 Welcome and thank you for joining today's National Industrial Security Program Policy Advisory Committee meeting, also known as the NISPAC. To receive all pertinent information about upcoming NISPAC meetings, please subscribe to the Information Security Oversight Office's overview blog at https://isoo-overview.blogs.archives.gov or by going to the Federal Register. All available meeting materials including today's agenda slides and biographies for NISPAC members and speakers have been posted to the ISOO website at https://www.archives.gov.isoo.oversite-groups.nispac.com.html and have also been emailed to all registrants. Please note, not all NISPAC members and speakers have biographies for slides. It is preferred that you connect through your computer to listen to today's conference. However, you can call in as a secondary option. If you require technical assistance, please send a private chat message to the event producer. Please note, all audio connections will be muted for the duration of the meeting with the exception of NISPAC members, speakers, and ISOO. We are now, we are expecting a fairly large audience today. Because of this, we will not be taking questions from the public over the phone. Please email your questions and comments to nispac.nara.gov and someone will answer your questions there. Only ISOO and NISPAC members will be authorized to ask questions throughout the meeting. This is a public meeting. Like previous NISPAC meetings, this will be recorded. This recording, along with the transcript and minutes, will be available within 90 days of the NISPAC reports on committee activities webpage mentioned earlier. Let me now turn things over to Mr. Mark Bradley, the director of ISOO, as well as the chairman of NISPAC. Thank you so much, Mr. Producer, for your kind introduction. Good morning, everybody. Welcome to the 70th meeting of the NISPAC. This is the 7th NISPAC meeting that's being conducted 100% virtually. We're planning on a five-minute break and no removing, which I will flag as you move closer. We have the meeting scheduled for three hours, but I expect and hope it will be finished well before that and you can have some of your morning back. I'm now going to turn it over to Ms. Heather Harris, the designated federal officer for the NISPAC for some administrative actions. Heather, floor is yours. Thank you, Mr. Chairman. I will now begin attendance for the government members. I will state the name of the agency, then the agency member will reply by identifying themselves. Once I have gone through the government members, I will then move over to the industry members. After the industry members, I will then proceed to the speakers. O.D. and I. Good morning, Heather Valerie Curbin, primary member. Thank you. DOD. Good morning, Heather. This is Jeff Spenninger. Thank you. DOE. Good morning, Heather. This is Natasha Sumter. I am an alternate member. Thank you. DHS. Good morning, Heather. This is Risti Jostrin. I'm the alternate. Thank you. DCSA. Keith Minard. CIA. Good morning, Heather. This is Dawn, primary member for CIA. Thank you. Commerce. Good morning, Heather. This is Steve Barbieri. I'm the primary for commerce. Thank you. DOJ. Good morning, Heather. This is Christine Gunning, primary member. Thank you. NASA. Good morning, this is Vaughan Simon, primary member. Thank you. State. Good morning, this is Kim Lager, primary member. Thank you. Air Force. Good morning, Annie Bakas, Department of the Air Force Alternate. Thank you. Navy. Good morning, Steve James, primary member. Thank you. Now I'm going to turn to the industry members. Heather Sims. Heather Sims, industry NISPAC. Derek Jones. Good morning, Derek Jones, industry NISPAC. Tracy Durkin. Good morning, Tracy Durkin, industry NISPAC. Greg Sadler. Good morning, Greg Sadler, industry NISPAC. Dave Tender. Good morning, Dave Tender, industry NISPAC. Ike Rivers. Good morning, Ike Rivers, industry NISPAC. Jane Dinkel. Good morning, Jane Dinkel, Industry NISPAC. Thank you all. Now I'll do a roll call for the speakers. Dave Scott, thank you, Mike Ray. Good morning, I'm here. All right, great. NRC and Army will not be present for the call, so if there are questions for them, please send an email to nispac at nara.gov and we can forward it to them. If anyone else is speaking during the NISPAC that we have not heard from or we don't know about, please speak now. Thank you. We request that everyone identify themselves by naming the agency if applicable before speaking each time for the record. I wanted to provide everyone with our agency's COVID update. Most of the ISOO staff is still teleworking. We do not currently have restrictions on in-person meetings for NARA staff in all NARA buildings. However, for large public meetings such as this, we are staying virtual. Hopefully in a year, we will be back to in-person NISPAC meetings at the National Archives in Washington, DC. I want to remind the government membership