information that Users share with a Supplier must only be shared on a need-to-know and need-to-use basis throughout the supply chain, and the Supplier must apply the same method of information sharing if it uses any other Suppliers for the services provided to the Organization.

    Do the Board and Executive Management establish a clear ‘tone from the top’ on the importance of cybersecurity?

    There is a distinct ‘tone from the top’ from the Board and Executive Management that is consistent, visible, and achieved on a sustained basis.

    Does a relevant Board Committee (with risk management oversight or audit responsibilities) receive cybersecurity reports?

    Yes. Reports include:

    • Key threats and associated cyber security activities
    • Cyber incidents and underlying causes
    • Ownership responsibilities and accountabilities
    • Roadmaps, action plans, and progress
    • Key Risk Indicators, tolerances and financial thresholds / limits
    • Cyber security performance metrics and trends
    • Information on emerging threats

    How often does the Board receive reporting on Zayo’s cyber risk profile?

    Board reporting occurs quarterly or more frequently as needed.

    Is there an executive-level sponsor (e.g., CTO, CIO, CISO, GC) to promote cybersecurity or dedicated roles with accountability for cyber security?

    Yes. Zayo’s CIO, CFO, and CSO act as executive-level sponsors to promote Zayo’s security programs and posture.

  • Third Party and Supply Chain Management

    Does Zayo have a formal process for ensuring supply chain resilience as part of its product offering TPRM practices?

    Yes.

    Does Zayo consider non-technical supply chain resilience threats such as weather, geo-political instability, epidemic outbreak, volcanic, earthquakes, etc.?

    Yes.

    Does Zayo maintain a formally trained and dedicated crisis management team, including on-call staff, assigned to address catastrophic or systemic risks to your supply chain or manufacturing processes?

    Yes.

    Does Zayo require and audit key suppliers for their ability to be prepared for unexpected supply chain disruptions?

    Yes.

    Do Zayo service deliverables outline which services can be done remotely and which cannot?

    Yes, and these are documented in Service Level Agreements (SLAs) or Terms and Conditions.

    Does Zayo consider supplier diversity to avoid single sources and to reduce the occurrence of suppliers being susceptible to the same threats to resilience?

    Yes.

    Does Zayo consider alternate offering delivery channels to mitigate extended supplier outages to include cloud, network, telecommunication, transportation, and packaging?

    Yes.

    Do you maintain inventory of key suppliers with access to systems or data?

    A vendor list mechanism exists, covers all vendors, and is updated as the Organization changes.

    Is the company ownership of suppliers of critical ICT components verified?

    Yes. Zayo is a global corporation and rigorously assesses all Suppliers by strictly enforcing Inherent Risk Questionnaires (IRQs), Office of Foreign Assets Control (OFAC) and Committee on Foreign Investment in the United States (CFIUS) reviews, and Data Processing Agreements (DPAs). Agreements with Suppliers must include requirements to address the information security risks associated with information and communications technology services and the Organization’s product supply chain, which includes cloud computing services. It is the responsibility of Users to work with Suppliers to understand the information and communication technology supply chain so that the Organization knows the components that could have an important impact on the products and services being provided.

    Supplier agreements state that Suppliers must adhere to the security requirements specified in the Supplier Relationships Policy they are required to sign, that the specified security requirements and practices are propagated throughout the supply chain, and that relevant Organization teams associated with the Supplier and Supplier contract must ensure that monitoring is in place for validating that delivered information and communication technology products and services adhere to the stated security requirements. Associated Organization teams must obtain assurance that the delivered information and communication technology products are functioning as expected without any unexpected or unwanted features. Information that Users share with a Supplier must only be shared on a need-to-know and need-to-use basis throughout the supply chain, and the Supplier must apply the same method of information sharing if it uses any other Suppliers for the services provided to the Organization.

    Are suppliers of critical ICT components under U.S. ownership?

    Not all. Zayo is a global corporation and rigorously assesses all Suppliers by strictly enforcing Inherent Risk Questionnaires (IRQs), Office of Foreign Assets Control (OFAC) and Committee on Foreign Investment in the United States (CFIUS) reviews, and Data Processing Agreements (DPAs). Agreements with Suppliers must include requirements to address the information security risks associated with information and communications technology services and the Organization’s product supply chain, which includes cloud computing services. It is the responsibility of Users to work with Suppliers to understand the information and communication technology supply chain so that the Organization knows the components that could have an important impact on the products and services being provided.

    Supplier agreements state that Suppliers must adhere to the security requirements specified in the Supplier Relationships Policy they are required to sign, that the specified security requirements and practices are propagated throughout the supply chain, and that relevant Organization teams associated with the Supplier and Supplier contract must ensure that monitoring is in place for validating that delivered information and communication technology products and services adhere to the stated security requirements. Associated Organization teams must obtain assurance that the delivered information and communication technology products are functioning as expected without any unexpected or unwanted features. Information that Users share with a Supplier must only be shared on a need-to-know and need-to-use basis throughout the supply chain, and the Supplier must apply the same method of information sharing if it uses any other Suppliers for the services provided to the Organization.

    If distributors will be used to provide products/services to the Government, is a threat analysis performed for each distributor?

    Yes. Zayo’s Third Party Risk Management (TPRM) program identifies each of its suppliers, the products or services they supply, and the associated risks and controls, and assesses the strength of those controls.

    Are Basic Security Requirements (not Derived Security Requirements) implemented for the fourteen families in Chapter Three of NIST SP 800-171 R3, Protecting Controlled Unclassified Information in Nonfederal Systems?

    Yes. Zayo’s security program is based upon the Unified Compliance Framework (UCF) and is structured around a set of control objective categories addressing controls from a multitude of authoritative industry standards and requirements. The program’s policies and standards are managed and published internally. For more information about the UCF, refer to https://www.unifiedcompliance.com/home.

    Do you perform due diligence on third parties to align with your own corporate policies and/or industry best practice?

    Every Supplier that has logical access, physical access, or access to the Organization’s data must complete the Organization’s Security Requirements assessment, which references the logical, physical, and data controls that must be followed. The Supplier must fill out the Security Requirements assessment upon receipt and indicate whether it is unable to follow any of the Security Requirements.

    A review by the Committee on Foreign Investment in the United States (CFIUS) is also required under the following circumstances, and may take up to 45 days:

    • Classify suppliers into risk categories (e.g., low, medium, high) based on business impact and criticality to operations
    • Suppliers who have access to physical Corporate locations or sensitive personal data of US citizens and pose potential national security risks
    • Suppliers that perform transactions that may involve the transfer of critical technologies or sensitive information to foreign persons
    • Suppliers that perform transactions in Corporate locations in close proximity to sensitive government facilities
    • Suppliers whose transactions may have direct or indirect involvement by foreign governments
    • Conduct risk-based due diligence for all suppliers before engagement, considering factors such as data security, regulatory compliance, financial stability, and reputational risks

    All third parties are assessed and re-assessed as service agreements change.

    Do you conduct business continuity and disaster recovery audits on your third-party providers?

    All third parties are included in business continuity and disaster recovery audits including exercises after organizational changes.

    Do you perform an evaluation on the commercial impact for cyber risks associated with third parties?

    Evaluations are performed through formal analysis utilizing modeling of potential financial impacts.

    Do you use defined threshold and escalation processes that help determine the application of appropriate cyber security strategies for identified third parties?

    A formal approach, using multiple metrics, consistent management strategies, and involving senior management helps determine appropriate cyber security strategies for third parties.

    Is a formal process documented for ensuring supply chain resilience as part of Zayo product offering Third Party Risk practices?

    Zayo’s TPRM program includes procedures for verifying that suppliers meet contractual terms and conditions.

    Do you contractually require third parties to align with pre-defined services and Service Level Agreements (SLAs)?

    All third parties are contractually required to align with pre-defined services and SLAs which are updated as services change.

    Do you contractually require third parties to maintain insurance/other indemnification for any losses caused by the third party?

    All third parties are contractually obligated to maintain insurance/other indemnification for any losses, and terms are updated as services change.

    Are policies/processes in place to ensure timely notification of updated risk management information previously provided to the Contracting Officer and Contracting Officers?

    Yes.

    Do Supply Chain Risk Management (SCRM) requirements exist in contracts with critical ICT?

    Yes. Agreements with Suppliers must include, based on the need, the requirements to address the information security risks associated with information and communications technology services. Based on the security requirements agreed upon when signing the Supplier contract, the Organization reserves the right to conduct formal and regular reviews of the adherence to the specified requirements, which can include Supplier review and product validation. All third parties are assessed and re-assessed as service agreements change. If violations of contractual SCRM requirements or SCRM-related incidents occur, remediation activities are managed as issues as part of Zayo’s Risk and Issue Management program.

    Is there a process to verify that suppliers are meeting SCRM contractual terms and conditions, including, where applicable, requirements to be passed down to sub-suppliers?

