defense security service new rating process current as of 10/19/2011
TRANSCRIPT
Defense Security Service New Rating Process
Current as of 10/19/2011
2
DSS recognized the importance of a standardized, objective approach to issuing security ratings as part of its security oversight role.
DSS is committed to your success and to the success of the National Industrial Security Program (NISP).
The new security rating process utilizes a calculation worksheet.
The worksheet is a DSS tool, designed to standardize and improve consistency.
Numerically based, quantifiable, and accounts for all aspects of a facility’s involvement in the NISP.
New Security Rating Process
3
New Security Rating Process
Uses a numerical based rating system
All facilities start with the same score (700)
Points are added for identified National Industrial Security Program (NISP) Enhancements by Category
Points are subtracted for findings by NISPOM reference
Serious and Administrative findings weighed separately
Points subtracted by NISPOM reference, not by number of occurrences
Accounts for size and complexity of a facility
4
Rating Calculation (Complete areas in grey) *Note:For rating calculation purposes, treat multiple occurrences under the same NISPOM reference as one finding
CAT AA, A, B, C CAT D, E
Starting Score 700 Starting Score 700
Items Exceeding Baseline NISPOM Requirements
X 12 + X 15 +
Admin. Findings by Reference* X 2 - X 4 -
Serious Findings by Reference* X 12 - X 20 -
FINAL SCORE FINAL SCORE
599 & Below = Unsatisfactory 600 - 649 = Marginal 650 - 749 = Satisfactory 750 - 799 = Commendable 800 & Above = Superior
New Security Rating Process
Each ratings matrix comes with a “scoring key” that is based on the facility category
5
New Security Rating Process
Serious finding is defined as non-compliance with a NISPOM requirement that may place or has placed classified information at risk to loss or compromise. Once a finding is determined to be serious, it is further categorized as either “Isolated”, “Systemic”, or “Repeat”.
Administrative finding is defined as non-compliance with a NISPOM requirement that does not place classified information at risk to loss or compromise.
6
A NISP enhancement directly relates to and enhances the protection of classified information beyond baseline NISPOM standards.
NISP enhancements will be validated during the inspection as having an effective impact on the overall security program which is usually accomplished through employee interviews and review of process/procedures.
We have established 13 NISP enhancement Categories, based on practical areas, to simplify and ensure field consistency.
Full credit for a NISP Enhancement (15 or 12 points depending on facility complexity) will be given if a facility completes any action/item in a given category. The facility will only receive a total of 15/12 points per category, regardless of how many NISP enhancements they have in a given category.
New Security Rating Process
7
Category 1 Security Education (Events) Category 2 Security Education (Products) Category 3 Security Education (Staff Training) Category 4 Security Education (Product Sharing) Category 5 Self Inspection Category 6 Physical Security/Controls Category 7 CI Integration/Cyber Security Category 8 Information Systems Category 9 FOCI Category 10 International Category 11 Security Organization Membership Category 12 Active Organization Participation Category 13 Personnel Security
NISP Enhancements
8
New Security Rating Process
DSS considers some factors as “red flag areas” and the rating calculation score may not be applicable.
EXAMPLES include:
Unmitigated or unreported FOCI Uncleared persons in KMP positions requiring clearance Intentional disregard of NISPOM regulations Serious systemic findings w/potential loss/compromise Any additional items which may result in invalidation of the FCL Matrix score leading to marginal or unsatisfactory
9
Example- How It Works
Rating Matrix Company, Inc.Category C – Mid-Size Possessing Company
Previous Rating: Commendable
Recent Rating: Superior
Findings: 2 Administrative
NISP Enhancements: 9
Rating Calculation Score: 804
10
9 12
XXXXXX
XXX
2 2
0 12
Starting Score
FINAL SCORE 804
700
Category 4: Security Education
Category 5: Self Inspection
108
Category 8: Information Systems
Category 1: Security Education
Category 2: Security Education
Category 3: Security Education
NISP Enhancement
Category 6: Class Material Control
Category 7: CI
Select CAT: C
Category 9: FOCI
Category 10: International
Category 11: Community Membership
Category 12: (↑) Active Participation
Category 13: Personnel Security
Serious Findings by Reference*
Admin. Findings by Reference* 4
0
Security Rating Matrix Company, Inc
=====800 & Above
CommendableSatisfactory
Superior750 - 799
MarginalUnsatisfactory
600 - 649650 - 749
599 & Below
11
Rating Company, Inc
=====
600 - 649650 - 749
599 & BelowMarginal
Unsatisfactory
800 & AboveCommendable
Satisfactory
Superior750 - 799
Administrative Finding:
Document Marking Deficiency (Corrected on the Spot)
2 Points Deducted
Administrative Finding:
An original SF312 was not forwarded to DISCO for retention
2 Points Deducted
12
Rating Company, Inc
=====
600 - 649650 - 749
599 & BelowMarginal
Unsatisfactory
800 & AboveCommendable
Satisfactory
Superior750 - 799
Category 2: Security Education (Products)
Facility provides monthly security updates/reminders to employees through the monthly corporate newsletter.
