Amendment 38, dated July 10, 2023, to Special Business Provisions BCA-MS ###-###-####, dated June 16, 2005, between The Boeing Company and Spirit AeroSystems, Inc

THIS AMENDMENT NUMBER 38 (“Amendment No. 38”) to Special Business Provisions BCA-MS ###-###-#### is made as of the last date executed below (the “Effective Date”) by and between Spirit AeroSystems, Inc., a Delaware corporation having its principal office in Wichita, Kansas (“Spirit”) and The Boeing Company, a Delaware corporation, acting by and through its division, Boeing Commercial Airplanes (“Boeing”). Hereinafter, Spirit and Boeing may be referred to jointly as the “Parties”.

A.The Parties have entered into the General Terms Agreement, GTA BCA ###-###-####, dated June 16, 2005 as amended from time to time (the “GTA”) and the Special Business Provisions, BCA-MS ###-###-####, dated June 16, 2005 as amended from time to time (the "SBP") and now desire to again amend the SBP.

B.This Amendment No. 38 deletes SBP Section 12.4 “Electronic Access, Communications and Data Exchange Via Telecommunications” and replacing it in its entirety with a new SBP Section 12.4 “Electronic Access/Terms of Use” .

NOW, THEREFORE, in consideration of the foregoing and the mutual agreements contained herein, and for other good and valuable consideration, the value, receipt, and sufficiency of which are hereby acknowledged, the Parties hereby agree as follows:

1.The SBP is hereby amended by adding the SBP Table of Amendments Page 5, attached hereto as Exhibit 1.

2.The SBP is hereby amended by deleting SBP Section 12.4 “Electronic Access, Communications and Data Exchange Via Telecommunications” and replacing it in its entirety with a new SBP Section 12.4, attached hereto as Exhibit 2.

3.Entire Agreement. Except as otherwise indicated in this Amendment No. 38, all terms defined in the GTA or SBP shall have the same meanings when used in this Amendment No. 38. This Amendment No. 38 constitutes the complete and exclusive agreement between the Parties with respect to the subject matter of this Amendment No. 38, and this Amendment No. 38 supersedes all previous agreements between the Parties relating to the subject matter of Amendment No. 38, whether written or oral. The GTA and SBP shall remain in full force and effect and are not modified, revoked, or superseded except as specifically stated in this Amendment No. 38.

IN WITNESS WHEREOF, the duly authorized representatives of the Parties have executed this Amendment No. 35 as of the last date of execution set forth below.

SBP BCA-MS ###-###-####, Amendment No. 35 Exhibit 1

SBP BCA-MS ###-###-####, Amendment No. 38 Exhibit 2

The following provisions in this Section 12.4 set forth the requirements for Spirit's Electronic Access to the Boeing Systems.

The definitions set forth below will only apply to this Section 12.4 (inclusive of all its subsections).

A.“Access Controls” is defined as procedures, mechanisms, and/or measures that limit access to Boeing Systems to authorized persons or applications.

B.“Boeing Systems” is defined as any electronic information systems operated by Boeing or operated by a third party on behalf of Boeing, including without limitation: facilities, network communications systems, telecommunications systems, software, and applications.

C."Contract" or “Agreement” used interchangeably means any agreement between Spirit and Boeing into which these Terms of Use of Boeing Electronic Systems (“ToU”) are incorporated.

D.“Electronic Access” is defined as access by authorized Spirit Personnel to the Boeing Systems with the ability or the means necessary to read, write, modify, or communicate information, or otherwise use authorized system resources.

E.“Malware” means malicious computer software that interferes with normal computer functions or causes information leakage to unauthorized parties.

F."Materials" means all information and data, text, graphics, animation, audio and/or digital video components that are stored or hosted by Spirit in relation to a Contract or that are accessible through Boeing Systems.

G."Security Breach(es)" means any confirmed compromise of an information system, including accidental or unauthorized use, disclosure, destruction, loss, alteration, transmission, or access to Boeing Materials that are stored or otherwise processed by Spirit in relation to an Agreement.

H.“Spirit Personnel” is defined as any of Spirit’s employees, contract labor, consultants, advisers, or other representatives who have a need to access the Boeing Systems for Spirit to perform under a Contract.

I.“Spirit Systems” is defined as any and all electronic information systems operated by Spirit or operated by a third party on behalf of Spirit, including without limitation: facilities, network communications systems and telecommunications

systems, inclusive of the software, applications, information and data contained therein.