    Yes. Zayo Group’s TPRM program includes procedures for verifying that suppliers meet contractual terms and conditions.

    What provisions for auditing are included within supplier contracts?

    The Organization reserves the right to audit Suppliers to validate compliance against MSAs and the Organization’s Corporate Supplier Requirements. The right to audit is a standard clause in all supplier contracts. Zayo reviews supplier contracts during onboarding and contract renewals, and security due diligence assessments are repeated annually.

    Do you revise your written TPRM requirements regularly to include needed provisions?

    Yes.

    Do you have policies for your suppliers to notify you when there are changes to their subcontractors or their offerings (components, products, services, or support activities)?

    Yes. The responsibility for managing Supplier relationships must be assigned to a designated individual or management team responsible for the Supplier. In addition, the individual at the Organization that is designated to work with the Supplier must ensure that Suppliers assign responsibilities for reviewing compliance and enforcing the requirements of the agreements. Their Supplier resources must have sufficient technical skills and availability to monitor the requirements of the agreement, in particular the information security requirements. Appropriate action must be taken when deficiencies in the service delivery are observed.

    Are hardware/software products or services integrity and End of Life requirements passed down to second and third party suppliers?

    Yes, all suppliers must agree to and abide by Zayo policy and standards. 

    Are policies/processes in place to ensure timely notification of updated risk management information previously provided to the Contracting Officer and Contracting Officer’s Information Communications Technology (ICT) Supply Chain Management?

    Yes. The Zayo representative assigned to the customer organization is notified of any changes that occur and is responsible for communicating these changes to the customer and customer management. Customers are notified within 24-48 hours of any changes that may have occurred.

    Is there a documented Quality Management System (QMS) based on an industry standard or framework for the Organization’s Information and Communications Technology (ICT) supply chain operation? 

    Yes. Zayo’s Quality Management System (QMS) is defined as a set of policies, processes, and procedures required for planning and execution in the core business areas of the Organization. In the EU, the QMS is based on the ISO 9001:2015 Plan, Do, Check, Act model. In the US, the QMS is based upon the Unified Compliance Framework (UCF) and is structured around a set of control objective categories addressing controls from a multitude of authoritative industry standards and requirements. This framework and its supporting policies and standards are managed and published internally. For more information about the UCF, refer to https://www.unifiedcompliance.com/home.

    Do you have an organization-wide strategy for managing end-to-end supply chain risks (from development, acquisition, life cycle support, and disposal of systems, system components, and to system services)?

    Yes. Our strategy is to Identify, Analyze, Evaluate, Treat, and Monitor. Actionable issues are created as necessary and assigned appropriately for risk throughout each stage of the lifecycle. Third-party intake, risk identification, measurement and assessment, mitigation, reporting and monitoring, compliance, and governance tasks also include periodic third-party risk audits and assessments.

    Is there a process to verify that suppliers are meeting TPRM contractual terms and conditions, including, where applicable, requirements to be passed down to sub-suppliers? 

    Yes. Zayo Group’s TPRM program includes procedures for verifying that suppliers meet contractual terms and conditions.

    Are hardware/software products or services integrity and End of Life requirements passed down to second and third party suppliers?

    Yes, all suppliers must agree to and abide by Zayo policy and standards. 

    Are processes in place for addressing reuse and/or recycle of hardware products?

    Yes.

    Do you have a policy or process to ensure that none of your suppliers or third-party components are on any banned list?

    Yes.

    For hardware components included in the product offering, do you only buy from original equipment manufacturers or licensed resellers?

    Yes.

    Do you control the integrity of your hardware/software (HW/SW) development practices by using Secure Development Lifecycle practices?

    Yes.

    How do you manage the conformance of your third parties to your procedures?

    The responsibility for managing Supplier relationships must be assigned to a designated individual or management team responsible for the Supplier. In addition, the individual at the Organization who is designated to work with the Supplier must ensure that Suppliers assign responsibilities for reviewing compliance and enforcing the requirements of the agreements. The Supplier’s resources must have sufficient technical skills and availability to monitor the requirements of the agreement, in particular the information security requirements. Appropriate action must be taken when deficiencies in service delivery are observed. Open source code provided by a third party is scanned for integrity purposes prior to, during, and after deployment.

    Do you monitor third-party HW/SW products or services for defects?

    Yes.

    What are your processes for managing third-party products and component defects throughout their lifecycle?

    As part of Zayo’s Risk and Issue Management program, defects are logged as issues for remediation.

    What policies and procedures are in place to protect the integrity of the data provided through cloud services?

    To protect the integrity of data provided through cloud services, the Organization:

    • Uses secure communication channels (HTTPS/SSL/TLS) to encrypt data in transit between the Organization and cloud service providers
    • Ensures that data stored in the cloud is encrypted to protect it from unauthorized access
    • Implements strong access controls using the principle of least privilege, so that Users and systems receive only the minimum level of access required to perform their tasks
    • Uses Multi-Factor Authentication as an extra layer of security
    • Utilizes network security best practices, such as firewalls, intrusion detection/prevention systems, and network segmentation, to safeguard the flow of data to and from the cloud
    • Sets up logging and monitoring to detect unusual activity or potential security incidents, and regularly reviews logs and audit trails
    • Conducts periodic security assessments and audits to identify and address vulnerabilities
    • Understands and complies with relevant data protection laws and regulations
    • Ensures cloud service providers comply with the necessary certifications and standards
    • Implements a robust data backup and recovery strategy to ensure that critical data can be restored in case of accidental deletion, data corruption, or other incidents
    • Develops and regularly tests an incident response plan to ensure a swift and coordinated response to security incidents
    • Establishes communication channels and contacts with the Organization’s cloud service providers to report and address security incidents
    • Evaluates the security practices of the Organization’s cloud service providers and understands their security measures, certifications, and compliance with industry standards
    • Educates teams on security best practices for the use of cloud services and makes them aware of potential risks and how to mitigate them
    • Keeps cloud infrastructure, operating systems, and applications up to date with the latest security patches to address known vulnerabilities

    How do you manage the shared responsibility for cloud service integrity requirements with your suppliers?

    The responsibility for managing Supplier relationships must be assigned to a designated individual or management team responsible for the Supplier. In addition, the individual at the Organization who is designated to work with the Supplier must ensure that Suppliers assign responsibilities for reviewing compliance and enforcing the requirements of the agreements. The Supplier’s resources must have sufficient technical skills and availability to monitor the requirements of the agreement, in particular the information security requirements.

    What mechanisms are in place for direct employees and contracted workers to ensure applicable training has been completed?

    Security awareness training is administered, monitored, and reported upon hire and on an annual basis.

    Does Zayo have processes to evaluate prospective third-party suppliers’ product integrity during initial selection?

    Yes.

    What processes or procedures, if any, are in place to ensure that prospective suppliers have met Zayo’s product integrity requirements?

    Zayo’s TPRM program identifies each of its suppliers, the products or services they supply, the associated risks and controls, and the assessments performed. Per business practice, the TPRM program ensures suppliers are thoroughly vetted prior to onboarding.

    How do Zayo policies or procedures ensure appropriate management/leadership input on supplier selection decisions?

    Zayo’s TPRM program identifies each of its suppliers, the products or services they supply, the associated risks and controls, and the assessments performed. Per business practice, the TPRM program ensures suppliers are thoroughly vetted prior to onboarding.

    What provisions for auditing are included within supplier contracts?

    Agreements with Suppliers must include, based on the need, the requirements to address the information security risks associated with information and communications technology services as follows:

    • A description of the information to be provided or accessed and methods of providing or accessing the information
    • The classification of information according to the Organization’s classification scheme; if necessary, also mapping between the Organization’s own classification scheme and the classification scheme of the Supplier
    • Legal and regulatory requirements for the data being processed and the protection of the data as well as a description of how these requirements are met
    • A list of Supplier personnel authorized to access or receive the Organization’s information and a receipt of the information given to the Supplier personnel
    • Security policies relevant to the specific contract
    • Incident management requirements and procedures, including the training and awareness requirements associated
    • Relevant regulations for sub-contracting
    • Screening requirements, if any, for the Supplier’s personnel to ensure that its staff has reasonable and necessary experience to perform the work. Background verification checks on all Supplier’s personnel must be carried out in accordance with relevant laws, regulations and ethics and must be proportional to the business
    • Right to audit the Supplier processes and controls related to the agreement: the Organization reserves the right to audit Suppliers to validate compliance against the MSA and the Organization’s Corporate Supplier Requirements
    • Supplier’s obligation to periodically deliver an independent report on the effectiveness of controls and agreement on timely correction of relevant issues raised in the report
    • Supplier’s obligations to comply with the Organization’s security requirements

    How do you pass down HW/SW products or services integrity requirements to third party suppliers?

    Requirements are outlined in contractual language and Data Processing Addendums.