DCSA Security Review and Rating Process


DCSA’s role as the National Industrial Security Program, or NISP, cognizant security office for the Department of Defense (DOD) is to provide Government Contracting Activities (GCAs) with assurance that contractors are eligible for access to classified information and have systems in place to properly safeguard the classified information both in their possession and to which they have access. The continuing process of providing these assurances to the GCA depends upon DCSA’s knowledge of internal processes and security procedures established and maintained by contractor facilities. One of the primary means we obtain this knowledge is through our recurring security review process.

During the security review process, DCSA subject matter experts review internal processes to evaluate NISPOM compliance and identify potential gaps in security controls; discuss approach vectors applicable to the facility and determine if measures are in place to counter potential threats; and advise the contractor on how to achieve and maintain an effective security program. DCSA personnel also assess corrective actions taken by the facility to ensure that previously identified vulnerabilities are fully mitigated. Using the information and knowledge from the security review, DCSA coordinates a formal security rating of superior, commendable, satisfactory, marginal, or unsatisfactory that reflects the facility’s effectiveness in protecting classified information.

The security rating process is a criteria-based system that uses a compliance-first approach. Contractors operating in a state of general conformity (98% of NISP facilities) are considered for higher than satisfactory ratings. Criteria for superior and commendable ratings use a whole-company approach spanning four security posture categories: NISPOM Implementation, Management Support, Security Awareness, and Security Community. All criteria must be achieved at the rating level to be assigned that rating.

The security review and rating process is a collaborative effort with an emphasis placed on problem solving and classified information protection. All NISP contractors are subject to a security review on a recurring basis and contractor participation is required to maintain an FCL.

For more information, check out the tabs below.