Vulnerability Assessment Rating Matrix - CI ENHANCEMENT UPDATE
1. Why is DSS updating the CI Enhancement?
In September 2013, the Defense Security Service (DSS) implemented an update to the Security Vulnerability Assessment Rating Matrix, and is working to further enhance this tool. Accordingly, the Counterintelligence (CI) enhancement was updated to improve the rating process by adding clarity, driving consistency, and properly identifying enhancements that have the most positive impact on contractor security programs.
2. When does the updated Rating Matrix take effect?
All assessments concluding on or after 1 October 2014 will be scored using the updated Rating Matrix process.
3. What has been changed as a result of this update?
To further enhance the Security Vulnerability Assessment Rating Matrix, DSS updated the Counterintelligence (CI) enhancement (presently Category 7) by splitting it into two separate categories, focusing on “process” and “performance,” respectively:
- Category 7a, “Threat Identification and Management”
- Category 7b, “Threat Mitigation”
All other enhancement numbers will remain unchanged.
4. Will the new Category 7a replace the existing Category 7?
Yes, it will essentially replace the existing Category 7 enhancement. However, there were no substantial changes to this category. It was updated to further clarify enhancement implementation.
5. Does the new CI enhancement category (7b) replace today's Category 8: FOCI and International, or is it being added?
None will be eliminated. There will be 11 total enhancements, with the new CI enhancement being added to the existing ones as Category 7b.
6. Will there be a scale change?
The scale will remain the same. The new enhancement (7b) will be added to the 10 existing enhancements, with no change to the scoring. Please see the Vulnerability Assessment Rating Matrix 2014 Update for an updated scoring sheet.
7. Will the new category be granted at a low percentage?
The new enhancement (7b) will be added to the 10 existing enhancements, with no change to the scoring. The new category will receive the same amount of points as all other enhancement categories.
8. Why must I be awarded 7a credit to qualify for 7b?
DSS is dedicated to rewarding a CI Program that protects our sensitive and classified data, systems, and personnel. In some instances, the lack of a CI program has led to open investigations. For this reason, DSS will only award the 7b enhancement if the company demonstrates its commitment to an effective CI program, as evidenced by being awarded 7a.
9. Why might failure to report suspicious contacts to DSS disqualify my program from the CI enhancement consideration?
The enhancement program is built on rewarding those companies that meet the standard of the NISPOM and then perform work that enhances the protection of sensitive or classified information. The NISPOM requires suspicious contact reporting to DSS, and failure to meet this mandatory requirement will disqualify the company from achieving enhancement credit.
10. How can facilities obtain threat information tailored to their classified programs and technologies?
Since 2011, DSS has used the Homeland Security Information Network (HSIN) to share sensitive but unclassified (SBU) threat data with cleared industry. DSS threat products available through HSIN or your local CI Special Agent include (but are not limited to):
- Targeting U.S. Technologies: A Trend Analysis of Reporting from Cleared Industry
- Program Assessments (Bronze Dragon): Assessments that highlight foreign targeting of sensitive or classified information and technology
- Company Counterintelligence Threat Assessments (Gray Torch) Assessments
- DSS counterintelligence informational trifolds, posters, flyers, and mouse pads
- DSS Counterintelligence Computer-based Training
- Special Products/Analyst Initiatives: Analytical products created to address priority production requirements, customer requests, or emerging threats
- Scarlet Sentinel: An unclassified report created to increase knowledge about and understanding of the nature and scope of vulnerabilities and threats to cleared industry
- Counterespionage Branch Analysis Reports (CEBAR): A quarterly product analyzing information derived from Standard Form 86, Questionnaire for National Security Positions
- Company Counterintelligence Snapshots (Gray Torch): Abbreviated assessments created to highlight reporting of foreign targeting of classified and sensitive information and technology resident in facilities of select cleared contractors
- Cyber Activity Bulletins: Bi-weekly classified and unclassified summaries of information derived from cleared industry’s suspicious cyber activity reports
- Analytic Responses to Suspicious Contact Reports
- Intelligence Information Reports
- DSS Case Studies Synopsis
- Threat Advisories: Products prepared when there is an imminent intelligence or terrorist threat to a U.S. asset over which DSS has cognizance
In addition to HSIN threat data, cleared industry can request additional threat training through their assigned Industrial Security Representative (ISR) or CI Special Agent (CISA).
Ultimately, it is cleared industry that is in the best position to understand how their technology is being targeted (threat); what is most sought by our adversaries and most critical to protect (value); and the impact of the technologies lost (cost/consequence). DSS can provide indicators and warning and can recommend tripwires, but a skilled risk manager must evaluate the unique threat to the technology and apply the CI techniques most likely to be effective against that threat.
