Vulnerability Assessment Rating Matrix 2013 Update Frequently Asked Questions Industry Release
1. Why is the Defense Security Service (DSS) updating the Rating Matrix in September 2013?
Feedback from DSS field personnel and industry partners was gathered over the past year to refine a more transparent, consistent, objective process designed to identify and mitigate vulnerabilities while recognizing practices in place that enhance security programs beyond baseline NISPOM requirements.
The update does not drastically change the process - rather this builds upon the original implementation to further add clarity, drive consistency, and encourage more robust security programs. The matrix tool is still numerically based, quantifiable, and accounts for all aspects of a facility's involvement in the National Industrial Security Program (NISP).
2. When is the updated Rating Matrix process going to be implemented?
On 1 September 2013 facilities will have their vulnerability assessments scored using the updated Rating Matrix process.
3. How is DSS ensuring consistent application of the tool throughout the country?
For full transparency and consistency, one guidance document was developed covering the updated process and can be located here. This document clearly lays out vulnerability and enhancement definitions, including the intent of enhancement categories and examples.
All DSS field offices have been trained on the application and use of the tool. Additionally, DSS will continue to internally share experiences and feedback on the tool in order to validate and assess the effectiveness of the tool. DSS will also continue to reach out to industry through a variety of forums to ensure that cleared contractors understand the process and intent of the tool.
4. How does DSS define "Vulnerabilities"?
If a contractor is not in compliance with the requirements of the NISPOM, DSS will identify the issue as either an "Acute Vulnerability", a "Critical Vulnerability" or a "Vulnerability".
The following further defines each category:
- Acute Vulnerability: Those vulnerabilities that put classified information at imminent risk of loss or compromise, or that have already resulted in the compromise of classified information. Acute vulnerabilities require immediate corrective action.
- Critical Vulnerability: Those instances of NISPOM non-compliance vulnerabilities that are serious, or that may foreseeably place classified information at risk or in danger of loss or compromise.
Once a vulnerability is determined to be Acute or Critical, it shall be further categorized as "Isolated", "Systemic", or "Repeat".
- Isolated - Single occurrence that resulted in or could logically lead to the loss or compromise of classified information.
- Systemic - Deficiency or deficiencies that demonstrate defects in an entire specific subset of the contractor's industrial security program (e.g., security education and awareness, AIS security) or in the contractor's overall industrial security program. A systemic critical vulnerability could be the result of the contractor not having a required or necessary program in place, the result of an existing process not adequately designed to make the program compliant with NISP requirements, or due to a failure of contractor personnel to comply with an existing and adequate contractor policy. These defects in either a subset or the overall program may logically result in either a security violation or administrative inquiry if not properly mitigated.
- Repeat - A repeat of a specific occurrence identified during the last DSS security assessment that has not been properly corrected. Note: Although some repeat vulnerabilities may be administrative in nature and not directly place classified information at risk of loss or compromise, they are documented as critical.
- Vulnerability: All instances of non-compliance with the NISPOM that are not acute or critical vulnerabilities.
5. Are vulnerabilities which are corrected on the spot counted on the Vulnerability Assessment Rating Matrix tool?
Yes. All vulnerabilities identified by DSS will be documented, counted, and points subtracted on the Rating Matrix form, including those "corrected on the spot." It is important in the DSS assessment of contractor NISP programs that the steps taken to correct vulnerabilities and the measures implemented to prevent recurrence of those vulnerabilities are fully documented. Additionally, if the vulnerabilities prove to be "repeat" at subsequent DSS assessments, they are categorized as critical and additional point reductions will occur. DSS encourages contractors to correct all vulnerabilities expeditiously. DSS will appropriately note those items as COS in the security assessment report, and a written response to DSS on corrective actions will not be required.
An enhancement directly relates to and enhances the protection of classified information beyond baseline NISPOM standards. Point credits are given for these procedures and factored into the overall assigned rating. Items to be documented as "NISP enhancements" must relate directly to the NISP, and do not include other commonplace security measures or best practices. NISP enhancements must be validated during the security assessment as having an effective impact on the overall NISP program in place at the company. This validation is usually accomplished through employee interviews and DSS review of processes/procedures. Credit for NISP enhancements will be granted for activities beyond baseline NISPOM requirements even if required by program/contract.
