Amendment 6, dated July 10, 2023, to General Terms Agreement BCA ###-###-####, dated June 17, 2005, between The Boeing Company and Spirit AeroSystems, Inc

This Amendment Number 6 (“Amendment No. 6”) to General Terms Agreement BCA ###-###-#### is entered into, as of the date of the last signature below, between The Boeing Company, a Delaware Corporation ("Boeing"), and SPIRIT AEROSYSTEMS, INC, a Delaware Corporation with its principal office in Wichita, Kansas (“Seller”). Boeing and Seller sometimes are referred to herein individually as a “Party” and collectively as the “Parties.”

A.The Parties entered into General Terms Agreement BCA ###-###-#### (“GTA”) on June 17, 2005.

B.The most recent amendment to the GTA is Amendment No. 5, entered into on January 30, 2022.

C.The Parties wish to amend the GTA as set forth herein.

NOW THEREFORE, the Parties agree as follows:

1.Agreement:

1.1The GTA is hereby amended by deleting the existing GTA Table of Amendments in its entirety and replacing it with a new Table of Amendments as follows:

The following provisions in this Section 40.0 set forth the requirements for Seller's Electronic Access to the Boeing Systems.

The definitions set forth below will only apply to this Section 40.0 (inclusive of all its subsections).

A.“Access Controls” is defined as procedures, mechanisms, and/or measures that limit access to Boeing Systems to authorized persons or applications.

B.“Boeing Systems” is defined as any electronic information systems operated by Boeing or operated by a third party on behalf of Boeing, including without limitation: facilities, network communications systems, telecommunications systems, software, and applications.

C."Contract" or “Agreement” used interchangeably means any agreement between Seller and Boeing into which these Terms of Use of Boeing Electronic Systems (“ToU”) are incorporated.

D.“Electronic Access” is defined as access by authorized Seller Personnel to the Boeing Systems with the ability or the means necessary to read, write, modify, or communicate information, or otherwise use authorized system resources.

E.“Malware” means malicious computer software that interferes with normal computer functions or causes information leakage to unauthorized parties.

F."Materials" means all information and data, text, graphics, animation, audio and/or digital video components that are stored or hosted by Seller in relation to a Contract or that are accessible through Boeing Systems.

G."Security Breach(es)" means any confirmed compromise of an information system, including accidental or unauthorized use, disclosure, destruction, loss, alteration, transmission, or access to Boeing Materials that are stored or otherwise processed by Seller in relation to an Agreement.

H.“Seller Personnel” is defined as any of Seller’s employees, contract labor, consultants, advisers, or other representatives who have a need to access the Boeing Systems for Seller to perform under a Contract.

I.“Seller Systems” is defined as any and all electronic information systems operated by Seller or operated by a third party on behalf of Seller, including without limitation: facilities, network communications systems and telecommunications systems, inclusive of the software, applications, information and data contained therein.

J."Unauthorized Use" is defined as any use, reproduction, distribution, transfer, disposition, disclosure, possession, memory input, alteration, erasure, damage or other activity involving Materials, that is not expressly authorized under the ToU.

Boeing grants to Seller a limited, nontransferable, nonexclusive, revocable (at Boeing’s discretion) right to access the Boeing Systems electronically solely during the term of a Contract and solely to the extent authorized in writing by Boeing in support of work to be performed by Seller pursuant to a Contract. Without limiting the foregoing, Seller Personnel shall not (i) knowingly introduce any Malware into Boeing Systems (whether through a laptop computer or other access device or otherwise); (ii) use the Boeing Systems for nonbusiness purposes including, without limitation, Unauthorized Use; and/or (iii) take actions calculated to disrupt Boeing Systems.

Any communications or data transiting or stored on Boeing Systems may be monitored, intercepted, recorded, and searched at any time and for any lawful purpose, and may be used or disclosed as required by applicable law.

