We are optimistic that the United States can strengthen critical infrastructure cybersecurity through a government-industry partnership that builds a robust Cybersecurity Framework, shares threat data, and collaborates on achieving national cyber goals. Although we don’t discount the challenges of bringing together such large and diverse groups of stakeholders, we believe that emerging cyber technologies and capabilities have created opportunities for success that did not exist 15 years ago when government first initiated "whole of government" efforts similar to the Executive Order.

1. by
Mike McConnell
mcconnell_mike@bah.com
Sedar Labarre
labarre_sedar@bah.com
David Sulek
sulek_david@bah.com
Marcia McGowan
mcgowan_marcia@bah.com
The Cybersecurity Executive Order
Exploiting Emerging Cyber Technologies and Practices for Collaborative Success

3. 1
The Cybersecurity Executive Order
Exploiting Emerging Cyber Technologies and Practices for Collaborative Success
Executive Order (EO) 13636, “Improving Critical
Infrastructure Cybersecurity,” calls for government to
collaborate more closely with critical infrastructure owners
and operators to strengthen cybersecurity, particularly
by sharing information about cyber threats and jointly
developing a framework of cybersecurity standards and
best practices. Elements of the framework may later be
incorporated into government regulations or voluntarily
adopted by industry. Many owners and operators recognize
the value of these efforts but worry that the EO will result in
burdensome regulation rather than strengthened security.
They are cautiously supportive, waiting to see how the EO
will differ from previous efforts to improve government-
industry collaboration. Others question if the EO goes far
enough, suggesting cybersecurity legislation is required to
make a difference.
At Booz Allen Hamilton, we believe the EO offers reason
for optimism. While it is true that the general concepts
and goals of the EO are similar to earlier initiatives, such
as the 1998 Presidential Decision Directive 63 and the
2003 Homeland Security Presidential Directive 7, cyber
technologies and practices have evolved in significant
ways since those directives were issued. For example,
new continuous monitoring capabilities ensure that
government and industry collect enormous amounts of
data that enhance the value of information sharing. The
development of powerful analytics makes that data even
more valuable because of the potential insights that can be
gleaned by sharing intelligence and data. In addition, cyber
professionals have developed stronger cybersecurity skills
and better understand how to exploit the accumulating
threat and network data. And cyber experts have used their
experience to identify cybersecurity best practices and
create standards and maturity models that can be applied
across critical infrastructure sectors.
These changes offer government and industry opportunities
to strengthen cybersecurity. We have identified five key
steps for exploiting these new technologies and practices to
achieve collaborative success:
• Establish flexible, risk-based cybersecurity standards
of practice (such as a Cybersecurity Framework) that
provide a foundation for measuring the growing maturity
of an organization’s security program
• Accelerate the adoption of continuous monitoring and
data analytics
• Create an information sharing broker (or brokers) to
help government and industry share threat information
efficiently and effectively
• Revitalize the public-private partnership based on
shared interests
• Explore and develop norms guiding the use of “active
cyber defense”
We don’t discount the challenges of bringing together
a diverse group of critical infrastructure stakeholders;
however, we believe that emerging cyber technologies and
capabilities have created opportunities for collaborative
success that did not exist 15 years ago when government
first initiated "whole-of-government" efforts similar to the
EO. By building on their common interests, government and
industry can build a partnership that grows and matures to
counter cyber threats today and into the future.

