DSS Security Ratings Matrix

DSS Security Ratings Matrix
Steve Slocum, Manager, Operations & Compliance Security
Jeff Vaccariello, Industrial Security Rep
March 14, 2012

Security Ratings Matrix
DSS recognized the importance of a standardized, objective approach to issuing security ratings as part of its security oversight role. The new security rating process uses a calculation worksheet. The worksheet is a DSS tool designed to standardize ratings and improve consistency. It is numerically based and quantifiable, and it accounts for all aspects of a facility’s involvement in the NISP.

Security Ratings Matrix
- Uses a numerically based rating system
- All facilities start with the same score (700)
- Points are added for identified National Industrial Security Program (NISP) Enhancements, by category
- Points are subtracted for vulnerabilities, by NISPOM reference
- Acute/Critical and Non-Acute/Non-Critical vulnerabilities are weighed separately
- Points are subtracted by NISPOM reference, not by number of occurrences
- Accounts for the size and complexity of a facility

Security Ratings Matrix
Each ratings matrix comes with a “scoring key” that is based on the facility category.

Security Ratings Matrix
Acute Vulnerability is defined as non-compliance with a NISPOM requirement that puts classified information at imminent risk of compromise. Acute vulnerabilities require immediate corrective action.
Critical Vulnerability is defined as non-compliance with a NISPOM requirement that places classified information in danger of loss or compromise.
Once a vulnerability is determined to be acute or critical, it is further categorized as either “Isolated”, “Systemic”, or “Repeat”.
All other Vulnerabilities are defined as non-compliance with a NISPOM requirement that does not place classified information in danger of loss or compromise.

Security Ratings Matrix
A NISP enhancement directly relates to and enhances the protection of classified information beyond baseline NISPOM standards. NISP enhancements will be validated during the assessment as having an effective impact on the overall security program; validation is usually accomplished through employee interviews and review of processes/procedures. DSS established 13 NISP enhancement categories, based on practical areas, to simplify the process and ensure field consistency. Full credit for a NISP enhancement (15 or 12 points, depending on facility complexity) will be given if a facility completes any action/item in a given category. The facility will only receive a total of 15/12 points per category, regardless of how many NISP enhancements it has in that category.

Ratings Matrix Categories
Category 1: Security Education (Events)
Category 2: Security Education (Products)
Category 3: Security Education (Staff Training)
Category 4: Security Education (Product Sharing)
Category 5: Self Inspection
Category 6: Physical Security/Controls
Category 7: CI Integration/Cyber Security
Category 8: Information Systems
Category 9: FOCI
Category 10: International
Category 11: Security Organization Membership
Category 12: Active Organization Participation
Category 13: Personnel Security

How It Works
Rating Matrix Company, Inc.
Category C – Mid-Size Possessing Company
Previous Rating: Commendable
Recent Rating: Superior
Vulnerabilities: 2 (Non-Acute/Non-Critical)
NISP Enhancements: 9
Rating Calculation Score: 804
Now we will walk through an example. A mid-size, possessing company (Category C) had a security assessment that resulted in a Superior rating. We will discuss the vulnerabilities, the NISP enhancements, and the final score/rating.

Sample Company

Sample Company
Vulnerability: Document marking deficiency (corrected on the spot). 2 points deducted.
Vulnerability: An original SF312 was not forwarded to DISCO for retention. 2 points deducted.

Sample Company
Category 2: Security Education (Products)
Facility provides monthly security updates/reminders to employees through the monthly corporate newsletter. 12 points added.

Sample Company
Category 3: Security Education (Staff Training)
FSO has CPP certification. Security staff training exceeds NISPOM requirements, as all security personnel have completed all training requirements for FSO Program Management through the STEPP website and continuously complete additional educational courses. 12 points added.

Sample Company
Category 4: Security Education (Product/Information Sharing)
The FSO has developed a Protégé/Mentorship relationship with all subcontractors they sponsor into the NISP by reaching out to the newly sponsored facility and providing whatever advice and assistance it requires. The FSO often visits the new facility to provide training and experience to the new FSO. Additionally, the company participated in beta testing a future DSS/CDSE course. 12 points added.

Sample Company
Category 5: Self Inspection
The facility conducts and records two self-inspections annually. One is completed by the FSO and security staff. The other is conducted as a peer-to-peer review, with the FSO or another security staff member from another location conducting the review. 12 points added.

Sample Company
Category 6: Classified Material Controls
The FSO and AFSO conduct a semi-annual, 100% inventory of all classified holdings and maintain records of the inventories. Their information management system indefinitely reflects the history of location and disposition for material in the facility at all classification levels (100% accountability). 12 points added.

Sample Company
Category 7: CI Integration
All employees going on foreign travel for business are required to be briefed by Security prior to departure and are debriefed upon return. 12 points added.

Sample Company
Category 11: Security Organization Membership
The FSO and AFSO are both members of NCMS and a local ISAC. 12 points added.

Sample Company
Category 12: Active Security Organization Participation
The FSO takes a positive leadership role in the local ISAC and was elected corporate Co-Chairperson. 12 points added.

Sample Company
Category 13: Personnel Security
The facility manages a corporate-wide call center established to support questions and issues related to JPAS and EQIP from other branch/division offices throughout the country. 12 points added.

Sample Company: FINAL Score 804 = Superior
Vulnerabilities: Document marking deficiency (corrected on the spot); an original SF312 was not forwarded to DISCO for retention.
Enhancements:
Category 2: Facility provides monthly security updates/reminders to employees through the monthly corporate newsletter.
Category 3: Security staff training exceeds NISPOM requirements, as all security personnel have completed all training requirements for FSO Program Management through the STEPP website. FSO has CPP certification.
Category 4: The FSO has developed a Protégé/Mentorship relationship with all subcontractors they sponsor into the NISP by reaching out to the newly sponsored facility and providing whatever advice and assistance it requires. The FSO often visits the new facility to provide training and experience to the new FSO. Additionally, the company participated in beta testing a future DSS/CDSE course.
Category 5: The facility conducts and records two self-inspections annually. One is completed by the FSO and security staff. The other is conducted as a peer-to-peer review, with the FSO or another security staff member from another location conducting the review.
Category 6: The FSO and AFSO conduct a semi-annual, 100% inventory of all classified holdings and maintain records of the inventories. Their information management system indefinitely reflects the history of location and disposition for material in the facility at all classification levels (100% accountability).
Category 7: All employees going on foreign travel for business are required to be briefed by Security prior to departure and are debriefed upon return.
Category 11: The FSO and AFSO are both members of NCMS and a local ISAC.
Category 12: The FSO takes a positive leadership role in the local ISAC and was elected corporate Co-Chairperson.
Category 13: The facility manages a corporate-wide call center established to support questions and issues related to JPAS and EQIP from other branch/division offices throughout the country.
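As an added example (not from the slides or any DSS tool), the calculation rules above worked in Python over the Sample Company data: start at 700, credit each enhancement category once, deduct once per NISPOM reference. The complexity labels and the NISPOM paragraph numbers are assumptions; acute/critical weights are left to the caller because the slides do not give them.

```python
"""Score calculator for the rating-matrix rules described in the slides.
The per-category "scoring key" that maps a score to a rating is not on the
slides, so this stops at the numeric score."""
from dataclasses import dataclass

BASELINE_SCORE = 700
# Assumption: which complexity label gets 15 and which gets 12; the slides
# only say "15 or 12 points depending on facility complexity".
CATEGORY_CREDIT = {"complex": 15, "standard": 12}
# Points deducted per distinct NISPOM reference. Only the non-acute/
# non-critical weight (2) appears on the slides; acute and critical weights
# are not given, so a caller must supply them if such findings are present.
DEFAULT_DEDUCTIONS = {"other": 2}

@dataclass(frozen=True)
class Enhancement:
    category: int            # 1..13 per the Ratings Matrix Categories slide
    description: str

@dataclass(frozen=True)
class Vulnerability:
    nispom_ref: str          # NISPOM paragraph cited in the finding
    description: str
    severity: str = "other"  # "acute", "critical" or "other"

def enhancement_points(enhancements, complexity):
    """Full credit once per distinct category; extra items add nothing."""
    return CATEGORY_CREDIT[complexity] * len({e.category for e in enhancements})

def vulnerability_points(vulnerabilities, deductions=None):
    """Deduct once per (severity, NISPOM reference), never per occurrence."""
    weights = {**DEFAULT_DEDUCTIONS, **(deductions or {})}
    cited = {(v.severity, v.nispom_ref) for v in vulnerabilities}
    missing = sorted({sev for sev, _ in cited} - set(weights))
    if missing:
        raise ValueError(f"no deduction weight given for severity: {missing}")
    return sum(weights[sev] for sev, _ in cited)

def rating_score(enhancements, vulnerabilities, complexity, deductions=None):
    return (BASELINE_SCORE
            + enhancement_points(enhancements, complexity)
            - vulnerability_points(vulnerabilities, deductions))

# Constructed from the Sample Company slides: Category C, nine enhancements in
# categories 2-7 and 11-13, two non-acute/non-critical findings at 2 points
# each. NISPOM paragraph numbers are not on the slides, hence placeholders.
SAMPLE_ENHANCEMENTS = [
    Enhancement(2, "Monthly security reminders in the corporate newsletter"),
    Enhancement(3, "FSO holds CPP; staff training exceeds NISPOM requirements"),
    Enhancement(4, "Mentors newly sponsored subcontractor FSOs"),
    Enhancement(5, "Two documented self-inspections a year, one peer-to-peer"),
    Enhancement(6, "Semi-annual 100% inventory with full IMS history"),
    Enhancement(7, "Foreign travel pre-briefings and debriefings"),
    Enhancement(11, "FSO and AFSO are members of NCMS and the local ISAC"),
    Enhancement(12, "FSO elected ISAC corporate Co-Chairperson"),
    Enhancement(13, "Corporate call center for JPAS/EQIP questions"),
]
SAMPLE_VULNERABILITIES = [
    Vulnerability("NISPOM-REF-PLACEHOLDER-1", "Marking deficiency (corrected on the spot)"),
    Vulnerability("NISPOM-REF-PLACEHOLDER-2", "Original SF312 not forwarded to DISCO"),
]

def sample_company_score():
    return rating_score(SAMPLE_ENHANCEMENTS, SAMPLE_VULNERABILITIES, "standard")  # 804
```

A second enhancement in an already-credited category, or a second finding under an already-cited NISPOM reference, leaves the score unchanged, which is the behaviour the slides describe.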

Sample Company

Presentation of Enhancements
- Must be presented at the beginning of the assessment
- Show how each item enhances the local cage code
- DSS must be able to validate the enhancement, i.e. a self-inspection must be documented
- Reference: www.dss.mil, under Industrial Security / Industry Tools / Security Matrix Tool and Frequently Asked Questions

Category 1: Security Education (Company Sponsored Events)
The facility holds company sponsored events such as:
- Security fairs
- Interactive designated security focused weeks
- Security lunch events
- Hosting guest speakers on security related topics
- Webinar with security community
- Lunch and Learn
- Video Teleconference (VTC)
- Security Day
- OPSEC awareness events

Category 2: Security Education: Internal Educational Brochures/Products
A security education and awareness program that provides enhanced security education courses or products to the entire employee population:
- CD/DVD, web-based interactive tools
- Newsletters
- Security games/contests
- International security alert system
- May include uncleared employees
Facility provides monthly security updates/reminders to employees through the monthly corporate newsletter.

Category 2: Security Education: Internal Educational Brochures/Products
- Porcelain Press
- Security Post
- Internal security education brochures
- Education pamphlets
- E-Learning system with security education topics
Facility provides monthly security updates/reminders to employees through the monthly corporate newsletter.

Category 3: Security Education: Security Staff Professionalization
Security staff training exceeds NISPOM and DSS requirements, to include obtaining on-going professional certifications and incorporating the knowledge throughout the program.
- Certified Protection Professional (CPP)
- SPeD Certification
- Additional CDSE courses
- Computer Information Systems Security Professional (CISSP), etc.
- ISP (NCMS Prep Course)
- Complete courses through the STEPP system

Category 4: Security Education: Information/Product Sharing within Community
Facility Security Officer (FSO) provides peer training support within the security community and/or shares security products/services with other organizations both within and outside their corporate family.
- Presentation at FISWG
- Mentoring
- Let local security community utilize the classified destruction equipment
- You also provide fingerprinting services for local contractors

Category 5: Contractor Self Review
Effective, documented self reviews designed to provide an on-going, continuous evaluation of the security program, with the contractor self review results promptly shared with DSS, which encourages open dialogue on identified issues and possible resolutions prior to the DSS scheduled assessment.
- Multiple reviews of your facility
- Must be documented
- Conducting a review at another facility

Category 6: Classified Material Controls/Physical Security
Facility has deployed an enhanced process for managing classified information which has built-in countermeasures to identify significant anomalies. Examples include:
- 100% inventory on a random basis, or
- Information Management System (IMS) indefinitely reflects history of location and disposition for material in the facility of all classifications (100% accountability)
- Inventory on a semi-annual or random basis

Category 6: Classified Material Controls/Physical Security
- Access card readers
- Vehicle plaza
- CCTV
- Guards

Category 7: Counterintelligence Integration/Cyber Security
Foreign travel pre-briefings and debriefings conducted (when not a contractual requirement), or implementation of quality assurance efforts to check and verify training on suspicious contact reporting (SCR) and employee knowledge (e.g., setting up appropriate exercises to validate employee knowledge/situational awareness of the SCR reporting process).

Category 8: Information Systems
Developing and implementing significant and effective (LAN/WAN based) Information System audit trail reduction/collection or analysis tools/scripts internally and sharing these across the corporation or the NISP community at large.
- Audit Reduction Tools
- VAST (Validate Audit Summary Tool)
- SAST (Security Audit Summary Tool)
- Automated System Configuration Tools

Category 9: FOCI
Facilities under FOCI only!
Security programs that perform significant trend analysis of internal governance processes and interactions with the foreign parent company (companies that utilize trend analysis and follow-on audit programs to proactively identify and report attempts of undue influence, and to identify weaknesses, best practices, and areas for improvement).
- Monitor all emails, phone calls, etc.
- Track everything, not just a random sampling

Category 10: International
Facility voluntarily conducts, or has outside experts conduct, an ongoing export compliance audit and shares the results with interested U.S. Government agencies.
- Program briefing specific to international customers
- Extra training
- Strengthen ITAR program

Category 11: Membership/Attendance in Security Community Events
Security staff are members of and attend meetings of professional NISP or other security organizations such as Industrial Security Awareness Councils, professional societies and associations for security professionals, FOCI working groups, etc.
- FISWG
- NCMS
- ASIS

Category 12: Active Participation in the Security Community
The FSO, other key security personnel, or key management personnel actively participate in and contribute to security-related professional organizations beyond merely being a member, such as being elected to security community boards (e.g., President of an ISAC Chapter, committee/board member of an ISAC, etc.).

Category 12: Active Participation in the Security Community
- Steve Abounader, Chair of FISWG
- Betty Haynes, NCMS President
- Steve Slocum presenting at March 2012 Fall FISWG
- Active member of a committee in NCMS

Category 13: Personnel Security
Implementation of a corporate-wide call center or centralized process established to support employee questions and issues related to Cognizant Security Agency (CSA) designated databases (JPAS, EQIP, etc.).
Your FSO and AFSO conduct an on-going records check of the PCLs and employees working under this cage code, both servicing and owning.

Questions?