12 Points Added
13
Rating Company, Inc
=====
600 - 649650 - 749
599 & BelowMarginal
Unsatisfactory
800 & AboveCommendable
Satisfactory
Superior750 - 799
Category 3: Security Education (Staff Training)
FSO has CPP certification. Security staff training exceeds NISPOM requirements as all security personnel have completed all training requirements for FSO Program Management through the STEPP website and continuously complete additional educational courses.
12 Points Added
14
Rating Company, Inc
=====
600 - 649650 - 749
599 & BelowMarginal
Unsatisfactory
800 & AboveCommendable
Satisfactory
Superior750 - 799
Category 4: Security Education (Product/Information Sharing)
The FSO has developed a Protégé/Mentorship relationship with all subcontractors they sponsor into the NISP by reaching out to the newly sponsored facility and providing whatever advice and assistance they require. The FSO often visits with the new facility to provide training and experience to the new FSO. Additionally, the company participated in beta testing a future DSS/CDSE course.
12 Points Added
15
Rating Company, Inc
=====
600 - 649650 - 749
599 & BelowMarginal
Unsatisfactory
800 & AboveCommendable
Satisfactory
Superior750 - 799
Category 5: Self Inspection
The facility conducts and records two self-inspections annually. One is completed by the FSO and security staff. The other is conducted as a peer to peer review with the FSO or other security staff member from another location conducting the review.
12 Points Added
16
Rating Company, Inc
=====
600 - 649650 - 749
599 & BelowMarginal
Unsatisfactory
800 & AboveCommendable
Satisfactory
Superior750 - 799
Category 6: Classified Material Controls
The FSO and AFSO conduct semi-annual, 100% inventory of all classified holdings and maintains records of the inventories. Their information management system indefinitely reflects history of location and disposition for material in facility at all levels of classified (100% accountability).
12 Points Added
17
Rating Company, Inc
=====
600 - 649650 - 749
599 & BelowMarginal
Unsatisfactory
800 & AboveCommendable
Satisfactory
Superior750 - 799
Category 7: CI Integration
All employees going on foreign travel for business are required to be briefed by the Security prior to departure and are debriefed upon return.
12 Points Added
18
Rating Company, Inc
=====
600 - 649650 - 749
599 & BelowMarginal
Unsatisfactory
800 & AboveCommendable
Satisfactory
Superior750 - 799
Category 11: Security Organization Membership
The FSO and AFSO are both members of NCMS and a local ISAC.
12 Points Added
19
Rating Company, Inc
=====
600 - 649650 - 749
599 & BelowMarginal
Unsatisfactory
800 & AboveCommendable
Satisfactory
Superior750 - 799
Category 12: Active Security Organization Participation
The FSO takes a positive leadership role in the local ISAC and was elected to be the corporate Co-Chairperson.
12 Points Added
20
Rating Company, Inc
=====
600 - 649650 - 749
599 & BelowMarginal
Unsatisfactory
800 & AboveCommendable
Satisfactory
Superior750 - 799
Category 13: Personnel Security
The facility manages a corporate wide call center established to support questions and issues related to JPAS and EQIP from other branch/division offices throughout the country.
12 Points Added
21
Rating Company, Inc
=====
600 - 649650 - 749
599 & BelowMarginal
Unsatisfactory
800 & AboveCommendable
Satisfactory
Superior750 - 799
FINAL Score
804 = Superior
22
9 12
XXXXXX
XXX
2 2
0 12
Superior
Serious Findings by Reference*
Admin. Findings by Reference* 4
Category 9: FOCI
Category 10: International
Category 11: Community Membership
Category 12: (↑) Active Participation
Category 13: Personnel Security
C
NISP Enhancement
Category 6: Class Material Control
Category 7: CI
Select CAT:
0
700
Category 4: Security Education
Category 5: Self Inspection
108
Category 8: Information Systems
Category 1: Security Education
Category 2: Security Education
Category 3: Security Education
Starting Score
FINAL SCORE Rating:
804
Rating Company, Inc
=====
600 - 649650 - 749
599 & BelowMarginal
Unsatisfactory
800 & AboveCommendable
Satisfactory
Superior750 - 799
23
Questions?