DCSA - Defense Counterintelligence and Security Agency

10/11/2024 | Press release | Distributed by Public on 10/11/2024 13:27

On the Front Lines: OCCA’s dive into Industrial Security

Editor's Note: The following is a first-person account of a ride along during a security review of a cleared facility in the Mid-Atlantic region.

The Industrial Security (IS) team, within Field Operations, is no stranger to being on the front lines as a guardian of the classified information and technology within the National Industrial Security Program (NISP), comprised of 10,000 cleared companies and 12,500 cleared facilities. The mission for the IS team encompasses granting facility clearances, authorizing information systems that process classified information, mitigating foreign ownership, control or influence (FOCI), providing related security services, and managing mission requirements for oversight of cleared contractors.

Field Operations personnel are there every day assessing and monitoring companies that require access to or are in possession of classified information and controlled unclassified information associated with DOD classified contracts. These companies produce critical technology and provide services for the Department of Defense (DOD) and 35 other federal agencies. "Without security safeguards, our adversaries might get access and disrupt our nation's military and economic competitive advantages," said Daniel Finucane, Hanover 2 Field Office Chief, Mid-Atlantic Region.

In a unique collaboration aimed at enhancing clarity of Industrial Security beyond the surface, I was fortunate to be able to go on a ride-along with Giselle Allen, Senior Industrial Security Specialist, and Eric Koluch, Counterintelligence Special Agent (CISA), both serving the Mid-Atlantic Region. I learned not only what a day is like for these professionals; I was also provided invaluable insights into the protocol and procedures of security reviews, as well as the complex landscape of safeguarding critical infrastructure.

DCSA's role, as the cognizant security office for the DOD portion of the NISP on behalf of the Office of the Under Secretary of Defense for Intelligence and Security, is to oversee the protection of classified U.S. Government and foreign government information, technologies, and material entrusted to cleared industry. While the security review process is standard across the board, results will look different for each facility depending on the level of clearance.

Obtaining a facility clearance (FCL) is no easy feat, as work sites, just like employees, have to be properly vetted to ensure it is feasible and safe to handle classified information. During the security review process, the DCSA team reviews internal processes to evaluate compliance with 32 Code of Federal Regulations, Part 117, "National Industrial Security Program Operating Manual," Rule and identify potential gaps in security controls; discusses approach vectors applicable to the facility and determines if measures are in place to counter potential threats; and advises the contractor on how to achieve and maintain an effective security program. DCSA personnel also assess corrective actions taken by the facility to ensure that previously identified vulnerabilities are fully mitigated.

The Mid-Atlantic region averages 3,500 security reviews every fiscal year. Industrial Security representatives (ISRs) average around two to three every month for the fiscal year. ISRs implement a strategy that allows them to remain efficient and deliberate in their approach, while remaining candid and methodical in their collaboration with the facility. This process is in-depth in nature as it requires weeks of preparation through precise coordination with internal and external stakeholders. That includes notifying and scheduling interviews with all parties, reviewing records, analyzing and comparing data from previous year's reviews, conducting exit briefings, and most importantly, enforcing the NISP requirements.

From contacting counterintelligence support and even calling and/or emailing facility stakeholders to gather additional contractual information, industrial security reps begin at the earliest opportunity to assess the scope and complexity to ensure transparency. While most reviews serve as an assessment of operations, this review also incorporated in-depth teaching moments that allowed the company to retain valuable information.

"As the Counterintelligence Special Agent, it is important that I emphasize how the training and knowledge in regard to counterintelligence and insider threat ensures that we are safeguarding the Department of Defense (DoD) and more importantly, the nation," said Koluch. His portion of the review is critical in nature, because it provides an opportunity to converse with the company about foreign adversaries and potential methods of contact, such as email and tradeshows and/or conferences. Moreover, having a CISA as part of the review gives contractors the chance to ask questions to provide clarity on sensitive topics.

"My goal when conducting a security review, before and after, is to reassure the contractor that they have an advocate who is knowledgeable," said Allen. "Whether the facility security review is executed in a home, or a commercial building, the process remains the same." Using the information and knowledge from the security review, DCSA coordinates a formal security rating of superior, commendable, satisfactory, marginal, or unsatisfactory that reflects the facility's effectiveness in protecting classified information.

With any process there are positives and negatives. At face value, the obvious positive factor is that the security review gives DCSA the opportunity to evaluate companies and ensure they are operating in alignment with the NISP. DCSA is focused on process and progress, not perfection. The agency is committed to the success of the facility through intentional integration and collaboration. Through the expertise of ISRs, facilities develop an understanding of the security review process by conducting routine follow-ups and communication via email. Furthermore, implementing the standard security requirements results in more facilities receiving a rating of satisfactory or higher. In contrast, security reviews can have drawbacks when there is miscommunication and lack of understanding from all parties involved.

Both Allen and Koluch emphasized the importance of communication and "streamlining efforts" to ensure cleared facilities and their employees are remaining abreast of the regulations. Additionally, with the advancements in modern technology and artificial intelligence, developing and implementing innovative techniques will be key to the evaluation of the effectiveness of the security review process. "As operations within the Department of Defense and DCSA continue to expand, establishing partnerships internally as an agency will serve as the foundation to understanding how our directorates serve as assets to one another," said Allen. "Remaining consistent with meaningful collaborations, such as a ride-along, enables us to retain knowledge and continue to move forward as Gatekeepers of the nation."