Self-Inspection / Assessment Preparation
December 2013
Michael Campbell, ViaSat, Inc.
Why Am I Here?
• NISPOM requirements
• Interpretation
◦ Category level
◦ Business best practices
• Available tools
• Pre-inspection
• Self-inspection
• Post-inspection
• Communication
• Preparation for the formal assessment
Our Day-to-Day Jobs
[Diagram: risk drawn as the overlap of Asset, Vulnerability and Threat; where all three meet there is RISK.]
What Have We Gotten Ourselves Into?
• NISPOM 1-206(b)
◦ "Contractors shall review their security system on a continuing basis and shall also conduct a formal self-inspection at intervals consistent with risk management principles."
What's a Category?
• What category is your facility?
◦ AA: Multi-week assessment
◦ A: Large and complex facility with many programs, contracts, holdings, etc.
◦ B: First category requiring a team of Reps for the formal assessment
◦ C: Largest category still assessed by a single Rep
◦ D: Smallest category with safeguarding
◦ E: Contracts and cleared personnel only (no safeguarding)
What Do Your Folks Do?
• Know your company:
◦ Product lines
◦ Corporate structure
◦ PMs (program managers)
• KNOW YOUR COMPANY
What Tools Will You Use?
• MS Project
• SharePoint
• Gantt charts
• SIMS
• Self-Inspection Handbook for NISP Contractors
What Do I Do?
[Charts: vulnerability trends by NISPOM area, 2010 vs. 2011. The recoverable figures:]

Area                       2010    2011
Marking                     75%     38%
Information Systems (IS)    25%     23%
Reporting                    0%     15%
Documentation                0%      8%
Personnel                    0%      8%
Education                    0%      8%

Marking vs. non-marking: 2010 Marking 75% / Non-marking 25%; 2011 Marking 38% / Non-marking 62%.
What Strategy Will You Utilize?
• Programmatic?
• Traditional?
• Unannounced?
• Assisted?
• Have you had any "red flags"?
General Business Best Practices
• Adopt the "verify and validate" mindset
• Create your inspection binder
• Review your SPP (Standard Practice Procedures)
• Explain the process of vulnerability assessments to employees following their interviews (this may be their first)
• Ask open-ended questions (ALWAYS)
Where To Begin
• When will you begin?
• How long do you plan to take?
• Who will you interview?
• To whom, and how, will you communicate the results?
• Do you plan on keeping metrics?
Completing Your Strategy
• Stick to your plan
• Use your tools as you planned
• Record as much as possible (you'll make sense of your notes later)
• Interview
Now What?
• Create
◦ Create a report format
• Analyze
◦ Review findings
◦ Compile metrics
◦ Record vulnerabilities
• Prepare
◦ Complete your report
◦ Determine who will review it
• Communicate
◦ Alert your Rep and FCIS of your results
Who Is Your Rep and FCIS? (Your DSS Industrial Security Representative and Field Counterintelligence Specialist)
• Have you communicated with them?
• Do they know your company?
• Do they know your programs?
• What can you do to assist them?
Preparing For Your Assessment
Remember That Binder?
• Review your facility's binder
◦ Is it organized?
◦ Are all of your forms up to date?
◦ Does it have examples of the forms you use?
◦ Does it have your security education (Sec Ed) information?
◦ Do you have a copy of your self-inspection report in it?
How Was That Communication?
• Do you know your Rep and FCIS yet?
• Do you know when your assessment is planned for?
• Do you know what strategy will be utilized?
• Do you know your facility's Category?
• Do your employees know when they'll see suits in the building?
NISP Enhancements
[Slide shows the Security Rating Calculation Worksheet; its recoverable content is summarized below.]

Security Rating Calculation Worksheet (complete areas in yellow)
• Facility data: CAGE Code, Company, Assessment Date, Field Office, Team Assessment, Red Flags (Yes/No)
• Select CAT (facility category); Starting Score: 700
• NISP Enhancements: place or select "X" for each enhancement that applies to the program
◦ Category 1: Security Education (Events)
◦ Category 2: Security Education (Products)
◦ Category 3: Security Education (Staff Training)
◦ Category 4: Security Education (Community Information Sharing)
◦ Category 5: Contractor Self Review
◦ Category 6: Classified Material Control
◦ Category 7: CI
◦ Category 8: Information Systems
◦ Category 9: FOCI
◦ Category 10: International
◦ Category 11: Community Membership
◦ Category 12: Active Participation
◦ Category 13: Personnel Security
◦ Other
• Vulnerabilities (non-acute/critical) by NISPOM reference*; Other
• Acute/Critical vulnerabilities by NISPOM reference*; Other
• FINAL SCORE
• Rating:
◦ 599 & below = Unsatisfactory
◦ 600 - 649 = Marginal
◦ 650 - 749 = Satisfactory
◦ 750 - 799 = Commendable
◦ 800 & above = Superior

*Note: For rating calculation purposes, treat multiple occurrences under the same NISPOM reference as one vulnerability.
Very Important
• Know your vulnerabilities
• Re-review the red flags:
◦ FOCI (Foreign Ownership, Control or Influence)
◦ KMP (Key Management Personnel)
◦ Deliberate disregard of NISPOM or SPP
◦ Unmitigated loss or compromise
◦ Processing on an unaccredited information system
• Enhancements must be EFFECTIVE
Briefings
• Entrance:
◦ Summarize your facility and the work that is accomplished there
◦ Quickly review your self-inspection
◦ Provide your Rep with a copy of your briefing and NISP enhancements (their job is to trust, but verify)
◦ Keep it short and precise
• Exit:
◦ Take notes
◦ Ask questions
Why?
Questions?
Michael Campbell, Security Manager
Email: michael.campbell@viasat.com
Phone: (760) 476-2123