Defense Security Services (DSS) has new guidance on
security enhancements and ratings that cleared defense contractors can earn.
According to the publication 2013 DSS Vulnerability Assessment Rating Matrix
Vulnerabilities and NISP Enhancement Categories, there are 10 enhancements or
opportunities to demonstrate protection of classified information beyond
baseline National Industrial Security Program Operating Manual (NISPOM)
standards.
Before contractors can receive credit for NISP enhancements, there are a
few ground rules or fundamental areas that must be addressed.
Back to the basics is a good mantra to follow here. A cleared defense contractor must first
demonstrate the capability of protecting classified information before earning
enhancements. For example, a cleared facility that has significant findings in
the topic of Export Control or Foreign Ownership, Control or Influence (FOCI) will not get
enhancement credit in the FOCI topic until it overcomes the deficiencies.
Another rule is that the NISP enhancement must relate
directly to the National Industrial Security Program. An example where a
security measure would not count is where the security office volunteers to
walk employees to their cars during hours of darkness. Though this is a great
service and goes to enhance the employees' quality of life and safety, it has
nothing to do with NISP and will not count as a NISP enhancement.
NISP enhancements must be validated during the security
assessment as having an effective impact on the overall NISP program in place
at the company. In other words, the NISP enhancement must be measurable and
documented at the point of the assessment. For example, a cleared facility's
policy requiring the accountability of CONFIDENTIAL information might qualify
as a NISP enhancement.
After all, in the collateral world, accountability is only required for TOP
SECRET. However, if in spite of this great accountability, several documents
can't be accounted for, there is no indication of the policy having an
effective impact.
Credit for NISP enhancements will be granted for
activities beyond baseline NISPOM requirements even if required by
program/contract. This means that if a government or contractor customer requires
CONFIDENTIAL information to be transmitted with processes reserved for TOP SECRET
information, the serving contractor gets the NISP enhancement. The motivation
doesn't matter here; it's the results that count.
An enhancement directly related to a NISPOM requirement
cited for a vulnerability may not be granted. In other words, if a security
weakness exists where a countermeasure is required to meet that weakness, the
countermeasure doesn't count. Consider our earlier example of using TOP SECRET controls
to protect CONFIDENTIAL information: this is a NISP enhancement, as it goes
above and beyond NISPOM. However, if there is a vulnerability requiring the
additional security measure, then it may not count as a NISP enhancement.
If there are other effective enhancement activities in a
specific category unrelated to a specific vulnerability in that category, the
enhancement credit may still be granted. Consider, for example, developing procedures to
enforce need to know. NISPOM guidance does a lot to direct how to protect
classified information by protecting it according to classification level and
making it available to those with the proper clearance. Need to know is
mentioned but a few times. Access rosters, contract verification or other
need-to-know enforcement measures may well qualify as a NISP enhancement.
The DSS vulnerability assessment ensures that classified
information is protected according to the NISP. Once the baseline is
established, then credit for enhancements can be given. The cleared contractor
should be able to demonstrate that their security program meets the criteria.
The cleared contractor can then build upon that foundation to demonstrate going
above and beyond NISPOM requirements.
For more ideas on passing the DSS review and NISP enhancements see our book DoD Security Clearance and Contracts Guidebook.
Jeffrey W. Bennett, ISP is the owner of Red Bike Publishing. He regularly consults, presents security training, and recommends export compliance and intellectual property protection countermeasures. He is an accomplished writer of non-fiction books, novels and periodicals. Jeff is an expert in security and has written many security books including "Insider's Guide to Security Clearances", "DoD Security Clearances and Contracts Guidebook", "ISP Certification-The Industrial Security Professional Exam Manual", and "NISPOM/FSO Training".