J."Unauthorized Use" is defined as any use, reproduction, distribution, transfer, disposition, disclosure, possession, memory input, alteration, erasure, damage or other activity involving Materials, that is not expressly authorized under the ToU.

Boeing grants to Spirit a limited, nontransferable, nonexclusive, revocable (at Boeing’s discretion) right to access the Boeing Systems electronically solely during the term of a Contract and solely to the extent authorized in writing by Boeing in support of work to be performed by Spirit pursuant to a Contract. Without limiting the foregoing, Spirit Personnel shall not (i) knowingly introduce any Malware into Boeing Systems (whether through a laptop computer or other access device or otherwise); (ii) use the Boeing Systems for nonbusiness purposes including, without limitation, Unauthorized Use; and/or (iii) take actions calculated to disrupt Boeing Systems.

Any communications or data transiting or stored on Boeing Systems may be monitored, intercepted, recorded, and searched at any time and for any lawful purpose, and may be used or disclosed as required by applicable law.

Spirit may request, and Boeing may provide in its sole discretion for Spirit’s support of the Contract, Electronic Access for Spirit Personnel on a "need to know" basis. When Electronic Access is provided to Spirit, these Section 4 terms apply:

12.4.4.1 Accounts and Access Controls

Prior to obtaining Electronic Access, authorized Spirit Personnel will be required to obtain from Boeing an Electronic Access account per individual, including Boeing Access Controls that may come from Boeing, third parties designated by Boeing or alternate controls subject to Boeing approval. Boeing reserves the right, without notice and in its sole discretion, to terminate and/or block the access of any individual or entity to the Boeing Systems. Spirit acknowledges that the Access Controls are for specific individual use of Spirit Personnel only, are not transferable, and shall be maintained in confidence by Spirit. Spirit shall:

(i)ensure that all Spirit Personnel review and agree to abide by this ToU prior to being granted Electronic Access;

(ii)assign a single focal to initiate requests for Electronic Access for Spirit Personnel and maintain records of Spirit Personnel granted electronic access, available for validation upon request of Boeing;

(iii)prevent the loss, disclosure, reverse engineering, sharing with unauthorized Spirit Personnel or compromise of Access Controls;

(iv)be responsible for the acts and omissions of all Spirit Personnel with respect to their Electronic Access, including without limitation, Spirit Personnel’s use or disclosure of Proprietary Information and Materials obtained through such Electronic Access, or Spirit Personnel’s actions while in possession of such Proprietary Information and Materials;

(v)promptly notify Boeing if any Access Control has been compromised;

(vi)review at least every three (3) months each Spirit Personnel's Electronic Access requirements; and

(vii)promptly submit a written request with name and BEMS ID(s) to Boeing to terminate Electronic Access upon any reassignment resulting in Spirit Personnel no longer needing Electronic Access and upon resignation, or termination of any Spirit Personnel with Electronic Access.

12.4.4.2 Spirit System Protection

Prior to connecting to Boeing’s internal network (either directly at Boeing’s site, remotely via SSLVPN or connect.boeing.com, or other secure method approved by Boeing), Spirit shall take reasonable steps to protect the confidentiality, integrity and availability of Boeing Systems and information by implementing and maintaining industry best practice controls on all Spirit equipment used to connect to Boeing Systems including, without limitation:

(i)Patched and current operating systems and applications shall be evaluated for compatibility and mitigate negative potential impacts to the production system – Spirit shall subscribe to and apply the vendor's relevant updates;

(ii)Anti-malware – Spirit devices shall have up-to-date anti-virus protection running with the latest signature files;

(iii)Intrusion Detection/Prevention Technology – Spirit shall use intrusion detection/prevention technology to manage current versions of software, signature files, and firewall configurations to limit ports/protocols to only those necessary;

(iv)Access Controls – Spirit shall use an account and password or token and PIN to access or unlock computing devices; and

(v)Encryption - Whole disk or file and folder encryption shall be used to protect Materials that are being stored locally on the Spirit’s mobile devices.

12.4.4.3 Virtual Office Work

Spirit Personnel may access Boeing Systems virtually provided Spirit Personnel access through the Spirit network.

12.4.5.1In order to comply with applicable U.S. export control statutes and regulations, Boeing shall be required to obtain information concerning identity and citizenship, including dual or third country national status, if applicable, or place of birth of Spirit Personnel with Electronic Access. Where access is granted, Spirit shall be responsible for obtaining all export authorizations required, including where applicable, export authorizations related for Spirit Personnel. If, related to Electronic Access, export authorization(s) are required to allow such Spirit Personnel to perform the work to which he or she is assigned, Spirit must obtain such authorizations and Spirit shall comply with any additional export control restrictions as required by applicable U.S. export control statutes and regulations.

