DSS has announced new Vulnerability Assessment Rating Matrix 2013 Update. The matrix does provide a good way to gauge the security program. Even though the threat, vulnerability and impact are already identified, an FSO should still use a risk assessment model. The way to get to good evaluations and enhanced measures is to analyze the protection of classified information and demonstrate how the NISPOM is implemented. A risk analysis provides that answer.
The NISPOM and other guidance make our jobs easy. For example, if it’s classified lock it up in a GSA approved container and limit access to those with clearance and need to know. The above is simplified for discussion purposes, but it makes the point, there is another piece to protection; analysis.
You might be familiar with the terms susceptibility, vulnerability and risk analysis. These are analyses that we in the defense industry should be regularly practicing, but as demonstrated above, NISPOM makes it easy for us to get by without analysis.
Let’s look at the terms in ways we can apply them. Susceptibility is the evaluation of assets on hand and prioritizing them for protection. However, there is no defined threat. For example, I am susceptible to malaria. However, I do not have to take any countermeasures as long as I don’t become exposed to someone who has malaria or travel to an area that is known for malaria outbreaks, I need to take precaution.
Suppose, a contractor makes helicopter harnesses. Their assets are proprietary processes, harnessing material, know how, customer drawings, inventory and facilities. For susceptibility, a security manager would work with shareholders and customers to prioritize the assets and determine which is more valuable and worthy of the most security effort. The security manager would then implement best practices to protect those efforts against general threats. We don’t know who the bad guys are or what they want, we just want to make the product hard to get. Security might put sensitive items under lock, key and alarm, limit access to sensitive information and issue employee badges to keep non employees out of the work area.
Vulnerability is susceptibility in presence of a threat. I am susceptible to malaria, but now I’m going on a trip to Nepal where malaria is documented. I now have documented evidence of a threat and impact; I could become very sick and possibly die. Now I am vulnerable to a threat.
Back to the contractor making harnesses for helicopters. The project manager has just learned that employees from other contracts are “borrowing” inventory to fulfill their customer requirements. This team is vulnerable to not having enough resources to meet customer requirements. We now have documented evidence of a valid threat with the impact of the possible shift in schedule.
A risk analysis looks at the identified vulnerability and applies tailored countermeasures to reduce the threat activity. I don’t want to die so I conduct a risk analysis. I could take the risk adverse direction and just not go to Nepal, but that’s out of the question. Another option is to accept all the risk and take my chances that I could be one of the fortunate ones. However I could go the doctor and get a treatment to prevent malaria even as I am exposed to it. My further risk assessment would include the different kinds of treatment with the various dosage schedules and side effects.
The contractor making helicopter harnesses should conduct similar risk analysis. He could become risk averse and move his employees to a dedicated area and control access exclusively, but the cost would outweigh the risk. He could accept all the risk and continue as before, but the threat would reduce his capability. He could also conduct further analysis and come up with lost cost/no cost solutions to address the threat. These solutions would be to move inventory bin to a better location to be observed. Inform the program managers of other programs of their employees’ unacceptable behavior and etc.
A risk analysis begins with susceptibility analysis and ends with ensuring adequate countermeasures exist to prevent loss. Even though the NISPOM addresses requirements for operating under the National Industrial Security Program, the FSO should address susceptibility, vulnerability and risk for all assets at the cleared facility. Each cleared contractor works with classified information in varying environments and degrees of difficulty. The NISPOM can’t address every situation but risk analysis can.
Jeffrey W. Bennett, ISP is the owner of Red Bike Publishing Red Bike Publishing . He regularly consults, presents security training, and recommends export compliance and intellectual property protection countermeasures. He is an accomplished writer of non-fiction books, novels and periodicals. Jeff is an expert in security and has written many security books including: “Insider’s Guide to Security Clearances” and “DoD Security Clearances and Contracts Guidebook”, “ISP Certification-The Industrial Security Professional Exam Manual”, and NISPOM/FSO Training”.