Self-Inspection / Assessment Preparation
December 2013
Michael Campbell
ViaSat, Inc.
NISPOM Requirements Interpretation
◦ Category Level
◦ Business Best Practices
◦ Available Tools
◦ Pre-Inspection
◦ Self-Inspection
◦ Post-Inspection
◦ Communication
◦ Preparation for formal assessment
Why Am I Here?
[Diagram: RISK, with Asset, Threat and Vulnerability as its three components]
Our Day-to-Day Jobs
NISPOM 1-206 (b)
◦ Contractors shall review their security system on a continuing basis and shall also conduct a formal self-inspection at intervals consistent with risk management principles.
What have we gotten ourselves into?!
What category is your facility?
◦ AA: Multi-Week assessment
◦ A: Large and complex facility with many programs, contracts, holdings, etc.
◦ B: First category requiring a team of Reps for the formal assessment
◦ C: Largest facility that allows 1 Rep assessments
◦ D: Smallest category with safeguarding
◦ E: Contracts and cleared personnel (no safeguarding)
What’s a Category?
◦ Know your company
◦ Know your product lines
◦ Know your corporate structure
◦ Know your PMs
KNOW YOUR COMPANY
What Do Your Folks Do?
◦ MS Project
◦ SharePoint
◦ Gantt charts
◦ SIMS
◦ Self-Inspection Handbook for NISP Contractors
What Tools Will You Use?
What Do I Do?
[Chart: 2011 Marking Vulnerability Trends] Marking 38%, Non-Marking 62%
[Chart: 2010 Marking Vulnerability Trends] Marking 75%, Non-Marking 25%
[Chart: 2011 vulnerabilities by area] Marking 38%, IS 23%, Reporting 15%, Education 8%, Personnel 8%, Documentation 8%
[Chart: 2010 vulnerabilities by area] Marking 75%, IS 25%
Programmatic? Traditional? Unannounced? Assisted?
HAVE YOU HAD ANY “RED FLAGS”?
What Strategy Will You Utilize?
◦ Adopt the “verify and validate” mindset
◦ Create your inspection binder
◦ Review your SPP
◦ Explain the process of vulnerability assessments following your employee interviews (this may be their first)
◦ Ask open-ended questions (ALWAYS)
General Business Best Practices
◦ When will you begin?
◦ How long do you plan to take?
◦ Who will you interview?
◦ To whom and how will you communicate the results?
◦ Do you plan on keeping metrics?
Where To Begin
◦ Stick to your plan
◦ Use your tools how you planned
◦ Record as much as possible (you’ll make sense of your notes later)
◦ Interview, interview, interview
Completing Your Strategy
Now What?
Create
◦ Create a report format
Analyze
◦ Review findings
◦ Compile metrics
◦ Record vulnerabilities
Prepare
◦ Complete your report
◦ Determine who will review it
Communicate
◦ Alert your Rep and FCIS of your results
Have you communicated with them? Do they know your company? Do they know your programs?
What can you do to assist them?
Who Is Your Rep and FCIS?
Preparing For Your Assessment
Review your facility binder
◦ Is it organized?
◦ Are all of your forms up to date?
◦ Does it have examples of the forms you use?
◦ Does it have your Sec Ed information?
◦ Do you have a copy of your self-inspection report in it?
Remember That Binder?
◦ Do you know your Rep and FCIS yet?
◦ Do you know when your assessment is planned for?
◦ Do you know what strategy will be utilized?
◦ Do you know your facility’s Category?
◦ Do your employees know when they’ll see suits in the building?
How Was That Communication?
NISP Enhancements: OLD vs. NEW
Security Rating Calculation Worksheet
Rating Calculation (complete areas in yellow)
*Note: For rating calculation purposes, treat multiple occurrences under the same NISPOM reference as one vulnerability.
Place or select "X" for each enhancement that applies to the program.
Select CAT: Starting Score → 700
NISP Enhancement (Yes/No?):
◦ Category 1: Security Education (Events)
◦ Category 2: Security Education (Products)
◦ Category 3: Security Education (Staff Training)
◦ Category 4: Security Education (Community Information Sharing)
◦ Category 5: Contractor Self Review
◦ Category 6: Class Material Control
◦ Category 7: CI
◦ Category 8: Information Systems
◦ Category 9: FOCI
◦ Category 10: International
◦ Category 11: Community Membership
◦ Category 12: (↑) Active Participation
◦ Category 13: Personnel Security
◦ Other
Red Flags
Vulnerabilities (Non-A/C) by Reference* / Other
Acute/Critical by Reference* / Other
FINAL SCORE → Rating:
◦ 599 & Below = Unsatisfactory
◦ 600 - 649 = Marginal
◦ 650 - 749 = Satisfactory
◦ 750 - 799 = Commendable
◦ 800 & Above = Superior
Facility Data Information
◦ CAGE Code:
◦ Company:
◦ Assessment Date:
◦ Field Office:
◦ Team Assessment:
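As an added illustration of the worksheet arithmetic (this code is not part of the presentation or of any official worksheet), the Python below starts at 700, collapses repeated findings under one NISPOM reference into a single vulnerability as the note above requires, and maps the final score to the rating bands listed. The point values per enhancement and per vulnerability are placeholders, since the slide does not give them, and the reference names in the sample are constructed.

```python
from collections import defaultdict

STARTING_SCORE = 700  # from the worksheet

# Placeholder point values: the worksheet does not state them (assumption).
ENHANCEMENT_POINTS = 10      # per NISP enhancement category marked "X"
VULNERABILITY_POINTS = -10   # per unique non-acute/critical NISPOM reference
ACUTE_CRITICAL_POINTS = -50  # per unique acute/critical NISPOM reference

# Rating bands as listed on the worksheet: (lower bound, label).
RATING_BANDS = [(800, "Superior"), (750, "Commendable"),
                (650, "Satisfactory"), (600, "Marginal")]


def rating_for(score):
    """Map a final score to its worksheet rating; 599 and below is Unsatisfactory."""
    for floor, label in RATING_BANDS:
        if score >= floor:
            return label
    return "Unsatisfactory"


def dedupe_by_reference(findings):
    """Apply the worksheet note: multiple occurrences under the same NISPOM
    reference count as one vulnerability. findings is a list of
    (reference, acute_critical) pairs. A reference is treated as acute/critical
    if any occurrence under it is (assumption; the worksheet does not say)."""
    by_ref = defaultdict(bool)
    for reference, acute_critical in findings:
        by_ref[reference] = by_ref[reference] or acute_critical
    return dict(by_ref)


def compute_rating(enhancements_marked, findings):
    """Return (final_score, rating) for one assessment."""
    by_ref = dedupe_by_reference(findings)
    acute = sum(1 for flag in by_ref.values() if flag)
    non_acute = len(by_ref) - acute
    score = (STARTING_SCORE
             + enhancements_marked * ENHANCEMENT_POINTS
             + non_acute * VULNERABILITY_POINTS
             + acute * ACUTE_CRITICAL_POINTS)
    return score, rating_for(score)


# Constructed sample: three marking findings under one reference (count once),
# one acute/critical IS finding, and five effective enhancements marked.
SAMPLE_FINDINGS = [("marking-ref", False), ("marking-ref", False),
                   ("marking-ref", False), ("is-ref", True)]

if __name__ == "__main__":
    print(compute_rating(5, SAMPLE_FINDINGS))  # (690, 'Satisfactory')
```

Without the deduplication step the same sample would score 670; the note on the worksheet is what keeps a repeated marking error from being counted three times.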
Know your vulnerabilities
Re-review the red flags
◦ FOCI
◦ KMP
◦ Deliberate disregard of NISPOM or SPP
◦ Unmitigated loss or compromise
◦ Processing on an unaccredited information system
Enhancements must be EFFECTIVE
Very Important
Entrance:
◦ Summarize your facility and the work that is accomplished
◦ Quickly review your self-inspection
◦ Provide your Rep with a copy of your briefing and NISP enhancements (their job is to trust, but verify)
◦ Keep it short and precise
Exit:
◦ Take notes
◦ Ask questions
Briefings
Why?
Questions?
Michael Campbell
Security Manager
Email: [email protected]
Phone: (760) 476-2123