www.dss.mil
DSS: Changing the Game
Regina Johnson
Regional Director, Southern Region
Government – Industry Partnership
• The NISP is a government – industry partnership established to safeguard classified information in the hands of industry.
o Government establishes security requirements, advises, assists, and provides oversight
o Industry implements the security requirements
o The Facility Security Officer plays a crucial role
FSO Key Roles
• Facility Clearance
• Personnel Clearances
• Security Education
• Safeguarding
• Self-Inspection
• Reporting
• Classified Visits
• Insider Threat
Partnering with Industry to Protect National Security
FSO Is Key
• The Facility Security Officer (FSO) is integral for ensuring the effective implementation of a security program.
• National Industrial Security Program Operating Manual (NISPOM), 1-201
o U.S. citizen cleared employee of the company, who is cleared as part of the facility clearance
o FSO will supervise and direct security measures necessary for implementing applicable requirements of the NISPOM and related Federal requirements
Need for Change at DSS
• The United States is facing the most significant foreign intelligence threat it has ever encountered
• Adversaries are successfully:
o Attacking cleared industry at an unprecedented rate
o Stealing our national security information and technology
o Using multiple and varying avenues of attack
o Prioritizing targeted information
o Shifting priorities based on needs
New Approach
• National Industrial Security Program (NISP) designed for a vastly different time
• Moving to an intelligence‐led, asset‐focused, and threat‐driven approach that:
o Identifies assets that need protection
o Considers the threat & vulnerabilities
o Partners with cleared industry to develop tailored security programs
“We are changing the way we protect National Security Information & Technologies”
DSS in Transition Methodology
Security Baseline
• Looks to Industry to identify assets
• Includes security controls currently implemented by Industry
• Provides for DSS review and establishes foundation for Tailored Security Plan
Security Review
• Focuses on protection of assets identified in the Security Baseline
• Assesses facility security posture, considers threats, and identifies vulnerabilities
• Results in Summary Report and POA&M framework to develop the Tailored Security Plan
Tailored Security Plan (TSP)
• Builds on Security Baseline, Summary Report, POA&M, and recommendations developed during TSP
• Documents effectiveness of security controls
• Applies countermeasures to TSP based on threat
Continuous Monitoring
• Establishes recurring reviews of TSPs by DSS and Industry
• Provides recommendations from DSS based on changing threat environment
• Ensures security controls documented in TSP are still effective
Partnership Opportunities
• Broadens scope from compliance to protection of national security assets
• Identifies national security assets at cleared facility
• Provides targeted-threat information on identified assets at cleared facilities
• Considers threat and develops appropriate course(s) of action
• Recognizes incorporated, implemented, and assessed countermeasures in TSPs
• Develops, implements, and monitors countermeasures
• Provides template and necessary guidance for initially developing a baseline (similar to SPP)
• Evaluates, validates, and continuously reviews TSPs
• Develops TSPs
• Creates comprehensive and consolidated understanding of security programs
(The slide assigns each opportunity to DSS, to Industry, or to both.)
Next Steps
DSS in Transition is planning to:
• Implement the new methodology integrated CONOPS through 2018
• Increase connection with industry
• Engage more actively with GCAs
• Expand communications internally and externally
Facility Clearance Branch update
The Facility Clearance Branch processes over 2,500 facility clearance (FCL) requests each year. Many are rejected for various reasons. Below is useful information when sponsoring a facility for an FCL.
Top 5 deficiencies in Facility Clearance Requests:
• Incomplete/missing sponsorship information
• No GCA Authorization
• Inaccurate and/or incomplete DD254
• No justification for a valid need/requirement
• Mismatched information on DD254 and sponsorship
What can you do to reduce rejection of a Facility Clearance package:
• Ensure there is a valid need or requirement to access classified information
• Provide complete and accurate information on the sponsorship letter
• DD254 must be complete and accurately reflect requirements
• GCA authorization is obtained
• When in doubt, contact the DSS Knowledge Center Option #3 at 888-282-7682
Field Integration
The Field Integration initiative leverages the expertise of the Personnel Security Specialists (PSS) within PSMO by assigning a PSS to each Field Office to serve as a liaison and a conduit through which field personnel can get real time answers and assistance with addressing the intersections of PCLs and FCLs.
