How to Prepare for a DSS Vulnerability Assessment
By John Rutherford | Harkcon's Facility Security Officer
Many Facility Security Officers (FSOs) unnecessarily dread Defense Security Service (DSS) vulnerability assessments. Yes, preparing for an assessment is a lot of work, and yes, there is the possibility that your Industrial Security Representative (ISR) may find a vulnerability that reflects poorly on your facility. However, when viewed correctly, vulnerability assessments can be a valuable tool in helping a cleared company establish and maintain a high-quality security program with the objective of protecting classified information, people, and resources.
The DSS conducts vulnerability assessments every 12 to 18 months in accordance with NISPOM paragraph 1-207, Security Reviews. The focus of the assessment is to ensure that your facility is compliant with NISPOM requirements such as Foreign Ownership, Control, and Interest (FOCI), Key Management Personnel, procedures for safeguarding classified information, reporting procedures, record keeping procedures, adequacy of your training program, and your company’s insider threat program.
DSS generally provides notification about 30 days in advance and will provide a list of documents (e.g., DD-441, SF-328, DD-254, and KMP List) that have to be sent to your ISR at least five days in advance of the inspection.
The biggest mistake that many FSOs make is that they start preparing for their vulnerability assessments only after they receive notification from DSS that an assessment has been scheduled.
Here are a few tips on how to prepare for an assessment.
Start preparing early.
If your company has never had an assessment, you should start preparing as soon as possible. If your company has had an assessment, your preparation for the next review should have started the day after your last assessment.
Take advantage of the training provided by DSS.
DSS has a 30-minute webinar that discusses the basics of how to prepare for an assessment. The recorded version of the webinar can be found at http://www.cdse.edu/catalog/webinars/industrial-security/security-vulnerabilities.html. There is also a 1.5-hour course offered by CDSE. A description of the course and STEPP registration can be found at http://www.cdse.edu/catalog/elearning/IS036.html.
Carefully review the DSS Vulnerability Rating Matrix.
The Vulnerability Rating Matrix, along with the training, will provide you valuable guidance and the criteria that DSS will use to evaluate your facility. You can find the Vulnerability Rating Matrix at http://www.dss.mil/documents/facility-clearances/VulnAssm_RatingMatrix_2016Update.pdf. It will also provide you insights on what is important to DSS. Better yet, it will provide you valuable tips on how to set up your security program to meet NISPOM requirements. Remember, DSS will inspect the most important elements of protecting classified information and your security program.
Conduct your company’s self-inspections well ahead of your vulnerability assessment.
Self-inspections are required under the NISPOM, and they will help you identify and correct deficiencies and potential vulnerabilities before your assessment. DSS recommends that you conduct your self-inspection six months before your vulnerability assessment. More information and training about self-inspections can be found on DSS’s website at http://www.cdse.edu/toolkits/fsos/inspections-assessments.html.
Have information at your fingertips during your assessment.
For example, in every assessment my ISRs have asked to see our DD-441, SF-328, KMP List, and DD-254s. I have all of those forms well organized, in protective covers, and within reach so I can hand them to the representative quickly. Being well organized during your assessment may make a positive impression upon your ISR. Being disorganized may be seen as a reflection upon how well your company protects classified information.
Have examples of your training program available.
Having an effective training program is essential to a security program and is one of the DSS inspection points. At Harkcon, we take pride in our training program, which consists of eight training components ranging from quarterly instructor-led training to security newsletters. We display all of our training materials during the assessment and have received many compliments from our ISRs.
If you want your company to receive a rating higher than just “satisfactory,” you have to pay attention to the enhancements found on the Rating Matrix. An enhancement directly relates to and enhances the protection of classified information beyond baseline NISPOM standards. Know the enhancements and incorporate them into your security program, not just to get a better score, but to improve your company’s ability to protect sensitive information and the overall quality of your program. An example that has been extremely important to Harkcon’s program is being an active member in the security community (NIPS Enhancement 5). I have learned so much from my peers and DSS through various local and national security organizations. Almost all of the information I have learned has been incorporated into our program to improve it.
Learn from your previous inspections.
First, correct any deficiencies or vulnerabilities that were identified during the assessment. Make notes after every assessment of what did and did not go well, questions that the ISR asked, what documents and procedures were reviewed, ideas for how to make your program better, and things you need to do to make your next assessment go well. I have always found the ISRs to be helpful and honest during our inspections. They will ask some tough questions to test your knowledge; however, with proper preparation you should not have any issues.
If you would like to contact the author of this blog, send an email to email@example.com and reference the title, “How to Prepare for a Vulnerability Assessment.”