Enhancing Security Consistency: DCSA's New Security Rating Score Process

The Defense Counterintelligence and Security Agency (DCSA) will deploy a modified security rating score procedure beginning October 1, 2024, to improve the consistency, quality, and transparency of security ratings for contractors. These modifications, developed in conjunction with industry and government partners, are intended to reduce subjectivity and provide clearer direction for meeting higher security criteria. The new method will not affect other components of the security review; it focuses on improving how ratings are determined and conveyed.

The DCSA team begins the security rating process by reviewing the outcomes of security reviews to determine the contractor's general conformance status. This compliance-first strategy means that any severe vulnerabilities, systemic vulnerabilities, or serious security flaws discovered during the review will result in the contractor failing to meet general conformance requirements. Historically, fewer than 1% of security reviews resulted in a non-conformity security rating of unsatisfactory or minor, demonstrating that contractors generally maintain excellent standards.

Contractors deemed to be in general compliance will be given at least an acceptable security rating. These contractors may also be evaluated for higher ratings, such as respectable or superior, based on their demonstrated effectiveness in meeting security requirements. One notable difference in the revised process is the unification of requirements for praiseworthy and superior ratings into a single list known as the "gold standard." This consolidation is complemented by extra information for each criterion, ensuring that all stakeholders have a clear understanding of the requirements and expectations for achieving better ratings.

Another noteworthy improvement is the addition of a numerical score component. This new scoring approach separates the final security rating from particular category ratings, which are no longer required. Instead, the Security Review Rating Scorecard replaces the prior security rating sheet, providing contractors with more detailed feedback on how their scores were derived. This modification is intended to bring more precise and actionable insight into the security rating process, allowing contractors to better understand their performance and areas for improvement.

The scoring method begins with a baseline score of 100. Points are added to this initial score for each condition met by the contractor, yielding a provisional score. This provisional score becomes the final score unless the facility has more vulnerabilities than the complexity tier allows. The complexity tier, which is determined by the facility's approved safeguarding and classified information systems status, determines how many major vulnerabilities are permitted before the maximum permissible score drops from 160 to 130. For example, a facility without safeguarding capabilities (Tier 0) has different allowances than one with classified information systems (Tier 2).

The final score is derived after taking into account the facility's complexity level and any severe weaknesses. In rare cases, a satisfactory security rating may be negotiated for a non-conformity outcome, taking into account factors such as facility size, the scope of classified activities, and the intrinsic nature of the reported issues. This component of the process ensures that the final security rating takes into account each facility's unique characteristics.

Overall, the improved DCSA security rating score procedure is intended to produce clearer, more consistent, and transparent security ratings. The approach attempts to help contractors better understand and comply with security standards by unifying criteria, implementing a numeric scoring system, and providing thorough feedback via the Security Review Rating Scorecard. Contractors and interested parties can obtain more extensive information by visiting the DCSA website.

FedFeather Franks says:

“This revised security rating score procedure is critical for federal government contractors because it assures a more consistent, transparent, and objective review of their security operations, allowing them to better understand and meet stringent security requirements. This increases their ability to maintain compliance and secure contracts.”