• PCL Information: Subject specific information as needed to mitigate risk and assess compliance
• Best Practices: Answer questions from the field on PCL related processes
• Risk Mitigation: Information sharing to close gaps and manage population (*Russian Passport)
• KMP Assistance: Immediate KMP assistance as needed
• Incident Report Triage: Immediate triage of unreported adverse found by the Rep
• PCL Trends: Adverse information reports
FY17 by the Numbers
Security Vulnerability Assessments Conducted (Total: 3,936)
• Capital: 1,324
• Southern: 1,264
• Northern: 719
• Western: 629
Security Ratings (Total: 3,936)
• Superior: 540
• Commendable: 806
• Satisfactory: 2,552
• Marginal: 14
• Unsatisfactory: 20
• Pending: 4
FCL Level of Current Facilities (Total: 12,166)
• Top Secret: 7,454
• Secret: 4,558
• Confidential: 123
• None: 31
Total Advise and Assist Actions (Total: 38,932)
• Capital: 10,960
• Northern: 10,574
• Southern: 8,868
• Western: 8,530
FY17 by the Numbers: Top 10 Vulnerabilities
• 01-304 Individual Culpability Reports: 122
• 02-212 Consultants: 122
• 02-200 Personnel Security Clearances - General: 138
• 03-107 Initial Security Briefings: 166
• 03-102 FSO Training: 169
• 03-103 Insider Threat Training: 230
• 01-207B Contractor Reviews: 295
• 10-706 NATO Briefings: 323
• 03-108 Refresher Training: 385
• 02-200B JPAS Maintenance & Deny Access for D/R/LOJ PCLs: 687
Meaningful Engagements (Total: 26,804)
• IS Accreditation: 29
• Targeted Engagement Strategy (with vulnerabilities identified): 86
• Communication Strategy (with vulnerabilities identified): 117
• Continuous Monitoring (with vulnerabilities identified): 165
• CCRI: 186
• Initial Compliance Contact: 355
• Targeted Engagement Strategy: 610
• Continuous Monitoring: 2,036
• Vulnerability Assessment: 3,936
• Communication Strategy: 4,445
• FCL Changed Condition: 14,839
NISP Authorization Office update
• Risk Management Framework (RMF)
o Effective January 1, 2018, Industry is required to execute the RMF Assessment and Authorization process for all classified systems authorizations and utilize the DSS Assessment and Authorization Process Manual (DAAPM) Version 1.2.
o Industry should regularly visit the RMF Information and Resources site at www.dss.mil/rmf. The site contains current artifacts, resources, templates and job aids.
o Use of common controls. Common controls are security controls that can support multiple systems efficiently and effectively as a common capability. An example would be an organization's parent corporation and the controls inherited by the facilities in which systems are located.
• Enterprise Mission Assurance Support Service (eMASS) for Cleared Industry
o DSS is planning to migrate to the eMASS application and replace the ODAA Business Management System (OBMS) in October 2018, as it is more suited to authorization actions.
o eMASS is a DoD web-based application that automates the RMF process. It includes reporting capabilities required by the RMF process. A primary goal of eMASS is to allow the sharing of data regarding authorizations to promote reciprocity.
o Simplifies the RMF workflow process.
Cyber Threat
Cyber is an essential part of an FIE's campaign
• Foreign Intelligence Entities (FIE) use many methods to compromise sensitive & classified U.S. technologies
• The Cyber/Non-Cyber Relationship
o 14% Exclusive Cyber*
o 16% Non-Cyber
o 70% Blend – some Cyber component
* A Human is behind every cyber incident
Insider Threat in Cleared Industry
• NISPOM Change 2 outlines minimum standards that include:
o Establish and maintain an insider threat program
o Designate Insider Threat Program Senior Official
o Gather, integrate, and report
o Conduct of self-assessments of insider threat program
o Insider threat training
o Monitoring network activity
o Classified Banners
Insider Threat Program Development
• Current Status (as of Jan. 2018)
o ITPSO's Appointed: 12,161 (99%)
o Insider Threat Plans Certified: 11,637 (95%)
o Industry Course Completions: Establish an Insider Threat Program: 13,875; Employee Awareness: 223,254
• During Security Reviews, DSS Verifies:
o An Insider Threat Program Senior Official is appointed and cleared in connection with the FCL
o An Insider Threat Program Plan is in place and meets minimum requirements
o Awareness training is provided to all cleared employees
o Necessary controls are in place on classified information systems
Insider Threat Program Effectiveness
• Evaluating Program Effectiveness
o DSS has started to develop a process for evaluating the effectiveness of cleared industry's insider threat programs
o Goal is to develop a consistent approach for evaluating different insider threat programs across the NISP
o Industry involvement throughout the development process
• Industry Table Top Exercise
o Held at DSS HQ in February 2018
o Four takeaways:
 - Process must be consistent and simple
 - Reporting is not the only indicator of an effective program
 - Size and complexity considerations
 - Local/corporate program knowledge may vary
• Way Ahead
o Pilots planned in mid-2018
o Development of internal guidance and job aids
o Internal training
o Socialization to industry
ITPSO and Insider Threat Program Partners
(Diagram: the Insider Threat Program Senior Official (ITPSO) at the center of the Insider Threat Program, partnered with the following functions.)