4. 2
Introduction
Executive Order (EO) 13636, “Improving Critical
Infrastructure Cybersecurity,” is designed to provide
critical infrastructure owners and operators with
assistance to address cyber threats and manage risks,
but owners and operators are wary. Among its major
goals, the EO calls for government to collaborate more
closely with industry by sharing information about
cyber threats and jointly developing a framework of
cybersecurity standards and best practices. Elements
of the framework may later be incorporated into
government regulations or voluntarily adopted by
industry. Owners and operators recognize the value
of public-private partnership, information sharing,
and security practices, but many worry that the EO
will result in burdensome regulation rather than
strengthened security. Others regard the EO as offering
little new over existing processes for government-
industry collaboration, saying the order has raised but
not resolved previous controversies surrounding how
best to implement cybersecurity protections. Even
supporters view the order as a modest first step that
will require cybersecurity legislation and additional
guidance to make progress. As a result, many are
taking a wait-and-see approach before fully committing
to the new EO.
At Booz Allen, we believe there is much greater reason
for optimism. While it is true that the general concepts
and goals of the EO are similar to earlier initiatives,
such as the 1998 Presidential Decision Directive 63
and the 2003 Homeland Security Presidential Directive
7 (HSPD-7), the cyber environment has evolved in
significant ways since those directives were issued.
For example, the rise and maturing of continuous
monitoring and automated threat-detection capabilities
mean that government and industry are now collecting
enormous amounts of data that enhance the value of
information sharing. The simultaneous development of
powerful analytics makes that data even more valuable,
because of the potential insights that government and
industry can glean by sharing intelligence and data.
At the same time, cyber professionals have developed
stronger cybersecurity skills over the past decade and
better understand how to exploit the accumulating
threat and network data. They have also used their
experience and skills to identify cybersecurity best
practices and create standards and maturity models—
with many already in use by some critical infrastructure
owners and operators—that can now be used across
the critical infrastructure sectors. Although many of
the issues that previously hindered collaboration
still remain, government and industry now have
much greater incentive to find solutions because the
potential value of collaboration is so much greater.
We believe the EO can, in fact, provide a
strong foundation for improving critical
infrastructure cybersecurity.
Finding the right balance in the proposed partnership
and reaching agreement on new processes for
information sharing, the cybersecurity framework,
and other EO provisions will not be easy. The issues
are admittedly complex, and disagreement persists
among stakeholders. Nevertheless, we believe the EO
can, in fact, provide a strong foundation for improving
critical infrastructure cybersecurity—if government and
industry take advantage of new cyber technologies and
practices that create opportunities for collaborative
success. This viewpoint will examine how government
and industry can use the EO to achieve their
cybersecurity goals.
The Cybersecurity Executive Order
The White House issued the EO to counter growing
threats to the nation’s 16 critical infrastructure
sectors from state and non-state actors, hacktivists,
organized crime, extremists, and others. “Repeated
cyber intrusions into critical infrastructure demonstrate

5. 3
1 Executive Order 13636, “Improving Critical Infrastructure Cybersecurity,” February 12,
2013, Section 1, Policy.
the need for improved cybersecurity,” the February 12
order states. “The cyber threat to critical infrastructure
continues to grow and represents one of the most
serious national security challenges we must
confront. The national and economic security of the
United States depends on the reliable functioning
of the Nation's critical infrastructure in the face of
such threats.”1
One of the EO’s main goals is to improve government
information sharing with critical infrastructure owners
and operators regarding cyber threats, including attack
signatures and other technical data. The EO directs
the US Department of Homeland Security (DHS),
the Department of Justice, and the Office of the
Director of National Intelligence to produce and share
unclassified and classified cyber threat reports that
identify specific targeted and victim entities. DHS will
expand the Enhanced Cyber Security Initiative to all
critical infrastructure sectors, thereby making classified
cyber threat data and technical information available
to eligible critical infrastructure owners and operators.
DHS will also expand programs that provide security
clearances to private sector employees of critical
infrastructure and bring private sector subject matter
experts into the US federal government.
Another major goal is to develop a Cybersecurity
Framework of standards and best practices for
reducing risk to critical infrastructure. Under the EO,
the National Institute of Standards and Technology
(NIST) will work with the Sector-Specific Agencies
(SSAs), Sector Coordinating Councils (SCCs), and other
stakeholders to develop the Cybersecurity Framework.
NIST officials want owners and operators to actively
participate in this process.
The EO also calls for DHS to establish a voluntary
program for framework adoption by owners and
operators. As part of this program, the SSAs will
work with their respective SCCs to review the
Cybersecurity Framework and develop implementation
guidance to support its voluntary adoption. DHS will
use a similar consultative process to identify the
high-priority critical infrastructure using a risk-based
approach. Finally, DHS and the US Departments of
Treasury and Commerce will recommend incentives
to promote industry’s participation in these efforts.
Overall, the EO emphasizes the importance of
government-industry collaboration in protecting critical
assets, systems, networks, and functions from cyber
attacks, stating, “We can achieve these goals through
a partnership with the owners and operators of critical
infrastructure to improve cybersecurity information
sharing and collaboratively develop and implement risk-
based standards.”2
In tandem with the EO, the White House issued the
complementary Presidential Policy Directive 21 (PPD-
21) on Critical Infrastructure Security and Resilience,
which replaces HSPD-7. The EO and PPD-21 contain
ambitious milestones for implementing the planned
cybersecurity initiatives. For example, within 120 days,
DHS and other named agencies must recommend
2 Executive Order 13636, Section 1, Policy.

