GMW-R - GMW18075
TPISR-01 Third Party Information Security Requirements
| Organization: | GMW-R |
| Publication Date: | 1 October 2018 |
| Status: | active |
| Page Count: | 2 |
scope:
Introduction
Note: Nothing in this standard supersedes applicable laws and regulations.
Note: In the event of conflict between the English and domestic language, the English language shall take precedence.
Purpose. See also, CG5617, Section I Purpose.
The purpose of this document is to define the minimum security requirements Third Parties must follow to ensure the secure exchange and protection of GM Information and to minimize third party business interruptions due to security incidents that can adversely impact GM's ability to conduct business. For purposes of this document, a Third Party is defined as a person, company, business, organization, or group that 1) conducts business with, provides goods or services to, directly or indirectly, or is a customer of General Motors or 2) is a competitor of General Motors. Third Party includes but is not limited to dealers, Alliance Partners, consultants, professional service providers and business partners. These entities may create, collect, manage, process, access, store or transmit GM Information or represent GM in the course of business.
Applicability. See also, CG5617, Section II Applicability.
These requirements generally apply to all Third Parties who:
• Create, collect, process, manage, access, store or transmit GM Information, external to the GM computing environment; or
• Require the ability to access GM information, via a direct connection into GM's internal computing environment, to deliver agreed upon services; or
• Provide data, custom software, or other electronic components for use in GM's internal computing environment or in vehicle systems; or
• Provide vital or critical business services to GM (e.g., single source provider), the loss of which would have an adverse impact on GM's ability to conduct business or on GM's brand image; or
• Are government agencies buying products or services from GM or participating in an industry consortium; or
• Are Cloud Service Providers who provide Software as a Service, Infrastructure as a Service or Platform as a Service.
These Third Party requirements generally do not apply to:
• Government agencies exercising regulatory controls, or engaged in litigation proceedings involving GM (e.g., EPA standards, IRS, NHTSA, Congressional inquiries)
• Third Parties exempted by the GM CISO
In certain circumstances, alternate GM or other policies apply, in place of these Third Party requirements:
• Joint Ventures and Alliance Partners or their related Third Party Suppliers
• Dealers
• Subsidiaries to GM (e.g., GM Financial, Cruise Automation, etc.)
• Third Parties, Contract Workers, and others who access the GM computing environment must follow the GM User Information Security Policy.
Remarks. None.
Document History