Tier 1

Tier 2

Tier 3

Configuration Change Control

Access Restrictions for Change

Configuration Settings

Least Functionality

Software Usage Restrictions

User-Installed Software

Configuration Change Control

Access Restrictions for Change

Configuration Settings

Least Functionality

Software Usage Restrictions

User-Installed Software

Configuration Change Control

Access Restrictions for Change

Configurations Settings

Least Functionality

Software Usage Restrictions

User-Installed Software

Configuration Change Control

Access Restrictions for Change

Configuration Settings

Least Functionality

Software Usage Restrictions

User-Installed Software

The NISP ensures that requirements for continuous monitoring are undertaken by the government before any classified work may begin

The NISP ensures the partnership between the federal government and private industry places the burden of risk on the subcontractors.

The NISP ensures that restrictions on continuous monitoring activities are in place before any classified work may begin.

The NISP ensures that monitoring requirements, restrictions, and safeguards that industry must follow are in place before any classified work may begin.

The configuration management process ensures that patches are applied on systems once a year as a continuous monitoring activity.

Implementing information system changes almost always results in some adjustment to the system configuration that requires continuous monitoring of security controls.

The configuration management process ensures that a schedule for continuous monitoring is in place for anticipated future interconnected systems.

Risk management in continuous monitoring ensures that information security solutions are broad-based, consensus-driven, and address the ongoing needs of and risks to the government and industry.

Cybersecurity requirements are managed through the risk management framework while continuous monitoring activities address password changes and Help Desk tasks.

Risk management facilitates an organization-wide vision for security but does not impact continuous monitoring daily and weekly activities.

Tier 2 ISCM strategies focus on ensuring that all system-level security controls
are implemented correctly, operate as intended, produce the desired outcome with respect to meeting the security requirements for the system, and continue to be effective over time.

Tier 2 ISCM strategies focus on the controls that address the establishment and management of the organization’s information security program, including establishing the minimum frequency with which each security control or metric is to be assessed or monitored.

Tier 2 ISCM strategies focus on high-level information security governance policy as it relates to risk to the organization as a whole, to its core missions, and to its business functions.

Counterintelligence and cybersecurity personnel test automated tools and make recommendations to industry and DoD organizations.

Through aggregation and analysis of Suspicious Network Activity via cyber intrusion, viruses, malware, backdoor attacks, acquisition of user names and passwords, and similar targeting, the DSS CI Directorate produces and disseminates reports on trends in cyberattacks and espionage.

Security auditing is a fundamental activity in continuous monitoring in order to schedule automatic security maintenance.

Security auditing is a fundamental activity in continuous monitoring in order to ensure access restriction controls are in place on an information system.

Security auditing is a fundamental activity in continuous monitoring in order to determine what activities occurred and which user or process was responsible for them on an information system.

The RMF process provides a flexible approach with decision-making at Tier 3.

The RMF process ensures that business process decisions can override user information system concerns.

The RMF process emphasizes continuous monitoring and timely correction of deficiencies.

Keep up-to-date inventories

Interoperability and operational reciprocity

Force users to use encryption

Program Manager/System Manager

Information System Owner

Information System Security Officer

User Representative

Select Control Panel from the Windows Start menu and then select the Security Event Log

Select Control Panel from the Windows Start menu and then select Windows Log

Select Control Panel from the Windows Start menu and then select the Administrative Tools link

Select Control Panel from the Windows Start menu and then select the System and Security link

Step 1, categorize the system

Step 4, assess the controls

Step 5, authorize the information system

Step 6, monitor the security controls

Counterintelligence and cybersecurity personnel ensure the contractor’s Information System Security Manager checks for unusual activity on a classified system at least once during the contract period of performance.

Counterintelligence and cybersecurity personnel share and report unauthorized accesses attempts, denial of service attacks, exfiltrated data, and other threats/vulnerabilities.

Counterintelligence and cybersecurity personnel ensure the contractor’s Information System Security Officer checks for unusual activity on a classified system at least once during the contract period of performance.

Step 1: Define an ISCM strategy

Step 2: Establish an ISCM program

Step 3: Implement an ISCM program

Step 4: Analyze data and report findings

Step 5: Respond to findings

Step 6: Review and update the monitoring program

Baseline Configuration

Least Functionality

Software Usage Restrictions

Information System Component Inventory

The patch management process integrates with SecCM once a year when system maintenance is performed.

The patch management process integrates with SecCM on a regular basis when restrictions must be lifted so that all system users can download software updates.

The patch management process integrates with SecCM when performing a Security Impact Analysis to determine whether unanticipated effects from a patch resulted in a change to existing security controls.

Phase 1: Planning

Phase 2: Identifying and Implementing Configurations

Phase 3: Controlling Configuration Changes

Phase 4: Monitoring

National Industrial Security Program Operating Manual (NISPOM), Chapter 1.

National Industrial Security Program Operating Manual (NISPOM), Chapter 3.

National Industrial Security Program Operating Manual (NISPOM), Chapter 5.

National Industrial Security Program Operating Manual (NISPOM), Chapter 8.

Tier 1 - the Organization level

Tier 2 - the Mission/Business Process level

Tier 3 - the Information System level

Least Functionality

User-Installed Software

Baseline Configuration

Access Restrictions for Change

Tier 1 ISCM strategies focus on assessing and monitoring hybrid and common controls implemented at the system level.

Tier 1 ISCM strategies focus on how the organization plans to assess, respond to, and monitor risk as well as the oversight required to ensure that the risk management strategy is effective.

Tier 1 ISCM strategies focus on how ensuring that all system-level security controls (technical, operational, and management controls) are implemented correctly and operate as intended.

The RMF process provides a flexible approach to decision-making at Tier 3.

The RMF process ensures traceability and transparency across all levels of the organization.

The RMF process ensures that business process decisions can override user information system concerns.

Determining whether a contractor should be allowed to monitor and assess their classified network activity.

Determining whether a contractor audit trail is a necessary indicator cyber defense

Addressing risks from an information system and platform information technology system perspective to ensure a process for analyzing threats and vulnerabilities is in place, defining the impact, and identifying countermeasures.

Security event log

Setup event log

System event log

Forwarded event log

The patch management process integrates with SecCM on a regular basis when restrictions must be lifted so that all system users can download software updates.

The patch management process integrates with SecCM once a year when system maintenance is performed.

The patch management process integrates with SecCM when updating the baseline configuration to the current patch level and then testing and approving patches as part of the configuration change control process.

A well-defined configuration management process that integrates continuous monitoring ensures a firm schedule for security patch updates once a year.

A well-defined configuration management process that integrates continuous monitoring ensures the system baseline will not change.

A well-defined configuration management process that integrates continuous monitoring ensures that the required adjustments to the system configuration do not adversely affect the security of the information system.

Investigation of the reasoning behind access restrictions at all levels of the organization.

Investigation into events of unauthorized downloads or uploads of sensitive data; unexplained storage of encrypted data; and unauthorized use of removable media or other transfer devices.

Investigation into physical security breaches at the facility.

Continuous monitoring capabilities can detect transmission of information to foreign IP addresses but cannot determine whether classification markings have been removed.

Continuous monitoring capabilities enable security professionals to make quick adjustments to access restriction controls.

Continuous monitoring capabilities and tools ensure cybersecurity products operate in a net-centric manner to enhance the exchange of data and shared security policies.

Offer of financial assistance by a foreign national or stranger

Unreported or frequent foreign travel

Termination notice to go work for a competing company

Contact with an individual who is suspected of being associated with foreign intelligence

a person who works overtime

a person with access to information who unknowingly reveals more than they should to persons without a need to know

a person with access to multiple Special Access Programs

a person who discusses their job with co-workers within the Sensitive Compartmented Information Facility (SCIF)

National security

Your job

Your company’s proprietary and research information

All of the above

Drugs or alcohol

Gambling

Adultery

Financial problems

All of the above

Unsolicited requests for information

Solicitation and marketing of services

Cyber Attacks

International conventions, seminars, and exhibits

All of the above

Hacking

Inputting falsified corrupted data

Phishing

Introducing malicious code such as a virus, logic, or Trojan horse

All of the above

Illegal downloads

Viruses

Weak passwords

Disgruntled or Co-opted employee

All of the above

Call the FBI Hot Line

Report directly to your CI or Security Office

Start recording their conversations to gather evidence

Discuss situation with others to get second opinion

An unidentified press release

A lucky guess

A paid source

A Security Anomaly

Solicitation and Marketing of Services

International conventions, seminars, and exhibits

Elicitation

Visits to Department of Defense (DoD) or contractor facilities

Industrial Security Facilities Database (ISFD)

Electronic Facility Clearance (e-FCL) System

Joint Personnel Adjudication System (JPAS)

Electronic Questionnaires for Investigations Processing (e-QIP)

Industrial Security Facilities Database (ISFD)

Electronic Facility Clearance (e-FCL) System

Joint Personnel Adjudicatoin System (JPAS)

Electronic Questionnaires for Investigations Processing (e-QIP)

It should be downgraded

It should be revoked

It should be terminated

No action is necessary

The branch facility

Both the home office facility and the branch facility

The home office facility

It should be revoked

It should be downgraded

It should be administratively terminated

No action is necessary

Limited liability company

Multiple facility organization

Parent-Subsidiary

Partnership

Government Contracting Activity

Industrial Security Representative

PSMO-I

SF-312

Exclusion resolution

Fingerprint card

SF-328

A division or branch within a multiple facility organization

A partnership

A limited liability corporation

A cleared parent company

The government contracting activity sponsoring the facility security clearance request

There is no need to provide a CAGE code for any party in the sponsorship letter

The cleared prime contractor sponsoring the facility security clearance request and the uncleared contractor being sponsored, if it has one

Sole proprietorship

Corporation

Limited liability company

KMP List

DD Form 441

DD Form 254

Only the subsidiary must execute DD Form 441.

Only the parent must execute DD Form 441.

Both the parent and the subsidiary must execute their own DD Form 441.

JPAS

ISFD

e-QIP

e-FCL

Because final eligibility determinations for all key management personnel have not yet been completed

Because all required documentation has not yet been completed

Because all FOCI factors have not yet been favorably adjudicated

The parent must obtain a facility security clearance at a level equal to the level at which the subsidiary is cleared.

The parent will be formally excluded from all access to classified information.

No action is required.

No, because the new FSO is already cleared, a report is not required

No, this does not need to be reported

Yes, this is a reportable change

No, the sponsoring activity is responsible for all costs associated with the facility security clearance process.

No, there is no direct cost to the contractor for being processed for a facility security clearance

Yes, the contractor must pay the government for services rendered during the facility security clearance request process.

No, the sale of stocks is never a reportable change

No, this does not need to be reported

Yes, this is a reportable change

Sponsorship Letter

Business structure

SF-328

DD Form 441

No. All the involved key management personnel must have final personnel security clearance determinations in order for the facility to be issued a final facility security clearance.

Yes. A final facility security clearance may be issued as long as all the involved key management personnel have interim personnel security clearance determinations.

Yes. Personnel security clearance determinations for key management personnel are not required in order to be issued a facility security clearance.

The contractor

The government

Either the government or the contractor

Sponsorship, bona fide classified procurement need, business structure

Legal entity organized under U.S. laws, company has reputation for integrity, FOCI factors sufficiently managed

Sponsorship, DD Form 441, key management personnel

Contract Officer

FCB Security Specialist

Industrial Security Representative

Invalidation of a facility security clearance does not prevent a contractor from receiving new contracts.

Invalidation of a facility security clearance is a final terminating action revoking all privileges associated with an active clearance.

Invalidation of a facility security clearance is an interim measure allowing a contractor to correct negative security circumstances.

Information

Operational

Equipment

Facility

Vulnerability

Risk

Threat

Regressive

What undesirable events regarding a particular asset concern the asset owner?

Could significant damage to national security or loss/injury to human life occur as a result of this event?

What critical/valuable equipment is located at this site? Why is it critical or valuable?

Where are the assets located?

Manpower

Equipment

Written Procedure

Quantity

Undesirable event

Effectiveness

Quality

To identify potential countermeasures for reducing an asset’s vulnerabilities and overall risk to the asset

To identify the value of assets and the degree of impact if they are damaged or lost

To identify vulnerabilities

Intent Assessment Chart

Collection Capability Assessment Chart

Threat Assessment Summary Chart

Countermeasure Analysis Chart

Threats

Vulnerabilities

Countermeasures

Assets

countermeasures

assets

vulnerabilities

threats

What is the potential for an event to take place?

What is the capability of a specific threat?

What is the impact of an undesirable event?

What is the level of weakness at the site?

countermeasures

procedures

assets

policies

Intended plans that may pose a threat to an asset.

The identification of an asset’s threats.

Any individual, group, organization, or government that conducts activities, or has the intention and capability to conduct activities detrimental to assets.

Any indication, circumstance, or event with the potential to cause the loss of, or damage to an asset.

32

48

1

5

IMINT

HUMINT

SIGINT

OSINT

return, impact, threat, vulnerability

risk, impact, threat, vulnerability

return, importance, threat, vulnerability

risk, importance, threat, vulnerability

Has the adversary attacked or exploited assets and personnel before?

Does the adversary have the weapons or tools for exploiting or attacking an asset?

Has the adversary been suspected of attacking or exploiting assets?

Might some foreseeable event cause the adversary to attempt an attack in the future?

As a recognized religion or radical offshoot

Independently, but receives some support from governments

Primarily by the support of a state or country

Autonomously, receiving no support from any governments

Operating overtly

Being rurally based

Being highly mobile

Considering tactical success as mission success

External training

Revolutionary training

Militaristic training

Internal training

Awareness, Prevention, and Deterrence

Mitigation, Reaction, and Destruction

Detection, Protection, and Action

A Vulnerability Assessment should focus only on WMD.

It is an annual requirement to receive a Higher Headquarters Vulnerability Assessment.

The Commander uses a Vulnerability Assessment to determine the susceptibility of assets to attack from threats.

All of the above.

Vulnerability

Asset Criticality

Threat

All of the above

Threat delay

Threat detection

Threat response

All of the above

Execution

Annexes

Situation

Mission

Execution

Annexes

Mission

Administration and Logistics

Need to fund

Should fund

Must fund

Have been released

Are on assignment

Have been captured

All of the above

Satisfying vengeance

Turning the tide in a Guerrilla War

Causing an overreaction

Release of incarcerated comrades

Internal training

External training

Survival training

Communications training

External training

Internal training

Revolutionary training

Militaristic training

Phase II: Intelligence Gathering and Surveillance

Phase IV: Pre-Attack Surveillance and Planning

Phase V: Attack Rehearsal

Phase VII: Escape

Phase I: Broad Target Selection

Phase IV: Pre-Attack Surveillance and Planning

Phase V: Attack Rehearsal

Phase VI: Actions on the Objectives

Phase II: Intelligence Gathering and Surveillance

Phase III: Specific Target Selection

Phase IV: Pre-Attack Surveillance and Planning

Phase VI: Actions on the Objectives

Phase I: Broad Target Selection

Phase III: Specific Target Selection

Phase IV: Pre-Attack Surveillance and Planning

Phase VI: Actions on the Objectives

The forceful seizure of an aircraft, its passengers, and cargo.

The unlawful seizure and detainment of a person, where the person is usually held for ransom.

The most common type of terrorist attack because of the relatively low risk of injury to the terrorist.

One of the oldest terrorist tactics, it means murdering someone in a surprise attack, usually with small arms or bombs.

The most common type of terrorist attack because of the relatively low risk of injury to the terrorist.

The unlawful seizure and detainment of a person, where the person is usually held for ransom.

The forceful seizure of an aircraft, its passengers, and cargo.

One of the oldest terrorist tactics, it means murdering someone in a surprise attack, usually with small arms or bombs.

The forceful seizure of an aircraft, its passengers, and cargo.

The unlawful seizure and detainment of a person, where the person is usually held for ransom.

The most common type of terrorist attack because of the relatively low risk of injury to the terrorist.

One of the oldest terrorist tactics, it means murdering someone in a surprise attack, usually with small arms or bombs.

The forceful seizure of an aircraft, its passengers, and cargo.

The unlawful seizure and detainment of a person, where the person is usually held for ransom.

The most common type of terrorist attack because of the relatively low risk of injury to the terrorist.

One of the oldest terrorist tactics, it means murdering someone in a surprise attack, usually with small arms or bombs.

The forceful seizure of a surface vehicle, its passengers, and/or its cargo.

A surprise attack by a small armed force on a previously defined target.

The seizure of a facility to include taking all persons inside hostage.

A sudden attack made from a concealed position on a previously defined target.

The forceful seizure of a surface vehicle, its passengers, and/or its cargo.

A surprise attack by a small armed force on a previously defined target.

The seizure of a facility to include taking all persons inside hostage.

A sudden attack made from a concealed position on a previously defined target.

The forceful seizure of a surface vehicle, its passengers, and/or its cargo.

A surprise attack by a small armed force on a previously defined target.

The seizure of a facility to include taking all persons inside hostage.

A sudden attack made from a concealed position on a previously defined target.

The forceful seizure of a surface vehicle, its passengers, and/or its cargo.

A surprise attack by a small armed force on a previously defined target.

The seizure of a facility to include taking all persons inside hostage.

A sudden attack made from a concealed position on a previously defined target.

Environmental Destruction

Seizure

Sabotage

Threats/Hoaxes

Environmental Destruction

Seizure

Sabotage

Threats/Hoaxes

Maliciousness

Disdain of security practices

Carelessness in protecting DoD information

Ignorance of security policy and security practices

All of the above

Sub-Revolutionary

Establishment

Revolutionary

Sub-Revolutionary

Establishment

Revolutionary

Sub-Revolutionary

Establishment

Revolutionary

High

Significant

Moderate

Low

A general global threat of possible terrorist activity exists

An increased threat of terrorist activity exists

A terrorist attack has occurred

Intelligence indicates some form of terrorist activity is likely