Zofia Buzz

Defense Security Service to Tackle DOD CUI Program

In a recent public meeting, the Defense Security Service (DSS) confirmed that it will not only be taking over the majority of government background investigations, it will also be taking over the DoD CUI program. Public details are still forthcoming, but we presume the audit process will get started over the next year or two and will be similar to their existing audit and risk management review process. The overall goal is to ensure all products and services delivered to the USG are “uncompromised.” #DeliverUncompromised

There will also be a push from DoD, stated the Director of DSS, for a “4th pillar” of evaluation for contract awards. This means that in addition to cost, performance and schedule, “Security” will become a strong factor of evaluation. The goal is to reward companies that have established and effective security and risk management programs. The Director also stated that there will be heavier penalties exacted for contractor failures to maintain security compliance and oversight on their systems during the contract periods.

An initial self-assessment for CUI compliance is the first of many steps in a thorough risk management program that we presume DSS will audit, and is only one component of the overall information security picture. Any assessment should be complemented with a robust information security program within the organization. A single report cannot reveal all types of security weaknesses, and should not be the sole means of determining an organization’s security posture.

An initial assessment may not provide a detailed architectural analysis of the network or a detailed network hardware/software configuration review. An initial self-assessment is not a substitute for an in-depth analysis of control system vulnerabilities as performed by trained professionals.

Periodic onsite reviews and inspections must still be conducted using a holistic approach including facility walk downs, interviews, and observation and examination of facility practices. Consideration should also be given to additional steps including scanning, penetration testing, and exercises on surrogate, training, or non-production systems, or systems where failures, unexpected faults, or other unexpected results will not compromise production or safety.

Dangers of DIY: http://www.dodig.mil/reports.html/Article/1481961/logical-and-physical-access-controls-at-missile-defense-agency-contractor-locat/