Procurement Cyber Security Process
The procurement cyber security process and the procurement business are closely interconnected. The procurement cyber security process aims to make sure both Huawei Cloud and its suppliers thoroughly understand the requirements and have a common understanding that cyber security requires joint efforts. Huawei manages procurement security through processes including supplier security certification, material security testing, supplier security review and audit, performance management, risk assessment, vulnerability management, emergency response, and traceability processes. Huawei also requires suppliers to sign security agreements to clarify the responsibilities of both parties.
Procurement cyber security requires that both suppliers and their security be managed. Supplier management includes procurement requirement, strategy, certification, fulfilment, and acceptance management. Supplier security management includes:
• Supplier and material security certification
• Security agreement and fulfilment
• Supplier security audit and emergency response
• Security testing and acceptance
• Supplier security and contract termination
Procurement security has been incorporated into the production material procurement and engineering service procurement processes, as well as into two other supporting processes: the supplier management and material management processes. Procurement security has also been integrated into other Huawei processes: Integrated Product Development (IPD), Lead to Cash (LTC), supply chain, service delivery (SD), and other processes related to R&D, production, service, and marketing. As a result, Huawei's security controls are implemented from end to end, and they have become an indispensable part of Huawei's cyber security assurance system.
Supplier and Material Security Certification
Huawei has developed a security system certification approach for material, engineering service, logistics, EMS, device service, and software outsourcing suppliers.
In the supplier certification phase, Huawei incorporates cyber security requirements into four key steps: Request for Information (RFI), supplier system self-check, supplier system certification, and mandatory terms and clauses in security agreements. Huawei has a strict supplier certification system. Only suppliers that meet Huawei's security requirements have the opportunity to become Huawei suppliers.
Huawei also values supplier material security certification. Huawei has incorporated cyber security requirements into material specifications and into the security risk assessment that forms part of technical quality risk assessment. Cyber security requirements, along with cyber security testing, have also been incorporated into the material testing and verification process. These measures help ensure that Huawei purchases only materials that have the lowest security risks and have passed security testing and verification.
Supplier Security Agreement and Fulfilment
After earning supplier system certification and before becoming a Huawei supplier, all prospective suppliers must sign cyber security agreements with Huawei. Huawei's supplier security agreements cover a range of related areas, including product security requirements, service security requirements, system security requirements, and liabilities for breaches of the security agreements.
Huawei has also developed a security agreement for engineering service subcontractors. All engineering subcontractors related to cyber security have signed this agreement. The agreement includes service security requirements, system security requirements, and liabilities for breaches of the agreement. Huawei has developed specific security agreements for logistics, EMS, software outsourcing, and device service suppliers. All these types of suppliers have signed security agreements with Huawei and promised to work together with Huawei to reduce cyber security risks.
Supplier Security Audits
Huawei uses a hierarchical system to manage its suppliers based on assessments of supplier security risk levels, security issue reviews, and measured improvement. A scorecard is used to measure a supplier's security performance, vulnerability notifications, and emergency responses. The scorecard contains 6 elements and 11 assessment items. Huawei assesses and prioritizes suppliers' security performance every year, and reduces or terminates cooperation with suppliers who demonstrate poor security.
Huawei uses supplier cyber security risk assessment tools to assess suppliers' security risk levels and formulates a list of suppliers with low, medium, and high risks. Huawei manages suppliers in a hierarchical manner based on this assessment. Huawei requires suppliers with any identified risks to conduct self-checks first. Huawei will then perform a two-day on-site audit for high-risk suppliers, and a half-day audit for low-risk suppliers.
Supplier Vulnerability Notification and Emergency Response
At Huawei, supplier security vulnerability notification and emergency response is an extension of the supplier security management measures run by the Huawei Product Security Incident Response Team (PSIRT). Huawei requires suppliers to release vulnerability notifications and respond to vulnerabilities in a timely manner. This ensures that vulnerabilities in third-party software are kept under control.
If a security vulnerability is found in a product, the supplier must notify Huawei PSIRT in writing in accordance with Huawei's vulnerability notification service level agreement (SLA). Suppliers must develop new versions or patches to fix vulnerabilities in a timely manner and notify Huawei through formal version release channels.