Defense Security Service. DSS Update DSS Changing With A Changing Security Environment.

Slides:



Advertisements
Similar presentations
State of Indiana Business One Stop (BOS) Program Roadmap Updated June 6, 2013 RFI ATTACHMENT D.
Advertisements

BENEFITS OF SUCCESSFUL IT MODERNIZATION
File Management Tips and Suggestions FISWG/NCMS Winter Training Event December 17 th, 2014 Dela Williams Facility Security Officer.
What is Insider Threat? “Potential damage to the interests of an organization by a person(s) who is regarded, falsely, as loyally working for or on behalf.
Defense Security Service Facility Clearance Branch (FCB)
Defense Security Service. DSS Update DSS Changing With A Changing Security Environment.
What’s the path to a SSP? Information System Profile Contractor: Lockheed Martin, Missiles and Fire Control Address: 1701 W. Marshall Dr. Grand Prairie,
UPDATE: “Military & Defense Sector” OEA Grant and Defense Industry Adjustment Program Presentation to the Washington Economic Development Association 4.
INDUSTRIAL SECURITY FACILITIES DATABASE (ISFD)
1 Office of the Designated Approving Authority (ODAA) April 2008.
ISFO – ODAA Defense Security Service Industrial Security Field Operations (ISFO) Office of the Designated Approving Authority (ODAA) Nov Nov 2013.
National Protection and Programs Directorate Department of Homeland Security The Office of Infrastructure Protection Cybersecurity Brief [Date of presentation]
UNCLASSIFIED Foreign Ownership, Control, or Influence (FOCI) August 2009.
1 For System Administrators INFORMATION INFORMATION SYSTEM SECURITY INFORMATION INFORMATION SYSTEM SECURITY.
Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.
ODAA Update Agenda ODAA Business Management System (OBMS) Deployment
Security Offering. Cyber Security Solutions 2 Assessment Analysis & Planning Design & Architecture Development & Implementation O&M Critical Infrastructure.
1 Creating a Joint Personnel Adjudication System (JPAS) Analysis Report Michael S. Campbell Industrial Security Specialist Defense Security Service San.
Providing Practical Solutions Winning the Talent Wars for Recruiting and Retaining 21 st Century Cyber Engineers Jeff Kubik, PMP, CISSP Sr PM, Praxis Engineering.
Office 365: Efficient Cloud Solutions Wednesday March 12, 9AM Chaz Vossburg / Gabe Laushbaugh.
Personnel Security Management Office for Industry
Navigating the Maze How to sell to the public sector Adrian Farley Chief Deputy CIO State of California
Lesson 8-Information Security Process. Overview Introducing information security process. Conducting an assessment. Developing a policy. Implementing.
1 Preparing a System Security Plan. 2 Overview Define a Security Plan Pitfalls to avoid Required Documents Contents of the SSP The profile Certification.
Section Seven: Information Systems Security Note: All classified markings contained within this presentation are for training purposes only.
OFFICE OF THE UNDER SECRETARY OF DEFENSE FOR INTELLIGENCE CI & SECURITY DIRECTORATE, DDI(I&S) Valerie Heil March 20, 2015 UNCLASSIFIED Industrial Security.
Defense Security Service New Rating Process Current as of 10/19/2011.
OFFICE OF THE UNDER SECRETARY OF DEFENSE FOR INTELLIGENCE CI & SECURITY DIRECTORATE, DDI(I&S) Valerie Heil August 12, 2014 UNCLASSIFIED NISPOM Update.
EEye Digital Security    On the Frontline of the Threat Landscape: Simple configuration goes a long way.
Important acronyms AO = authorizing official ISO = information system owner CA = certification agent.
Certification and Accreditation CS Phase-1: Definition Atif Sultanuddin Raja Chawat Raja Chawat.
Sample Security Model. Security Model Secure: Identity management & Authentication Filtering and Stateful Inspection Encryption and VPN’s Monitor: Intrusion.
DISTRIBUTION IMPLEMENTATION EXAMPLES AND TOOLS David Sandidge Director, Responsible Care American Chemistry Council June 1, 2011.
Steven Burke Industrial Security Supervisor Lockheed Martin
GSA Expo 2010 DoD Travel Programs Customer Assistance Tools and Services Mr. Joe Ward and Ms. Margaret Hebert GSA Expo May 2010.
OCTAVE-S on TradeSolution Inc.. Introduction Phase 1: Critical Assets and threats Phase 2: Critical IT Components Phase 3: Changes Required in current.
“Integrating Property Management with Emergency Recovery” Ivonne Bachar, CPPM CF Director, Property Management Office Stanford University
EPA Geospatial Segment United States Environmental Protection Agency Office of Environmental Information Enterprise Architecture Program Segment Architecture.
Federal Aviation Administration By: Giles Strickler, UCS Program Manager Procurement Policy (AJA-A11) Date:September 22, 2010 Unified Contracting System.
Sample only Order at Security Awareness Training A threat awareness briefing. A defensive security briefing. An overview of the.
Last Updated 1/17/02 1 Business Drivers Guiding Portal Evolution Portals Integrate web-based systems to increase productivity and reduce.
Creating an Insider Threat Program.
Microsoft Belgium Security Summit Georges Ataya S olvay B usiness S chool, ISACA Belux Detlef Eckert Microsoft EMEA.
MG 302: Management Information Systems (MIS)
SECURITY BRIEFING A threat awareness briefing A defensive security briefing An overview of the security classification system Employee reporting obligations.
NISPOM Update for Dulles ISAC
Defense Security Service Joint Industrial Security Awareness Council March 20, 2015.
NISPOM Chapter 1 Basics General Requirements Reporting Responsibilities Steven Rivera, FSO July 10, 2013.
Personnel Security Update January 2016
Latest Strategies for IT Security Margaret Myers Principal Director, Deputy CIO United States Department of Defense North American Day 2006.
| 1 Weapon System Acquisition Reform- Product Support Assessment DAU SYMPOSIUM 13 April 2010 Presented by: Basil Gray Where Innovation.
Protecting Against Cyber Challenges Pacific Operational Science & Technology Conference 15 March 2011 Rob Wolborsky Chief Technology Officer Space and.
How To Conduct An Administrative Inquiry (AI) Due To A Security Violation
Sicherheitsaspekte beim Betrieb von IT-Systemen Christian Leichtfried, BDE Smart Energy IBM Austria December 2011.
By: Matt Winkeler.  PCI – Payment Card Industry  DSS – Data Security Standard  PAN – Primary Account Number.
Important acronyms AO = authorizing official ISO = information system owner CA = certification agent.
© ITT Educational Services, Inc. All rights reserved. IS3220 Information Technology Infrastructure Security Unit 10 Network Security Management.
Safeguarding CDI - compliance with DFARS
ISO 9001:2008/ AS9100 Registered Management Systems Registration
Team 1 – Incident Response
Introduction to the Federal Defense Acquisition Regulation
AN OVERVIEW OF THE INDUSTRIAL SECURITY PROGRAM
EDUCAUSE Security Professionals Conference 2018 Jason Pufahl, CISO
Sachiko A. Kuwabara, PhD, MA
Microsoft Data Insights Summit
IT Management Services Infrastructure Services
In the attack index…what number is your Company?
OU BATTLECARD: Oracle Identity Management Training
OU BATTLECARD: Oracle WebCenter Training
Presentation transcript:

Defense Security Service

DSS Update DSS Changing With A Changing Security Environment

DSS Update FY13 in Review Conducted 7,300 security vulnerability assessments 1,565 new Interim and Final Facility Clearances granted Over 14,000 Accredited Systems in Industry 26 Federal Partners >1 Million active cleared contractors

FY13 in Review DMDC assumed call center activities (JPAS, DCII, iIRR, and SWFT) on June 1, 2013 Updates to Security Vulnerability Assessment Matrix being implemented September 2013 Release ISFO Process Manual --- Fall 2013 (15 May 2014 requirement) Web-based ISFD going to CAC/PKI enabling --- ready for 2014 deployment Initiate full DSS CCRI team reviews --- late 2013 DISCO merged into the DoDCAF  Stand-up of Personnel Security Management and Oversight for Industry (PSMO-I) DSS Update

FY13 in Review Just launched new Voice of Industry survey  Over 10,000 FSO responses  Initial feedback cites Cyber and Insider Threats as the biggest concerns  Opportunity to provide feedback  Feedback currently being analyzed for avenues to enhance industry partnerships Partnership with Industry  18 exchanges in FY13  17 active industry partners  Program was suspended due to sequestration  Anticipate re-launching in CY14  DSS Update

f Threat, Vulnerability Assessments IT Accreditations CCRIs Security Clearance Process Vulnerability, Suspicious Contact Reports IIRs Referrals for Action Cyber\Threat Notifications Risk Based Prioritization Company Assessments Program Assessments FOCI Analysis CFIUS Reviews Risk Consequence Value Managing Risk … Cleared Industry = { { Security Education Security Training Security Professionalization

