DSS RATING MATRIX - PowerPoint Presentation

Uploaded by natalia-silvester on 2020-01-11




Presentation Transcript

DSS RATING MATRIX & COGSWELL AWARD

Security Rating Matrix
- Provides a standardized approach to issuing security ratings throughout the Defense Security Service (DSS)
- Provides a quantitative approach to assessing facilities utilizing a standard worksheet
- The worksheet is a DSS tool, designed to standardize and improve consistency
- Numerically based, quantifiable, and accounts for all aspects of a facility's involvement in the National Industrial Security Program (NISP)

Security Rating Matrix
- Points-based rating system
- All facilities start with the same score (700)
- Points are added for identified NISP enhancements
- Points are subtracted for vulnerabilities by NISP Operating Manual (NISPOM) reference
- Acute/Critical and Non-Acute/Non-Critical vulnerabilities are weighted separately
- Points are subtracted by NISPOM reference, not by number of occurrences
- Accounts for size and complexity of a facility

Rating Matrix (worksheet slide; image not included in the transcript)

Rating Matrix (Cont'd) (worksheet slide; image not included in the transcript)

Vulnerabilities
- Acute Vulnerability: vulnerabilities that put classified information at imminent risk of loss or compromise, or that have already resulted in the compromise of classified information. Acute vulnerabilities require immediate corrective action
- Critical Vulnerability: those instances of NISPOM non-compliance that are serious, or that may place classified information at risk or in danger of loss or compromise
- Once a vulnerability is determined to be Acute or Critical, it is further categorized as either "Isolated", "Systemic", or "Repeat"
- All other vulnerabilities are defined as non-compliance with a NISPOM requirement that does not place classified information in danger of loss or compromise

Common Vulnerabilities
- Failure to initiate a preliminary inquiry upon notification of a report of loss, compromise, or suspected compromise of classified information
- Failure to appropriately mark classified information and material
- Retaining classified information from an expired contract beyond the authorized two-year retention period without obtaining written retention authority from the government contracting activity
- Failure to change safe combinations to closed areas/containers when employees having access were terminated
- Operating an information system that is or will process classified information without appropriate approval
- Failure to perform audits on classified systems
- Lack of anti-virus software
- Unreported facility clearance (FCL) change conditions
- Periodic reinvestigations out of scope

Enhancements
- A NISP enhancement directly relates to and enhances the protection of classified information beyond baseline NISPOM requirements
- Directly related to the NISP and does not include other commonplace security measures or best practices
- NISP enhancements will be validated during the assessment as having an effective impact on the overall security program
- In order for an enhancement to be granted, the facility must meet the baseline NISPOM requirements in that area
- An enhancement directly related to a NISPOM requirement cited for a vulnerability may not be granted
- If there are other effective enhancement activities in a specific category unrelated to a specific vulnerability in that category, the enhancement credit may still be granted
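The scoring rules on the two slides above (a 700-point baseline, deductions once per cited NISPOM reference rather than per occurrence, and no credit for an enhancement tied to a cited requirement while other enhancements in the same category still count) can be modelled directly. This is an added illustration, not DSS's worksheet; the point weights, the NISPOM reference numbers and the sample findings are all constructed placeholders, since the slides give no point values.

```python
from dataclasses import dataclass

BASELINE_SCORE = 700  # every facility starts with the same score (slide 3)
# Assumed placeholder weights; the slides only say acute/critical weigh more.
ASSUMED_DEDUCTION = {"acute": 50, "critical": 30, "other": 10}
ASSUMED_ENHANCEMENT_CREDIT = 5
SEVERITY_RANK = {"other": 0, "critical": 1, "acute": 2}

@dataclass(frozen=True)
class Vulnerability:
    nispom_ref: str  # NISPOM paragraph cited (constructed values below)
    severity: str    # "acute", "critical" or "other"

@dataclass(frozen=True)
class Enhancement:
    category: int    # rating matrix category 1-10
    nispom_ref: str  # baseline NISPOM requirement the enhancement builds on
    validated: bool  # DSS validated it as effective during the assessment

def cited_references(vulns):
    """One entry per cited NISPOM reference (not per occurrence), keeping
    the most severe classification seen for that reference."""
    worst = {}
    for v in vulns:
        if SEVERITY_RANK[v.severity] > SEVERITY_RANK.get(worst.get(v.nispom_ref), -1):
            worst[v.nispom_ref] = v.severity
    return worst

def granted_enhancements(enhancements, cited):
    """Credit only validated enhancements whose requirement was not cited."""
    return [e for e in enhancements if e.validated and e.nispom_ref not in cited]

def rating_score(vulns, enhancements):
    cited = cited_references(vulns)
    deductions = sum(ASSUMED_DEDUCTION[sev] for sev in cited.values())
    credits = ASSUMED_ENHANCEMENT_CREDIT * len(granted_enhancements(enhancements, cited))
    return BASELINE_SCORE - deductions + credits

# Constructed sample: the same critical finding cited twice is deducted once.
SAMPLE_VULNS = [
    Vulnerability("5-200", "critical"),
    Vulnerability("5-200", "critical"),
    Vulnerability("8-100", "acute"),
]
SAMPLE_ENHANCEMENTS = [
    Enhancement(9, "5-200", True),    # denied: its requirement was cited
    Enhancement(9, "5-300", True),    # granted: same category, unrelated requirement
    Enhancement(10, "8-200", False),  # denied: not validated by DSS
]
```

With the sample data the facility scores 700 - 30 - 50 + 5 = 625: one deduction per reference, and only the unrelated category 9 enhancement is credited.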

Rating Matrix Categories
- Category 1: Company Sponsored Events
- Category 2: Internal Educational Brochures/Products
- Category 3: Security Staff Professionalization
- Category 4: Information & Product Sharing within Security Community
- Category 5: Active Membership in Security Community
- Category 6: Contractor Self-Review
- Category 7a: Threat Identification and Management
- Category 7b: Threat Mitigation
- Category 8: FOCI / International
- Category 9: Classified Material Controls/Physical Security
- Category 10: Information Systems

Presentation of Enhancements
- Enhancement validated during the assessment
- Provide documentation supporting enhancements to the DSS representative
- DSS must be able to validate the enhancement
- Make the validation as easy as possible
- Identify the enhancements that you believe you qualify for and state why you feel your program qualifies for them
- Provide all supporting documentation
- Keep it neat, organized, and concise
- Consider using a binder, folder, or some other mechanism to provide all supporting information in one place

Enhancements
- For complete information and examples of what qualifies as an enhancement, please see the DSS 2016 Vulnerability Assessment Rating Matrix Vulnerabilities and NISP Enhancement Categories Guide

COGSWELL AWARD
- What is the Cogswell Award?
- Backward Glances of Facility Selections
- 2015/2016 Cogswell Numbers and Companies Selected
- Nomination Process
- Selection Process
- General Keys to Success
- My Keys to being Nominated/Selected

Cogswell Award
- Established in 1966 in honor of the late Air Force Col. James S. Cogswell
- First chief of the unified office of Industrial Security
- Created the basic principles forming the National Industrial Security Program (NISP)
- Places emphasis on the need for a true partnership between industry and government to ensure the protection of classified information, materials, and programs

What is the Cogswell Award?
- Outstanding Industrial Security Achievement Award
- Presented to companies that understand the complexity of the security environment
- Companies go above and beyond the minimum requirements expected of them
- Winning facilities represent the "best of the best"
- Their security programs stand as models for others to emulate
- Awarded on an annual basis
- DSS partners with NCMS to host the Cogswell Award presentations during its annual training conference
- Awards are presented by DSS Director Stan Sims

Backward Glances of Facility Selections
- 2010: 9 Facilities Selected
- 2011: 17 Facilities Selected
- 2012: 26 Facilities Selected
- 2013: 24 Facilities Selected
- 2014: 40 Facilities Selected
- 2015: 41 Facilities Selected
- 2016: 42 Facilities Selected

2015 Cogswell Numbers by Facility (41 Facilities Selected)
- Alliant Techsystems - Minn
- BAE Systems Land - Calif
- BAE Systems Technology - RI
- Battelle Colonial Place - Va
- Battelle Memorial Institute - Va
- Charles Stark Draper - Mass
- Crowell & Moring LLP - DC
- DCS Corporation - Fla
- DRS ICAS LLC - Ohio
- DRS Power Technology - Mass
- DRS Sensors & Targeting Sys - Calif
- Force 3 - Md
- General Dynamics Advanced - Va
- General Dynamics C4 - Ariz
- General Dynamics IT - Pa
- General Dynamics IT - Va
- Honeywell International - Minn
- iGov Technologies - FL
- Jacobs Technology - Tenn
- Jacobs Technology - Ohio
- L-3 Communications Integrated - Texas
- L-3 Systems Company - NJ
- L-3 Unidyne - RI
- LexisNexis Special Services - DC
- Lockheed Martin Systems - Colo
- Lockheed Martin Mission & Sys - Fla
- Lockheed Martin Missiles Fire Control - Fla
- Lockheed Martin Sippican - Mass
- Logistics Management Institute - Va
- The Protective Group Inc - Fla
- Raytheon Company - Ariz
- Raytheon Company - Calif
- Raytheon Company - Fla
- Raytheon Company - Va
- Raytheon/Lockheed Martin Javelin - Ariz
- Saab Defense and Security - NY
- Scientific Research Corp - Ga
- Stanley Associates - Fla
- Texas A&M University - Texas
- University of Rhode Island - RI
- Vencore Services & Solutions - Ohio

2015 Cogswell Numbers by State
- Florida: 7
- Virginia: 6
- California: 3
- Rhode Island: 3
- Massachusetts: 3
- Ohio: 3
- Arizona: 3
- Minnesota: 2
- District of Columbia: 2
- Texas: 2
- Maryland: 1
- Pennsylvania: 1
- Tennessee: 1
- New Jersey: 1
- Colorado: 1
- New York: 1
- Georgia: 1

2016 Cogswell Numbers by Facility (42 Facilities Selected)
- Advanced Technology International - S.C.
- Aerospace Corporation - Colo.
- BAE Systems Technology Solutions - Cal.
- Carnegie Mellon University - Penn
- DRS Sustainment Systems, Inc. - Mo
- DRS Training & Control Systems, LLC - Md.
- EOIR Technologies, Inc. - Va.
- General Dynamics C4 Systems - Mass
- General Dynamics Mission Systems - N.C.
- General Dynamics Ordnance & Tactical Systems - Ark
- Harris Corporation - N.Y.
- Honeywell International Inc. Aerospace - N.M
- Honeywell International Inc. Aerospace - Minn.
- Honeywell Technology Solutions - Md.
- Infinity Systems Engineering, LLC - Md.
- Infinity Systems Engineering, LLC - Colo.
- L-3 Coleman Aerospace - Fla
- L-3 Communications Electron Devices - Cal
- L-3 Communications Integrated Systems - Fla
- L-3 SPD Electrical Systems - Penn
- Linde LLC, Technical Center - N.J.
- Lockheed Martin Corp Missiles & Fire Control - Texas
- Lockheed Martin Corp Missiles & Fire Control Operations Support - Va
- Matthews Group - Va.
- Mercury Systems, Inc. - N.H.
- MorphoTrust USA, LLC - Mass
- NAVSYS Corporation - Colo.
- Northrop Grumman, Aircraft Integration Center - Cal.
- Northrop Grumman, Aircraft Integration Center - Fla.

2016 Cogswell Numbers by Facility (Cont'd)
- Oshkosh Corporation - Wis.
- PAE Applied Technologies - Md.
- ProLogic Inc. - Va.
- Quest Software Public - Md.
- Raytheon Company - Colo.
- Raytheon Company EWS Self Protect Systems - Cal.
- Raytheon Company Raytheon Vision Systems - Cal.
- SES Government Solutions - Va.
- Ultra Electronics Advanced Tactical Systems, Inc. - Texas
- Ultra Electronics Secure Intelligence Systems Inc. - Va.
- University of New Mexico - N.M.
- Virginia Polytechnic Institute and State University - Va.
- Wiley Wilson - Va.

2016 Cogswell Numbers by State
- Virginia: 8
- California: 5
- Maryland: 5
- Colorado: 4
- Florida: 3
- Pennsylvania: 2
- Massachusetts: 2
- New Mexico: 2
- Texas: 2
- South Carolina: 1
- Missouri: 1
- North Carolina: 1
- Arkansas: 1
- New York: 1
- Minnesota: 1
- New Jersey: 1
- New Hampshire: 1
- Wisconsin: 1

Nomination/Selection Process
- DSS Industrial Security Representative nominates the facility
- Facility must have two consecutive superior ratings to be considered
- Of the 12,800-plus cleared facilities, approximately 8% receive superior ratings each year
- Two consecutive superior ratings demonstrate a facility's commitment to security over time
Once Nominated
- Facility enters an eight-month DSS internal review process
- Includes a National Review Team of DSS Regional directors and representatives from across DSS who consider each nomination
- National Review Team vets all nominations with 30 external agencies and makes recommendations to DSS senior leaders for a final decision

Criteria Final Decision Is Based Upon
- Overall Security Program/Company Procedures
  - Documented, formal SOP, EAP, TCP
  - Comprehensive, published and disseminated to the employee population
- Senior Management Support
  - Resources, time, training, etc.
  - Including security staff and company personnel
- Security Vulnerability Assessments History
  - Company history of not just meeting but exceeding NISP requirements
- Violations: does the company have a history of negligence? Has the company been culpable for the violations?
- Security Education and Awareness
- Facility Security Officer (FSO) and Security Staff Level of Experience
- Classified Material Controls

General Keys to Success
- Education, awareness and training programs
- Well organized
- Strong partnership and open dialogue with DSS/CI/IA representatives
- Full compliance with the NISPOM requirements
- Management support is imperative
- Membership groups (NCMS, Industrial Security Awareness Council)
- Be committed to your role in security
- Attend security events (NCMS, FISWG)

Personal Keys to Success: Create Separate Binders
- Binder #1: DSS Master Documents
  - DD 441 / DD 441-1
  - SF 328
  - FOCI
  - Prime DD254s
  - Facility Clearance Letter/ISFD Printout
  - Appointment Letters
  - Organizational Charts/Company Business Structure
- Binder #2: Training Binder/Training Spreadsheet
  - Initial
  - COMSEC
  - Insider Threat
  - Refresher
  - Active Shooter
  - Classified EAP
  - CI
  - Safe Room
  - Data Spill Plan
  - OPSEC
  - Classified Wrapping/Mailing
  - Cyber
  - Sectera vIPer Secure Phone

Personal Keys to Success: Create Separate Binders
- Binders #3, 4, 5, 6: Contracts that you support
  - Prime DD254
  - Handout, brochure, flyers, statement about the contract
  - Subcontractor DD254
  - ISFD printouts for subcontractors
  - Statement of Work (SOW)
  - Security Classification Guide (SCG)
- Binder #7: Counterintelligence Info
  - Listing of all individuals that went on foreign travel during that SVA period
  - Foreign travel briefing statements
  - Return suspicious contact briefing
  - Foreign travel logs for exiting and returning
  - Copy of suspicious contact emails sent to CI representative
  - Defensive briefing example
  - Training conducted for CI, Cyber, OPSEC
  - Annual CI briefing sign-in sheets
  - Copy of Technology Control Plan; Appointment Letter for TCP/ITAR representative
  - Monthly Newsletter with CI articles

Personal Keys to Success: Create Separate Binders
- Binder #8: Enhancements
  - Category 1: Company Sponsored Events
    - Monthly Security Luncheon
    - Hosted Counterintelligence Event Briefing
    - CBT Training
    - Online Classes
  - Category 2: Internal Education Brochures/Products
    - Monthly Security Newsletter
    - Security Web Site for DSS
    - Brochures/Pamphlets
  - Category 3: Security Staff Professionalization
    - FSO Training Certificates
    - Briefing at FISWG
    - Briefing at NCMS
    - Memberships in NCMS, Federal IT Security Institute (FITSI)

Personal Keys to Success: Create Separate Binders
- Binder #8: Enhancements
  - Category 4: Information/Product Sharing within Security Community
    - Guest speaker at 2014 FISWG
    - NCMS mentor
    - Assisted COMNAVSPECWARCOM with SIPRNet connection process
  - Category 5: Active Membership in Security Community
    - Guest speaker at NCMS 2014
    - Attended FISWG, DSS Outreach, NCMS Cybersecurity USF
  - Category 6: Contractor Self-Inspection
    - Thorough documented self-inspections
    - Provide DSS detailed reports
    - Completed DSS self-inspection training
    - Several inspections conducted throughout the year

Personal Keys to Success: Create Separate Binders
- Binder #8: Enhancements
  - Category 7a: Threat Identification and Management
    - Annual CI briefing conducted by DSS CI representative
    - All employees completed Thwarting the Enemy training
    - Established TCP, OPSEC
  - Category 7b: Threat Mitigation
    - Active Suspicious Contact Report submitted to CI
  - Category 8: Foreign Ownership, Control or Influence (FOCI)
    - TCP Plan
    - Foreign visitors color-coded badges
    - 30-day notification required
    - Copy of foreign travel briefings (outgoing and returning)

Personal Keys to Success: Create Separate Binders
- Binder #8: Enhancements
  - Category 9: Classified Material Control/Physical Security
    - Enhanced process for managing classified information
    - Built-in countermeasures to identify anomalies
    - 100% inventory conducted on a random basis
    - Information Management System: limited access, access controlled
  - Category 10: Information Systems
    - Process enhancements and leveraging tools to expand the overall security posture of accredited information systems
    - SOP
    - Additional IS oversight processes put in place to enhance security of classified information residing on IS

Additional Enhancements
- Color Badges/Holders Identify Security Clearance Level
  - Red: No Clearance/Escort Required
  - Brown: Trusted Individual (No Clearance)
  - Yellow: Secret
  - Blue: Top Secret
  - Green: Top Secret/SCI
  - Purple: Foreign Visitor
- Six-Part, Color-Coded Security Personnel Folders
  - JPAS Personnel Summary
  - SF86 & Notification Letter of Review for SF86 Adequacy & Completeness
  - Training Acknowledgement Sheets
  - SF312 Nondisclosure Agreement (see JPAS)
  - Clearance Justification Letter, Visit Request Letters, SCI Nomination Letters
  - Network User Agreement, Hiring Notification