Seller may request, and Boeing may provide in its sole discretion for Seller’s support of the Contract, Electronic Access for Seller Personnel on a "need to know" basis. When Electronic Access is provided to Seller, these Section 4 terms apply:

40.4.1Accounts and Access Controls

Prior to obtaining Electronic Access, authorized Seller Personnel will be required to obtain from Boeing an Electronic Access account per individual, including Boeing Access Controls that may come from Boeing, third parties designated by Boeing or alternate controls subject to Boeing approval. Boeing reserves the right, without notice and in its sole discretion, to terminate and/or block the

access of any individual or entity to the Boeing Systems. Seller acknowledges that the Access Controls are for specific individual use of Seller Personnel only, are not transferable, and shall be maintained in confidence by Seller. Seller shall:

(i)ensure that all Seller Personnel review and agree to abide by this ToU prior to being granted Electronic Access;

(ii)assign a single focal to initiate requests for Electronic Access for Seller Personnel and maintain records of Seller Personnel granted electronic access, available for validation upon request of Boeing;

(iii)prevent the loss, disclosure, reverse engineering, sharing with unauthorized Seller Personnel or compromise of Access Controls;

(iv)be responsible for the acts and omissions of all Seller Personnel with respect to their Electronic Access, including without limitation, Seller Personnel’s use or disclosure of Proprietary Information and Materials obtained through such Electronic Access, or Seller Personnel’s actions while in possession of such Proprietary Information and Materials;

(v)promptly notify Boeing if any Access Control has been compromised;

(vi)review at least every [****] each Seller Personnel's Electronic Access requirements; and

(vii)promptly submit a written request with name and BEMS ID(s) to Boeing to terminate Electronic Access upon any reassignment resulting in Seller Personnel no longer needing Electronic Access and upon resignation, or termination of any Seller Personnel with Electronic Access.

40.4.2Seller System Protection

Prior to connecting to Boeing’s internal network (either directly at Boeing’s site, remotely via SSLVPN or [****], or other secure method approved by Boeing), Seller shall take reasonable steps to protect the confidentiality, integrity and availability of Boeing Systems and information by implementing and maintaining industry best practice controls on all Seller equipment used to connect to Boeing Systems including, without limitation:

(i)Patched and current operating systems and applications shall be evaluated for compatibility and mitigate negative potential impacts to the production system – Seller shall subscribe to and apply the vendor's relevant updates;

(ii)Anti-malware – Seller devices shall have up-to-date anti-virus protection running with the latest signature files;

(iii)Intrusion Detection/Prevention Technology – Seller shall use intrusion detection/prevention technology to manage current versions of software, signature files, and firewall configurations to limit ports/protocols to only those necessary;

(iv)Access Controls – Seller shall use an account and password or token and PIN to access or unlock computing devices; and

(v)Encryption - Whole disk or file and folder encryption shall be used to protect Materials that are being stored locally on the Seller’s mobile devices.

40.4.3Virtual Office Work

Seller Personnel may access Boeing Systems virtually provided Seller Personnel access through the Seller network.

40.4.4Export Control (U.S. Trade Control)

40.4.4.1In order to comply with applicable U.S. export control statutes and regulations, Boeing shall be required to obtain information concerning identity and citizenship, including dual or third country national status, if applicable, or place of birth of Seller Personnel with Electronic Access. Where access is granted, Seller shall be responsible for obtaining all export authorizations required, including where applicable, export authorizations related for Seller Personnel. If, related to Electronic Access, export authorization(s) are required to allow such Seller Personnel to perform the work to which he or she is assigned, Seller must obtain such authorizations and Seller shall comply with any additional export control restrictions as required by applicable U.S. export control statutes and regulations.

40.4.4.2TECHNICAL DATA AND SOFTWARE ACCESSED FROM BOEING ELECTRONIC SYSTEMS MAY BE SUBJECT TO UNITED STATES GOVERNMENT EXPORT CONTROL REGULATIONS IN ACCORDANCE WITH THE DEPARTMENT OF STATE, INTERNATIONAL TRAFFIC IN ARMS REGULATIONS (“ITAR”), OR DEPARTMENT OF COMMERCE, EXPORT ADMINISTRATION REGULATION (“EAR”), AND MAY NOT BE EXPORTED, RELEASED OR DISCLOSED TO FOREIGN PERSONS, WHETHER LOCATED INSIDE OR OUTSIDE THE U.S. WITHOUT PRIOR APPROVAL FROM THE U.S. GOVERNMENT. VIOLATIONS OF EXPORT LAWS INVOKE

SEVERE FINES AND PENALTIES FOR BOTH INDIVIDUALS AND THE COMPANIES THEY REPRESENT.

