Self-Inspection / Assessment Preparation December 2013 Michael Campbell ViaSat, Inc.


Jan 02, 2016


Vernon Griffith
Welcome message from author
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it with your friends and learn new things together.
Transcript
Page 1: December 2013 Michael Campbell ViaSat, Inc..  NISPOM Requirements  Interpretation ◦ Category Level ◦ Business Best Practices  Available Tools  Pre-Inspection.

Self-Inspection / Assessment Preparation
December 2013, Michael Campbell
ViaSat, Inc.

Page 2: Why Am I Here?

• NISPOM Requirements
• Interpretation
  ◦ Category Level
  ◦ Business Best Practices
• Available Tools
• Pre-Inspection
• Self-Inspection
• Post-Inspection Communication
• Preparation for formal assessment

Page 3: Our Day-to-Day Jobs

[Diagram: RISK shown as the overlap of Asset, Threat and Vulnerability, repeated for each of several risk instances]

Page 4: What have we gotten ourselves into?!

• NISPOM 1-206(b)
  ◦ Contractors shall review their security system on a continuing basis and shall also conduct a formal self-inspection at intervals consistent with risk management principles.

Page 5: What's a Category?

What category is your facility?
◦ AA: Multi-week assessment
◦ A: Large and complex facility with many programs, contracts, holdings, etc.
◦ B: First category requiring a team of Reps for the formal assessment
◦ C: Largest facility that allows one-Rep assessments
◦ D: Smallest category with safeguarding
◦ E: Contracts and cleared personnel (no safeguarding)

Page 6: What Do Your Folks Do?

KNOW YOUR COMPANY
• Know your company
• Know your product lines
• Know your corporate structure
• Know your PMs

Page 7: What Tools Will You Use?

• MS Project
• SharePoint
• Gantt charts
• SIMS
• Self-Inspection Handbook for NISP Contractors

Page 8: What Do I Do?

[Pie charts: Marking Vulnerability Trends]
2010: Marking 75%, Non-Marking 25%
2011: Marking 38%, Non-Marking 62%

Breakdown by vulnerability area:

Area            2010    2011
Marking          75%     38%
IS               25%     23%
Reporting         -      15%
Education         -       8%
Personnel         -       8%
Documentation     -       8%

Page 9: What Strategy Will You Utilize?

• Programmatic?
• Traditional?
• Unannounced?
• Assisted?

HAVE YOU HAD ANY "RED FLAGS"?

Page 10: General Business Best Practices

• Adopt the "verify and validate" mindset
• Create your inspection binder
• Review your SPP
• Explain the process of vulnerability assessments following your employee interviews (this may be their first)
• Ask open-ended questions (ALWAYS)

Page 11: Where To Begin

• When will you begin?
• How long do you plan to take?
• Who will you interview?
• To whom and how will you communicate the results?
• Do you plan on keeping metrics?

Page 12: Completing Your Strategy

• Stick to your plan
• Use your tools how you planned
• Record as much as possible (you'll make sense of your notes later)
• Interview, interview, interview

Page 13: Now What?

• Create
  ◦ Create a report format
• Analyze
  ◦ Review findings
  ◦ Compile metrics
  ◦ Record vulnerabilities
• Prepare
  ◦ Complete your report
  ◦ Determine who will review it
• Communicate
  ◦ Alert your Rep and FCIS of your results

Page 14: Who Is Your Rep and FCIS?

• Have you communicated with them?
• Do they know your company?
• Do they know your programs?
• What can you do to assist them?

Page 15: Preparing For Your Assessment

Page 16: Remember That Binder?

• Review your facility binder
  ◦ Is it organized?
  ◦ Are all of your forms up to date?
  ◦ Does it have examples of the forms you use?
  ◦ Does it have your Sec Ed information?
  ◦ Do you have a copy of your self-inspection report in it?

Page 17: How Was That Communication?

• Do you know your Rep and FCIS yet?
• Do you know when your assessment is planned for?
• Do you know what strategy will be utilized?
• Do you know your facility's Category?
• Do your employees know when they'll see suits in the building?

Page 18: NISP Enhancements (OLD / NEW)

Security Rating Calculation Worksheet

Rating Calculation (complete areas in yellow)
*Note: For rating calculation purposes, treat multiple occurrences under the same NISPOM reference as one vulnerability.
Place or select "X" for each enhancement that applies to the program.

Select CAT: ____
Starting Score → 700
NISP Enhancement: 0    Other: ____    Red Flags (Yes/No?): ____

Enhancement categories:
◦ Category 1: Security Education (Events)
◦ Category 2: Security Education (Products)
◦ Category 3: Security Education (Staff Training)
◦ Category 4: Security Education (Community Information Sharing)
◦ Category 5: Contractor Self Review
◦ Category 6: Classified Material Control
◦ Category 7: CI
◦ Category 8: Information Systems
◦ Category 9: FOCI
◦ Category 10: International
◦ Category 11: Community Membership
◦ Category 12: (↑) Active Participation
◦ Category 13: Personnel Security

Vulnerabilities (Non-A/C) by Reference*: ____    Other: ____
Acute/Critical by Reference*: ____    Other: ____

FINAL SCORE → ____

Rating:
◦ 599 & Below = Unsatisfactory
◦ 600 - 649 = Marginal
◦ 650 - 749 = Satisfactory
◦ 750 - 799 = Commendable
◦ 800 & Above = Superior

Facility Data Information
CAGE Code: ____    Company: ____
Assessment Date: ____    Field Office: ____
Team Assessment: ____
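The worksheet above, worked through as an added example (not from the slides and not the official DSS worksheet): start at 700, credit each effective enhancement category, debit each vulnerability, and map the result to the rating bands printed on the slide. The slide does not give point values, so the per-enhancement and per-vulnerability weights below are assumed, illustrative parameters; the NISPOM reference strings in the sample are constructed. The one rule the slide does state, that multiple occurrences under the same NISPOM reference count as a single vulnerability, is implemented by de-duplicating on the reference. The effect of a "Red Flag" on the score is not stated on the slide and is deliberately not modelled.

```python
"""Security rating worksheet calculator (added example; weights are assumed)."""
from __future__ import annotations

from dataclasses import dataclass, field

STARTING_SCORE = 700  # from the slide

# Rating bands from the slide: inclusive lower bound, checked in descending order.
RATING_BANDS = [
    (800, "Superior"),
    (750, "Commendable"),
    (650, "Satisfactory"),
    (600, "Marginal"),
]


def rating_for(score: int) -> str:
    """Map a final score to the slide's rating band (599 & below = Unsatisfactory)."""
    for floor, label in RATING_BANDS:
        if score >= floor:
            return label
    return "Unsatisfactory"


def unique_refs(refs) -> set[str]:
    """Normalise NISPOM references so '4-202', ' 4-202 ' and '4-202' collapse to one.

    This is the slide's rule: multiple occurrences under the same NISPOM
    reference are treated as one vulnerability for rating purposes.
    """
    return {r.strip().upper() for r in refs if r and r.strip()}


@dataclass
class Worksheet:
    # Enhancement category numbers (1-13 on the slide) judged EFFECTIVE.
    enhancements: set[int] = field(default_factory=set)
    # NISPOM references of non-acute/critical vulnerabilities (may repeat).
    vulnerabilities: list[str] = field(default_factory=list)
    # NISPOM references of acute/critical vulnerabilities (may repeat).
    acute_critical: list[str] = field(default_factory=list)
    # ASSUMED weights: the slide gives none; change to the values your Rep uses.
    enhancement_points: int = 10
    vulnerability_points: int = 5
    acute_critical_points: int = 25

    def counted(self) -> tuple[set[int], set[str], set[str]]:
        """Return (effective enhancements, unique non-A/C refs, unique A/C refs).

        Assumption: a reference listed under both columns is counted once, as
        acute/critical, so the more severe finding is not double-billed.
        """
        ac = unique_refs(self.acute_critical)
        non_ac = unique_refs(self.vulnerabilities) - ac
        effective = {n for n in self.enhancements if 1 <= n <= 13}
        return effective, non_ac, ac

    def final_score(self) -> int:
        enh, non_ac, ac = self.counted()
        return (STARTING_SCORE
                + len(enh) * self.enhancement_points
                - len(non_ac) * self.vulnerability_points
                - len(ac) * self.acute_critical_points)

    def rating(self) -> str:
        return rating_for(self.final_score())


if __name__ == "__main__":
    # Constructed sample: four effective enhancements, one reference cited
    # twice (counts once), one distinct non-A/C finding, one acute/critical.
    ws = Worksheet(
        enhancements={1, 2, 5, 8},
        vulnerabilities=["4-202", "4-202", " 5-100 "],
        acute_critical=["8-100"],
    )
    enh, non_ac, ac = ws.counted()
    print(f"effective enhancements: {sorted(enh)}")
    print(f"non-A/C vulnerabilities counted: {sorted(non_ac)}")
    print(f"acute/critical counted: {sorted(ac)}")
    print(f"final score: {ws.final_score()} -> {ws.rating()}")
```

Run it as a script to see the sample worksheet scored; the band boundaries (599/600, 649/650, 749/750, 799/800) are the slide's, so changing only the assumed weights lets you recompute a facility's position once you know the real point values.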

Page 19: Very Important

• Know your vulnerabilities
• Re-review the red flags
  ◦ FOCI
  ◦ KMP
  ◦ Deliberate disregard of NISPOM or SPP
  ◦ Unmitigated loss or compromise
  ◦ Processing on an unaccredited information system
• Enhancements must be EFFECTIVE

Page 20: Briefings

• Entrance:
  ◦ Summarize your facility and the work that is accomplished
  ◦ Quickly review your self-inspection
  ◦ Provide your Rep with a copy of your briefing and NISP enhancements (their job is to trust, but verify)
  ◦ Keep it short and precise
• Exit:
  ◦ Take notes
  ◦ Ask questions

Page 21: Why?

Page 22: Questions?

Michael Campbell
Security Manager
Email: [email protected]
(760) 476-2123