6. 4
incentives for obtaining the private sector’s voluntary
participation in the Critical Infrastructure Cybersecurity
Program and adoption of cybersecurity practices. Within
180 days, agencies must develop the baseline data
and system requirements for a framework to facilitate
information exchange among government agencies and
critical infrastructure owners and operators. NIST must
develop a preliminary Cybersecurity Framework within
240 days, and a final framework within a year.
The chief challenge facing government and industry is
finding common ground to achieve meaningful results
in such short timeframes. On the industry side, owners
and operators are concerned that the government will
create and then impose a one-size-fits-all Cybersecurity
Framework. Many prefer instead that each sector
develop for itself the strategy and techniques best
suited to its unique business model and requirements.
Moreover, some sectors have already put in place
rigorous controls and they worry about getting locked
into a framework that complicates rather than
enhances security. But while industry wants to proceed
with caution, government is pressed to move quickly
to meet established deadlines. Consequently, given
the complexity of the issues and the many differing
voices regarding how best to proceed, the danger is
that government and industry will settle on solutions
that do little to change the status quo or substantially
improve cybersecurity in order to keep activities
progressing toward fast-approaching deadlines.
The Changing Cyber Landscape
Many of industry’s questions and concerns are the
same as those that hindered previous efforts to forge
a stronger government-industry partnership. Although
the essential issues have not changed, the cyber
environment in which government and industry operate
has changed in important ways. These changes create
new opportunities for meaningful collaboration:
• Continuous Monitoring. Continuous monitoring
uses powerful algorithms to constantly scan for
anomalies, analyze them, and then communicate
them through automatic, immediate warnings
and alerts. By removing the human element,
the automatic warnings significantly improve the

