News | Feb. 28, 2018

Cybersecurity grading scale lists violations’ severity

By DCMA Information Technology

Defense Contract Management Agency’s Cybersecurity Center, also referred to as IT-K, will begin a monthly “Cybersecurity Violations” campaign to highlight the responsibilities of the agency’s employees and contractors regarding cybersecurity violations, the effects of those violations on the agency and the consequences of violating the rules.

“The DCMA Cybersecurity Center receives thousands of alerts and potential internal violations that could put the agency at risk,” said Khieka Jennings, DCMA cybersecurity watch officer. “The most common violations range from installing unauthorized software such as unapproved antivirus programs, or third-party media players, to include unauthorized devices on the network and DCMA-issued iPhones and tablets. Each of these alerts has the potential to be a risk to the DCMA network.”

These guidelines can be found in the DCMA Acceptable Use Policy, which every DCMA user agrees to before accessing the network.

Cybersecurity violations are graded from “very low” to “very high” and apply to all DCMA employees and contractors accessing the agency’s network.

“Very low” violations have negligible adverse effects on organizational operations, assets, individuals, other organizations or to the nation.

“An example of this is sending non-DCMA personally identifiable information, or PII, to your personal email,” said Destinee Winslow, DCMA cybersecurity risk management branch chief. “This includes social security numbers, banking and credit card information.”

The repercussions entail a verbal warning or an email about the violation being sent to the violator’s supervisor.

“Low” violations have limited adverse effects on organizational operations, assets, individuals, other organizations or the nation.

“Low violations are typically when a ‘non-privileged’ user handles unauthorized software, USB drives or files,” said Jennings. “An example of this is installing unapproved software such as Google Chrome, or connecting USB devices.”

Violations at this grade result in a verbal warning and supervisors being notified by email of the violation.

“Moderate” violations have more serious adverse effects on organizational operations, assets, individuals, other organizations or to the nation.

Examples consist of sending classified information to unclassified computers or accounts and using any unapproved software.

Employees with a moderate violation can receive a verbal warning, and up to a one-day suspension from the DCMA network. Individuals may also be required to complete mandatory cybersecurity training.

“High” violations cause severe or catastrophic effects on organizational operations, assets, individuals, other organizations or to the nation.

“Such examples of these catastrophic violations include giving away classified information files or using unapproved software,” said Winslow. “Other examples consist of using Google Drive, Dropbox, OneDrive, or similar accounts to store DCMA files.”

If an employee is charged with a high or severe violation, the supervisor will be notified by email and the employee will receive a verbal warning. They could be suspended from the network for up to seven days and may be required to complete cybersecurity training.

The most severe cybersecurity violation is graded at “very high” and may cause multiple severe or catastrophic effects on organizational operations, assets, individuals, other organizations or to the nation.

If a violation is considered very high or severe, it could result in the employee receiving a verbal warning, being required to attend additional cybersecurity training, or even being referred to Human Capital.

“Actions that would put an individual in the very high grading scale range from bypassing the DCMA firewall, using unapproved web browsers such as ‘The Onion Router’ or masking their online actions,” said Winslow. “Another violation would be remote-accessing or hacking into the DCMA network.

“Take the time to become familiar with this grading scale and learn what you can do to avoid these cybersecurity violations, not only to protect the warfighter, but also to help the agency become more cyber smart.”

For more details about cybersecurity violations, please contact the DCMA Network Operations Security Center at DCMANOSC@dcma.mil or call 678-626-4400.


You can also visit DCMA IT-K’s SharePoint site dedicated to cybersecurity violations awareness and view the video that gives a brief explanation on cybersecurity violations here (login required).