DSS Security Rating Matrix Update, September 2013

Security Rating Process Overview
• A new security rating process was first implemented in November 2011. The current process was updated on September 1, 2013.
• Numerically based and quantifiable; accounts for all aspects of a facility's involvement in the National Industrial Security Program (NISP).
• A more standardized and less subjective rating process.

How Does the Rating Matrix Work?
• Uses a numerically based rating system.
• All facilities start with the same score (700).
• Points are added for identified NISP enhancements, by category.
• Points are subtracted for vulnerabilities by NISPOM reference, not by number of occurrences: several findings against the same NISPOM paragraph are deducted once, not once per finding.
• Acute/Critical and non-acute/non-critical vulnerabilities are weighted separately.
• Accounts for the size and complexity of a facility.

Security Rating Process Overview: Vulnerability Definitions
Acute Vulnerability
• Non-compliance with a NISPOM requirement that puts classified information at imminent risk of compromise.
• Requires immediate corrective action.
• Further categorized as "Isolated", "Systemic", or "Repeat".
Critical Vulnerability
• Non-compliance with a NISPOM requirement that places classified information in danger of loss or compromise.
• Further categorized as "Isolated", "Systemic", or "Repeat".
Vulnerability
• Non-compliance with a NISPOM requirement that does not place classified information in danger of loss or compromise.

Security Rating Process Overview: NISP Enhancements
A NISP enhancement directly relates to and enhances the protection of classified information beyond baseline NISPOM standards.
• NISP enhancements are validated during the assessment as having an effective impact on the overall security program, usually through employee interviews and review of processes/procedures.
• DSS established NISP enhancement categories, based on practical areas, to simplify the process and ensure field consistency.
• Full credit for a NISP enhancement is given if a facility completes any action/item in a given category.

Red Flag Items
DSS considers some factors "red flag areas"; where one is present, the rating matrix score may not apply. Examples:
• Unmitigated or unreported FOCI
• Uncleared persons in KMP positions requiring a clearance
• Intentional disregard of NISPOM regulations
• Acute or critical systemic vulnerabilities with potential loss/compromise
• Any additional items which may result in invalidation of the FCL
• A matrix score leading to a Marginal or Unsatisfactory rating

Rating Matrix – Sep 2013 Update
The Rating Matrix update is in effect as of September 1, 2013. Feedback from DSS field personnel and industry partners was gathered over the past year to refine the Rating Matrix into a more transparent, consistent, and less subjective process designed to identify and mitigate vulnerabilities while recognizing practices in place that enhance security programs beyond baseline NISPOM requirements. The update does not drastically change the process; rather, it builds upon the original implementation to add clarity, drive consistency, and encourage more robust security programs.

Summary of RM Updates
Revised Enhancement Definitions:
− Categories now outline the intent of the enhancement, allowing DSS and Industry to more easily identify items which may receive credit
− Added additional enhancement examples and clarification of non-enhancements and best practices
− Addresses FAQs from Industry and DSS employees
Removed "Unless Contractually Required" Clause:
− NISP enhancements that go beyond baseline NISPOM requirements but are required by program/contract are now counted for credit

Summary of Updates (Continued)
Current (pre-September 2013) Rating Matrix Categories:
1. SecEd: Company Sponsored Events
2. SecEd: Internal Educational Brochures/Products
3. SecEd: Security Staff Professionalization
4. SecEd: Information/Product Sharing w/in Community
5. Contractor Self Review
6. Classified Material Controls/Physical Security
7. Counterintelligence Integration/Cyber Security
8. Information Systems
9. FOCI
10. International
11. Membership/Attendance in Security Community Events
12. Active Participation in the Security Community
13. Personnel Security
Updated Rating Matrix Categories:
1. Company Sponsored Events
2. Internal Educational Brochures/Products
3. Security Staff Professionalization
4. Information/Product Sharing w/in Community
5. Active Membership in Security Community
6. Contractor Self-Review
7. Counterintelligence Integration
8. FOCI/International
9. Classified Material Controls/Physical Security
10. Information Systems

Rating Matrix – Sep 2013 Update: Enhancement Categories
Facility types distinguished by the matrix: Large Possessor, Small Possessor, Non-Possessor.

Category 1: Company Sponsored Events
Enhancement Definition and Intent: In addition to the annual required security refresher briefings, the cleared contractor holds company sponsored events such as security fairs, interactive designated security-focused weeks, security lunch events, hosting guest speakers on security-related topics, webinars with the security community, etc. The intent of this category is to encourage cleared contractors to actively set time aside to highlight security awareness and education. This should not be the distribution of a paper or email briefing, but rather some type of interactive, in-person activity.
Examples:
Enhancements
• Facility hosts company sponsored events such as security fairs, interactive designated security-focused weeks, security lunch events, etc.
• Training events conducted at off-site customer locations.
Best Practices / Not Enhancements
• FCIS accompanies the ISR during the security vulnerability assessment and provides advice and assistance on suspicious contact reporting.

Category 2: Internal Educational Brochures/Products
Enhancement Definition and Intent: A security education and awareness program that provides enhanced security education courses or products to employees beyond initial and annual refresher training requirements, e.g., CD/DVD, web-based interactive tools, newsletters, security games/contests, an international security alert system, etc. The intent of this category is to encourage cleared contractors to generate and distribute relevant security materials to employees, who then incorporate the content into their activities.
Examples:
Enhancements
• Relevant NISP security education content is generated by the facility or sourced elsewhere (e.g., the home office provides it to branch locations, or from government activities) and the local workforce incorporates the information into their activities.
• Security staff delivers security briefing products to uncleared employees that specifically address the FCL and its effect on the employee, e.g., SCRs, adverse information, how to recognize unprotected classified material and the need to report it to the FSO, etc.
Best Practices / Not Enhancements
• Forwarding the monthly DSS Newsletter. The newsletter is primarily policy, knowledge required by the FSO, or training opportunities, and does not equate to an educational tool.
• Trained 100% of the cleared employees within one year on NISPOM required topics.
• Completion of PII training.

Category 3: Security Staff Professionalization
Enhancement Definition and Intent: Security staff training exceeds NISPOM and DSS requirements, and the staff incorporates that knowledge into NISP administration. The intent of this category is to encourage the security program's key personnel to actively strive to learn more and further their professional security expertise beyond mandatory requirements.
Examples:
Enhancements
• Obtaining and maintaining professional certifications such as CPP, SPeD Certification, CISSP, etc.
• Partial completion of a training program (beyond base training requirements per NISPOM 3-102 and 8-101b), if the completed courses are security relevant and applicable to one's duties.
Best Practices / Not Enhancements
• Currently possesses a certification but has not taken training or ongoing certification maintenance within the assessment cycle.
• Taking additional security courses but has not completed required training to date (e.g., an FSO who has not completed required FSO training would not receive credit for additional training).

Category 4: Information & Product Sharing within Security Community
Enhancement Definition and Intent: The Facility Security Officer (FSO) provides peer training support within the security community and/or shares security products/services with other cleared contractors outside their corporate family. The intent of this category is to encourage cleared contractors to actively reach out to other cleared contractors, to assist those who may not have the expertise or budget, and to provide them with security products, services, etc.
Examples:
Enhancements
• Sharing classified destruction equipment with the local security community. Classified material must be properly handled per NISPOM requirements.
• Cleared contractor serves as a source for fingerprinting employees from other cleared contractors.
• ISSM or FSO mentors ISSMs or FSOs at other cleared contractors.
Best Practices / Not Enhancements
• Sharing or providing products/services to companies or agencies that are not participating in the National Industrial Security Program.

Category 5: Active Membership in Security Community
Enhancement Definition and Intent: Security personnel are members of, and actively participate in, NISP/security-related professional organizations. The intent of this category is to encourage security programs to actively collaborate with their local security community to identify best practices to implement within their own NISP security programs.
Further Clarification: Verification of this enhancement should focus on what the take-aways from events were, how they apply to the facility's security program, and how the security staff is implementing them. Security personnel unable to attend meetings on a regular basis can collaborate virtually via the organization's websites, email, etc.
Examples:
Enhancements
• Cleared contractor hosts security events on behalf of security/NISP-related professional organizations.
• Cleared contractor security staff is a guest speaker at a security event provided by a security-related professional organization.
Best Practices / Not Enhancements
• Any security groups or events not directly related to the NISP. For example, the President of a cleared facility speaks at an event hosted by a university, but the audience is not familiar with or part of the NISP.

Category 6: Contractor Self-Review
Enhancement Definition and Intent: Contractors sustain a thorough, impactful review of their security posture.
The intent of this category is to encourage cleared contractors to maintain an effective, ongoing self-review program to analyze and identify any threats or vulnerabilities within their program and to coordinate with DSS to address those issues prior to the annual assessment.
Further Clarification: Taking into account the size and complexity of the facility, if vulnerabilities were identified during the self-review and documented as mitigated, but the DSS assessment then finds vulnerabilities in those same areas, the mitigation put in place was not effective and this enhancement should not be granted.
Examples:
Enhancements
• Cleared contractor provides DSS a detailed report of their self-review, including identified threats or vulnerabilities, analysis, and countermeasures to mitigate the vulnerabilities, and collaborates with DSS to correct them prior to the annual assessment.
• Multiple documented self-reviews providing an ongoing, continuous evaluation of the security program.
Best Practices / Not Enhancements
• Sending DSS a copy of the self-review checklist only, without a comprehensive analysis.
• Uses the CDSE Self-Inspection Handbook for Contractors.
• Only develops a corrective action plan for vulnerabilities and does not follow up to mitigate them.

Category 7: Counterintelligence Integration
Enhancement Definition and Intent: Contractors build a counterintelligence (CI) focused culture by implementing processes within their security program to detect, deter, and expeditiously report suspicious activities to DSS through submission of suspicious contact reports (SCRs). The intent of this category is to encourage cleared contractors to develop vigorous and effective CI programs that thwart foreign attempts to acquire classified and sensitive technologies. Critical elements of a vigorous and effective CI program include timely reporting, understanding the threat environment, and agile and authoritative decision making to neutralize or mitigate vulnerabilities and threats. Indicators of such a program, referenced by number in the examples below, are one or more of the following:
1. Identification of actionable information leading to the initiation of investigations or activities by Other Government Agencies (OGA); or
2. Implementation of measures to identify and prevent reoccurrence of reported suspicious activities; or
3. Demonstration of immediate response to a suspicious or illegal act to neutralize or mitigate risks to targeted technologies and facilities.
Examples:
Enhancements
• Foreign travel pre-briefings and de-briefings, conducted in person or telephonically, designed to identify contacts or activities displaying potential espionage indicators (see indicators 2 and 3).
• Implementation of an effective Insider Threat program designed to identify employees displaying potential espionage indicators (see indicator 2).
• Effective cooperation with the intelligence and law enforcement communities when pursuing potential penetrators (see indicators 1 and 3).
Best Practices / Not Enhancements
• Contractor provides sterile travel laptops with full disk encryption for employees travelling OCONUS.
• Contractor provides pre/post domestic conference briefings.
• Contractor utilizes a centralized mailbox to collect potential SCR notifications.

Category 8: FOCI / International
Enhancement Definition and Intent: Cleared contractor implements additional effective procedures to mitigate risk to export controlled items and/or risk from FOCI. The intent of this category is to encourage cleared contractors to implement an enhanced export control program that increases its effectiveness. For FOCI-mitigated facilities, the intent is to encourage activities above mitigation instrument requirements to further minimize foreign influence at the facility.
Further Clarification: Items which are requirements of the mitigation instrument may not be counted as enhancements.
Examples:
Enhancements
• Facility maintains an enhanced, ongoing export control self-inspection program.
Best Practices / Not Enhancements
• Effective briefing and debriefing program for persons hosting foreign visitors.
• Facility maintains a list of the export controlled items it works on and shares it with relevant employees to ensure awareness across the workforce.
• Implements and maintains a system for automatic designation of emails to/from the foreign parent/affiliates.
• FOCI mitigation instruments are effectively deployed before the formal requirements are communicated.

Category 9: Classified Material Controls and Physical Security
Enhancement Definition and Intent: Facility has deployed an enhanced process for managing classified information and/or has implemented additional physical security measures, with built-in features to identify anomalies. The intent of this category is to encourage security programs to maximize the protection and accountability of classified material on site by implementing effective processes, regardless of the quantity of classified holdings.
Examples:
Enhancements
• Information management system reflects the history of location and disposition of Secret and Confidential material in the facility.
• Safe custodian performs 100% check-in/check-out of materials and reviews material for appropriate markings and classification.
Best Practices / Not Enhancements
• Added video monitors of high-theft areas.
• Established a documented tracking system for inspections of areas above and below false ceilings/floors in Closed Areas.
• Combination changes more frequently than required.

Category 10: Information Systems
Enhancement Definition and Intent: Incorporating process enhancements and leveraging tools to expand the overall security posture of accredited information systems. The intent of this category is to encourage security programs to maximize protection of classified information on IS.
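One of the enhancement examples DSS gives for this category is a file or script that tracks or blocks unauthorized USB connections and produces report output that the ISSM then reviews. The following is an added illustration of what such an audit script can look like; it is not DSS or contractor code and is not part of the original slides. It parses constructed kernel-style USB log lines (not output from any real system), pairs each new-device line with the serial number reported for that port, and checks each device against a hypothetical allowlist keyed by vendor/product ID and, for storage devices, by serial number. The host name, device IDs, serials and allowlist entries are all assumptions.

```python
"""Audit USB connections seen in a kernel log against an allowlist.

Added example: the log lines, allowlist entries and host name are
constructed for illustration, not taken from any real system or from DSS.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the style of Linux kernel USB messages (syslog format).
SAMPLE_LOG = """\
Sep 03 08:12:01 ws-17 kernel: usb 1-2: new high-speed USB device number 4 using xhci_hcd
Sep 03 08:12:01 ws-17 kernel: usb 1-2: New USB device found, idVendor=0781, idProduct=5583, bcdDevice= 1.00
Sep 03 08:12:01 ws-17 kernel: usb 1-2: SerialNumber: 4C530001230405
Sep 03 09:45:33 ws-17 kernel: usb 1-3: New USB device found, idVendor=046d, idProduct=c52b, bcdDevice=12.10
Sep 03 13:02:17 ws-17 kernel: usb 1-2: New USB device found, idVendor=0781, idProduct=5583, bcdDevice= 1.00
Sep 03 13:02:17 ws-17 kernel: usb 1-2: SerialNumber: 4C530001999999
"""

_PREFIX = r"(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ kernel: usb (?P<port>[\d.-]+): "
NEW_DEVICE_RE = re.compile(
    _PREFIX + r"New USB device found, idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})"
)
SERIAL_RE = re.compile(_PREFIX + r"SerialNumber: (?P<serial>\S+)$")


@dataclass
class UsbEvent:
    timestamp: str
    port: str
    vid: str
    pid: str
    serial: Optional[str] = None  # many HID devices report no serial at all


def parse_usb_events(log_text: str) -> list[UsbEvent]:
    """Collect new-device lines and attach the SerialNumber line reported on the same port."""
    events: list[UsbEvent] = []
    for line in log_text.splitlines():
        m = NEW_DEVICE_RE.match(line)
        if m:
            events.append(UsbEvent(m["ts"], m["port"], m["vid"], m["pid"]))
            continue
        m = SERIAL_RE.match(line)
        if m:
            # The serial belongs to the most recent device seen on that port.
            for ev in reversed(events):
                if ev.port == m["port"] and ev.serial is None:
                    ev.serial = m["serial"]
                    break
    return events


# Hypothetical allowlist. Key is (idVendor, idProduct); value is the set of
# approved serial numbers, or None for device models approved without a
# serial check (keyboards and mice that do not expose one).
ALLOWLIST: dict[tuple[str, str], Optional[set[str]]] = {
    ("0781", "5583"): {"4C530001230405"},  # one specific approved flash drive
    ("046d", "c52b"): None,                # wireless mouse receiver, any unit
}


def is_authorized(ev: UsbEvent, allowlist=ALLOWLIST) -> bool:
    if (ev.vid, ev.pid) not in allowlist:
        return False
    approved = allowlist[(ev.vid, ev.pid)]
    if approved is None:
        return True
    # Same model as an approved drive but a different or missing serial is still unauthorized.
    return ev.serial is not None and ev.serial in approved


def audit(log_text: str, allowlist=ALLOWLIST) -> list[tuple[UsbEvent, bool]]:
    return [(ev, is_authorized(ev, allowlist)) for ev in parse_usb_events(log_text)]


def report(findings: list[tuple[UsbEvent, bool]]) -> str:
    """Render the audit as the reviewable report output the enhancement calls for."""
    lines = []
    for ev, ok in findings:
        lines.append(
            f"{ev.timestamp} port={ev.port} id={ev.vid}:{ev.pid} "
            f"serial={ev.serial or '-'} {'AUTHORIZED' if ok else 'UNAUTHORIZED'}"
        )
    bad = sum(1 for _, ok in findings if not ok)
    lines.append(f"{len(findings)} connection(s), {bad} unauthorized")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(audit(SAMPLE_LOG)))
```

The third connection in the sample is the same model as the approved flash drive but a different serial, which is the case an allowlist keyed only on vendor/product ID would miss. A blocking variant on Linux would additionally write 0 to the kernel's per-device authorization file (/sys/bus/usb/devices/<port>/authorized) for an unauthorized port; whichever variant is used, the enhancement credit depends on the report output actually being reviewed, not only generated.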
Examples:
Enhancements
• Development and use of a formalized SOP and a comprehensive checklist to augment a detailed weekly audit review process, describing what is performed during the review of large, complex IS (LANs/WANs) with multiple operating systems.
• Use of a file or scripts that track downloaded files and/or compare generation records to detect unauthorized classified downloads, with review/auditing of the report outputs.
• Use of a file or scripts that track and/or block unauthorized USB connections, with review/auditing of the report outputs.
Best Practices / Not Enhancements
• Employing a color-coded labeling system for components of both classified and unclassified networks (switches, routers, network jacks) when co-located in the same secure area, to further identify and deter unauthorized or inadvertent system connections.
• Developed reports to give ample notification of when a system is due for re-accreditation.
• Utilize scripts to apply and maintain antivirus definition updates.

Commonly Asked Questions & Answers
Q: What is the purpose of the updated Rating Matrix?
A: The revisions to the matrix are intended to further improve the rating process by incorporating DSS and Industry feedback and to give credit for the enhancements that have the most positive impact on contractor security programs.
Q: Why has the number of Rating Matrix categories decreased?
A: The decrease in Rating Matrix categories further clarifies the intent of each enhancement and allows DSS and Industry to identify the purpose behind the category and more easily identify examples. Specific updates were made for the following purposes:
• Merging "Membership/Attendance in Security Community Events" with "Active Participation in the Security Community" eliminates overlap, reinforces active participation in security groups, and provides smaller sites additional opportunities for enhancement credits.
• Merging "International" and "FOCI" eliminates overlap and expands enhancement opportunities and attainability.
• Removing the "Personnel Security" category eliminates elements considered best practices and levels the playing field, as smaller companies lacked attainability.

Commonly Asked Questions & Answers (Continued)
Q: If a corporate-wide organization participates in the Partnership With Industry (PWI) program, can this be counted as a NISP enhancement for each cleared facility within the organization?
A: Generally no; the intent of the PWI program is to generate a shared perspective between DSS and Industry as it relates to NISP oversight responsibilities. However, involvement or participation by the given facility in this or similar programs can be assessed to determine whether the facility will be granted NISP enhancement credit, based on how the experience has been incorporated to improve the facility's security program.
Q: If a large facility has segmented departments independently implementing a NISP enhancement, can it be counted if it is NOT implemented throughout the entire facility?
A: No. The enhancement can only be counted if it impacts the entire facility. Recognize the specific departments implementing the enhancements when applicable, and use this as an opportunity to suggest incorporating these enhancements facility-wide.

Enhancement or Best Practice?
• Security staff develops security briefing products to be delivered to uncleared employees that specifically address the company's Facility Security Clearance and its effect on the employee: Enhancement
• Forwarding the monthly DSS Newsletter: Best Practice
• Additional CDSE courses, STEPP courses, NCMS "brown bag" training sessions: Enhancement
• Currently possesses a certification but has not taken any training or ongoing certification maintenance within the assessment cycle: Best Practice
• Conducting part of a self-review over an extended period of time but only completing the one required formal self-review: Best Practice
• Cleared contractor provides DSS a detailed report of their self-review, including identified threats or vulnerabilities, analysis, and countermeasures to mitigate the vulnerabilities, and collaborates with DSS to correct them prior to the annual assessment: Enhancement

Enhancement or Best Practice? (Continued)
• Use of a file or scripts that track and/or block unauthorized USB connections, with review/auditing of the report outputs: Enhancement
• Employing a color-coded labeling system for components of both classified and unclassified networks (switches, routers, network jacks) when co-located in the same secure area, to further identify and deter unauthorized or inadvertent system connections: Best Practice
• Effective foreign travel pre-briefings and de-briefings, conducted in person or telephonically, designed to identify contacts or activities displaying potential espionage indicators: Enhancement
• Contractor conducts pre- and post-domestic-conference briefings: Best Practice

Security Assessment Rating Results
Rating Matrix – Sep 2013 Update
Most notably, in the interest of transparency and clarity, a one-stop product is being issued to all FSOs covering the assessment process, vulnerabilities, and enhancement categories. The enhancement material includes the definition, intent, and examples for each category.

Questions? Rating.Matrix@dss.mil