7. 5
speed and effectiveness of responses and provide
decision-makers with information on the current
health of their networks, effectiveness of certain
controls, and areas of risk. In addition, near
real-time monitoring of the threat environment
is enabling organizations to predict and prevent
attacks. Such processes are generating enormous
amounts of data about threats, vulnerabilities, and
other network activities that could provide significant
value if it were shared and then combined and
analyzed with other data within sectors, across
sectors, and across government.
• Data Analytics. Powerful analytical tools not
only enable organizations to conduct continuous
monitoring of their own activities, but they also
enable them to sift through volumes of open source
data to uncover timely insights. For example,
intelligence tools can quickly analyze global news
sources, social media feeds, malicious databases,
etc., to enhance situational awareness and identify
rising threats, attack vectors, trends, and other
valuable information. In addition, sophisticated
text analytics, sentiment analysis, and language
processing technologies can provide insight into an
organization’s own unique environment and help
prioritize response activities before threats escalate.
And using modern computational capabilities,
organizations can scale their analytic processes
beyond their own network data to include nearly
limitless amounts of threat data gathered by partner
organizations in government and industry. The data
generated through continuous monitoring and data
analytics provide a powerful incentive for information
sharing and collaboration.
• Cybersecurity Human Capital Skills. Data and data
analytics are much more valuable today because
the cyber professionals who work with the data
are so much smarter. Cyber experts have greater
knowledge and expertise in analyzing network data,
spotting trends, and developing analytic programs
and tools than they did a decade ago. And, this
trend is predicted to continue. A recent study
found that “information security is a stable
and growing profession [and] the number of
professionals is projected to continuously grow
more than 11 percent annually over the next
five years.”3 Cyber professionals develop skills
across multiple systems and environments, and
work together in cybersecurity communities and
associations to identify needed skills, share best
practices, and promote the highest standards of
training and certification. Their skills enhance the
value of collaboration.
• Cybersecurity Maturity Models. Just as
cybersecurity human capital skills have improved,
so too have the models and approaches that
organizations use to protect their networks and
systems and manage risk. Organizations and
sectors are beginning to embrace cyber risk
management approaches that allow organizations
to ascertain the maturity of an enterprise's
security posture within the context of the business
and, in some cases, across the dimensions of
people, process, and technology. New risk-based
models in both government and industry provide
proven frameworks for measuring, managing, and
systematically maturing cybersecurity, helping
organizations to allocate cyber resources efficiently
while continuously improving security. Proven
maturity models now exist to inform the planned
Cybersecurity Framework.
Keys to Success
These four changes, along with related developments
within the cyber environment, have important
implications for strengthening critical infrastructure
cybersecurity. They not only enhance the potential
benefits of industry-government collaboration—in
sharing information, creating a Cybersecurity
Framework, and other EO activities, but they also make
3 Frost Sullivan and Booz Allen Hamilton, The 2013 (ISC)2 Global Information Security
Workforce Study, p. 3.

8. 6
those benefits easier to obtain. Equally important, an
understanding of these changes provides insight into
how government and industry can work together to
implement the EO and improve cybersecurity. These
actions are key to collaborative success:
1. Establish flexible, risk-based cybersecurity
standards of practice (e.g., Cybersecurity
Framework) that provide a foundation
for measuring the growing maturity of an
organization’s security program. The standards
of practice should be flexible to guide strategy
and approach rather than prescribing specific
technologies and solutions. This will give owners
and operators the flexibility to adopt measures that
best suit their sectors and business imperatives,
as well as the agility to adjust quickly to evolving
threats, vulnerabilities, and risks. The standards
of practice should be risk-based to guide the
effective allocation of resources. It is impossible for
organizations to protect all assets, systems, and
functions, particularly when the threat landscape
is constantly evolving. Consequently, rather than
relying solely on checklists of required technologies
or references to national and international
standards, a risk-based approach will be informed
by business priorities and tied to overall enterprise
risk. And, they will use quantitative measures and
controls to assess risk and allocate resources
proactively to mitigate that risk.
A risk-based approach also supports a maturity-
based framework that defines the expected security
practices for a given maturity level. This enables
managers to readily ascertain the maturity of an
enterprise’s cybersecurity posture across the
dimensions of people, processes, and technology,
and then to develop custom-tailored solutions to
improve maturity and mitigate risk. Additionally,
a risk-based approach lends itself to repeatable
measures, thus enabling the organizations to
assess the effectiveness of current security controls
against identified threats (again, across multiple
dimensions) as they relate to business goals,
objectives, and risk tolerance.
In addition to being flexible and adaptive to the
individual requirements of each sector, the new
standards of practice should also be broad enough
to incorporate the entire cyber ecosystem, thus
recognizing the wider connections among the public-,
private-, and civil communities within the ecosystem.
In this way, the risk-based approach will include
enterprise-wide, sector-wide, and ecosystem risks,
as opposed to traditional models that focus narrowly
on system risks. Finally, the standards of practice
can provide a foundation for developing agreed-upon
international cybersecurity standards, which would
eliminate duplicative and conflicting requirements
across multiple countries.
Overall, the standards of practice embody a
common understanding of risk from the perspective
of multiple stakeholders and provide a basis for
determining how effectively a cybersecurity program
is protecting the business, as opposed to merely
protecting information technology systems.
The standards of practice can provide a
foundation for developing agreed-upon
international cybersecurity standards, which
would eliminate duplicative and conflicting
requirements across multiple countries.
A focus on risk will also help organizations visualize
and prepare for the full spectrum of cyber threats.
It enables organizations to respond with agility to
changing threats and incorporate new strategies,
technologies, and approaches into the framework.
Moreover, a framework of standards of practice
will have the ability to “learn” and adapt to
an evolving cyber landscape. In this way, the