FOCI Mitigation Transmission Export Control Technology Control Plans Foreign Intelligence Potential Espionage Indicators Insider Threat Awareness Classified Management Security Awareness Reporting Requirements SIPRNet Accredited WAN/LAN Trusted Download Electronic Control Plans Closed Areas Personnel Security Secure Storage Security Violations Classified Visits Acquisitions & Mergers Traditional / Physical Information Systems FOCI International Security Education THREAT Vulnerability Assessments

Assessment Ratings FY12 vs FY13 Vulnerability Assessments

Top Ten Acute/Critical Vulnerabilities (59% of total): Audit Capability (incl A 3 Audit Trail Analysis) PERSONNEL SECURITY CLEARANCES - General (incl B Deny Access for Deny Revoke or Suspension PCLs) Accreditation Reports to be Submitted to the CSA (incl G Change Conditions Affecting the FCL) PCLs Required in Connection with the FCL Investigative Requirements Malicious Code Reports of Loss, Compromise, or Suspected Compromise Configuration Management Changing Combinations (incl B Employee with Knowledge Combination Change) Vulnerability Assessments

Top five deficiencies we’re seeing in System Security Plans: SSP was incomplete or missing attachments Inaccurate or incomplete configuration diagram Sections in general procedures contradict protection profile Integrity & availability not properly addressed SSP was not tailored to the system Top five vulnerabilities we’re seeing during visits: Inadequate auditing controls Security Relevant Objects not protected Inadequate configuration management Improper session controls Identification & authentication controls IT Vulnerabilities

CI Award 20% of industry is reporting – Only 10% reporting “actionable” SCRs  Goal is 40% of industry reporting “actionable” SCRs Cyber Incident reporting has doubled, still ~ three (3) percent New CI awareness and analytical products Better define the threat More timely, focused products -- individual company assessments Expanded distribution of products Pushing classified threat, including cyber Deeper look into supply chain and unclassified subcontract vulnerabilities CI course, Thwarting the Enemy 40,000 course completions in first year CI Integration

Two curriculum tracks for FSOs American Council on Education (ACE) Credit Equivalency recommendations for several courses Two new awareness courses available outside of STEPP Professionalization – SPeD Certification FSO Toolkit Education and Training  An on-line tool with a variety of security resources  Information is designed to be modified or adapted to each facility  Go to and click on Facility Security Officers (FSOs) under Toolkits.

Looking ahead New automation  ODAA BMS  DD 254 Database  PKI Requirements  NISS Webinars Clearance Reform? Budget?

NISS Program  Environment  Persistent threats to the Defense Industrial Base (NIB)  Dispersed, complex, labor intensive oversight mission  Budget restrictions  Limited DSS personnel  Stovepiped, legacy information systems  National Industrial Security System (NISS) Solution  Modernizes business processes and tools to maximize efficiency  New, highly automated business information capability:  Replaces the legacy Industrial Security Facility Database (ISFD)  Incorporates additional functionality  Broader user base across the Government and Industry  Implements National Industrial Security Program (NISP) System Architecture vision NISS vision is for a data-driven, collaborative, automated, online environment accessible to government and industry users that delivers industrial security services, training, and oversight with interoperability and efficiency. 14

NISS Concept Summary  NISS is key to realize a Proactive, Risk-Based NISP Oversight Strategy  Integrating the NIB Threats, Vulnerabilities, and Assets/Consequences  NISS will be the ubiquitous go-to system interface for DSS, Industry, and Government interaction as it relates to the NISP.  NISS enables DoD enterprise decision making and analysis (Acquisition, IC, etc.) Users DSS Industry Government Access Computer or Mobile Device Single Point of Entry NCAISS (PKI/CAC) Login Interface One Web or App Interface Role Based Privileges and Access Analytics, Automated Business Management, Workflows Systems DSS Systems ISFD Replacement ODAA BMS NCCS (DD254) STEPP e-FCL Cross-Domain Solution External Data JPAS / DISS e-QIP / SWFT FPDS / SAM SEC Filings Commercial Data 15

16 Like Us on facebook at DSS.stakeholders

17 Questions?