re: letter of attestation for supply chain security...

Source: blog.lenovo.com/uploads/general/Attestation_Letter_to_Lenovo_31AU…

August 31, 2016

Daryl Cromer
Chief Product Security Officer
Lenovo
1009 Think Place
Morrisville, NC 27560

RE: Letter of Attestation for Supply Chain Security Program

Dear Mr. Cromer:

As requested, Chain Security is providing Lenovo with this letter of attestation to attest that Chain Security has reviewed certain aspects of Lenovo’s product security program (“Program”). We describe herein our findings and conclusions based on this review.

Chain Security is an outside advisory firm retained by Lenovo. We anticipate that Lenovo will provide this letter to customers and interested parties, and we are happy to be a resource for such parties who wish to get our third-party view on the state of Lenovo’s Program. (An overview of Chain Security’s qualifications and expertise can be found in Attachment A to this letter.) We anticipate that customers may have questions or want more detail regarding the high-level descriptions contained herein, and Chain Security will support Lenovo to provide those additional details and descriptions as needed.

EXECUTIVE SUMMARY

Chain Security has gathered information from Lenovo through multiple meetings, interviews and telephone conversations with Lenovo officers and employees, as well as from review of documentation provided by Lenovo. Chain Security has directed the information gathering process and made specific requests to Lenovo for information that relates to Lenovo’s Program. This information gathering process has been guided by Chain Security’s expertise and experience in security-related matters, stemming from service in U.S. Government positions and senior management and engineering positions in the commercial sector, as well as strong engineering and product development expertise. We assess that Lenovo has been cooperative and has readily provided the requested information.

Our inquiry has focused on the following components of the Program: (1) Lenovo’s corporate commitment to the Program and delegation of authority for the Program (“Corporate Governance”); (2) integration of the Program into Lenovo’s operations and processes generally (“Security Processes”); (3) security related to Lenovo’s component and subcomponent suppliers (i.e., traditional supply chain) and the implementation of Lenovo’s Trusted Supplier Program (“Trusted Supplier Program”); and (4) an intensive initiative to


scrutinize the security of pre-loaded software associated with the latest release of the Windows 10 operating system, which runs on Lenovo products (“Windows 10 Pre-Load”).

The following is an executive summary of our findings and conclusions regarding these four components of the Program:

Corporate Governance

• Lenovo’s CEO has directed each business unit to implement the Program, with support from the Lenovo Product Security Office (“PSO”), across Lenovo’s global operations, under the direction of the Chief Product Security Officer (“CPSO”). The CPSO as well as the PSO and all of its employees are located in Morrisville, North Carolina, but the PSO draws on company-wide resources.

• Lenovo’s CEO has delegated full authority for the Program to the CPSO.

• The CPSO and the PSO are actively promulgating and implementing policies and procedures for components of the Program and are training Lenovo employees on the Program.

Security Processes

• Under the Program, Lenovo implements security requirements through its Offering Delivery Teams (“ODT”), which are responsible for the design, development and production of Lenovo products.

• Each ODT must develop and comply with a Product Security Profile for each product they produce. The Product Security Profile includes each component of the Program in its requirements.

• ODT leads are ultimately responsible for security compliance and are assisted by key ODT team members, and the PSO. ODTs must report to the PSO at key product development process gates or checkpoints in the process regarding compliance with their Product Security Profile requirements.

• Lenovo has provided training on the Program and the requirement for using Product Security Profiles for all ODT leads for the following product lines: ThinkPad, ThinkStation, ThinkCentre, Lenovo Notebook, Desktop, and Servers (ThinkServer and System x).

• The CPSO has authority to stop shipment on any Lenovo product that has not met Program requirements.

Trusted Supplier Program

• Lenovo has developed a Trusted Supplier Program, whereby every supplier of “Intelligent Components” that are included in Lenovo products must be vetted and approved from a security perspective.

• The PSO and procurement personnel submit security questionnaires to each prospective supplier. The suppliers must provide accurate information to Lenovo on


matters such as the location and ownership of the supplier and the supplier’s internal security practices and procedures.

• Lenovo has developed contractual language for suppliers that requires suppliers to warrant and represent that the information that the supplier has provided is accurate.

• The PSO conducts a risk analysis on each supplier using the information provided. Any supplier that receives a high risk rating is excluded from Lenovo’s Trusted Supplier List unless the CPSO (or the CPSO’s designee) grants an exception.

• The ODTs can only source components from suppliers on the Trusted Supplier List.

Windows 10 Pre-Load

• In February 2015, Lenovo implemented a process to conduct a security review of every software application that was to be included as pre-loaded software in connection with the release of products containing the Windows 10 operating system (“Windows 10 Pre-Loads”), which reached the market in late summer 2015. This process was implemented to fulfil the “Cleaner and Safer” initiative that was publicly announced. (http://news.lenovo.com/news-releases/lenovos-promise-for-cleaner-safer-pc.htm)

• This Windows 10 security review and pre-load vetting process (“Win10 Process”) was established by and functions under the direction of the CPSO, with support from the PSO. The CPSO established a software security review board (“SSRB”) consisting of personnel from Lenovo business units that produce Lenovo Notebooks, Desktops, ThinkPads, ThinkCentres and ThinkStations.

• Lenovo engaged two prominent third-party software security firms to provide third-party reviews.

• Through the fiscal year ending March 31, 2016, Lenovo had subjected over 430 internal and third-party software applications to the Win10 Process. Firmware was outside the scope of the review. As part of the process, Lenovo conducts security reviews including the use of internal and external tools and sends software applications with high-level security vulnerabilities to third-party security groups for further review. All high and medium risk issues identified were remediated as part of the process. If any application’s risk could not be remediated, then the application was removed from the pre-load or very limited exceptions were approved.

• Under the direction of the CPSO and the PSO, Lenovo has managed the process of screening applications for its final “golden” pre-load software images (i.e., the image sent to manufacturing to be loaded onto hard drives) to include only applications that were approved in the Win10 Process.

We have also reviewed other components of the Program that are still in development. For example, Lenovo is in the process of improving security for Lenovo’s firmware for its basic


input/output system (BIOS) and unified extensible firmware interface (UEFI) (“BIOS Security”). Lenovo also intends to pursue additional security requirements governing the full software lifecycle for all software loaded on Lenovo products, beyond the Windows 10 Pre-Load effort (“Software Lifecycle”). Chain Security will re-issue this letter of attestation with updates as dictated by Lenovo’s progress on programs such as BIOS Security and the Software Lifecycle.

SCOPE OF REVIEW

As of the date of this letter, Chain Security has conducted in-depth interviews with a wide variety of Lenovo personnel, including officers and managers and their direct reports, all of whom are currently located at Lenovo’s North American headquarters in Morrisville, North Carolina. These include (but are not limited to):

Chief Product Security Officer
Chief Quality Officer
Chief Security Officer
Director of Security Architecture
Director of the Product Security Office
Senior Program Manager in the Product Security Office
Program Manager for Secure Development
Program Manager for Supply Chain Security
Global Commodity Managers
Offering Delivery Team Leads for specific products
Director of Software Development / Pre-Load Manager
SSRB lead

We have also reviewed documents provided by Lenovo and have had access to and viewed internal Lenovo networks and databases. While we believe we have performed sufficient diligence and data gathering to provide this letter and to reach the findings and conclusions herein, Chain Security has not independently verified every fact provided by Lenovo. Chain Security and Lenovo have been engaged in developing and implementing the Program for over two years and contemplate an ongoing review and enhancement of Lenovo processes over the coming months.

PARAMETERS OF THE ATTESTATION

Chain Security has requested and reviewed information from Lenovo regarding its product development and supply chain processes in connection with the Program, with a focus on the security of those processes. We are not providing in this letter a full description of Lenovo’s processes nor do we attempt to detail every fact that we have gathered during the review process, but instead are attesting to and recounting only those high-level facts and


conclusions that, in our professional judgment, are likely to interest Lenovo customers, including the U.S. Government, who are focused on the security of Lenovo’s supply chain and development processes. As noted above, we stand ready to answer questions and provide further details as requested by relevant third parties.

Chain Security applauds Lenovo’s focus on supply chain and product development security. We encourage a comparison of Lenovo to other vendors and competitors (including U.S.-based companies) on supply chain and product development security matters. We assess that Lenovo is likely ahead of the industry in terms of its focus on and commitment to these issues.

KEY FINDINGS

The following is a summary of Chain Security’s key findings regarding the Program. As noted above, we are recounting herein only a summary of facts that are relevant to our findings:

Corporate Governance

In 2014, Lenovo created its PSO to develop and implement the Program, which is intended to be a broad product security program that spans across Lenovo product lines. The PSO is based in and staffed by personnel in Lenovo’s North American headquarters in Morrisville, North Carolina. The PSO works with and draws upon the expertise and resources of product teams throughout Lenovo’s global operations.

The PSO is under the direct supervision of Lenovo’s CPSO. In an internal policy document issued on February 2, 2016 (Corporate Policy #21 – Lenovo Product Security Policy), which is attached hereto as Attachment B (“February 2016 Policy”), Lenovo’s Chief Executive Officer granted the CPSO full corporate authority, with the resources of the PSO, to implement and be responsible for product security across Lenovo’s global operations (i.e., to implement the Program). The February 2016 Policy states that “[a]ll Lenovo employees and stakeholders are expected to comply with the Product Security Program, and to be responsive to the Program requirements.” The Policy also states that Lenovo “expect[s] Partners and suppliers to make commitments in support of the Security Program as a condition of doing business with [Lenovo].” This Policy has been made available on internal Lenovo systems to Lenovo employees and currently governs Lenovo’s global operations.

On August 3, 2016, Lenovo’s Chief Executive Officer issued a revised version of Corporate Policy #21 – Lenovo Product Security Policy, which is attached hereto as Attachment C (“August 2016 Policy”), following corporate organizational changes. The August 2016 Policy reflects the same commitment to the Product Security Program as indicated in the February


2016 Policy and continues to place responsibility for the Program in the CPSO. Lenovo anticipates that the August 2016 Policy will be publicly available through Lenovo’s company website. The website is currently being revised and updated. Once the August 2016 Policy is posted on the website, it will replace the February 2016 Policy.

Building on the February 2016 Policy (and reiterated by the August 2016 Policy), in early August 2016 the CPSO issued a Lenovo-wide policy regarding implementation of the Program (“Program Policy”), which is attached hereto as Attachment D. The Program Policy has been made available to all Lenovo employees and indicates that all Lenovo employees are required to comply with the policies as a binding corporate policy. The Program Policy states that “[t]he CPSO (with the support of the Product Security Office) has authority and responsibility for ensuring full implementation of the Product Security Program.”

The Program Policy indicates that the Program itself will include the following specific components, each of which will be governed by a component or program policy that will outline specific requirements:

• Product Development, which includes Platform Development and Secure Software Development (Lenovo Secure Development Lifecycle, or LSDL)

• Product Security Governance through the Offering Development Team (ODT), which includes Security Responsibilities of all ODT members and Integration into the Integrated Offering Delivery (IOD) process

• Supply Chain, which includes the Trusted Supplier Program, the Trusted Supplier List, Parts Shipment, Manufacturing, and Finished Goods Shipping

• Product Security Incident Response Team (PSIRT), which includes Organization and Management System and Incident Information

The PSO has implemented a Lenovo-wide training program, primarily through online training modules, to educate Lenovo employees on their obligations under the Program and on supply chain and product security matters generally. As of the date of this letter, four basic training courses have been published by the PSO, plus an introduction into Lenovo Secure Development Lifecycle for software, as well as five core software courses from a third party. Additional advanced classes are also available. As of May 3, 2016, Lenovo employees have completed over 9,400 courses and have passed tests at the end of each course. Lenovo is maintaining records of all courses completed by individual employees.

Security Processes

Lenovo develops products through an Integrated Offering Development process (“IOD”), where all sources and disciplines needed to take a product all the way from marketing and customer requirements to a finished and deployed product work as an integrated team through


the entire product lifecycle process. At the root of the IOD process is the platform Offering Delivery Team (“ODT”).

Every product produced by Lenovo has its genesis in and is managed by a product-specific ODT. Each discipline needed for completion of the product is represented on the ODT. Each ODT has a team “lead” who is responsible for managing the team’s processes. The ODT lead reports up to the senior managers of specific Lenovo business units and brand teams (e.g., Lenovo’s Data Center Product Group, which produces Lenovo servers, or the PC and Smart Device Business Group, which produces Lenovo ThinkPads and PCs). There are approximately 100 ODTs operating within Lenovo at any given time. For example, for ThinkPads, there are nine ODT leads, all of whom report to an ODT manager within the Think Business Group—four in Morrisville, North Carolina; four in China; and one in Japan. There are approximately 30 ODTs working on server products.

The ODT process begins with a Marketing Requirements Document (“MRD”), an initial and detailed Offering Definition (i.e., the features and functionality that will be included in the product), and a source plan with a key components list which is ultimately translated into a bill of materials (“Source Plan”). These documents together constitute the full set of “requirements” which must be met in order to design, develop and produce the product.

Under the Program, the ODT now plays a pivotal role in the security of each product. In a policy document entitled “Integration of Product Security Within The IOD Process,” issued in August 2016 by the PSO, under the authority of the CPSO and published to Lenovo’s ODTs (“Security Process Policy”), the ODT for each product must create a Product Security Profile (“Profile”). The Profile lists every security requirement of the Program that must be followed and/or included in the product itself as a condition of the product being manufactured and sold to customers. The ODT lead is ultimately responsible for ensuring that each security requirement in the Product Security Profile is met, or for providing justification on why it cannot be met.

The ODT leads for the following product lines have undergone training regarding the Security Process Policy and the requirement for using Profiles to check-point security-related matters: ThinkPad, ThinkStation, ThinkCentre, Lenovo Notebook, Desktop, and Servers (ThinkServer and System x).

Each platform ODT includes a Software representative who is the interface into all software activity. The software rep interfaces with the various Software ODTs, from which software applications are developed and/or provided for the system. Each software application has a Software Architect, who will work with the PSO to ensure applications go through the review process. When an application is approved, it can be added to the list of approved software for a platform. This list is a key part of the Product Security Profile for the new


system. The PSO provides resources and guidance/advice to the ODT as needed to help it meet the security requirements.

At defined product development gates or checkpoints through the ODT process, the ODT must update the management team (stakeholders) regarding the Product Security Profile. The key checkpoints are: Concept Exit (preliminary Profile), Plan Exit (committed Profile), and System Integration Test (SIT) Exit (actual Profile). The result of these checkpoints is that before the product can move into manufacturing and finally be released to customers, the ODT lead must certify to the CPSO and the PSO that all requirements of the Profile have been met. The CPSO has authority under the Program, delegated from the CEO, to stop shipment on any product that has not met the Program requirements and fulfilled every element of the Profile for that product. ODT leads can petition the CPSO (via the PSO) to modify or waive a particular Program/Profile requirement for a particular product if there is a compelling commercial need to do so. The CPSO has ultimate discretion and authority whether to grant a waiver or exception.

Pursuant to the Security Process Policy, each product Profile must include at least the following security elements. Additional security elements of the Program will be added to Profiles as Lenovo’s implementation of the Program continues to mature:

• As reflected in the MRD for the product, any security-related functionality required by customers (e.g., biometric security controls, custom software image), as well as legal/regulatory requirements (e.g., TAA compliance)

• Only intelligent components (hardware and software) from vendors on the “Trusted Supplier List,” which results from the Trusted Supplier Program (see discussion below), are included in the Source Plan (e.g., no non-approved vendor is allowed to provide any intelligent component for the product)

• Long term service and support plans that take into account security requirements (e.g., geography-based service teams)

• Signing of BIOS or UEFI manifests by the PSO [1]

• Software applications that have been cleared through the Windows 10 Pre-Load process (see discussion below) are pre-loaded on the product

As of the date of this letter, every ODT within Lenovo for the platforms indicated above has been informed that he/she is required to meet Profile requirements as a condition of offering any product to customers.

[1] The BIOS Security process is a component of the Program that is continuing to mature as of the date of this letter of attestation. Future versions of this letter will address the BIOS Security process in further detail.


ODT leads who operate out of Lenovo’s North Carolina facilities have reported to Chain Security that they are in fact implementing Profiles (as required by the Program) and are interacting with the PSO to ensure security requirements are met.

The CPSO has reported stopping shipment on at least one product because Profile requirements were not met.

Trusted Supplier Program

As part of Lenovo’s IOD process for developing products, engineering teams on each ODT create a Source Plan that identifies all components to be included in the ultimate bill of materials (“BOM”). In addition, the ODT must identify all software pre-loads that will be included on the product at the time of sale. The Source Plan identifies not only specific components, but also potential suppliers for the components.

Once suppliers have been identified, Lenovo’s Global Commodity Managers (“GCMs”) must negotiate and enter into supply contracts with the suppliers. In some cases, Lenovo may already have an existing relationship with the supplier. In other cases, Lenovo must forge a new supply relationship. Lenovo and the supplier will typically enter into a supply agreement, which is negotiated by a GCM.

Lenovo has historically had an approval process for identifying and qualifying suppliers based on quality, performance and price. Under the Program, Lenovo has now added security requirements to the supplier qualification process. In a policy document entitled “Trusted Supplier Program,” approved by the CPSO on March 15, 2016 (“TSP”), the PSO has implemented policies and procedures to qualify suppliers for inclusion on the Trusted Supplier List (“TSL”).

In addition to the TSP being part of the Program, as indicated in the CEO’s policy document and in the CPSO’s Security Policy, the TSP fulfills a requirement imposed in the CFIUS Agreement in connection with the purchase of IBM’s x86 server business, specifically Section 8 of the Agreement.

As indicated above, under the Security Policy and in connection with security requirements on the Profile for each product, ODT leads are prohibited from using any supplier not included on the TSL. ODT team members who have identified a supplier as part of the Source Plan must submit proposed suppliers to the PSO for vetting and inclusion on the TSL.

The TSP documentation has been provided to the ODT leads within Lenovo as well as the GCMs for the following product lines: System x, ThinkServer, Notebooks, Desktop, ThinkPad, ThinkCentre, and ThinkStation. The TSP and supporting materials (described more


fully below) are being translated into Chinese for use by China-based GCMs and ODTs. One of the training sessions made available to Lenovo employees regarding the Program (see discussion above) covers the TSP and the supplier qualification process for inclusion on the TSL.

The PSO is coordinating with managers within the procurement organization who have responsibility for GCMs to ensure that GCMs are implementing the TSP properly. There are currently two such managers—one in Lenovo’s North Carolina facility and one in China. The PSO tracks the performance of GCMs regarding the TSP process and gives tracking data to the managers. The PSO also regularly updates the CPSO on tracking suppliers who are moving through the process of inclusion on the TSL.

The following is a description of the TSP and how suppliers are included on the TSL, as well as how ODTs use the TSL when creating Source Plans and fulfilling Profile requirements:

Under the TSP, the TSL is limited to suppliers who are providing “Intelligent Components” for Lenovo products. The TSP defines Intelligent Components as “(a) any hardware, software or firmware executable on any microprocessor, (b) the microprocessor itself, (c) any semiconductor device that has processing ability, (d) any device that has internal memory, (e) any component or device that performs a communication function, and (f) any hardware, firmware or software (including operating systems) integrated into or installed on an Intelligent Component.” Intelligent Components can include components, sub-assemblies, whole product assemblies, firmware (including in any component or sub-assembly), and software installed onto the products.

Although both hardware and software components qualify as Intelligent Components, as of the date of this letter of attestation, Lenovo has only implemented the TSP in connection with hardware (including firmware). As Lenovo’s TSP matures, software suppliers will be added (beyond the processes surrounding Windows 10 Pre-Load, as discussed below).

Each supplier of an Intelligent Component is issued a security questionnaire that has been developed by the PSO. The questionnaire seeks disclosures from suppliers on a wide range of security-related questions, including but not limited to location and ownership of the suppliers, security-related incidents, internal security controls within the suppliers’ operations, and visibility and traceability into the suppliers’ own supply chains. The questionnaires are provided to the suppliers by the GCMs. The GCMs gather the completed questionnaires and forward them to the PSO for review and analysis.

The PSO uses a risk analysis model for assessing the information provided on the security questionnaires. The risk model assesses (1) threat posed by the supplier, (2) vulnerability associated with the supplier’s product/component/sub-assembly, (3) likelihood of exploitation, and (4) impact and consequences of exploitation. Each element of the risk model


is scored as “no threat/vulnerability,” “low,” “medium” or “high.” The elements are combined to create an overall risk score. A supplier that receives an overall “low” risk is added to the TSL. A supplier that receives an overall “medium” risk is added to the TSL but is flagged with a caution, so that the ODT and ultimately the PSO are aware that there may be security issues to address. The PSO will work with the GCM to urge the supplier to improve its security posture. A supplier that receives an overall “high” risk cannot be included on the TSL unless there are compelling business reasons to do so and the CPSO specifically authorizes the inclusion, after assessing the overall risk profile of the supplier.

For any supplier that qualifies for inclusion on the TSL, Lenovo (via the GCM) negotiates a supplier agreement. The PSO has developed standard contractual language to be used by the GCM in this process. The supplier contract requires the supplier to warrant and represent that the security-related information on the questionnaire is correct. The supplier contract also gives Lenovo the right to conduct security audits of the supplier. For long-standing supplier contracts that existed before the TSP, the PSO and GCMs are seeking to amend existing supplier contracts to include the security-specific provisions.

The TSL is maintained by the PSO as a “living document” that reflects ongoing vetting of suppliers.

The PSO provides each ODT with access to the current TSL, enabling the ODTs to review the Source Plan to ensure that every Intelligent Component in each product’s BOM is being supplied by a supplier on the TSL. The comparison against the TSL by the ODT is done in coordination with the PSO, which serves as a resource to the ODT.

The PSO retains a repository of all security questionnaires submitted by suppliers, which can be reviewed if security-related questions arise.

To date, at least one supplier has been rejected by Lenovo because they would not provide sufficient information on the security questionnaire to allow the PSO to conduct a risk analysis. The ODTs have therefore been prohibited from using this supplier. As of the date of this letter, Lenovo has included 168 suppliers on the TSL.

Windows 10 Pre-Load

The following Lenovo product lines come with a pre-loaded version of the Microsoft Windows operating system: Lenovo Notebook, Desktop, ThinkPad, ThinkCentre and ThinkStation. In addition to Windows itself, PC vendors such as Lenovo typically also pre-load a variety of software applications that are intended to assist the customer with certain functions (e.g., customer support) as well as to earn Lenovo additional revenue by charging the software vendors for inclusion in the pre-load.


ThenewestversionofWindows—Windows10—wasscheduledtobereleasedin

approximatelyJuly2015.Withitsrelease,Lenovowouldagainincludeavarietyofadditional

thirdpartyandLenovo-proprietarysoftwareaspartofthepre-loadpackagefornewWindows

10products(“Windows10Pre-Load”).

Inconnectionwithits“Cleaner,Safer”initiative,inFebruary2015,Lenovodetermined

toimplementasecurityreviewforeverysoftwareapplicationthatwaspartoftheWindows10

Pre-Load.Thedecisiontoconductthissecurityreviewwasmadebyseniorofficerswithin

LenovoandapprovedbyLenovo’sExecutiveCommittee.TheCPSOwaschargedwithcreating

andimplementingthesecurityprocessfortheWindows10pre-load.Ultimateauthorityforthe

Win10ProcessresideswiththeCPSO.ThePSOsupportstheprocess.

TheCPSOdirectedtheestablishmentofaSoftwareSecurityReviewBoard(“SSRB”)to

implementthesecurityreviewsandtomakesecurity-relateddeterminations.TheSSRB

consistsofamanagerandrepresentativesfromthePSOandtherelevantbusinessunits(“BU”).

DuringtheinitialstagesoftheWin10Process,therepresentativesofthePSOmanagedmostof

thesecurityreviewprocess,butincreasinglythePSOistrainingBUpersonneltoconductinitial

securitytesting,withthePSOservingasadvisorsandresources.

The Win10 Process began with an inventory of all software applications within Lenovo that were candidates for inclusion in the Windows 10 Pre-Load. The PSO and the SSRB directly contacted each Lenovo software development team within the relevant BUs (i.e., those producing Notebooks, Desktops, ThinkPads, ThinkCentres and ThinkStations) for an inventory of all Lenovo-developed software applications. The PSO and the SSRB also contacted each software product manager for each product to identify third party applications that were candidates for inclusion in the Windows 10 Pre-Load.

Lenovo engaged with a prominent software security firm in the Washington D.C. area to develop a proprietary review tool, based on the Lenovo process, to expedite the binary analysis of software applications for security vulnerabilities. The criteria for vulnerabilities were set forth in a series of contracts and statements of work between Lenovo and this security firm. The tool produces a report of identified potential security issues for each application. The report ranks the security vulnerabilities on a low, medium or high scale.

The PSO and the SSRB obtained a binary version of each candidate application for the Windows 10 Pre-Load and conducted security assessments for each approved application. Applications that scored a “low” vulnerability based on the tool were either approved for Windows 10 Pre-Load after assessment by the SSRB and the PSO (with final approval by CPSO) or were subject to security remediation. Among the “low” vulnerability applications that received approval without remediation were certain applications that are widely used in


industry and are produced by companies that are viewed as trusted, such that the overall risk associated with the application was acceptable to the CPSO. Those applications that scored as a “low” vulnerability but were designated for remediation, as well as any application that scored a “medium” or “high” vulnerability, were sent to one of Lenovo’s two software security firms for further security review or were subjected to internal Lenovo security remediation. The security firms sent Lenovo a report for each such review on an application-by-application basis and detailed further findings regarding vulnerabilities.

After each remediation, all applications were subjected to retesting to ensure the vulnerability had been addressed. If a vulnerability could not be remediated, the SSRB (with the assent of the PSO) excluded the application from the Windows 10 Pre-Load unless the CPSO agreed that the overall risk associated with the application was acceptable.

Since implementing the Win10 Process, Lenovo has implemented a policy of not shipping any Notebook, Desktop, ThinkPad, ThinkCentre or ThinkStation with any Pre-Load software unless the software has been vetted through the Win10 Process and has been assessed to pass Lenovo’s security parameters. That policy has been effectively implemented with the exception of a very small set of applications that inadvertently slipped through the process and were shipped without security reviews. Once these omissions were identified, the applications were immediately run through the Win10 Process, where it was confirmed that there were no unmitigated security risks associated with these applications. The Win10 Process has not been extended to include all firmware loaded on such products.

For the fiscal year ending March 31, 2016, Lenovo subjected 436 applications to the Win10 Process. Of those, 283 were approved and included in the Windows 10 Pre-Load, with 153 being rejected and/or still undergoing further remediation and testing. The Windows 10 Pre-Load process is ongoing.

Within Lenovo ThinkPad pre-load teams, any software application that is going to be pre-loaded on a product must be sent in binary form from the Lenovo product teams to a pre-load team that is managed by a pre-load manager. The pre-load manager is responsible for assembling all pre-load applications plus the operating system itself (Windows 10) in a “golden” software image that is ready to be loaded onto a product’s hard drive during the manufacturing process. The golden image is stored on a “golden server” that is managed by the pre-load manager and his/her team. Lenovo’s manufacturing facilities and contract manufacturers pull the golden image from the golden server. The pre-load manager has ultimate authority and administrative rights to manage who can have access to the pre-load server. The pre-load team, under the direction of the pre-load manager, keeps an inventory of every application in any golden image. Golden images are retained in an archive on the golden servers. The pre-load manager also maintains a log of the source (by name) of each software application submitted for inclusion in a golden image.


During the Win10 Process, the SSRB and PSO kept an inventory of the file names, versions, and hash numbers associated with each application that had been reviewed and approved for inclusion in the Windows 10 Pre-Load. This inventory was given to the pre-load managers for use in assembling the golden images for each Windows 10 product. The pre-load teams manually inspected and compared the file names, versions and hash numbers of each application submitted by product teams (for inclusion in the golden image) against the list provided by the SSRB and the PSO.

The pre-load managers represented to Chain Security that they had certainty that only approved software applications were included in the golden image for Windows 10 Pre-Loaded products, other than (as mentioned above) the small set of applications that inadvertently slipped through the process. Pre-load managers have identified applications submitted for inclusion in the golden image that were not approved in the Win10 Process and rejected those submissions. The pre-load teams digitally signed each golden image with their own unique digital signature after confirming that only approved software applications were included.
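The inventory comparison described above (file name, version and hash of each submitted binary checked against the SSRB/PSO approved list, with non-matching submissions rejected and the submitting source logged by name) can be automated rather than done by hand. The following is an added illustration, not Lenovo's or the security firm's tooling; the manifest format, the sample binaries and the choice of SHA-256 as the hash are all constructed assumptions, since the letter does not state the hash algorithm used.

```python
import hashlib
from dataclasses import dataclass

# Constructed sample inventory keyed by (file name, version) -> expected SHA-256.
# The letter says the inventory records names, versions and "hash numbers";
# SHA-256 is assumed here because the algorithm is not stated.
APPROVED_INVENTORY = {
    ("LenovoSupport.exe", "1.4.2"): hashlib.sha256(b"approved support build 1.4.2").hexdigest(),
    ("VendorWidget.exe", "3.0.0"): hashlib.sha256(b"vendor widget 3.0.0").hexdigest(),
}

@dataclass
class Submission:
    source: str      # submitting product team, logged by name as the letter describes
    filename: str
    version: str
    binary: bytes    # the binary form the product team sends to the pre-load team

def check_submission(sub, inventory=APPROVED_INVENTORY):
    """Return (decision, reason); accept only when name, version and hash all match."""
    digest = hashlib.sha256(sub.binary).hexdigest()
    expected = inventory.get((sub.filename, sub.version))
    if expected is None:
        return "reject", "not in approved inventory (name/version)"
    if expected != digest:
        return "reject", "hash mismatch: binary differs from the reviewed build"
    return "accept", "matches approved inventory"

def build_golden_manifest(submissions, inventory=APPROVED_INVENTORY):
    """Check every submission; return the accepted entries and a rejection log."""
    accepted, rejected = [], []
    for sub in submissions:
        decision, reason = check_submission(sub, inventory)
        record = {"source": sub.source, "file": sub.filename, "version": sub.version,
                  "sha256": hashlib.sha256(sub.binary).hexdigest(), "reason": reason}
        (accepted if decision == "accept" else rejected).append(record)
    return accepted, rejected

# Constructed submissions: one approved build, one never reviewed, one rebuilt
# after review (same name and version, different bytes).
SAMPLE_SUBMISSIONS = [
    Submission("ThinkPad team", "LenovoSupport.exe", "1.4.2", b"approved support build 1.4.2"),
    Submission("ThinkCentre team", "Unreviewed.exe", "0.9", b"never went through the process"),
    Submission("Vendor X", "VendorWidget.exe", "3.0.0", b"vendor widget 3.0.1 hotfix"),
]

if __name__ == "__main__":
    ok, bad = build_golden_manifest(SAMPLE_SUBMISSIONS)
    print(f"{len(ok)} accepted, {len(bad)} rejected")
    for r in bad:
        print("REJECT", r["source"], r["file"], r["version"], "-", r["reason"])
```

The third case is the one a manual name-and-version comparison alone would miss: the hash is what ties the submitted bytes to the build that was actually reviewed.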

The CPSO and the PSO intend to further streamline the Win10 Process for future software security reviews, including placing more responsibility on the BUs to conduct and support the security testing. The PSO will remain a resource.

The initial SSRB is based in North Carolina, but Lenovo has just created a second SSRB in China that will focus on specific products for the Chinese market, with Chinese security standards to govern the security review. The Chinese SSRB will likely mirror the initial SSRB. The Chinese SSRB is using the resources of the PSO and is still subject to final authority of the CPSO, who has global security responsibilities for Lenovo products.

CONCLUSIONS

Chain Security believes that Lenovo’s implementation of the four identified components of the Program—Corporate Governance, Security Processes, Trusted Supplier Program and Windows 10—meets or exceeds industry standards from a supply chain and product development security perspective and likely is at or above the level of its peers, including companies that are headquartered in the United States and currently provide products to the U.S. Government. In addition, Lenovo appears anxious and motivated to continue to improve its processes, and Chain Security is assisting them to do so, including with the implementation of BIOS Security and Software Lifecycle processes.

We are available to discuss the contents of this letter with you and/or other appropriate third parties. Please do not hesitate to contact me at 571.344.9625


(mobile) / [email protected].

Our office number is 571.354.0068.

Sincerely,

Christopher P. Simkins
Chain Security, LLC
11490 Commerce Park Drive, Suite 200
Reston, VA 20191
571.306.2929 (direct)
[email protected]


ATTACHMENT A – Qualifications of Chain Security, LLC

Capabilities Summary

Overview

Chain Security is based in the Washington, DC area, with strong ties to Silicon Valley. Our team has deep technical and operational experience in government and commercial sectors. Our senior team members have built successful technology start-up companies and worked in government agencies, telecommunication carriers and defense contracting companies. Our technical experts and engineering team have hands-on experience designing, building and operating government and commercial programs and systems. We understand the full lifecycle of technology development, from design to sourcing to manufacture to deployment and customer support. Our experience allows us to assess the role particular technologies play in U.S. Government systems and operations and to understand how U.S. Government and critical infrastructure entities may view interactions of businesses operating in the U.S. with foreign owners, managers, investors, employees, vendors and subcontractors.

Chain Security also provides supply chain intelligence and analytics through its Chain Security Intelligence services. Through our analysis of supply chains and product development organizations, Chain Security Intelligence produces data-intensive supply chain models (using commercial visualization tools) that can show the commercial “chain of custody” for intelligent components (software and hardware) for specific technologies, from R&D all the way to deployed systems.

Leadership

Christopher P. Simkins, Co-Founder and CEO: [email protected]; 571.344.9625 (mobile); 571.306.2929 (direct office)

Former Senior Official in U.S. Dept. of Justice (DOJ); investigator/prosecutor in DOJ’s Counterespionage Section; reviewed over 200 transactions as DOJ’s representative to CFIUS; CFIUS negotiator in a number of prominent transaction reviews where national security mitigation agreements were implemented; former senior corporate lawyer and current entrepreneur and consultant; breadth of experience helping U.S. and foreign companies do business and interact with USG interests and comply with U.S. regulations (e.g., CFIUS, export control, NISPOM)

Jeffrey Stern, Co-Founder and COO: [email protected]; 408.608.8184 (mobile)

Former Senior Vice President – Government Solutions, TerreStar Networks; technology executive with broad engineering, sales & marketing experience in mobile network design and emergency communications; executive leadership experience in both Silicon Valley and Washington, DC settings; multiple successful exits for start-up technology companies; co-founder Independence Technologies (BEA/Oracle); co-founder GoBeam, a Business VoIP SaaS pioneer (Covad Communications); consultant to multiple companies providing technical and operational solutions to U.S. Government customers


ATTACHMENT B – Lenovo Corporate Policy #21 – Lenovo Product Security Policy (February 2, 2016)


Corporate Policy #21 – Lenovo Product Security Policy
August 3, 2016

Lenovo is committed to offering products that meet or exceed industry standards for security. Our customers must be able to use Lenovo’s products with confidence that they have the tools that enable them to protect their data, and that our products minimize the risk of vulnerability to malicious or unauthorized use or attack by any third party. We deliver on these commitments by doing the following:

1. Including security as a design feature in all our products,
2. Adopting robust security practices
3. Appropriately managing, implementing, and validating security practices and processes throughout the entire lifecycle of our products.

We require our employees and stakeholders, as well as our suppliers, to support these commitments. In furtherance of these security commitments, Lenovo has taken the following steps:

• Established a comprehensive product security program (“Product Security Program”) managed by the Corporate Product Security Office (PSO), which reports directly to the Chief Product Security Officer (CPSO). This program encompasses critical security processes and practices being implemented across product lines. Lenovo employees and stakeholders are required to comply with the Product Security Program, and to be responsive to the Program requirements. In addition, Lenovo requires suppliers to make commitments in support of the Security Program as a condition of doing business with us.

• Identified the corporate Chief Product Security Officer (CPSO), and designated the CPSO as the Lenovo official responsible for developing, implementing, and enforcing Product Security Programs and processes across Lenovo. The Product Security Office under the CPSO has the authority and resources to carry out these responsibilities.

• Authorized the PSO to develop and implement industry leading security best practices

In addition to the above items, Business Units may incorporate additional controls to meet specific regulatory or customer requirements. It is clear that the security of our products is a key factor in our customers choosing Lenovo as their supplier of IT equipment.

Yuanqing Yang
Chairman & CEO
Lenovo

ATTACHMENT C – Lenovo Corporate Policy #21 (revised) – Lenovo Product Security Policy (August 3, 2016)


ATTACHMENT D – Program Policy Issued by Chief Product Security Officer


(ATTACHMENT D cont.)