9. 7
community avoids both a one-size-fits-all approach
and a strict regulatory regime, which tends to create
a focus on checklists and compliance rather than
genuine security.
2. Accelerate the adoption of continuous monitoring
and data analytics. Government and industry
already have access to enormous amounts of data
related to the protection of critical infrastructure, but
they currently lack the capability to fully process and
analyze this data to address complex cybersecurity
challenges. Organizations can improve their analytic
capabilities by tapping into emerging cloud-based
analytics. Such capabilities would enhance
significantly the value of information sharing among
stakeholders because they would be able to quickly
analyze data and respond to threats. Similarly,
continuous monitoring capabilities would generate
even more data regarding the health of networks
within a sector and rapid responses based on data,
as opposed to fear or premonitions about potential
threats. While it is true that an individual sector
could create these capabilities on its own, sharing
capabilities and information across sectors, as well
as across government agencies, provides much
greater value. This is the goal that government and
industry should be striving for, and federal initiatives
such as the Big Data Research and Development
Initiative, Digital Government Strategy, and the
Cloud First Strategy directly support a movement
in this direction. Agencies that have embraced
these efforts are building the capacity to more
effectively monitor their networks and exploit
cybersecurity data.
3. Create an information-sharing broker (or brokers).
Both government and industry need help sharing
information efficiently and effectively. The owners
and operators want data that can help them
address their cybersecurity challenges, but they do
not have the resources to sift through mountains
of information unrelated to the threats they face.
They need information that is delivered in a way
that helps them understand why the information
is relevant to businesses within their sector and
how they can use it. However, the government
agencies that collect this information do not have
the resources to create this context—that is,
address these questions—for each stakeholder. An
information broker could provide these services for
both government and industry.
An information broker could take many forms and
serve a number of essential functions. For example,
the broker could serve as a “trusted aggregator” of
threat data with the expertise to address privacy,
security, and other issues that often hinder data
sharing. It could also provide “risk ratings,”
evaluating the level of risk that a reported threat
posed to the company (or sector) receiving the
report. Such a broker would refine and sharpen
data to reduce substantially the friction in data
sharing processes, thus making the data easier for
government to share and more valuable for industry
to receive. And because the information-sharing

10. 8
4 Office of the Press Secretary, “Executive Order on Improving Critical Infrastructure
Cybersecurity,” February 12, 2013.
broker is focused on providing this service, it would
continuously improve its own capabilities and the
value of the data as it flows between government
and industry.
4. Revitalize the public-private partnership based on
shared interests. When issuing the EO, the White
House said, “The Executive Order strengthens
the US Government’s partnership with critical
infrastructure owners and operators to address
cyber threats.”4 However, many in industry are
skeptical of the term “partnership,” uncertain of
its precise meaning and wary of its implications for
moving forward. Consequently, government
and industry should use the EO and PPD-21
as an opportunity to clearly define roles,
responsibilities, and processes for collaboration
among major stakeholders.
The starting place is finding common ground.
Too often, discussions focus on the unique
requirements or issues separating stakeholders,
and they lose sight of the overlapping vital interests
that have brought them together. For example, both
government and industry have a shared interest
in ensuring that networks are up and running at
all times. All agree on the value of continuous
monitoring in protecting networks and on the value
of sharing threat data derived from continuous
monitoring and other sources. Most would probably
agree on the value of creating a robust framework
that could be applied consistently across all
sectors. These and other shared interests provide
opportunities for collaboration and leadership.
An approach that focuses on common interests also
helps to shape the adoption of key components of
the EO. For example, in developing a Cybersecurity
Framework, government and industry will want to
create a framework at a high enough conceptual
level to address the requirements of all sectors.
Moreover, the framework must be flexible to adapt
to both a changing cyber environment and a more
mature understanding of common interests.
This approach also suggests that the current
partnership model should be expanded to include
the civil sector—that is, cyber and risk management
experts from academia, think tanks, and others
among the general public—because government
and industry also have shared interests with the
civil sector. The civil society has always played
an important role in developing and shaping
the Internet, and its members can contribute
many useful ideas, as well as valuable data and
intelligence necessary to predict, prevent, and
respond to cyber threats. By viewing the cyber
ecosystem as a collection of communities,
rather than a limited number of sectors, the EO can
strengthen both the partnership among stakeholders
and the security of critical infrastructure. In fact,
this is how cyber adversaries come together and
operate: As communities with similar interests
that share tactics and resources. A strong public-
private-civil sector partnership can build an
effective network to defeat the adversary's network.

