HII ISSM Inspection Presentation

brandon clinkscales

Created on October 1, 2025

Transcript

An HII presentation for self-inspection

INTRODUCTION

PURPOSE OF INSPECTIONS & SELF-INSPECTIONS

REGULATORY AND COMPLIANCE DRIVERS

ROLE OF THE ISSM IN MAINTAINING SYSTEM SECURITY POSTURE

OVERALL BENEFITS OF THESE INSPECTIONS

TYPES OF INSPECTIONS

EXTERNAL VS. INTERNAL

EXTERNAL

  • Performed by external IS reps.
  • DCSA subject matter experts review internal processes to evaluate NISPOM compliance and identify potential gaps.
  • DCSA coordinates a formal security rating of superior, commendable, satisfactory, marginal, or unsatisfactory.

INTERNAL

  • Starts with the FSO, who may work with, and designate, security team members to assist in conducting the self-inspection.
  • These self-inspections cannot be successfully performed without the participation and cooperation of key individuals within your company.
  • You will need to gain the support of your facility’s senior management.
SELF-INSPECTION

CONDUCTING EFFECTIVE SELF-INSPECTIONS

PURPOSE

Performing a self-inspection fulfills the legal requirement created by your company’s participation in the NISP. It allows you to verify that your company is in compliance with the requirements of the NISPOM, thereby ensuring the protection of our national security, the safety of our citizens, and, most importantly, the safety of our service members.

FREQUENCY

The assets you are protecting determine the government review cycle, that is, the time interval your IS rep uses to set the scope and frequency of your security reviews. Typically annual, but always per policy.

SCOPE

Tailor your self-inspection to cover the security elements applicable to your facility’s classified involvement. Use the self-inspection handbook to determine which elements apply. The scope covers technical, administrative and operational controls.

METHODS

  • Comprehensive method: based on an examination of all security elements that are applicable to the facility’s security program.
  • Programmatic approach: focuses on a single classified program, project, or contract, and covers all security aspects of that program.
  • Checklist-based method.
  • Interview sampling method (by user accounts, logs and configurations).

INSPECTIONS

THE ISSM ROLE DURING INSPECTIONS

It is better to look ahead and prepare than to look back and regret

– Jackie Joyner-Kersee

WHERE THE ISSM HELPS

  • An ISSM is required anytime classified processing involves information systems.
  • The ISSM will assist with crucial documentation.

PREPARATION

  I. Maintain up-to-date security documentation.
  II. Ensure system configurations match the approved baselines.
  III. Train staff on inspection expectations.
  IV. Work hand-in-hand with the FSO.

WHERE THE ISSM HELPS

  • The ISSM will act as primary POC alongside the FSO.

EXECUTION

  A. Serve as primary POC with inspectors alongside the FSO.
  B. Provide requested artifacts and evidence.
  C. Demonstrate control implementation and effectiveness.
  D. Be available to dive deeper into your knowledge.

WHERE THE ISSM HELPS

  • The ISSM will complete post-inspection duties.

POST-INSPECTION

  A. Review findings and reports.
  B. Develop and manage corrective action plans.
  C. Track closure of findings in the POA&M.

COMMON AREAS OF INSPECTION FOCUS

  • Account management & privilege oversight
  • SSP accuracy
  • IRP and evidence testing
  • Patch management & vulnerability scanning
  • Media and removable media control
  • Audit log review and retention
  • Security training and awareness

BEST PRACTICES

Best practices encompass important cybersecurity measures like strong passwords, regular software updates, multi-factor authentication, antivirus software, and data management through regular backups and disaster recovery planning.

There are multiple benefits to getting a chance to do a self-inspection before the 3PAO.

BENEFITS OF SELF-INSPECTIONS

Benefits acquired:

  • Reduce surprise findings
  • Improve security posture
  • Demonstrate due diligence and accountability
  • Build confidence with leadership
  • Reputation
  • Increased efficiency
  • Safety and hazard identification
  • Sets expectations

PROCESS EXPECTATIONS

Self-inspections make the real process ~75% easier.

Don't read this line, as the numbers are totally made up and vary by nervousness.

INDEXING

Metrics to consider:

  • Global Cybersecurity Index
  • NCSI rankings
  • 98%
  • 84%

RESOURCES

https://www.itu.int/en/ITU-D/Cybersecurity/Documents/GCIv5/2401416_1b_Global-Cybersecurity-Index-E.pdf

https://ncsi.ega.ee/ncsi-index/

https://www.dcsa.mil/Portals/91/Documents/CTP/tools/DCSA%20Assessment%20and%20Authorization%20Process%20Manual%20Version%202.2.pdf

https://www.cdse.edu/Portals/124/Documents/student-guides/IS130-guide.pdf

https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-18r1.pdf

From your ISSM team

THANKS!

DETAILED FOCUS

  • DD Form 2875 (SAAR).
  • Vulnerability scanning identifies and assesses weaknesses and flaws in IS.
  • Software updates, or patches, to systems and applications resolve vulnerabilities, improve performance, and fix bugs.
  • The SSP should correctly reflect an org's security posture; verify that it aligns with security requirements, system environments, and implemented security controls.
  • Implement policies, procedures, and technical tools to manage and restrict the use of portable storage devices and protect sensitive data.

COMMON ARTIFACTS

  • Privileged accounts: administrative accounts, service accounts, emergency accounts.
  • Protects against data breaches, ransomware, system failure, and insider threats by limiting access.
  • Detailed logs and audit trails help organizations meet regulatory requirements and demonstrate compliance.
  • Least privilege principle.
  • Insider threat, cyber awareness training, etc.

EXTERNAL INSPECTIONS

External inspections provide Government Contracting Agencies (GCAs) with assurance that contractors are eligible for access to classified information and have systems in place to properly safeguard the classified information both in their possession and to which they have access. The continuing process of providing these assurances to the GCA depends upon DCSA’s knowledge of the internal processes and security procedures established and maintained by the contractor facilities.

INTERNAL INSPECTIONS

Internal inspections involve making sure that, as a member of the National Industrial Security Program (NISP), your facility’s security program effectively fulfills the requirements outlined in 32 Code of Federal Regulations (CFR) Part 117 and the National Industrial Security Program Operating Manual (NISPOM). In order to meet this responsibility, it is imperative that you are aware of the strengths and weaknesses of your security program.