HomeMission CentersCritical Technology ProtectionRisk-Based Security Oversight (RISO)

Risk-based Security Operations (RISO)

The United States is now facing the most significant foreign intelligence threat it has ever encountered. Adversaries are successfully attacking cleared industry at an unprecedented rate. They are using multiple avenues of attack, varying their methods, and adjusting their priorities based on the targeted information they need. As a result, they are upgrading their military capabilities and competing against our economy using the very same information they stole from cleared industry.

To counter this threat, DCSA is partnering with U.S. industry to design, develop, and pilot an intelligence-led, asset-focused, and threat-driven approach to industrial security oversight. Called “DCSA in Transition” (DiT) in its pilot phase, this five-step approach is now called Risk-based Industrial Security Operations, or RISO. RISO allows DCSA to apply cross-functional teams of experts toward securing the companies most at risk of attack and compromise. RISO will help the industrial base ensure that contracted capabilities, technologies, and services are delivered to the U.S. government uncompromised by adversaries.

Information

The 5-Step Process

Over 300 industry partners working on critical technologies have participated in security reviews applying the new RISO methodology. For those industry partners who have not been able to benefit from one of these enhanced reviews, there are actions you can take now to incorporate the new approach and improve the protection of critical technologies. Below you will find information and resources on the 5-step process, from prioritization and a security baseline to a security plan and active monitoring. The goal is for companies to better use finite security resources and apply them where they are most needed. Upon completing an initial security plan, industry partners are encouraged to share the plan with DCSA for coordination and dialogue. DCSA continues to review the tools and training materials available to our industry partners as together we improve critical technology protection.

While DCSA allocates its resources and prioritizes its activity based on national security information, industry partners can proactively begin activities that will lead to a RISO based security plan. Industry partners, through real-time knowledge of classified contracts and programs, should start the process by identifying critical assets and developing awareness of threats related to those assets.

 

Asset Identification

Industrial Base Technology List

Critical Program Information Security Short

 

Threat Awareness

Idustrial Base Technology List

Critical Program Information Security Shorts

Case Studies

Counterintelligence Awareness Toolkit

MCMO Video

After identifying assets and incorporating threat awareness, industry should leverage the Security Baseline to compile information related to those assets and their protection.

 

Asset Identification

Asset ID Guide

Asset ID Desktop Tool

PIEFAO-S Job Aid with Fishbone Diagram

FSO Toolkit: Asset Identification / Security Baseline

Asset Identification and Your Security Review

Industry partners should enhance the self-assessments of their security programs to ensure comprehensive controls of identified assets. To do this, they should conduct not only the standard self-inspection but also incorporate supply-chain risk management (SCRM) as well as reviews for other potential vulnerabilities related to identified assets.

 

Vulnerability Identification

Self-Inspection Handbook

CDSE Risk Management Student Guide

What's different about my Security Review now?

 

Supply Chain Risk Management (SCRM)

CDSE SCRM Job Aid

USASMDC / ARSTRAT Technology Center “SCRM” Handout

NCSC “Exploitation of Global Supply Chain” Document

NIST “Notional Supply Chain Risk Management Practices” Report

After participating in a corporate or DCSA security review the next step is to document the findings and remedial actions needed to improve your security program. As depicted by the wheel-shaped RISO graphic this is a cyclic process where improvements lead to new opportunities and back to updated prioritization. Key in the cycle is to make substantive changes to avoid repeating past weaknesses.

The Security Plan documents actions to be taken, responsibilities for performing that work, and standards by which to measure completion and effectiveness of the remediation. Ensuring that actions taken are integrated into the facility security program and overall corporate operations will achieve lasting benefit to industrial security.

 

Security Plan Materials

Standard Practices & Procedures (SPP) - webinar

RISO Slick Sheet - TSP

The Security Plan is a living document. As companies complete and commence contracts, as threats evolve, and as new vulnerabilities emerge, industry partners must actively continue to conduct the actions related to the new methodology and update their Security Plans as necessary.

As depicted by the circular RISO graphic, Active Monitoring flows naturally into updated planning as facilities return to the Prioritization stage to accommodate threat, environmental, corporate, operational, and contractual changes. Key to effective monitoring is to establish relevant metrics and data review governance processes.

 

Active Monitoring

What is Active Monitoring

RISO Tools

For more industry tools, resources, and training, click here.