National Defense Industrial Association (NDIA) Meeting Industry Questions, May 2012

The Center for Development of Security Excellence (CDSE) training and education curriculum continues to develop within the DSS. Will the DSS ever offer a customizable training and education template that could be adapted as an industry standard for cleared contractors?

CDSE cannot provide a template at this time due to resource limitations and will reconsider in the future as resources become available.

Does the CDSE map their training and education programs to continuing education credits tied to professional certifications (e.g. Certified Information Systems Security Professional, Certified Protection Professional, Industrial Security Professional, etc.)?

Yes. Training and/or education courses (non-credit or certificate programs) consist of an organized series of planned learning experiences (instructor-led or self-paced) developed and delivered to aid participants in acquiring specific knowledge, skills, and/or competencies. These courses are associated with a topic area, or group of tasks that can be completed together, are delivered by an accredited training institution, and award a certificate of completion to individuals who attend and/or participate in the course.

Conferees will receive one (1) Professional Development Unit (PDU) for each "contact" hour (or equivalent "seat time" hour) associated with an approved non-credit bearing training/education course or certificate program. The maximum number of allowable PDUs for each non-credit-bearing training/education course or certificate program is 45 PDUs for a defined two-year certification renewal cycle.

Will CDSE be in a position in the future to provide courses or training at contractor facilities (such as the mid-level SAP course) with sufficient enrollment?

CDSE solicits for mobile training requests each year and sets the schedule four to five months prior to the new fiscal year. The SAP Mid-Level course is only conducted in Linthicum, Md., due to the specific accommodations required for the course.

Would DSS please describe the framework for a model counterintelligence program within a contractor facility?

The first step to establishing any effective counterintelligence program involves conducting a CI risk assessment at your facility to determine the threat of espionage activity against your company and the size and scope of the CI program or capabilities that are needed to address this threat. There are several considerations for laying the groundwork for an effective program, which include: (i) ensuring senior leadership is aware of the threats, accepts the designed program and is willing to devote an appropriate level of corporate support and resources; (ii) establishing a strong relationship among the company's security, information assurance, general counsel, human resources and other elements of the organization; (iii) identifying the internal skills/capabilities required to protect your company's assets (training, analysis, reporting, liaison, etc.). To assist in these efforts, DSS is developing a CI Threat Course for Industry to assist FSOs in identifying and mitigating systemic and non-systemic vulnerabilities using the risk equation, where risk is a function of threat, vulnerability and value. The course will further assist FSOs in the establishment of a comprehensive counterintelligence program within their respective facilities.

Has the DSS considered collocating counterintelligence staff with large, high risk facilities?

DSS has considered and continuously weighs the benefits that can be derived from the collocation of a CI asset within certain larger facilities that have identified higher CI threats against their programs. To some extent, many of the larger cleared facilities already have in-house CI programs implemented that DSS has assessed as effective in providing internal CI training, effectively reporting appropriate CI-relevant information in a timely manner and monitoring internal systems for potential insider threats. It is DSS procedure, however, to devote more FCIS time to those facilities with identified higher threats and/or higher or more relevant reporting.

Can DSS provide a list of companies (to cleared contractors) that are fronts for known collectors?

DSS does not prepare or maintain a list of companies that are known fronts for foreign collectors. In addition, agencies that may have such a list do not, to our knowledge, share this information with private contractors. It is recommended that cleared companies utilize due diligence with regard to any activities or endeavors with other companies (whether they are subcontractors, suppliers, requestors of information, etc.).

Given the changing threat environment and the DSS desire to do more in the threat identification arena, is the DSS resourced with the right numbers of personnel and requisite skill sets?

DSS CI has been very proactive in the past few years to develop as robust a CI workforce as possible. This has included hiring personnel who possess the requisite CI skills to maximize performance and productivity. In addition, we exercise a continuous evaluation and phased training program to maintain and improve the professional development and technological skills of our employees. DSS strives to maximize efficiencies utilizing available resources.

Will DSS help enable secure communication/network capabilities such as SIPRNET to drive efficiency and expediency in sharing threat related classified material to contractors?

There are no plans for DSS to become sponsors for NISP contractor SIPRNet connections. However, NISP contractors with DOD CIO approved SIPRNet connections can access to receive threat information.

Has DSS seen an increase in and/or improved contractor security performance when cleared contractor sites incorporate continuous inspection or surveillance of their security program and measure same with quantifiable metrics?

DSS does not have a method to track or measure this. However, as with any effective ongoing oversight program, the expected outcome would be a more effective security program with positive vulnerability assessment results. Measurement of the anticipated outcome would be continuous favorable vulnerability assessment ratings.

Will the DSS identify additional opportunities for industry partnership working groups to enable greater collaborative engagement and how will industry participants be contacted or selected to participate? (e.g. Unclassified Network Protection Measures, Vulnerability Assessment Rating Matrix, etc.)

Yes, DSS fully supports a partnership with industry and will continue to involve contractors in appropriate potential working group opportunities. Requests for participation may be solicited via various methods such as the DSS website, through cognizant field offices or via email.

Has the DSS considered moving away from the vulnerability assessment matrix to a Pass/Fail system for vulnerability assessments?

No, not at this time. The current system encourages companies to go beyond the basic requirements of the NISPOM, resulting in more effective security programs which provide better protection to our classified information and materials.

It was previously understood that with the new rating matrix inspection out briefs would include the issuing of the overall rating at the time of the out brief. There was also an understanding that occasionally additional scrutiny may be required to finalize the rating. Some facilities have waited for over a month for a final rating; can DSS explain why such a delay is necessary or justified?

In general, the security rating, all identified vulnerabilities and required corrective actions, NISP enhancements, and suggested improvements shall be briefed at the completion of an assessment. In the case where an overall security rating is not provided during the exit briefing, the IS Rep has identified vulnerabilities of significance. A facility senior management official WILL be informed at the conclusion of the assessment of any acute or critical vulnerability and required corrective action. It is important that DSS management have the opportunity to review the identified vulnerabilities, to ensure that appropriate remedial action is being taken and assist the IS Rep with ensuring that the security assessment rating is consistent with the level of the vulnerability. Once DSS management completes a review of the vulnerabilities and rating, a formal exit briefing will be scheduled.

Current guidance regarding the implementation and roll out of Controlled Unclassified Information has created some confusion. Can DSS please clarify the expectations of DIB members regarding timing and compliance with this?

DSS has no insight or additional information to provide on the implementation or roll out of Controlled Unclassified Information.

Many cleared contractors are contemplating or implementing a "Bring Your Own Device" policy as it pertains to personal mobile devices used in the workplace. Does DSS have a position or opinion on "Bring Your Own Device"?

Personal mobile devices may not be used to access classified information, may not be used to connect to any information system to be used for classified information, and may not be used to connect to any Government information system.

Otherwise, DSS has no position or opinion on a contractor's policy pertaining to "bring your own device". That is a business and legal matter for the company.

When can cleared contractors expect to receive a working copy of the new NISPOM Chapter 10?

The Office of the Under Secretary for Intelligence (OUSD(I)) has the responsibility to write the NISPOM, including Chapter 10 on International Programs. Reference the May 22, 2012, posting on the DSS website regarding the status of the NISPOM revision.

Is a foreign visit request required if the information is Unclassified and already approved for public release or in the public domain?

Refer to NISPOM paragraph 10-507, which clearly states that "Requests for visits by foreign nationals that involve only commercial programs and related unclassified information may be submitted directly to the contractors. It is the contractor's responsibility to ensure that an export authorization is obtained, if applicable."

Is a foreign visit request required if the information is Unclassified technical information related to a U.S. Government classified program which is releasable under an approved export license?

Yes. Refer to NISPOM paragraph 10-507.

I have a Top Secret cleared employee who considers herself a dual citizen (Germany). She is naturalized and did not renew her passport. With a Top Secret security clearance can she have access to information such as NOFORN?

A dual citizen is a U.S. citizen. A cleared U.S. citizen may have access to NOFORN.

Will the DSS please offer one or two tangible examples of how a small company can achieve success in the vulnerability assessment enhancement category 13?

Yes. The following is an example which is applicable to any cleared facility. When submitting e-QIP packages, a company can voluntarily complete enhanced on-going security, personnel and adverse information record checks that go beyond typical open-source company record checks, in order to verify accuracy and completeness.

Would the DSS consider adding points or making other adjustments to the vulnerability assessment rating matrix for NISP enhancements that do not apply (e.g. FOCI or Personnel Security)?

There are some NISP enhancement categories that are not applicable to all facilities (e.g. FOCI, International, or Information System), and points are not granted for them. Conversely, because the facility does not have involvement in these categories, it is not required to comply with NISPOM requirements in these areas; therefore there are fewer opportunities for vulnerability deductions. In order to continually improve the rating process, DSS is gathering lessons learned and quality trend data which will be used for future rating matrix revisions, to include NISP enhancement category revisions. Stay tuned for future rating matrix refinements.

Are there any plans to change the rating matrix to enhance smaller cleared contractors' opportunity to achieve Commendable or Superior ratings?

DSS is tracking rating trends (i.e. ratings, NISP enhancements, and vulnerabilities) to ensure consistency. There have been no significant changes in rating distribution nationally since implementation of the rating matrix. Additionally, data reflects that both larger and smaller facilities can achieve, and are achieving, Commendable and Superior ratings since the rating matrix was implemented. In order to continually improve the rating process, DSS is gathering lessons learned and quality trend data which will be used for future rating matrix revisions. Stay tuned for future rating matrix refinements.

Could a formal risk assessment using the DSS/STEPP Risk Management methodology be considered a vulnerability assessment enhancement?

At this point in time, this is not an item that would receive NISP enhancement credit on the Rating Matrix. During fall 2012, as we begin moving into Phase 2 of the Rating Matrix process, we will be exploring the NISP enhancement categories and will be sure to consider this in future NISP enhancements.

Will DSS consider partnerships with organizations such as the International Organization for Standardization (ISO) to drive Capability Maturity Model Integration (CMMI) into the National Industrial Security Program?

Yes, future DSS efforts will focus on process improvement approaches. Partnering with other organizations to gain knowledge/insight will be essential as we continue to improve our processes, standardization and consistency.

Would DSS please provide a brief update on the progress of a DoD Central Adjudication Facility?

The Deputy Secretary of Defense signed a memo on May 03, 2012, which directs the complete consolidation of the resources and assets of Army, Navy, Air Force, Joint Chiefs of Staff, Washington Headquarters Services, Defense Industrial Security Clearance Office, and Defense Office of Hearings and Appeals adjudication functions that are presently co-located at Fort Meade, MD. (DoD CAF Consolidation does not include the National Geospatial Agency, the National Security Agency, or the Defense Intelligence Agency.)

There will be a phased implementation of the consolidation. This process will begin in October 2012.