The world is rapidly changing and DSS is changing too. Where the agency once concentrated on schedule-driven National Industrial Security Program Operating Manual (NISPOM) compliance, DSS is now moving to an intelligence-led, asset-focused, and threat-driven approach to industrial security oversight.
The need for change is clear. The United States is now facing the most significant foreign intelligence threat it has ever encountered. Adversaries are successfully attacking cleared industry at an unprecedented rate. They are using multiple avenues of attack, varying their methods, and adjusting their priorities based on the targeted information they need. As a result, they are upgrading their military capabilities and competing against our economy using the very same information they stole from cleared industry.
DSS has recognized this fact and is now moving forward in partnership with industry to design, develop, and pilot a multidimensional approach to industrial security oversight. Our goal is to help cleared industry ensure that contracted capabilities, technologies, and services are delivered uncompromised.
Voice of Industry Newsletters: DSS provides DiT updates in its monthly newsletter to industry. Links to current and archived copies of the newsletter reside on the “Industry Tools” page.
Protecting Critical Technology in Today’s Environment
Through DSS in Transition (DiT), some industry partners have undergone a Comprehensive Security Review (CSR), which employs the new methodology and results in a Tailored Security Plan (TSP). For those industry partners who have not yet undergone a CSR, there are actions you can take now to incorporate the new approach and enhance the protection of critical technologies.
By clicking through the tabs above the DiT process graphic below, you will find information and resources to assist you with taking action. Starting with prioritization, you will be able to work through the process and develop an initial TSP. The goal is for you to take your limited security resources and put them where they are most needed.
Industry partners continue to play a vital role in critical technology protection. DSS seeks to assist you with this important activity, and we hope you find these resources useful. Upon completing an initial TSP, industry partners are encouraged to share the plan with DSS for coordination and dialogue.
While DSS allocates its resources and prioritizes its activity based on national security information, industry partners can commence activities that will lead to a TSP. Industry partners, through real-time knowledge of classified contracts and programs, should start the process by identifying critical assets and developing awareness of threats related to those assets.
Industrial Base Technology List
Critical Program Information Security Short
Industrial Base Technology List
Critical Program Information Security Shorts
Counterintelligence Awareness Toolkit
After identifying assets and incorporating threat awareness, industry should leverage the Security Baseline to compile information related to those assets and their protection.
Asset ID Guide
Asset ID Desktop Tool
PIEFAO-S Job Aid with Fishbone Diagram
FSO Toolkit: Asset Identification / Security Baseline
Asset Identification and Your Security Review
Industry partners should enhance the self-assessments of their security programs to ensure comprehensive controls of identified assets. To do this, they should conduct not only the standard self-inspection but also incorporate supply-chain risk management (SCRM) as well as reviews for other potential vulnerabilities related to identified assets.
DSS CDSE Risk Management Student Guide
What's different about my Security Review now?
Supply Chain Risk Management (SCRM)
DSS CDSE SCRM Job Aid
USASMDC / ARSTRAT Technology Center “SCRM” Handout
DSS/NCSC “Exploitation of Global Supply Chain” Document
NIST “Notional Supply Chain Risk Management Practices” Report
After identifying vulnerabilities based on threats related to assets, industry partners should develop appropriate countermeasures. The security controls listed on the Security Baseline should be updated to reflect any new or enhanced countermeasures. This updated Security Baseline constitutes an initial TSP.
Industry partners also may want to codify and expand on countermeasures through a Standard Practice Procedures (SPP) document.
A new Tailored Security Plan (TSP) Template is available through your NISS account. Open the Knowledge Base and search for “TSP Template.”
Tailored Security Plan (TSP) - Webinar
RISO Slick Sheet - TSP
The TSP is a living document. As companies complete and commence contracts, as threats evolve, and as new vulnerabilities emerge, industry partners must actively continue to conduct the actions related to the new methodology and update TSPs as necessary.
What is Active Monitoring
July 2, 2019 – Resources Update
Added links to new TSP Template and updated multiple resource links
May 21, 2019 – Resources Update
Added resources to assist industry partners with independently conducting DiT activity, developing initial TSPs, and enhancing critical technology protection.
November 5, 2018 – Resources Update
Added link to DSS website page containing Voice of Industry newsletters
June 8, 2018 – Resources Update
Added link to DSS CI Countermeasures Matrix interactive tool