40.4.5Export Control (Non-U.S. Trade Control)

40.4.5.1In order to comply with applicable international trade control statutes and regulations, Boeing shall be required to obtain information concerning identity and citizenship, including dual or third country national status, if applicable, or place of birth of Seller Personnel with Electronic Access. Where access is granted, Seller shall be responsible for obtaining all trade control authorizations required, where applicable, for all Seller Personnel, including to allow such Seller Personnel permission to perform the work assigned, and Seller shall comply with any additional trade control restrictions as required by applicable jurisdiction export control statutes and regulations.

40.4.5.2TECHNICAL DATA AND SOFTWARE ACCESSED FROM BOEING ELECTRONIC SYSTEMS MAY BE SUBJECT TO GOVERNMENT TRADE CONTROLS IN ACCORDANCE WITH IMPORT AND EXPORT REGULATIONS IN AFFECTED JURISDICTIONS AND MAY NOT BE IMPORTED, EXPORTED, RELEASED OR DISCLOSED TO UNAUTHORIZED PERSONS, WITHOUT PRIOR APPROVAL FROM THE AFFECTED GOVERNMENT. VIOLATIONS OF TRADE CONTROL LAWS INVOKE SEVERE FINES AND PENALTIES FOR BOTH INDIVIDUALS AND THE COMPANIES THEY REPRESENT.

Seller shall implement and maintain reasonable controls to prevent any Unauthorized Use, Security Breaches, or loss of Materials. Without limiting the foregoing, Seller shall:

(i)have implemented for Seller Systems a policy that adopts Information Security Management principles in accordance with [****];

(ii)implement and maintain security controls no less comprehensive than either of the latest two versions of the [****] as found at [****];

(iii)comply with Boeing requirements in the use of and strength of encryption, but use no less than that required by law, regulation, or government standard, based on the sensitivity of the Materials involved in the Contract;

(iv)perform background checks on Seller Personnel;

(v)provide Seller Personnel with current and relevant security education with respect to their obligations hereunder; and

(vi)use at least the same effort that Seller uses to protect its own proprietary and confidential information, and in no event less than a reasonable amount of effort, to enforce Seller’s obligations under this Section 40.5 against current and former employees.

40.6.1Within thirty (30) days of the effective date of the ToU, Seller shall (i) contact Boeing Information Security at [****] for access to the [****] described at [****]; (ii) complete the [****]; and (iii) authorize Boeing to review any [****] completed by Seller.

40.6.2Seller grants Boeing, and its authorized representatives, permission to view, reports, records, procedures, and information related to or about the security of Seller Systems, once per calendar year or within one hundred eighty (180) days of a Security Breach involving Boeing Materials and with reasonable advance notice, in order to assess Seller’s compliance with this ToU (“Assessment”).

40.6.3If (i) Boeing determines in connection with any Assessment that a material vulnerability exists in the Seller facilities or the Seller Systems or that Seller has otherwise failed to perform any of its obligations under the ToU; and (ii) Boeing notifies Seller in writing of such vulnerability or Seller's breach of the ToU, then Seller shall promptly develop a corrective action plan. Any such corrective action plan shall be created in cooperation with Boeing and is subject to Boeing's written approval, not to be unreasonably withheld, conditioned, or delayed. Seller shall implement the corrective action plan at its sole expense.