11. 9
Each partner, through data analytics and continuous
monitoring, has richer data to inform collaborative
efforts and determine what needs to be done to
address systemic risks, which have the potential to
adversely impact all.
A new type of leadership is needed to galvanize
strategic connectivity and unity of effort among
these diverse partners. The National Preparedness
Leadership Initiative (NPLI) at Harvard developed
a framework and practice around meta-
leadership, which offers insight into the leadership
skills required to foster collaboration among
interdependent entities in the pursuit of shared
goals. NPLI characterizes meta-leaders as those who
lead advances down into their own group, but who
also lead up to gain their leaders’ support. Although
team players, meta-leaders are not afraid to speak
“truth to power,” if necessary, to those more senior.
They also lead across agencies, extending their
influence among stakeholder organizations, and
they develop situational awareness to create a path
forward, often in the face of incomplete information.
Meta-leaders think beyond personal, bureaucratic,
or business interests to achieve a higher purpose.
They recognize that optimizing effectiveness and
achieving high performance demand a spirit of
collaboration, combined with tangible mechanisms
that activate collaboration and partnership.
Meta-leaders think beyond personal,
bureaucratic, or business interests to achieve a
higher purpose.
A partnership forged on shared interests and
guided by meta-leadership will create a stronger
Cybersecurity Framework, develop more effective
information sharing processes, and implement
more meaningful changes to strengthen critical
infrastructure cybersecurity. And these efforts will, in
turn, strengthen the partnership.
5. Explore and develop norms guiding the use of
“active cyber defense.” Private sector organizations
are developing the capability to identify more
precisely the source of cyber attacks using honey
pots to attract and study threats and advanced
forensics to track down attackers. The ability
to identify attackers provides an opportunity for
organizations to go beyond simply preventing or
deterring attacks to actually striking back at an
attacker’s networks and systems. An organization
might engage in active cyber defense through
collective action with other sector members or by
turning to other communities of interest to address
the threat. Such action might be especially tempting
if the government were seen as unable or unwilling
to protect the organization.
The concept and potential use of active cyber
defense is another area of compelling shared
interest between government and industry.
Employing active cyber defenses against attackers is
already being widely discussed among cybersecurity
professionals as an option, given the severity of
the threats and the risks they pose. However, such
activities could create a “Wild West” environment
of vigilantism, attacks on innocent parties, and
escalating attacks that draw the US government
into conflict, potentially beyond cyberspace.
Consequently, as government and industry
collaborate on sharing information and building
security frameworks, they also should address this
emerging area of cyber policy and strategy.

12. 10
Conclusion
We are optimistic that the United States can
strengthen critical infrastructure cybersecurity through
a government-industry partnership that builds a
robust Cybersecurity Framework, shares threat
data, and collaborates on achieving national cyber
goals. Although we don’t discount the challenges
of bringing together such large and diverse
groups of stakeholders, we believe that emerging
cyber technologies and capabilities have created
opportunities for success that did not exist 15
years ago when government first initiated whole of
government efforts similar to the EO. In particular,
continuous monitoring, data analytics, a more
expert cybersecurity workforce, and a maturing of
cybersecurity standards and models provide a much
stronger foundation for collaboration. The potential
gains resulting from partnership are significantly
greater; and, if efforts fail, the potential damage to
the nation’s economy and security is significantly
greater as well. These two facts provide compelling
incentive for stakeholders to work together to improve
critical infrastructure cybersecurity. By building on their
common interests, government and industry can create
a partnership that grows and matures to counter cyber
threats today and into the future.

