Saturday, September 21, 2013

Vulnerability Assessment Rating Matrix 2013 Update

In case you haven't seen the release,, DSS has announced new Vulnerability Assessment Rating Matrix 2013 Update. This matrix provides DSS with a way to gauge a cleared defense contractor's compliance with NISPOM. But, it also gives the contractor a methodology to evaluate their own performance. Think of it as a way to enhance your own self-inspection.

But let’s go back to DSS, what are they looking for in this analysis?

During the annual review, DSS will look at a cleared facility and run through a consistent and reliable process to determine whether or not procedures are in place to adequately protect classified information. As mentioned earlier, the threat and impact are already identified. So, vulnerability is simply a reflection of the proscribed protection measures outlined in NISPOM and the inspection and not an analysis conducted by the FSO.

Vulnerability per DSS occurs when a contractor is not in compliance with the requirements of the NISPOM. Then DSS categorizes the vulnerability as either an "Acute Vulnerability", a "Critical Vulnerability" or a "Vulnerability".
Per the DSS website, the following further defines each category:

*Acute Vulnerability: Those vulnerabilities that put classified information at imminent risk of loss or compromise, or that have already resulted in the compromise of classified information. Acute vulnerabilities require immediate corrective action.
*Critical Vulnerability: Those instances of NISPOM non-compliance vulnerabilities that are serious, or that may foreseeably place classified information at risk or in danger of loss or compromise. 

Once a vulnerability is determined to be Acute or Critical, it shall be further categorized as "Isolated", "Systemic", or "Repeat".

*Isolated - Single occurrence that resulted in or could logically lead to the loss or compromise of classified information.
*Systemic -Deficiency or deficiencies that demonstrate defects in an entire specific subset of the contractor's industrial security program (e.g., security education and awareness, AIS security) or in the contractor's overall industrial security program. A systemic critical vulnerability could be the result of the contractor not having a required or necessary program in place, the result of an existing process not adequately designed to make the program compliant with NISP requirements, or due to a failure of contractor personnel to comply with an existing and adequate contractor policy. These defects in either a subset or the overall program may logically result in either a security violation or administrative inquiry if not properly mitigated.
*Repeat - Is a repeat of a specific occurrence identified during the last DSS security assessment that has not been properly corrected. Note: Although some repeat vulnerabilities may be administrative in nature and not directly place classified information at risk to loss or compromise, it is documented as critical.
Vulnerability: All instances of non-compliance with the NISPOM that are not acute or critical vulnerabilities.

But what can you do as a cleared defense contractor? Do you have to sit back and wait for an inspection? Do you just implement the NISPOM without thought into the security program? Well, you could, but…

In the case of NISPOM and DSS, vulnerability is already identified. We already know what the threat is, unauthorized access to classified information. We already know what impact is, potential damage to national security. We already know what the risk analysis recommendation is; follow the proscribed practices in NISPOM. If you just do that, you might get by. But what if you went the distance to conduct a risk analysis? Think enhancement as you implement risk analysis in the following steps

Susceptibility analysis: We know what assets are, we know what the threat is and we know what impact of loss is. We might be tempted to skip this step. However, what if you could demonstrate that you not only had a program for protecting classified information, but you also a program to identify proprietary information, processes, export controlled information, FOUO and etc equally important, but not covered in NISPOM.

Vulnerability analysis: We know what the assets are from the susceptibility analysis, but we might not have a clear threat. There are other places we can go to identify a general threat: State Department, Department of Justice, FBI, DSS and other agencies have reports dedicated to documented theft of contractor information. This is enough to get an idea of who bad guys might be and what they want. You just have to identify the impact of loss or compromise. Do you lose a product, does an audit team descend on you, do you get a fine from the State Department or Commerce Department?

Risk Analysis: Weigh threat and impact and determine whether or not you need to implement protective measures that are more stringent than best practices.

DSS has announced new Vulnerability Assessment Rating Matrix 2013 Update. The matrix does provide a good way to gauge the security program. Even though the threat, vulnerability and impact are already identified, an FSO should still use a risk assessment model. The way to get to good evaluations and enhanced measures is to analyze the protection of classified information and demonstrate how the NISPOM is implemented. A risk analysis provides that answer. See our next article for more tailored ways to set up risk analysis.

Jeffrey W. Bennett, ISP is the owner of Red Bike Publishing Red Bike Publishing . He regularly consults, presents security training, and recommends export compliance and intellectual property protection countermeasures. He is an accomplished writer of non-fiction books, novels and periodicals. Jeff is an expert in security and has written many security books including: "Insider's Guide to Security Clearances" and "DoD Security Clearances and Contracts Guidebook", "ISP Certification-The Industrial Security Professional Exam Manual", and NISPOM/FSO Training".

No comments: