DSS: Changing the Game
Regina Johnson, Regional Director, Southern Region
www.dss.mil

Page 2: Government – Industry Partnership

• The NISP is a government – industry partnership established to safeguard classified information in the hands of industry.
  o Government establishes security requirements, advises, assists, and provides oversight
  o Industry implements the security requirements
  o The Facility Security Officer plays a crucial role

FSO Key Roles
• Facility Clearance
• Personnel Clearances
• Security Education
• Safeguarding
• Self-Inspection
• Reporting
• Classified Visits
• Insider Threat

Partnering with Industry to Protect National Security

Page 3: FSO Is Key

• The Facility Security Officer (FSO) is integral to ensuring the effective implementation of a security program.
• National Industrial Security Program Operating Manual (NISPOM), 1-201
  o A U.S. citizen employee of the company, who is cleared as part of the facility clearance
  o The FSO will supervise and direct security measures necessary for implementing applicable requirements of the NISPOM and related Federal requirements

Page 4: Need for Change at DSS

• The United States is facing the most significant foreign intelligence threat it has ever encountered
• Adversaries are successfully:
  o Attacking cleared industry at an unprecedented rate
  o Stealing our national security information and technology
  o Using multiple and varying avenues of attack
  o Prioritizing targeted information
  o Shifting priorities based on needs

Page 5: New Approach

• The National Industrial Security Program (NISP) was designed for a vastly different time
• DSS is moving to an intelligence-led, asset-focused, and threat-driven approach that:
  o Identifies assets that need protection
  o Considers the threat and vulnerabilities
  o Partners with cleared industry to develop tailored security programs

“We are changing the way we protect National Security Information & Technologies”

Page 6: DSS in Transition Methodology

Security Baseline
• Looks to Industry to identify assets
• Includes security controls currently implemented by Industry
• Provides for DSS review and establishes the foundation for the Tailored Security Plan

Security Review
• Focuses on protection of assets identified in the Security Baseline
• Assesses facility security posture, considers threats, and identifies vulnerabilities
• Results in a Summary Report and POA&M framework to develop the Tailored Security Plan

Tailored Security Plan (TSP)
• Builds on the Security Baseline, Summary Report, POA&M, and recommendations developed during the TSP process
• Documents effectiveness of security controls
• Applies countermeasures to the TSP based on threat

Continuous Monitoring
• Establishes recurring reviews of TSPs by DSS and Industry
• Provides recommendations from DSS based on the changing threat environment
• Ensures security controls documented in the TSP are still effective

Page 7: Partnership Opportunities

[Slide graphic: each item below is attributed to DSS, to Industry, or to both on the original slide; the attribution is not recoverable from the extracted text]
• Broadens scope from compliance to protection of national security assets
• Identifies national security assets at the cleared facility
• Provides targeted-threat information on identified assets at cleared facilities
• Considers threat and develops appropriate course(s) of action
• Recognizes incorporated, implemented, and assessed countermeasures in TSPs
• Develops, implements, and monitors countermeasures
• Provides a template and necessary guidance for initially developing a baseline (similar to an SPP)
• Evaluates, validates, and continuously reviews TSPs
• Develops TSPs
• Creates a comprehensive and consolidated understanding of security programs

Page 8: Next Steps

DSS in Transition is planning to:
• Implement the new methodology integrated CONOPS through 2018
• Increase connection with industry
• Engage more actively with GCAs
• Expand communications internally and externally

Page 9: Facility Clearance Branch update

The Facility Clearance Branch processes over 2,500 facility clearance (FCL) requests each year. Many are rejected for various reasons. Below is useful information when sponsoring a facility for an FCL.

Top 5 deficiencies in Facility Clearance Requests:
• Incomplete/missing sponsorship information
• No GCA authorization
• Inaccurate and/or incomplete DD254
• No justification for a valid need/requirement
• Mismatched information on the DD254 and sponsorship

What you can do to reduce rejection of a Facility Clearance package:
• Ensure there is a valid need or requirement to access classified information
• Provide complete and accurate information on the sponsorship letter
• Ensure the DD254 is complete and accurately reflects requirements
• Obtain GCA authorization
• When in doubt, contact the DSS Knowledge Center, Option #3, at 888-282-7682

Page 10: Field Integration

The Field Integration initiative leverages the expertise of the Personnel Security Specialists (PSS) within PSMO by assigning a PSS to each Field Office to serve as a liaison and a conduit through which field personnel can get real-time answers and assistance with addressing the intersections of PCLs and FCLs.

• PCL Information: subject-specific information as needed to mitigate risk and assess compliance
• Best Practices: answer questions from the field on PCL-related processes
• Risk Mitigation: information sharing to close gaps and manage population (*Russian Passport)
• KMP Assistance: immediate KMP assistance as needed
• Incident Report Triage: immediate triage of unreported adverse information found by the Rep
• PCL Trends: adverse information reports

Page 11: FY17 by the Numbers

[Four charts; values below are listed in the order they appear in the extracted slide, and each set sums to the total shown on the chart]
• Security Vulnerability Assessments Conducted, by region (Capital, Southern, Northern, Western): 1,324; 1,264; 719; 629. Total: 3,936
• Security Ratings (Superior, Commendable, Satisfactory, Marginal, Unsatisfactory, Pending): 540; 806; 2,552; 14; 20; 4. Total: 3,936
• FCL Level of Current Facilities (Top Secret, Secret, Confidential, None): 7,454; 4,558; 123; 31. Total: 12,166
• Total Advise and Assist Actions, by region (Capital, Northern, Southern, Western): 10,960; 10,574; 8,868; 8,530. Total: 38,932

Page 12: FY17 by the Numbers

Top 10 Vulnerabilities (NISPOM paragraph and count, paired in the order they appear on the chart)
• 01-304 Individual Culpability Reports: 122
• 02-212 Consultants: 122
• 02-200 Personnel Security Clearances, General: 138
• 03-107 Initial Security Briefings: 166
• 03-102 FSO Training: 169
• 03-103 Insider Threat Training: 230
• 01-207B Contractor Reviews: 295
• 10-706 NATO Briefings: 323
• 03-108 Refresher Training: 385
• 02-200B JPAS Maintenance & Deny Access for D/R/LOJ PCLs: 687

Meaningful Engagements (counts paired in the order they appear on the chart; Vulnerability Assessment matches the 3,936 assessments on the previous page)
• IS Accreditation: 29
• Targeted Engagement Strategy (with vulnerabilities identified): 86
• Communication Strategy (with vulnerabilities identified): 117
• Continuous Monitoring (with vulnerabilities identified): 165
• CCRI: 186
• Initial Compliance Contact: 355
• Targeted Engagement Strategy: 610
• Continuous Monitoring: 2,036
• Vulnerability Assessment: 3,936
• Communication Strategy: 4,445
• FCL Changed Condition: 14,839
Total: 26,804

Page 13: NISP Authorization Office update

• Risk Management Framework (RMF)
  o Effective January 1, 2018, Industry is required to execute the RMF Assessment and Authorization process for all classified system authorizations and to use the DSS Assessment and Authorization Process Manual (DAAPM) Version 1.2.
  o Industry should regularly visit the RMF Information and Resources site at www.dss.mil/rmf. The site contains current artifacts, resources, templates, and job aids.
  o Use of common controls. Common controls are security controls that can support multiple systems efficiently and effectively as a common capability. An example is an organization's parent corporation providing controls that are inherited by the facilities in which the systems are located.

Page 14: NISP Authorization Office update

• Enterprise Mission Assurance Support Service (eMASS) for Cleared Industry
  o DSS is planning to migrate to the eMASS application and replace the ODAA Business Management System (OBMS) in October 2018, as eMASS is better suited to authorization actions.
  o eMASS is a DoD web-based application that automates the RMF process. It includes the reporting capabilities required by the RMF process. A primary goal of eMASS is to allow the sharing of data regarding authorizations to promote reciprocity.
  o Simplifies the RMF workflow process.

Page 15: Cyber Threat

• Foreign Intelligence Entities (FIE) use many methods to compromise sensitive and classified U.S. technologies

The Cyber/Non-Cyber Relationship
  o 14% Exclusive Cyber*
  o 16% Non-Cyber
  o 70% Blend – some Cyber component

* A human is behind every cyber incident

Cyber is an essential part of an FIE's campaign

Page 16: Insider Threat in Cleared Industry

• NISPOM Change 2 outlines minimum standards that include:
  o Establish and maintain an insider threat program
  o Designate an Insider Threat Program Senior Official
  o Gather, integrate, and report
  o Conduct self-assessments of the insider threat program
  o Insider threat training
  o Monitoring network activity
  o Classified banners

Page 17: Insider Threat Program Development

• Current Status (as of Jan. 2018)
  o ITPSOs Appointed: 12,161 (99%)
  o Insider Threat Plans Certified: 11,637 (95%)
  o Industry Course Completions: Establish an Insider Threat Program: 13,875; Employee Awareness: 223,254
• During Security Reviews, DSS verifies:
  o An Insider Threat Program Senior Official is appointed and cleared in connection with the FCL
  o An Insider Threat Program Plan is in place and meets minimum requirements
  o Awareness training is provided to all cleared employees
  o Necessary controls are in place on classified information systems

Page 18: Insider Threat Program Effectiveness

• Evaluating Program Effectiveness
  o DSS has started to develop a process for evaluating the effectiveness of cleared industry's insider threat programs
  o The goal is to develop a consistent approach for evaluating different insider threat programs across the NISP
  o Industry involvement throughout the development process
• Industry Table Top Exercise
  o Held at DSS HQ in February 2018
  o Four takeaways:
    - Process must be consistent and simple
    - Reporting is not the only indicator of an effective program
    - Size and complexity considerations
    - Local/corporate program knowledge may vary
• Way Ahead
  o Pilots planned in mid-2018
  o Development of internal guidance and job aids
  o Internal training
  o Socialization to industry

Page 19: ITPSO and Insider Threat Program Partners

[Diagram: the Insider Threat Program Senior Official (ITPSO) at the center of the Insider Threat Program, surrounded by its partners]
• Facility Security Officer
• Info Systems Security Manager
• Information Assurance
• Human Resources
• Legal
• Ethics
• Information Technology
• Security

Page 20: PSMO-I Updates

[Infographic with panels titled PCL Metrics, Adverse Information, Customer Service, and New Mission!]
• e-QIPs Submitted: 220K
• Interim Clearance Determinations: 80K
• Overdue PRs: 30k
• Incident Reports: 10k
• Knowledge Center Calls: 100k
• RRU Requests: 40k
• CE Population: 1,112,000
• CE Alerts: 80k
• Valid Alerts: 16k
• Cleared Population: 814k Cleared Contractors (Eligible); 740k Cleared Contractors (In Access)

Page 21: DoD Continuous Evaluation

[Timeline, as laid out on the slide]
• 2007: Joint Reform Team
• 2008: E.O. 13467
• 2014: Pentagon Review of Washington Navy Yard: Immediately Implement CE
• 2015: Performance Accountability Council (PAC) Goal 225K
• 2016: DNI CE Phased Implementation and Options for Automated Records Checks; PAC Goal 500K
• 2017: PAC Goal 1M

Page 22: Continuous Evaluation Way Ahead

• DISA (NBIS Team) – provide the technical solution (ARC/Mirador and DISS) to support the CE Alert process and operational metrics
• DoD CAF and OGC – solve reciprocity on unresolved DEROG cases and Revocations (T3C and T5C)
• USD/I and CAPE – provide FY19 resources and CAF realignment of personnel to support the Cross-Functional Team
• Planning for potential expansion to include the entire DoD cleared population

Page 23: E-QIP Rejections

How you can reduce delays in processing PSI-Is:
• Ensure the e-QIP is actually required
• Encourage the applicant to review the information in the e-QIP for completeness and accuracy prior to submitting
• FSO: conduct a thorough review of the e-QIP for completeness prior to submission to PSMO-I
• Use Click to Sign for all forms associated with the e-QIP
• Capture and submit fingerprints electronically. Submit fingerprints upon release of the e-QIP to PSMO-I in JPAS.

Top e-QIP Rejection Reasons, Q2 FY17
• Change from PR to Initial/FP Required: 24%
• Unable to Grant Interim TS: 17%
• Unable to Grant Interim Secret: 11%
• Current Open Investigation: 7%
• Cohabitant Information: 6%
• Unemployment/Self-Employment Verification: 5%
• Spouse SSN: 4%
• Cleared Through Another Agency: 4%
• Other: 22%

Page 24: Cyber Vulnerabilities

Top 5 deficiencies we're seeing in System Security Plans:
• SSP was incomplete or missing attachments
• Inaccurate or incomplete configuration diagram
• Sections in general procedures contradict the protection profile
• Integrity and availability not properly addressed
• SSP was not tailored to the system

Top 5 vulnerabilities we're seeing during visits:
• Inadequate auditing controls
• Security Relevant Objects not protected
• Inadequate configuration management
• Improper session controls
• Identification and authentication controls

Page 25: NISP Contract Classification System (NCCS)

• Reached Full Operational Capability in December 2016
• Currently supports 37 agencies and 131 industry partners
• Currently in a phased implementation (Phase 6: Jan–Apr 2018)
• Enables a central repository of DD Form 254 information that supports government processes and sharing of information across acquisition, intelligence, and security
• Additional information: http://www.dss.mil/is/nccs.html

Page 26: Security Education and Training Products

Method (Student Time Investment Required): Benefit
• Instructor-led Courses (HIGH): Students can interact directly, in person, with other students and the instructor
• eLearning (MEDIUM): Students can access tools when they want them, anywhere in the world
• Virtual Instructor-led Courses (HIGH): Students can engage with each other and instructors in a classroom setting and can virtually submit coursework in a flexible timeframe
• Toolkits (LOW): Current information and resources are easy to access online and through an app
• Job Aids (LOW): Security professionals can easily refresh their knowledge on a critical topic or quickly access information needed for a specific job
• Webinars (LOW): Webinars can be developed relatively quickly to keep pace with current events, and content can be archived for viewing at a later date
• Shorts (LOW): Shorts can be used and shared as needed, with a low time investment for learning

Page 27: Questions & Answers

www.dss.mil