12.4.5.2TECHNICAL DATA AND SOFTWARE ACCESSED FROM BOEING ELECTRONIC SYSTEMS MAY BE SUBJECT TO UNITED STATES GOVERNMENT EXPORT CONTROL REGULATIONS IN ACCORDANCE WITH THE DEPARTMENT OF STATE, INTERNATIONAL TRAFFIC IN ARMS REGULATIONS (“ITAR”), OR DEPARTMENT OF COMMERCE, EXPORT ADMINISTRATION REGULATION (“EAR”), AND MAY NOT BE EXPORTED, RELEASED OR DISCLOSED TO FOREIGN PERSONS, WHETHER LOCATED INSIDE OR OUTSIDE THE U.S. WITHOUT PRIOR APPROVAL FROM THE U.S. GOVERNMENT. VIOLATIONS OF EXPORT LAWS INVOKE SEVERE FINES AND PENALTIES FOR BOTH INDIVIDUALS AND THE COMPANIES THEY REPRESENT.

12.4.6.1In order to comply with applicable international trade control statutes and regulations, Boeing shall be required to obtain information concerning identity and citizenship, including dual or third country

national status, if applicable, or place of birth of Spirit Personnel with Electronic Access. Where access is granted, Spirit shall be responsible for obtaining all trade control authorizations required, where applicable, for all Spirit Personnel, including to allow such Spirit Personnel permission to perform the work assigned, and Spirit shall comply with any additional trade control restrictions as required by applicable jurisdiction export control statutes and regulations.

12.4.6.2TECHNICAL DATA AND SOFTWARE ACCESSED FROM BOEING ELECTRONIC SYSTEMS MAY BE SUBJECT TO GOVERNMENT TRADE CONTROLS IN ACCORDANCE WITH IMPORT AND EXPORT REGULATIONS IN AFFECTED JURISDICTIONS AND MAY NOT BE IMPORTED, EXPORTED, RELEASED OR DISCLOSED TO UNAUTHORIZED PERSONS, WITHOUT PRIOR APPROVAL FROM THE AFFECTED GOVERNMENT. VIOLATIONS OF TRADE CONTROL LAWS INVOKE SEVERE FINES AND PENALTIES FOR BOTH INDIVIDUALS AND THE COMPANIES THEY REPRESENT.

Spirit shall implement and maintain reasonable controls to prevent any Unauthorized Use, Security Breaches, or loss of Materials. Without limiting the foregoing, Spirit shall:

(i)have implemented for Spirit Systems a policy that adopts Information Security Management principles in accordance with NIST 800-53;

(ii)implement and maintain security controls no less comprehensive than either of the latest two versions of the CIS Controls for Effective Cyber Defense as found at https://www.cisecurity.org/critical-controls.cfm;

(iii)comply with Boeing requirements in the use of and strength of encryption, but use no less than that required by law, regulation, or government standard, based on the sensitivity of the Materials involved in the Contract;

(iv)perform background checks on Spirit Personnel;

(v)provide Spirit Personnel with current and relevant security education with respect to their obligations hereunder; and

(vi)use at least the same effort that Spirit uses to protect its own proprietary and confidential information, and in no event less than a reasonable amount of effort, to enforce Spirit’s obligations under this Section 12.4.7 against current and former employees.

12.4.8.1Within thirty (30) days of the effective date of the ToU, Spirit shall (i) contact Boeing Information Security at suppliercybersecurity@boeing.com for access to the Exostar Cybersecurity Questionnaire (“CSQ”) described at www.exostar.com/PIM/Cybersecurity; (ii) complete the CSQ; and (iii) authorize Boeing to review any CSQ completed by Spirit.

12.4.8.2Spirit grants Boeing, and its authorized representatives, permission to view, reports, records, procedures, and information related to or about the security of Spirit Systems, once per calendar year or within one hundred eighty (180) days of a Security Breach involving Boeing Materials and with reasonable advance notice, in order to assess Spirit’s compliance with this ToU (“Assessment”).

12.4.8.3If (i) Boeing determines in connection with any Assessment that a material vulnerability exists in the Spirit facilities or the Spirit Systems or that Spirit has otherwise failed to perform any of its obligations under the ToU; and (ii) Boeing notifies Spirit in writing of such vulnerability or Spirit's breach of the ToU, then Spirit shall promptly develop a corrective action plan. Any such corrective action plan shall be created in cooperation with Boeing and is subject to Boeing's written approval, not to be unreasonably withheld, conditioned, or delayed. Spirit shall implement the corrective action plan at its sole expense.

Spirit hereby warrants, that except in support of products or services provided under a Contract (or unless otherwise specifically authorized in writing by Boeing) that Spirit and Spirit’s Personnel shall not:

(i)Export or save any Materials from the Boeing Systems;

(ii)Make any derivative uses of Boeing Systems or Materials;

(iii)Use any malicious or unauthorized “data mining,” robots, or similar data gathering and extraction methods;

(iv)Use any frame or framing techniques to enclose any Materials provided or found on the Boeing Systems;

(v)Allow use of an assigned access credential by any person not specifically associated to that credential;

(vi)Access or attempt to access any Boeing Materials;

(vii)Access or attempt to access any restricted portions of a Boeing Systems;

(viii)Remove any restrictive markings from Boeing Materials;

(ix)Access the Boeing Systems through any mechanism other than the authorized Access Controls.

Spirit hereby represents, warrants and covenants that it is and shall remain in compliance with all applicable laws that require notification of Security Breaches.

12.4.10.1Spirit will assign a Spirit information security focal to coordinate with Boeing regarding Security Events (defined herein as investigation required beyond normal log monitoring) or confirmed Security Breaches.

12.4.10.2For any Security Breach, Spirit shall promptly notify Boeing of such Security Breach and notify Boeing of Boeing Materials involved, if known.

12.4.10.3If Boeing’s Materials were in the possession of Spirit when Spirit discovers or is notified of a Security Breach, Spirit shall:

(i)investigate and take reasonable steps to cure the Security Breach;

(ii)except with respect to Security Breaches that were caused by Boeing, provide Boeing with a mutually agreeable mitigation action plan;

(iii)take any other reasonable steps related to the incident as mutually determined by Spirit and Boeing; and

(iv)assist Boeing in investigating, remedying, and taking any other mutually agreed action Boeing reasonably deems necessary to address such Security Breach, including related to any dispute, inquiry, or claim related to such Security Breach.

12.4.10.4Spirit shall make the notification required in this Section 12.4.10 by promptly complying with the notice requirements in the Contract, and sending an email message to abuse@Boeing.com setting forth the information required in this Section 12.4.10. The Spirit shall copy the Boeing procurement agent on all related email notifications.

12.4.10.5Any material breach of this Section 12.4.10 by Spirit may be considered a default for which Boeing may suspend or revoke Electronic Access.

12.4.10.6Spirit acknowledges that any attempts by Spirit or any Spirit Personnel to circumvent any security measures designed to prevent unauthorized access to the Boeing Systems may be subject to criminal or civil penalties under the U.S. Federal Computer Fraud and Abuse Act and other applicable laws and regulations. In addition to any other remedy available to Boeing under the Contract, or available to Boeing under law or equity, Spirit and Boeing hereby agree that Boeing shall be entitled to injunctive relief because a breach of any provision related to Electronic Access may result in irreparable harm to Boeing or its affiliates, for which monetary damages may not provide a sufficient remedy.

Spirit Software/Code Security applies to all forms of Cyber Services where Code is provided for use on Boeing Systems. Spirit agrees that:

(i)Spirit shall not deliver any Code to Boeing prior to the code assessment completion;

(ii)Spirit shall conduct assessments natively within application development tools to ensure code defects are detected and addressed for all code, software, and applets delivered to Boeing;

(iii)Spirit shall not deliver Code containing defects that exceed a Common Vulnerability Scoring System (CVSS), score of medium or higher;

(iv)Spirit shall begin remediation of Spirit Code defects from time of either self-discovery, public disclosure, or Boeing notification to Spirit, whichever occurs first.

(v)Security defects discovered after initial product delivery are remediated for the life of the software contract using the following timelines or by an alternative timeframe approved in writing by Boeing:

•seventy two (72) hours to deliver patch for any CVSS score of critical

•seventy two (72) hours to deliver patch for any critical Remote Code Execution (RCE) vulnerability

•thirty (30) days to deliver patch for vulnerability of CVSS score of high

12.4.12.1For the purpose of this Section 12.4, “Boeing” includes The Boeing Company, its divisions, subsidiaries, the assignees of each, subcontractors, suppliers and affiliates, and their respective directors, officers, employees and agents.”