DSS Security Rating Matrix Updated, September 2013

Security Rating Process Overview
A new security rating process was first implemented in November 2011. The current process was subsequently updated on September 1, 2013.
• Numerically based, quantifiable, and accounts for all aspects of a facility’s involvement in the National Industrial Security Program (NISP)
• More standardized and less subjective rating process.
How Does the Rating Matrix Work?
• Uses a numerically based rating system
• All facilities start with the same score (700)
• Points are added for identified National Industrial Security Program (NISP) enhancements, by category
• Points are subtracted for vulnerabilities by NISPOM reference, not by number of occurrences
• Acute/Critical and Non-Acute/Non-Critical vulnerabilities are weighed separately
• Accounts for size and complexity of a facility
Security Rating Process Overview
Acute Vulnerability
• Non-compliance with a NISPOM requirement that puts classified information at imminent risk of compromise.
• Requires immediate corrective action.
• Will be further categorized as either “Isolated”, “Systemic”, or “Repeat”.
Critical Vulnerability
• Non-compliance with a NISPOM requirement that places classified information in danger of loss or compromise.
• Will be further categorized as either “Isolated”, “Systemic”, or “Repeat”.
Vulnerability
• Non-compliance with a NISPOM requirement that does not place classified information in danger of loss or compromise.
Security Rating Process Overview
A NISP enhancement directly relates to and enhances the protection of classified information beyond baseline NISPOM standards.
• NISP enhancements will be validated during the assessment as having an effective impact on the overall security program, which is usually accomplished through employee interviews and review of processes/procedures.
• DSS established NISP enhancement categories, based on practical areas, to simplify and ensure field consistency.
• Full credit for a NISP enhancement will be given if a facility completes any action/item in a given category.
Red Flag Items
DSS considers some factors as “red flag areas”, and the rating calculation score may not be applicable. For example:
• Unmitigated or unreported FOCI
• Uncleared persons in KMP positions requiring clearance
• Intentional disregard of NISPOM regulations
• Acute or critical systemic vulnerabilities with potential loss/compromise
• Any additional items which may result in invalidation of the FCL
• Matrix score leading to marginal or unsatisfactory rating
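The scoring mechanics above (start at 700, credit per enhancement category, deduct per NISPOM reference rather than per occurrence, separate weighting of acute/critical versus other vulnerabilities, red flag override) can be checked against a small model. The following is an added example, not DSS code or the actual matrix: the page does not publish any point values, so every weight except the 700 starting score is a constructed placeholder, the facility types come from the “Large Possessor / Small Possessor / Non-Possessor” table headings on the page, and the NISPOM reference strings and enhancement items in the sample assessment are constructed. How a single reference cited at two different severities is handled is not stated on the page; the model keeps the most severe citation and says so in a comment.

```python
"""Model of the Rating Matrix scoring rules described on this page.

Added example, not DSS code. Only the rules come from the page; all point
values other than the 700 baseline are constructed placeholders.
"""
from dataclasses import dataclass, field

BASELINE = 700  # from the page: every facility starts at 700

# Placeholder weights (assumed, not published on the page), keyed by the
# facility types the page names, since the matrix accounts for size/complexity.
ENHANCEMENT_POINTS = {"Large Possessor": 10, "Small Possessor": 15, "Non-Possessor": 20}
VULNERABILITY_POINTS = {
    "Large Possessor": {"acute_critical": -50, "non_critical": -10},
    "Small Possessor": {"acute_critical": -60, "non_critical": -15},
    "Non-Possessor":   {"acute_critical": -80, "non_critical": -20},
}
# Acute and critical findings are weighed together; plain vulnerabilities separately.
SEVERITY_BUCKET = {"acute": "acute_critical", "critical": "acute_critical",
                   "vulnerability": "non_critical"}
SEVERITY_RANK = {"acute": 2, "critical": 1, "vulnerability": 0}


@dataclass
class Finding:
    nispom_ref: str   # NISPOM paragraph cited (values below are constructed)
    severity: str     # "acute", "critical" or "vulnerability"


@dataclass
class Assessment:
    facility_type: str
    # category number -> validated enhancement items (full credit for any item)
    enhancements: dict = field(default_factory=dict)
    findings: list = field(default_factory=list)
    red_flags: list = field(default_factory=list)  # e.g. "Unmitigated or unreported FOCI"


def score(a: Assessment) -> dict:
    """Return the score breakdown; 'score' is None when a red flag item applies."""
    if a.red_flags:
        return {"score": None, "not_applicable_because": list(a.red_flags)}

    # One credit per category, however many items it contains.
    credited = sorted(cat for cat, items in a.enhancements.items() if items)
    total = BASELINE + len(credited) * ENHANCEMENT_POINTS[a.facility_type]

    # One deduction per NISPOM reference, not per occurrence. Assumption: when a
    # reference is cited at more than one severity, the most severe one counts.
    worst = {}
    for f in a.findings:
        if (f.nispom_ref not in worst
                or SEVERITY_RANK[f.severity] > SEVERITY_RANK[worst[f.nispom_ref]]):
            worst[f.nispom_ref] = f.severity
    weights = VULNERABILITY_POINTS[a.facility_type]
    deductions = {ref: weights[SEVERITY_BUCKET[sev]] for ref, sev in worst.items()}
    total += sum(deductions.values())

    return {"score": total,
            "credited_categories": credited,
            "deductions_by_reference": deductions,
            "occurrences_ignored": len(a.findings) - len(worst)}


def example_assessment() -> Assessment:
    """Constructed input: two credited categories (category 6 has two items but
    earns one credit), one reference cited twice, one critical finding."""
    return Assessment(
        facility_type="Large Possessor",
        enhancements={1: ["security fair"], 2: [],
                      6: ["two documented self-reviews", "detailed report to DSS"]},
        findings=[Finding("5-100", "vulnerability"), Finding("5-100", "vulnerability"),
                  Finding("8-101b", "critical"), Finding("3-102", "vulnerability")],
    )


if __name__ == "__main__":
    print(score(example_assessment()))
    flagged = example_assessment()
    flagged.red_flags.append("Unmitigated or unreported FOCI")
    print(score(flagged))
```

With the placeholder weights the sample scores 700 + 2×10 − 50 − 10 − 10 = 650; the duplicate citation of the same reference changes nothing, and adding any red flag item replaces the number with “not applicable”, which is the behaviour the Red Flag Items slide describes.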
Rating Matrix – Sep 2013 Update
Rating Matrix update in effect as of September 1, 2013.
Feedback from DSS field personnel and industry partners was gathered over the past year to refine the Rating Matrix into a more transparent, consistent, subjective process designed to identify and mitigate vulnerabilities while recognizing practices in place that enhance security programs beyond baseline NISPOM requirements.
The update does not drastically change the process; rather, it builds upon the original implementation to further add clarity, drive consistency, and encourage more robust security programs.
Summary of RM Updates
• Revised Enhancement Definitions:
− Categories now outline the intent of the enhancement, allowing DSS and Industry to more easily identify items which may receive credit
− Added additional enhancement examples and clarification of non-enhancements and best practices
− Addresses FAQs from Industry and DSS employees
• Removed “Unless Contractually Required” Clause:
− NISP enhancements that go beyond baseline NISPOM requirements but are required by program/contract will now be counted for credit
Summary of Updates (Continued)
Current Rating Matrix Categories
1. SecEd: (Company Sponsored Events)
2. SecEd: (Internal Educational Brochures/Products)
3. SecEd: (Security Staff Professionalization)
4. SecEd: (Information/Product Sharing w/in Community)
5. Contractor Self Review
6. Classified Material Controls/Physical Security
7. Counterintelligence Integration/Cyber Security
8. Information Systems
9. FOCI
10. International
11. Membership/Attendance in Security Community Events
12. Active Participation in the Security Community
13. Personnel Security
Updated Rating Matrix Categories
1. Company Sponsored Events
2. Internal Educational Brochures/Products
3. Security Staff Professionalization
4. Information/Product Sharing w/in Community
5. Active Membership in Security Community
6. Contractor Self-Review
7. Counterintelligence Integration
8. FOCI/International
9. Classified Material Controls/Physical Security
10. Information Systems
Rating Matrix – Sep 2013 Update
[Point table by facility type: Large Possessor, Small Possessor, Non-Possessor; the table values are not reproduced here.]
Category 1: Company Sponsored Events
Enhancement Definition and Intent:
• In addition to the annual required security refresher briefings, the cleared contractor holds company sponsored events such as security fairs, interactive designated security-focused weeks, security lunch events, hosting guest speakers on security-related topics, webinars with the security community, etc.
• Intent of this category is to encourage cleared contractors to actively set time aside highlighting security awareness and education. This should not be a distribution of a paper or email briefing, but rather some type of interactive in-person activity.
Examples:
Enhancements
• Facility hosts company sponsored events such as security fairs, interactive designated security-focused weeks, security lunch events, etc.
• Training events conducted at off-site customer locations
Best Practices / Not Enhancements
• FCIS accompanies ISR during security vulnerability assessment and provides advice and assistance on suspicious contact reporting
Category 2: Internal Educational Brochures/Products
Enhancement Definition and Intent:
• A security education and awareness program that provides enhanced security education courses or products to employees beyond initial and annual refresher training requirements; i.e., CD/DVD, web-based interactive tools, newsletters, security games/contests, international security alert system, etc.
• Intent of this category is to encourage cleared contractors to generate and distribute relevant security materials to employees who then incorporate the content into their activities.
Examples:
Enhancements
• Relevant NISP security education content is generated by the facility or sourced elsewhere (i.e. home office provides branch locations, government activities) and the local workforce incorporates the information into their activities.
• Security staff delivers security briefing products to uncleared employees that specifically address the FCL and its effect on the employee; i.e., SCR, adverse information, how to recognize unprotected classified material and the need to report it to the FSO, etc.
Best Practices / Not Enhancements
• Forwarding the monthly DSS Newsletter. The newsletter is primarily policy, knowledge required by the FSO, or training opportunities and does not equate to an educational tool
• Trained 100% of the cleared employees within one year on NISPOM required topics
• Completion of PII training
Category 3: Security Staff Professionalization
Enhancement Definition and Intent:
• Security staff training exceeds NISPOM and DSS requirements and incorporates that knowledge into NISP administration.
• Intent of this category is to encourage the security program’s key personnel to actively strive to learn more and further their professional security expertise beyond mandatory requirements.
Examples:
Enhancements
• Obtaining and maintaining professional certifications such as CPP, SPeD Certification, CISSP, etc.
• Partial completion of a training program (beyond base training requirements per NISPOM 3-102 and 8-101b) if accomplished security relevant courses applicable to one’s duties
Best Practices / Not Enhancements
• Currently possess a certification but has not taken training or ongoing certification maintenance within the assessment cycle
• Taking additional security courses but has not completed required training to date (i.e. an FSO who has not completed required FSO training would not receive credit for additional training)
Category 4: Information & Product Sharing within Security Community
Enhancement Definition and Intent:
• Facility Security Officer (FSO) provides peer training support within the security community and/or shares security products/services with other cleared contractors outside their corporate family.
• Intent of this category is to encourage cleared contractors to actively reach out to other cleared contractors to assist those who may not have the expertise or budget and provide them with security products, services, etc.
Examples:
Enhancements
• Sharing classified destruction equipment with the local security community. Classified material should be properly handled, per NISPOM requirements
• Cleared contractor serves as a source for fingerprinting employees from other cleared contractors
• ISSM or FSO mentors ISSMs or FSOs at other cleared contractors
Best Practices / Not Enhancements
• Sharing or providing products/services to companies or agencies that are not participating in the National Industrial Security Program
Category 5: Active Membership in Security Community
Enhancement Definition and Intent:
• Security personnel are members of and actively participate in NISP/security-related professional organizations.
• Intent of this category is to encourage security programs to actively collaborate with their local security community to identify best practices to implement within their own NISP security programs.
Further Clarification:
• Verification of the enhancement should be aimed at asking what the take-aways from events were, how they apply to the facility’s security program, and how the security staff is implementing any take-away information.
• Security personnel unable to attend meetings on a regular basis can collaborate virtually via the organization’s websites, email, etc.
Examples:
Enhancements
• Cleared contractor hosts security events on behalf of security/NISP-related professional organizations
• Cleared contractor security staff is a guest speaker at a security event provided by a security-related professional organization
Best Practices / Not Enhancements
• Any security groups or events not directly related to the National Industrial Security Program (NISP). For example, a President of a cleared facility speaks at an event hosted by a university, but the audience is not familiar with or part of the NISP
Category 6: Contractor Self-Review
Enhancement Definition and Intent:
• Contractors sustain a thorough, impactful review of their security posture.
• Intent of this category is to encourage cleared contractors to maintain an effective, ongoing self-review program to analyze and identify any threats or vulnerabilities within their program and coordinate with DSS to address those issues prior to the annual assessment.
Further Clarification:
• Taking into account the size and complexity of the facility, if vulnerabilities were identified during the self-review and documented as mitigated, but during the DSS assessment vulnerabilities were found in these areas, then the mitigating process put in place was not effective and this enhancement should not be granted.
Examples:
Enhancements
• Cleared contractor provides DSS a detailed report of their self-review to include identified threats or vulnerabilities, analysis, and countermeasures to mitigate vulnerabilities, and collaborates with DSS to correct prior to the annual assessment
• Multiple documented self-reviews providing an on-going, continuous evaluation of the security program
Best Practices / Not Enhancements
• Sending a copy of their self-review checklist only, without a comprehensive analysis, to DSS for review
• Uses CDSE Self-Inspection Handbook for Contractors
• Only develops a corrective action plan for vulnerabilities and does not follow up to mitigate those vulnerabilities
Category 7: Counterintelligence Integration
Enhancement Definition and Intent:
• Contractors build a counterintelligence (CI) focused culture by implementing processes within their security program to detect, deter, and expeditiously report suspicious activities to DSS through submission of suspicious contact reports (SCR).
• Intent of this category is to encourage cleared contractors to develop vigorous and effective CI programs that thwart foreign attempts to acquire classified and sensitive technologies. Critical elements of a vigorous and effective CI program include timely reporting, understanding the threat environment, and agile and authoritative decision making to neutralize or mitigate vulnerabilities and threats.
1. Identification of actionable information leading to the initiation of investigations or activities by Other Government Agencies (OGA), or
2. Implementation of measures to identify and prevent reoccurrence of reported suspicious activities, or
3. Demonstration of immediate response to a suspicious or illegal act to neutralize or mitigate risks to targeted technologies and facilities.
Examples:
Enhancements
• Foreign travel pre-briefings and de-briefings conducted in-person or telephonically, designed to identify contacts or activities displaying potential espionage indicators (See 2 / 3)
• Implement an effective Insider Threat program designed to identify employees displaying potential espionage indicators (See 2)
• Effective cooperation with Intel and LE communities when pursuing potential penetrators (See 1 / 3)
Best Practices / Not Enhancements
• Contractor provides sterile travel laptops with full disk encryption for employees travelling OCONUS
• Contractor provides pre/post domestic conference briefings
• Contractor utilizes a centralized mailbox to collect potential SCR notifications
Category 8: FOCI / International
Enhancement Definition and Intent:
• Cleared contractor implements additional effective procedures to mitigate risk to export controlled items and/or FOCI. Intent of this category is to encourage cleared contractors to implement an enhanced export control program, increasing its effectiveness.
• For FOCI mitigated facilities, the intent is to encourage activities above mitigation instrument requirements to further minimize foreign influence at the facility.
Further Clarification:
• Items which are requirements of the mitigation instrument may not be counted as enhancements.
Examples:
Enhancements
• Facility maintains an enhanced ongoing export control self-inspection program
Best Practices / Not Enhancements
• Effective briefing and debriefing program for persons hosting foreign visitors
• Facility maintains a list of the export controlled items the facility works on, and it is shared with relevant employees to ensure awareness across the workforce
• Implements and maintains a system for automatic designation of emails to/from foreign parent/affiliates
• FOCI mitigation instruments are effectively deployed prior to the formal requirements being communicated
Category 9: Classified Material Controls and Physical Security
Enhancement Definition and Intent:
• Facility has deployed an enhanced process for managing classified information and/or has implemented additional Physical Security measures, with built-in features to identify anomalies.
• Intent of this category is to encourage security programs to maximize the protection and accountability of classified material on-site by implementing effective processes, regardless of quantity of classified holdings.
Examples:
Enhancements
• Information Management System reflects history of location and disposition for Secret and Confidential material in the facility
• Safe custodian performs 100% check-in/check-out of materials, reviews material for appropriate markings and classification
Best Practices / Not Enhancements
• Added video monitors of high theft areas
• Establishment of documented tracking system for inspections of areas above and below false ceilings/floors in Closed Areas
• Combination changes more frequently than required
Category 10: Information Systems
Enhancement Definition and Intent:
• Incorporating process enhancements and leveraging tools to expand the overall security posture of accredited information systems.
• Intent of this category is to encourage security programs to maximize protection of classified information on IS.
Examples:
Enhancements
• Development and use of a formalized SOP and a comprehensive checklist to augment a detailed weekly audit review process, describing what is performed during the review of large, complex IS (LANs/WANs) with multiple Operating Systems
• Use of a file or scripts that track downloaded files and/or compare generation records for unauthorized classified downloads, with review/auditing of the report outputs.
• Use of a file or scripts that track and/or block unauthorized USB connections, with review/auditing of the report outputs.
Best Practices / Not Enhancements
• Employing a color coded labeling system for components of both classified and unclassified networks (switches, routers, network jacks) when co-located in the same secure area, to further identify and deter unauthorized or inadvertent system connections
• Developed reports to give ample notification of when a system is due for re-accreditation.
• Utilize scripts to apply and maintain antivirus definition updates.
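The Category 10 enhancement “scripts that track and/or block unauthorized USB connections and review/auditing of report outputs” has two halves: the tracking script, and a report an ISSM can actually review. The following is an added example, not DSS code and not a product referenced by the page. The log format (one `key=value` record per line from a hypothetical endpoint agent), the sample records, and the allowlist of issued media serial numbers are all constructed for the example; the policy choice to treat a mass-storage device without a serial number as unidentified, and therefore unauthorized, is an assumption of the example rather than a rule stated on the page.

```python
"""USB attach audit: parse agent records, flag unauthorized mass-storage
connections against an allowlist, and produce the report reviewed in the audit.

Added example, not DSS code. Log format, records and allowlist are constructed.
"""
import re
from collections import Counter

# Constructed sample records from a hypothetical endpoint agent (not real data).
SAMPLE_LOG = """\
2013-09-03T08:12:44 host=ws-101 user=alice event=usb-attach vid=0781 pid=5583 serial=4C530001 class=mass-storage
2013-09-03T08:13:02 host=ws-101 user=alice event=usb-attach vid=046d pid=c52b serial=NONE class=hid
2013-09-03T09:40:10 host=ws-107 user=bob event=usb-attach vid=0951 pid=1666 serial=E0D55EA5 class=mass-storage
2013-09-03T09:41:55 host=ws-107 user=bob event=usb-detach vid=0951 pid=1666 serial=E0D55EA5 class=mass-storage
2013-09-03T11:02:31 host=ws-203 user=carol event=usb-attach vid=0781 pid=5583 serial=4C530001 class=mass-storage
2013-09-03T13:15:09 host=ws-203 user=carol event=usb-attach vid=0000 pid=0000 serial=NONE class=mass-storage
this line is corrupt and must not crash the audit
"""

# Constructed allowlist: serial numbers of media issued by the ISSM.
AUTHORIZED_SERIALS = {"4C530001"}

RECORD_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) event=(?P<event>\S+) "
    r"vid=(?P<vid>[0-9a-f]{4}) pid=(?P<pid>[0-9a-f]{4}) serial=(?P<serial>\S+) "
    r"class=(?P<cls>\S+)$"
)


def parse_log(text):
    """Return (records, malformed_count); malformed lines are counted, not dropped silently,
    because a gap in the audit trail is itself something the reviewer must see."""
    records, malformed = [], 0
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
        elif line.strip():
            malformed += 1
    return records, malformed


def is_unauthorized(rec, authorized=AUTHORIZED_SERIALS):
    """Policy (assumed for this example): only mass-storage attaches are in scope,
    and a device with no serial cannot be matched to issued media, so it fails closed."""
    if rec["event"] != "usb-attach" or rec["cls"] != "mass-storage":
        return False
    return rec["serial"] == "NONE" or rec["serial"] not in authorized


def audit(text, authorized=AUTHORIZED_SERIALS):
    """Build the structured report that the weekly audit review examines."""
    records, malformed = parse_log(text)
    hits = [r for r in records if is_unauthorized(r, authorized)]
    return {
        "records": len(records),
        "malformed_lines": malformed,
        "unauthorized": [(r["ts"], r["host"], r["user"], r["serial"]) for r in hits],
        "by_user": dict(Counter(r["user"] for r in hits)),
    }


def format_report(report):
    """Render the report as the text the ISSM signs off on."""
    lines = [f"USB audit: {report['records']} records, "
             f"{report['malformed_lines']} malformed line(s) skipped"]
    for ts, host, user, serial in report["unauthorized"]:
        lines.append(f"  UNAUTHORIZED {ts} {host} {user} serial={serial}")
    for user, n in sorted(report["by_user"].items()):
        lines.append(f"  {user}: {n} unauthorized attach(es)")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(audit(SAMPLE_LOG)))
```

On the sample records the report flags two attaches (an unissued drive on ws-107 and a serial-less mass-storage device on ws-203), ignores the keyboard and the detach event, and reports the one corrupt line rather than hiding it. A blocking variant would call `is_unauthorized` at attach time; the review step is what turns either variant into the auditable process the category describes.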
Commonly Asked Questions & Answers
Q: What is the purpose of the updated Rating Matrix?
A: The revisions to the matrix are intended to further improve the rating process, incorporating DSS and Industry feedback, and to give credit for enhancements that have the most positive impact on contractor security programs.
Q: Why has the number of Rating Matrix Categories decreased?
A: The decrease in Rating Matrix Categories further clarifies the intent of each enhancement and allows DSS and Industry to identify the purpose behind the category and more easily identify examples. Specific updates were made for the following purposes:
• Merging “Membership/Attendance in Security Community Events” with “Active Participation in the Security Community” eliminates overlap, reinforces active participation in security groups and provides smaller sites additional opportunities for enhancement credits.
• Merging “International” and “FOCI” eliminates overlap and expands enhancement opportunities and attainability.
• Removal of the “Personnel Security” Category eliminates elements considered best practices and levels the playing field, as smaller companies lacked attainability.
Commonly Asked Questions & Answers (Continued)
Q: If a corporate wide organization participates in the Partnership With Industry (PWI) programs, can this be counted as NISP enhancements for each cleared facility within the organization?
A: Generally no; the intent of the PWI program is to generate a shared perspective between DSS and Industry as it relates to NISP oversight responsibilities. However, involvement or participation by the given facility in this or similar programs can be assessed to determine if the facility will be granted NISP enhancement credit based on how the experience has been incorporated to improve the facility’s security program.
Q: If a large facility has segmented departments independently implementing a NISP enhancement, can it be counted if it is NOT implemented throughout the entire facility?
A: No. The enhancement can only be counted if it impacts the entire facility. Recognize the specific departments implementing the enhancements when applicable and use this as an opportunity to suggest incorporating these enhancements facility-wide.
Enhancement or Best Practice?
Items from the quiz slide; each belongs under either “Enhancement” or “Best Practice”:
• Security staff develops security briefing products to be delivered to uncleared employees that specifically address the company’s Facility Security Clearance and its effect on the employee
• Forwarding the monthly DSS Newsletter.
• Additional CDSE courses, STEPP courses, NCMS “brown bag” training sessions
• Currently possess a certification but has not taken any training or ongoing certification maintenance within the assessment cycle
• Conducting part of a self-review over an extended period of time but only completing the one required formal self-review
• Cleared contractor provides DSS a detailed report of their self-review to include identified threats or vulnerabilities, analysis, and countermeasures to mitigate vulnerabilities, and collaborates with DSS to correct prior to the annual assessment
Enhancement or Best Practice?
Items from the quiz slide; each belongs under either “Enhancement” or “Best Practice”:
• Use of a file or scripts that track and/or block unauthorized USB connections and review/auditing of report outputs
• Employing a color coded labeling system for components for both classified and unclassified networks (switches, routers, network jacks) when co-located in the same secure area to further identify and deter unauthorized or inadvertent system connections
• Effective foreign travel pre-briefings and de-briefings conducted in-person or telephonically designed to identify contacts or activities displaying potential espionage indicators
• Contractor conducts pre and post domestic conference briefings
Security Assessment Rating Results
Rating Matrix – Sep 2013 Update
Most notably, in the interest of transparency and clarity, a one-stop product is being issued to all FSOs covering the assessment process, vulnerabilities, and enhancement categories. Enhancements include the definition, intent, and examples.
Questions? Rating.Matrix@dss.mil