Thursday, February 6, 2014

NISP Enhancements Revisited

Defense Security Service (DSS) has new guidance on security enhancements and ratings that cleared defense contractors can earn. According to the publication "2013 DSS Vulnerability Assessment Rating Matrix: Vulnerabilities and NISP Enhancement Categories," there are 10 enhancements, or opportunities to demonstrate protection of classified information beyond baseline National Industrial Security Program Operating Manual (NISPOM) standards.

Before contractors can receive credit for NISP enhancements, there are a few ground rules or fundamental areas that must be addressed.

Back to the basics is a good mantra to follow here. A cleared defense contractor must first demonstrate the capability of protecting classified information before earning enhancements. For example, a cleared facility that has significant findings in the topic of Export Control or Foreign Ownership, Control and Influence (FOCI) will not get enhancement credit in the FOCI topic until it overcomes the deficiencies.

Another rule is that the NISP enhancement must relate directly to the National Industrial Security Program. An example where a security measure would not count is where the security office volunteers to walk employees to their cars during hours of darkness. Though this is a great service and goes to enhance the employees' quality of life and safety, it has nothing to do with NISP and will not count as a NISP enhancement. 

NISP enhancements must be validated during the security assessment as having an effective impact on the overall NISP program in place at the company. In other words, the NISP enhancement must be measurable and documented at the point of the assessment. For example, a cleared facility's policy requiring accountability of CONFIDENTIAL information might qualify as a NISP enhancement. After all, in the collateral world, accountability is only required for TOP SECRET. However, if in spite of this accountability policy several documents can't be accounted for, there is no indication of the policy having an effective impact.

Credit for NISP enhancements will be granted for activities beyond baseline NISPOM requirements even if they are required by program or contract. This means that if a government or contractor customer requires CONFIDENTIAL information to be transmitted with the processes reserved for TOP SECRET information, the serving contractor gets the NISP enhancement. The motivation doesn't matter here; it's the results that count.

An enhancement directly related to a NISPOM requirement cited for a vulnerability may not be granted. In other words, if a security weakness exists and a countermeasure is required to address that weakness, the countermeasure doesn't count. Consider our earlier example of using TOP SECRET controls to protect CONFIDENTIAL information. This is a NISP enhancement because it goes above and beyond NISPOM. However, if there is a vulnerability requiring the additional security measure, then it may not count as a NISP enhancement.

If there are other effective enhancement activities in a specific category unrelated to a specific vulnerability in that category, the enhancement credit may still be granted. An example is developing procedures to enforce need to know. NISPOM guidance does a lot to direct how to protect classified information by protecting it according to classification level and making it available to those with the proper clearance, but need to know is mentioned only a few times. Access rosters, contract verification or other measures that enforce need to know may well qualify as a NISP enhancement.

The DSS vulnerability assessment ensures that classified information is protected according to the NISP. Once the baseline is established, then credit for enhancements can be given. The cleared contractor should be able to demonstrate that their security program meets the criteria. The cleared contractor can then build upon that foundation to demonstrate going above and beyond NISPOM requirements. 

For more ideas on passing the DSS review and NISP enhancements see our book DoD Security Clearance and Contracts Guidebook.

Jeffrey W. Bennett, ISP is the owner of Red Bike Publishing. He regularly consults, presents security training, and recommends export compliance and intellectual property protection countermeasures. He is an accomplished writer of non-fiction books, novels and periodicals. Jeff is an expert in security and has written many security books including "Insider's Guide to Security Clearances", "DoD Security Clearances and Contracts Guidebook", "ISP Certification-The Industrial Security Professional Exam Manual", and "NISPOM/FSO Training".