How to Prepare for Your DCSA Assessment
The Defense Counterintelligence and Security Agency (DCSA) is responsible for safeguarding classified information entrusted to DoD contractors. A crucial part of this process is the DCSA Assessment, which all companies with a Facility Security Clearance (FCL) are required to have annually. The purpose of these security assessments is to evaluate a defense contractor’s ability to protect classified data. Achieving at least a satisfactory rating on this assessment is essential for maintaining your FCL and continuing to work with classified information.
An Overview of the DCSA Assessment Process
Each defense contractor with an FCL is assigned to an Industrial Security Representative (ISR) by the DCSA. It is the responsibility of the ISR to ensure a contractor is complying with the policies and procedures outlined in the National Industrial Security Program Operating Manual (NISPOM), 32 CFR Part 117. These assessments typically take 4-6 hours and broadly consist of the ISR asking questions about your security program and requesting documentation. Upon identifying an unmet requirement, the ISR will grant the contractor 15-30 days to submit a corrective action plan. Companies should expect an annual assessment with their ISR; however, those in good standing with a strong history of compliance may see longer gaps between their assessments. Contractors can expect, on average, three weeks’ advance notice ahead of their assessment, but the DCSA can provide as little as seven days’ notice.
Preparing in Advance and Best Practices
Organization is key for ensuring you are ready for your DCSA assessment. By centralizing your company’s security policies and creating backup versions, you will be ready to present documentation to the ISR during your assessment. This will include but is not limited to documentation on your company’s security policies/procedures, your insider threat program, employee security training, and incident response plans. In addition to preparing these documents in advance, it is important to make sure they are up to date with the most current information. The following records must be up to date ahead of your assessment:
- Your Key Management Personnel List
- System Security Plans
- Cleared Personnel Security Lists
As a best practice, you should keep your records up to date within NISS, DISS, and NBIS. You should additionally perform a self-assessment as outlined in the NISPOM ahead of your DCSA visit. Through these self-inspections, you can take a proactive approach to your industrial security and strengthen your overall compliance posture.
How IsI Can Help You Prepare
Our team of experts can help you navigate the intricacies of the DCSA to ensure your company is fully prepared for its annual or unannounced assessment. IsI goes beyond simply checking the boxes by specializing in working with both possessing and non-possessing facilities. We will work with you to develop a customized security program that meets your specific needs and complies with DCSA regulations.
Our services include:
- Conducting annual self-inspections to identify vulnerabilities and recommend improvements.
- A comprehensive suite of security training programs to keep your employees informed and vigilant.
- On-site support during DCSA assessments (this can be done either in person or virtually).
Our experienced professionals will be by your side throughout the entire process, providing guidance and ensuring a smooth and successful evaluation. In fact, IsI boasts a 100% success rate in helping clients achieve satisfactory or higher DCSA assessment scores.
By following these steps and utilizing available resources, you can ensure your company is well-prepared for your DCSA Assessment. Remember, a successful assessment allows you to continue working with classified information and demonstrates your commitment to information security.