• Facility Security Officer
• Info Systems Security Manager
• Information Assurance
• Human Resources
• Legal
• Ethics
• Information Technology
• Security
PSMO-I Updates (PCL Metrics, Adverse Information, Customer Service, New Mission!)
• 10k Incident Reports
• 80K Interim Clearance Determinations
• 220K e-QIPs Submitted
• 30k Overdue PRs
• 100k Knowledge Center Calls
• 40k RRU Requests
• 1,112,000 CE Population
• 80k CE Alerts
• 16k Valid Alerts
• Cleared Population: 814k Cleared Contractors (Eligible); 740k Cleared Contractors (In Access)
DoD Continuous Evaluation
Timeline:
• 2007: Joint Reform Team
• 2008: E.O. 13467
• 2014: Pentagon Review of Washington Navy Yard: Immediately Implement CE
• 2015: Performance Accountability Council (PAC) Goal 225K
• 2016: PAC Goal 500K; DNI CE Phased Implementation and Options for Automated Records Checks
• 2017: PAC Goal 1M
Continuous Evaluation Way Ahead
• DISA (NBIS Team) – provide technical solution ARC/Mirador and DISS to support CE Alert process and operational metrics
• DoD CAF and OGC - solve reciprocity on unresolved DEROG cases and Revocations (T3C and T5C)
• USD/I and CAPE – provide FY19 resources and CAF realignment of personnel to support Cross-Functional Team
• In Planning for potential expansion to include entire DoD cleared population
E-QIP Rejections
How you can reduce delays in processing PSI-Is:
• Ensure e-QIP is actually required
• Encourage the applicant to review information in the e-QIP for completeness and accuracy prior to submitting
• FSO, conduct thorough review of e-QIP for completeness prior to submission to PSMO-I
• Use Click to Sign for all forms associated with the e-QIP
• Capture and submit fingerprints electronically. Submit fingerprints upon release of e-QIP to PSMO-I in JPAS.
Top e-QIP Rejection Reasons, Q2 FY17:
• Change From PR To Initial/FP Req: 24%
• Unable To Grant Interim TS: 17%
• Unable To Grant Interim Secret: 11%
• Current Open Inv.: 7%
• Cohab Info: 6%
• Unemployment/Self-Employment Verification: 5%
• Spouse SSN: 4%
• Cleared Through Another Agency: 4%
• Other: 22%
Cyber Vulnerabilities
Top 5 deficiencies we're seeing in System Security Plans:
• SSP was incomplete or missing attachments
• Inaccurate or incomplete configuration diagram
• Sections in general procedures contradict protection profile
• Integrity & availability not properly addressed
• SSP was not tailored to the system
Top 5 vulnerabilities we’re seeing during visits:
• Inadequate auditing controls
• Security Relevant Objects not protected
• Inadequate configuration management
• Improper session controls
• Identification & authentication controls
NISP Contract Classification System (NCCS)
• Reached Full Operational Capability in December 2016
• Currently supports 37 agencies and 131 industry partners
• Currently a phased implementation (Phase 6: Jan‐Apr 2018)
• Enables a central repository of DD Form 254 information that supports government processes and sharing of information across acquisition, intelligence, and security
• Additional information http://www.dss.mil/is/nccs.html
Security Education and Training Products
Method | Benefit | Student Time Investment Required
Instructor-led Courses | Students can interact directly, in-person with other students and the instructor | HIGH
eLearning | Students can access tools when they want them, anywhere in the world | MEDIUM
Virtual Instructor-led Courses | Students can engage with each other and instructors in a classroom setting and can virtually submit coursework in a flexible timeframe | HIGH
Toolkits | Current information and resources are easy to access online and through an app | LOW
Job Aids | Security professionals can easily refresh their knowledge on a critical topic or quickly access information needed for a specific job | LOW
Webinars | Webinars can be developed relatively quickly to keep pace with current events, and content can be archived for viewing at a later date | LOW
Shorts | Shorts can be used and shared as needed, with a low time investment for learning | LOW
Questions & Answers
www.dss.mil