In order for an enhancement to be granted, the facility must meet the baseline NISPOM requirements in that area. An enhancement directly related to a NISPOM requirement cited for a vulnerability may not be granted. In essence, the core of the DSS vulnerability assessment is to ensure compliance with NISPOM requirements, and that foundation must be in place before additional activities will be recognized. If there are other effective enhancement activities in a specific category unrelated to a specific vulnerability in that category, the enhancement credit may still be granted. For example, one non-acute, non-critical marking vulnerability may not eliminate the opportunity for Category 9 enhancement credit where a facility implements an Information Management System reflecting the history of location and disposition for Secret and Confidential material in the facility, i.e. 100% inventory and accountability, paralleling requirements for Top Secret.
There are often positive areas or best practices of a security program that DSS identifies as noted improvements, but which are not necessarily related to a company's involvement with the NISP. Often these positive areas, or best practices, are enhanced processes implemented in order to adequately manage a security program due to the size or complexity of a facility. DSS will not be counting these items toward point calculation on the rating matrix worksheet as "NISP enhancements." However, DSS will recognize these improvements, efforts, and other notable best practices during the exit briefing with senior management and the FSO.
7. What are the definitions and intent of each NISP Enhancement Category?
DSS has established 10 NISP Enhancement categories. A breakdown of categories, definitions, and intent is provided below. For more information and examples, please review the guidance document here.
- Category 1: Company Sponsored Events - In addition to the annual required security refresher briefings, the cleared contractor holds company sponsored events such as security fairs, interactive designated security focused weeks, security lunch events, hosting guest speakers on security related topics, webinars with the security community, etc. Intent of this category is to encourage cleared contractors to actively set time aside highlighting security awareness and education. This should not be a distribution of a paper or email briefing, but rather some type of interactive in person activity.
- Category 2: Internal Educational Brochures/Products - A security education and awareness program that provides enhanced security education courses or products to employees beyond initial and annual refresher training requirements; i.e., CD/DVD, web based interactive tools, newsletters, security games/contests, international security alert system, etc. Intent of this category is to encourage cleared contractors to generate and distribute relevant security materials to employees who then incorporate the content into their activities.
- Category 3: Security Staff Professionalization - Security staff training exceeds NISPOM and DSS requirements and incorporates that knowledge into NISP administration. Intent of this category is to encourage security programs' key personnel to actively strive to learn more and further their professional security expertise beyond mandatory requirements.
- Category 4: Information & Product Sharing within Security Community - Facility Security Officer (FSO) provides peer training support within the security community and/or shares security products/services with other cleared contractors outside their corporate family. Intent of this category is to encourage cleared contractors to actively reach out to other cleared contractors to assist those who may not have the expertise or budget and provide them with security products, services, etc.
- Category 5: Active Membership in Security Community - Security personnel are members and actively participate with NISP/security-related professional organizations. Intent of this category is to encourage security programs to actively collaborate with their local security community to identify best practices to implement within their own NISP security programs.
- Category 6: Contractor Self-Review - Contractors sustain a thorough, impactful review of their security posture. Intent of this category is to encourage cleared contractors to maintain an effective, on-going self-review program to analyze and identify any threats or vulnerabilities within their program and coordinate with DSS to address those issues prior to the annual assessment.
- Category 7: Counterintelligence Integration - Contractors build a counterintelligence (CI) focused culture by implementing processes within their security program to detect, deter, and expeditiously report suspicious activities to DSS through submission of suspicious contact reports (SCR). Intent of this category is to encourage cleared contractors to develop vigorous and effective CI programs that thwart foreign attempts to acquire classified and sensitive technologies. Critical elements of a vigorous and effective CI program include timely reporting, understanding the threat environment, and agile and authoritative decision making to neutralize or mitigate vulnerabilities and threats.
Evidence of a vigorous and effective CI program is reporting to DSS resulting in the:
- Identification of actionable information leading to the initiation of investigations or activities by Other Government Agencies (OGA), or
- Implementation of measures to identify and prevent reoccurrence of reported suspicious activities, or
- Demonstration of immediate response to a suspicious or illegal act to neutralize or mitigate risks to targeted technologies and facilities.