13. 11

14. Contact Information
12
Mike McConnell
Vice Chairman
mcconnell_mike@bah.com
703-984-1812
Sedar Labarre
Principal
labarre_sedar@bah.com
202-346-9201
David Sulek
Principal
sulek_david@bah.com
703-984-0798
Marcia McGowan
Senior Associate
mcgowan_marcia@bah.com
703-984-3715

15. About Booz Allen
To learn more about the firm and to download digital versions of this article and other Booz Allen Hamilton
publications, visit www.boozallen.com.
Booz Allen Hamilton has been at the forefront of
strategy and technology consulting for nearly a
century. Today, Booz Allen is a leading provider of
management and technology consulting services
to the US government in defense, intelligence, and
civil markets, and to major corporations, institutions,
and not-for-profit organizations. In the commercial
sector, the firm focuses on leveraging its existing
expertise for clients in the financial services,
healthcare, and energy markets, and to international
clients in the Middle East. Booz Allen offers clients
deep functional knowledge spanning strategy and
organization, engineering and operations, technology,
and analytics—which it combines with specialized
expertise in clients’ mission and domain areas to
help solve their toughest problems.
The firm’s management consulting heritage is
the basis for its unique collaborative culture and
operating model, enabling Booz Allen to anticipate
needs and opportunities, rapidly deploy talent and
resources, and deliver enduring results. By combining
a consultant’s problem-solving orientation with deep
technical knowledge and strong execution, Booz Allen
helps clients achieve success in their most critical
missions—as evidenced by the firm’s many client
relationships that span decades. Booz Allen
helps shape thinking and prepare for future
developments in areas of national importance,
including cybersecurity, homeland security, healthcare,
and information technology.
Booz Allen is headquartered in McLean, Virginia,
employs approximately 25,000 people, and had
revenue of $5.86 billion for the 12 months ended
March 31, 2012. For over a decade, Booz Allen’s
high standing as a business and an employer has
been recognized by dozens of organizations and
publications, including Fortune, Working Mother,
G.I. Jobs, and DiversityInc. More information is
available at www.boozallen.com. (NYSE: BAH)
13

16. www.boozallen.com
The most complete, recent list of offices and their addresses and telephone numbers can be found on
www.boozallen.com
Principal Offices
Huntsville, Alabama
Montgomery, Alabama
Sierra Vista, Arizona
Los Angeles, California
San Diego, California
San Francisco, California
Colorado Springs, Colorado
Denver, Colorado
District of Columbia
Pensacola, Florida
Sarasota, Florida
Tampa, Florida
Atlanta, Georgia
Honolulu, Hawaii
O’Fallon, Illinois
Indianapolis, Indiana
Leavenworth, Kansas
Radcliff, Kentucky
Aberdeen, Maryland
Annapolis Junction, Maryland
Lexington Park, Maryland
Linthicum, Maryland
Rockville, Maryland
Troy, Michigan
Kansas City, Missouri
Omaha, Nebraska
Red Bank, New Jersey
New York, New York
Rome, New York
Fayetteville, North Carolina
Cleveland, Ohio
Dayton, Ohio
Philadelphia, Pennsylvania
Charleston, South Carolina
Houston, Texas
San Antonio, Texas
Abu Dhabi, United Arab Emirates
Alexandria, Virginia
Arlington, Virginia
Chantilly, Virginia
Charlottesville, Virginia
Falls Church, Virginia
Herndon, Virginia
McLean, Virginia
Norfolk, Virginia
Stafford, Virginia
Seattle, Washington
©2013 Booz Allen Hamilton Inc.
BA13-051