Risk-Based Security Oversight (RISO)

Risk-based Security Oversight (RISO)

The United States is now facing the most significant foreign intelligence threat it has ever encountered. Adversaries are successfully attacking cleared industry at an unprecedented rate. They are using multiple avenues of attack, varying their methods, and adjusting their priorities based on the targeted information they need. As a result, they are upgrading their military capabilities and competing against our economy using the very same information they stole from cleared industry.

To counter this threat, DCSA is partnering with U.S. industry to design, develop, and pilot an intelligence-led, asset-focused, and threat-driven approach to industrial security oversight. Called “DCSA in Transition” (DiT) in its pilot phase, this five-step approach is now called Risk-based Industrial Security Oversight, or RISO. RISO allows DCSA to apply cross-functional teams of experts toward securing the companies most at risk of attack and compromise. RISO will help the industrial base ensure that contracted capabilities, technologies, and services are delivered to the U.S. government uncompromised by adversaries.

Information

RISO Overview: PowerPoint Presentation (August 2019), Information Sheet (updated July 2018), and “Slick Sheet” (January 2019)
RISO Webinars: 2019 DiT Webinar Series (archived)
DCSA Director's letter to industry dated Jan. 19, 2018: Provides an update on the status of the DiT initiative.
Voice of Industry Newsletters with updates relevant to RISO (DiT) are available under Industry Tools

The 5-Step Process

Many industry partners working on critical technologies have undergone the RISO Comprehensive Security Review (CSR), which results in a Tailored Security Plan (TSP). For those industry partners who have not yet undergone a CSR, there are actions you can take now to incorporate the new approach and enhance the protection of critical technologies. Below you will find information and resources on the 5-step process, from prioritization and a security baseline to a tailored security plan and active monitoring. The goal is for companies to better use finite security resources and put them where they are most needed. Upon completing an initial TSP, industry partners are encouraged to share the plan with DCSA for coordination and dialogue as industry partners continue to play a vital role in critical technology protection.

Overview
Prioritization
Security Baseline
Security Review
Tailored Security Plan (TSP)
Active Monitoring

While DCSA allocates its resources and prioritizes its activity based on national security information, industry partners can proactively begin activities that will lead to a TSP. Industry partners, through real-time knowledge of classified contracts and programs, should start the process by identifying critical assets and developing awareness of threats related to those assets.

Asset Identification

Industrial Base Technology List

Critical Program Information Security Short

Threat Awareness

Idustrial Base Technology List

Critical Program Information Security Shorts

Case Studies

Counterintelligence Awareness Toolkit

MCMO Video

After identifying assets and incorporating threat awareness, industry should leverage the Security Baseline to compile information related to those assets and their protection.

Asset Identification

Asset ID Guide

Asset ID Desktop Tool

PIEFAO-S Job Aid with Fishbone Diagram

FSO Toolkit: Asset Identification / Security Baseline

Asset Identification and Your Security Review

Industry partners should enhance the self-assessments of their security programs to ensure comprehensive controls of identified assets. To do this, they should conduct not only the standard self-inspection but also incorporate supply-chain risk management (SCRM) as well as reviews for other potential vulnerabilities related to identified assets.

Vulnerability Identification

Self-Inspection Handbook

CDSE Risk Management Student Guide

What's different about my Security Review now?

Supply Chain Risk Management (SCRM)

CDSE SCRM Job Aid

USASMDC / ARSTRAT Technology Center “SCRM” Handout

NCSC “Exploitation of Global Supply Chain” Document

NIST “Notional Supply Chain Risk Management Practices” Report

After identifying vulnerabilities based on threats related to assets, industry partners should develop appropriate countermeasures. The security controls listed on the Security Baseline should be updated to reflect any new or enhanced countermeasures. This updated Security Baseline constitutes an initial TSP.

Industry partners also may want to codify and expand on countermeasures through a Standard Practice Procedures (SPP) document.

A new Tailored Security Plan (TSP) Template is available through your NISS account. Open the Knowledge Base and search for “TSP Template.”

Tailored Security Plan Materials

Tailored Security Plan (TSP) - webinar

RISO Slick Sheet - TSP

The TSP is a living document. As companies complete and commence contracts, as threats evolve, and as new vulnerabilities emerge, industry partners must actively continue to conduct the actions related to the new methodology and update TSPs as necessary.

Active Monitoring

What is Active Monitoring

RISO Tools

For more industry tools, resources, and training, click here.

Critical Technology Protection

Facility Security Officers

Field Locations

National Industrial Security Program (NISP)

NISP Authorization Office

Facility Clearances

Foreign Ownership, Control or Influence (FOCI) - +

Risk Based Industrial Security Oversight (RISO)

Controlled Unclassified Information (CUI)

Industry Tools

Cogswell Award

National Access Elsewhere Security Oversight Center (NAESOC) - +

International Programs - +

Special Programs - +

Risk-based Security Oversight (RISO)