Risk-based Security Oversight (RISO)
The United States is now facing the most significant foreign intelligence threat it has ever encountered. Adversaries are successfully attacking cleared industry at an unprecedented rate. They are using multiple avenues of attack, varying their methods, and adjusting their priorities based on the targeted information they need. As a result, they are upgrading their military capabilities and competing against our economy using the very same information they stole from cleared industry.
To counter this threat, DCSA is partnering with U.S. industry to design, develop, and pilot an intelligence-led, asset-focused, and threat-driven approach to industrial security oversight. Called “DCSA in Transition” (DiT) in its pilot phase, this five-step approach is now called Risk-based Industrial Security Oversight, or RISO. RISO allows DCSA to apply cross-functional teams of experts toward securing the companies most at risk of attack and compromise. RISO will help the industrial base ensure that contracted capabilities, technologies, and services are delivered to the U.S. government uncompromised by adversaries.
The 5-Step Process
Many industry partners working on critical technologies have undergone the RISO Comprehensive Security Review (CSR), which results in a Tailored Security Plan (TSP). For those industry partners who have not yet undergone a CSR, there are actions you can take now to incorporate the new approach and enhance the protection of critical technologies. Below you will find information and resources on the 5-step process, from prioritization and a security baseline to a tailored security plan and active monitoring. The goal is for companies to better use finite security resources and put them where they are most needed. Upon completing an initial TSP, industry partners are encouraged to share the plan with DCSA for coordination and dialogue as industry partners continue to play a vital role in critical technology protection.