Security Review & Rating Process

DCSA’s role as the National Industrial Security Program (NISP) cognizant security office for the Department of Defense (DOD) is to provide Government Contracting Activities (GCAs) with assurance that contractors are eligible for access to classified information and have systems in place to properly safeguard the classified information both in their possession and to which they have access. The continuing process of providing these assurances to the GCA depends upon DCSA’s knowledge of internal processes and security procedures established and maintained by contractor facilities. One of the primary means by which DCSA obtains this knowledge is the recurring security review process.
 
During the security review process, DCSA subject matter experts review internal processes to evaluate NISPOM compliance and identify potential gaps in security controls; discuss approach vectors applicable to the facility and determine if measures are in place to counter potential threats; and advise the contractor on how to achieve and maintain an effective security program. DCSA personnel also assess corrective actions taken by the facility to ensure that previously identified vulnerabilities are fully mitigated. Using the information and knowledge from the security review, DCSA coordinates a formal security rating of superior, commendable, satisfactory, marginal, or unsatisfactory that reflects the facility’s effectiveness in protecting classified information.
 
The security rating process is compliance-first and based on a whole-company approach spanning four security posture categories: NISPOM Effectiveness, Management Support, Security Awareness, and Security Community. Contractors operating in a state of general conformity (99% of NISP facilities) receive, at a minimum, a satisfactory security rating. General conformity indicates the facility had no critical vulnerabilities, systemic vulnerabilities, or serious security issues identified during the security review.
 
The security review and rating process is a collaborative effort with an emphasis placed on problem solving and classified information protection. All NISP contractors are subject to a security review on a recurring basis, and contractor participation is required to maintain an FCL.
 
For more information, check out the tabs below.

Effective October 1, 2024, DCSA will begin issuing security ratings using a refined scoring model. Until then, DCSA will continue to use the current security rating process outlined in the resources below. These refinements will only impact the rating component of the current security review process. To learn more about the refinements, visit the Future Rating Process tab.

If you have questions, please reach out to your assigned Industrial Security Representative.

Current Resources

Upcoming Events

June 25, 2024
Introduction to the Security Rating Score
1 - 2:30 p.m. EST
Effective October 1, 2024, DCSA will begin issuing security ratings using a refined scoring model outlined in the resources below.  Until then, DCSA will continue to use the current security rating process. These refinements will only impact the rating component of the current security review process. To learn more about the current process, visit the Current Resources tab.
 

Resources