11. Some CI elements within CAT 7a will be challenging to meet. Specifically, it may be difficult for larger organizations to advise DSS of incoming/outgoing foreign visitors, and implement a briefing/debriefing program for hosting employees, due to the high number of visits at some sites. How can they achieve credit in this category?
Cleared industry can increase the likelihood of OGA case activity by implementing CI reporting and response strategies that place importance on timeliness and thoroughness in terms of completely answering and reporting the basic interrogatories of who, what, when, where, why, and how. The success of the law enforcement and intelligence community response is directly linked to how quickly they are able to engage with the threat. DSS understands that not all cleared industry will qualify for this enhancement, but cleared industry will be better prepared to recognize and mitigate current and future threats by creating a CI awareness and reporting culture now.
12. It is extremely rare for SCRs to result in case activity by a USG enforcement agency (FBI, ICE, etc.). Will all facilities be eligible for credit in Category 7b?
In the updated 2013 Vulnerability Assessment Rating Matrix process there are three scoring groups for facilities. These categories are computed based on the complexity and scope of a facility’s security program and its level of involvement in the NISP. Facilities which possess classified material on-site are ranked from category "AA" (the largest and most complex industrial facilities) and descend by size/complexity through categories "A," "B," and "C" to category "D" (the lowest category ranking for a facility which possesses classified material on-site). Facilities which do not possess classified material are category "E." For the purposes of Rating Matrix scoring, in the most straightforward terms, the first group (AA-B) can be thought of as “large possessors,” the second group (C-D) as “smaller possessors,” and the last group (E) as “non-possessors.” A facility's category level will be indicated on the rating calculation worksheet provided with the assessment results letter.
13. Will facilities with open operations (not just investigations) be awarded credit in Category 7b?
DSS recognizes the criticality of proactive operations against U.S. adversaries and in all instances when the FLE or IC agency is willing to provide sufficient detail of the operational contribution made by the CC, enhancement credit will be awarded. In cases where the FLE or IC agency is unable to provide details due to OPSEC and Need-to-Know rules, DSS will not be able to award credit until such time, such as at the conclusion of the operation or investigation, when the FLE or IC agency can provide details to support the recognition.
14. Why won’t facilities with SCRs resulting in IIRs be awarded credit in Category 7b?
DSS recognizes IIRs provide critical information to the intelligence community. DSS wants to reward direct engagement in the threat, and timely and thorough reporting leading to law enforcement or CI action is the appropriate measurement.
15. Is it possible to achieve credit in Category 7a if a facility uses electronic means of gathering the information from foreign travel debriefings?
DSS’s expectation is that a skilled risk manager will identify the foreign or domestic travel that poses the greatest risk to their personnel and technologies and tailor their program accordingly. For example, domestic travel to a symposium that includes foreign representatives from high-risk countries would be considered high risk and require an aggressive response, while foreign travel to a low-threat country for personal reasons might require a different response. Following a prescriptive checklist without consideration of the threat, vulnerability, and consequence/value does not advance our collective goal.
16. Will facilities be awarded credit for robust insider threat programs after Conforming Change 2 is released?
DSS does not award enhancement credit for those meeting basic requirements. If an Insider Threat program exceeds the requirements of the conforming change leading to reporting to DSS of potential insider threats, then the 7a enhancement could be considered.
17. Will credit be awarded in Category 7a if a facility can demonstrate an established process preparing employees for foreign travel, even if there has been no foreign travel during the current assessment period?
The intent of this enhancement is to encourage cleared contractors to build a counterintelligence-focused culture by implementing strategies and processes within their security program to detect, deter, and report suspicious contacts to DSS. Effectiveness of implementation cannot be evaluated if a process is not executed. If employees are made aware of policy and understand the requirements, but the facility does not have OCONUS travel during the rated assessment cycle, this constitutes strong security education. As long as DSS is able to validate via interviews that there is a comprehensive and ongoing CI awareness program tailored to the facility for all employees, credit should be given under CAT 2 (see examples under the revised “CAT 2” enhancement).
18. Will credit be awarded in Category 7a, if a facility can demonstrate an established process preparing employees for incoming foreign visitors, even if there have not been any incoming foreign visitors during the current assessment period?
The intent of this enhancement is to encourage cleared contractors to build a counterintelligence-focused culture by implementing strategies and processes within their security program to detect, deter, and report suspicious contacts to DSS. Effectiveness of implementation cannot be evaluated if a process is not executed. If employees are made aware of policy and understand the requirements, but the facility does not have incoming foreign visitors during the rated assessment cycle, this constitutes strong security education. As long as DSS is able to validate via interviews that there is a comprehensive and ongoing CI awareness program tailored to the facility for all employees, credit should be given under CAT 2 (see examples under the revised “CAT 2” enhancement).