- Category 8: FOCI / International - Cleared contractor implements additional effective procedures to mitigate risk to export controlled items and/or FOCI. Intent of this category is to encourage cleared contractors to implement an enhanced export control program that increases its effectiveness. For FOCI mitigated facilities, the intent is to encourage activities above mitigation instrument requirements to further minimize foreign influence at the facility.
- Category 9: Classified Material Controls/Physical Security - Facility has deployed an enhanced process for managing classified information and/or has implemented additional Physical Security measures, with built-in features to identify anomalies. Intent of this category is to encourage security programs to maximize the protection and accountability of classified material on-site by implementing effective processes, regardless of quantity of classified holdings.
- Category 10: Information Systems - Incorporating process enhancements and leveraging tools to expand the overall security posture of accredited information systems. Intent of this category is to encourage security programs to maximize protection of classified information on IS.
8. Why were NISP enhancements further broken down by Category?
NISP enhancements were broken down into Categories, based on practical areas, to simplify and enable consistency of application of this tool by DSS personnel. The result is to give credit to the true impact of the security enhancements, rather than to attempt to consistently break-down each individual isolated event. The intent is for a company to receive full credit for a NISP Enhancement (15 or 17 points depending on facility complexity) if a facility completes any action/item in a given category. The facility will only receive a total of 15 or 17 points per category, regardless of how many NISP enhancements they have in a given category.
9. Will DSS provide a copy of the Vulnerability Assessment Rating Matrix worksheet and scoring at the completion of the assessment?
Yes. DSS will release the populated worksheet attached to the assessment results letter given to the FSO. Full transparency on how DSS arrived at a rating, (e.g. break-down in vulnerabilities and positive NISP enhancements identified) will be provided. The assessment rating of record will be discussed with the FSO and senior management official during the exit briefing. The exit briefing discussion will focus on identifying the security vulnerabilities and required corrective actions, NISP enhancements, and on providing suggested improvements where possible.
10. Will DSS provide a listing of what is considered a NISP Enhancement?
A list of examples is shown here. Note, this list is not all-inclusive. Please review the enhancement definitions and intent to evaluate if an activity might fall under a certain enhancement category and discuss with your Industrial Security Representative. DSS will periodically provide cleared industry notices with identified trends analysis of both NISP enhancements and security vulnerabilities.
11. Are there any variables that would impact the final assessment rating outside of the assessment rating calculation worksheet?
Yes. There are a number of items to be considered as "red flags" which, if identified, may have a significant impact on the final rating and possibly the status of the facility clearance. Therefore, if such vulnerabilities are identified, the rating matrix score may not be applicable. The assigned Industrial Security Representative (ISR) will review the final rating of record with his or her DSS supervisor before it is issued to the cleared company. "Red flag" items include, but are not limited to, unreported/unmitigated FOCI, appointment of a senior management official without required eligibility for access to classified information, deliberate disregard for security requirements, acute and critical systemic vulnerabilities that lead to the potential or actual loss or compromise of classified information, and any additional items that may result in the invalidation of the FCL.
12. What does category level on the rating calculation worksheet mean?
In the updated 2013 Vulnerability Assessment Rating Matrix process there are three scoring groups for facilities. These categories are computed based on the complexity and scope of a facility's security program and its level of involvement in the NISP. Facilities which possess classified material on-site are ranked from category "AA" (the largest and most complex industrial facilities) and descend by size/complexity through categories "A," "B," and "C" to category "D" (the lowest category ranking for a facility which possesses classified material on-site). Facilities which do not possess classified material are category "E." For the purposes of Rating Matrix scoring, in the most straightforward terms, the first group (AA-B) can be thought of as "large possessors," the second group (C-D) as "smaller possessors," and the last group (E) as "non-possessors." A facility's category level will be indicated on the rating calculation worksheet provided with the assessment results letter.
13. If vulnerabilities are identified at my company during a security assessment, what is the next step?
DSS will request that the company provide a written response outlining procedures or policies put in place to correct any identified vulnerabilities. If an acute or critical vulnerability is identified, immediate corrective actions must be taken. DSS may also schedule a follow-up visit to the company to validate the effectiveness of the corrective actions taken.