Risk-based Security Operations (RISO)
The United States is now facing the most significant foreign intelligence threat it has ever encountered. Adversaries are successfully attacking cleared industry at an unprecedented rate. They are using multiple avenues of attack, varying their methods, and adjusting their priorities based on the targeted information they need. As a result, they are upgrading their military capabilities and competing against our economy using the very same information they stole from cleared industry.
To counter this threat, DCSA is partnering with U.S. industry to design, develop, and pilot an intelligence-led, asset-focused, and threat-driven approach to industrial security oversight. Called “DCSA in Transition” (DiT) in its pilot phase, this five-step approach is now called Risk-based Industrial Security Operations, or RISO. RISO allows DCSA to apply cross-functional teams of experts toward securing the companies most at risk of attack and compromise. RISO will help the industrial base ensure that contracted capabilities, technologies, and services are delivered to the U.S. government uncompromised by adversaries.
The 5-Step Process
Over 300 industry partners working on critical technologies have participated in security reviews applying the new RISO methodology. For those industry partners who have not been able to benefit from one of these enhanced reviews, there are actions you can take now to incorporate the new approach and improve the protection of critical technologies. Below you will find information and resources on the 5-step process, from prioritization and a security baseline to a security plan and active monitoring. The goal is for companies to better use finite security resources and apply them where they are most needed. Upon completing an initial security plan, industry partners are encouraged to share the plan with DCSA for coordination and dialogue. DCSA continues to review the tools and training materials available to our industry partners as together we improve critical technology protection.