Seller hereby warrants, that except in support of products or services provided under a Contract (or unless otherwise specifically authorized in writing by Boeing) that Seller and Seller’s Personnel shall not:

(i)Export or save any Materials from the Boeing Systems;

(ii)Make any derivative uses of Boeing Systems or Materials;

(iii)Use any malicious or unauthorized “data mining,” robots, or similar data gathering and extraction methods;

(iv)Use any frame or framing techniques to enclose any Materials provided or found on the Boeing Systems;

(v)Allow use of an assigned access credential by any person not specifically associated to that credential;

(vi)Access or attempt to access any Boeing Materials;

(vii)Access or attempt to access any restricted portions of a Boeing Systems;

(viii)Remove any restrictive markings from Boeing Materials;

(ix)Access the Boeing Systems through any mechanism other than the authorized Access Controls.

Seller hereby represents, warrants and covenants that it is and shall remain in compliance with all applicable laws that require notification of Security Breaches.

40.8.1Seller will assign a Seller information security focal to coordinate with Boeing regarding Security Events (defined herein as investigation required beyond normal log monitoring) or confirmed Security Breaches.

40.8.2For any Security Breach, Seller shall promptly notify Boeing of such Security Breach and notify Boeing of Boeing Materials involved, if known.

40.8.3If Boeing’s Materials were in the possession of Seller when Seller discovers or is notified of a Security Breach, Seller shall:

(i)investigate and take reasonable steps to cure the Security Breach;

(ii)except with respect to Security Breaches that were caused by Boeing, provide Boeing with a mutually agreeable mitigation action plan;

(iii)take any other reasonable steps related to the incident as mutually determined by Seller and Boeing; and

(iv)assist Boeing in investigating, remedying, and taking any other mutually agreed action Boeing reasonably deems necessary to

address such Security Breach, including related to any dispute, inquiry, or claim related to such Security Breach.

40.8.4Seller shall make the notification required in this Section 40.8 by promptly complying with the notice requirements in the Contract, and sending an email message to abuse@Boeing.com setting forth the information required in this Section 40.8. The Seller shall copy the Boeing procurement agent on all related email notifications.

40.8.5Any material breach of this Section 40.8 by Seller may be considered a default for which Boeing may suspend or revoke Electronic Access.

40.8.6Seller acknowledges that any attempts by Seller or any Seller Personnel to circumvent any security measures designed to prevent unauthorized access to the Boeing Systems may be subject to criminal or civil penalties under the U.S. Federal Computer Fraud and Abuse Act and other applicable laws and regulations. In addition to any other remedy available to Boeing under the Contract, or available to Boeing under law or equity, Seller and Boeing hereby agree that Boeing shall be entitled to injunctive relief because a breach of any provision related to Electronic Access may result in irreparable harm to Boeing or its affiliates, for which monetary damages may not provide a sufficient remedy.

Seller Software/Code Security applies to all forms of cyber services where code is provided for use on Boeing Systems. Seller agrees that:

(i)Seller shall not deliver any code to Boeing prior to the code assessment completion;

(ii)Seller shall conduct assessments natively within application development tools to ensure code defects are detected and addressed for all code, software, and applets delivered to Boeing;

(iii)Seller shall not deliver code containing defects that exceed a [****], score of [****] or [****];

(iv)Seller shall begin remediation of Seller code defects from time of either self-discovery, public disclosure, or Boeing notification to Seller, whichever occurs first.

(v)Security defects discovered after initial product delivery are remediated for the life of the software contract using the following timelines or by an alternative timeframe approved in writing by Boeing:

•[****] to deliver patch for any [****] score of [****]

•[****] to deliver patch for any [****] vulnerability

•[****] to deliver patch for vulnerability of [****] score of [****]

40.10.1For the purpose of this Section 40.10, “Boeing” includes The Boeing Company, its divisions, subsidiaries, the assignees of each, subcontractors, suppliers and affiliates, and their respective directors, officers, employees and agents.”

2.Miscellaneous.

2.1All other provisions of the GTA shall remain unchanged and in full force and effect.

2.2This Amendment No. 6 constitutes the complete and exclusive agreement between the Parties with respect to the subject matter hereof and cancels and supersedes all previous agreements between the Parties relating thereto, whether written or oral.

3.Governing Law.

This Amendment No. 6 shall be governed by the internal laws of the State of Washington without reference to any rules governing conflict of laws.

EXECUTED in duplicate as of the last date set forth below by the duly authorized representatives of the Parties.