of the requirement to annually file a financial disclosure report with the National Archives and Records Administration Office of General Counsel. Before a government member may serve on the NISPAC and annually thereafter, this must be done. The same form for financial disclosure that is used throughout the federal government, OGE Form 450, satisfies the reporting requirement. If there are questions, please reach out to me. Additionally, we have had a few changes to the NISPAC membership. As discussed during the last meeting, our prior designated federal officer, Greg Pinoni, retired. I am acting for him at this time. We have also had a change at the Commerce Department. Richard Townsend has been replaced by Steve Barbieri. Our CIA primary is now Don replacing Felicia. And the NASA replacement for Kenneth Jones is Von Simon. We would also like to welcome our two new industry members, Ike Rivers and Jane Dinkle, who are replacing Rosie Barrero-Jones and Cheryl Stone. For those departed members, thank you for all of your contributions over the years. We look forward to continuing the work you have done with the new representatives. I also want to thank Mark Bradley, the Director of ISOO and Chairman of the NISPAC. This will be his last NISPAC as he is expecting to retire before the next public meeting in June 2023. Thank you for your lifetime of federal service, especially the last six years as the Director of ISOO. It has been an honor to work for you. We wish you well and look forward to continuing the work you have done. I will now address the items of interest from the April 27th, 2022 NISPAC public meeting. The NISPAC minutes from the last meeting were certified to be true and correct and were finalized by me on August 8th, 2022 and were posted to the ISOO website on August 9th, 2022. The first item of interest is that during the last NISPAC meeting, DOD had requested the NISPAC meet three times a year, Vice 2. During this meeting, the chair will seek an advisory opinion from the full committee on whether it'll be useful for fiscal year 2023 to hold three NISPAC meetings or whether we should continue to hold two. Since the last NISPAC meeting, we also continue to work the ISOO notice discussing the Small Business Administration Regulation combining their mentor protege programs issued in the fall of 2020. The SBA rule appears to eliminate the requirement for a joint venture to have an entity eligibility determination or EED, also known as a facility clearance or FCL. In all cases, if the entity is making up the joint venture, already have EEDs themselves. However, this interpretation of the regulations language is not what the regulation intends and would contradict NISP requirements. In coordination with SBA, we will be issuing an ISOO notice to clarify the joint venture EED requirements. Additionally, we continue to have discussions for NISP entity cost collection with the Cognizant Security Agencies and Offices, also known as CSAs and CSOs. This collection is required by executive order. The cost that will be collected will include information on NISP implementation costs incurred by entities under their security cognizance. The next meeting is November 30th, where all NISPAC members will be in attendance to discuss the way ahead. Once finalized, we will advise the NISPAC chair on the way forward for collecting these data cost elements for industry's implementation of the NISP. The final item of interest is that industry was going to start meeting with DCSA about concerns for how long it takes the company to get cleared, but those meetings have not yet been set up. Additionally, ISOO has three job announcements that have closed, one for a senior program analyst and two CUI program analysts. We hope to have them both on board before the next NISPAC. Do any NISPAC members have any questions? All right, thank you, Mr. Chairman. I will turn it over to you. Thank you, Heather. As Heather mentioned at the last meeting, we discussed changing the number of public NISPAC meetings a year from two to three. As a reminder, I'm seeking only an advisory opinion this time. I'll weigh all considerations before deciding exactly what course to follow. But in the meantime, all I'm gonna do is I'm gonna say the name of the agency and then please respond with your name and whether you want two or three NISPAC meetings a year. Then I will ask industry members to vote in the same manner. ODNI? Two for ODNI. Okay, thank you, Valerie. DoD? This is Jeff Speniger, three for DOD. Okay. DOE? Good morning. This is Natasha Sumter and we would prefer two for DOE. Okay, thank you. NRC? Heather, you're gonna circle back with them, right? Yes, sir. Okay, DHS? This is Richard Joceran. We vote for two. Okay, thank you, Rick. PCSA? Keith Mitard, three. Hey, CIA? Good morning, Mark. It's been a long time. Good morning, Don. Yeah. We're gonna vote for two. Okay, sure. Department of Commerce? We're gonna vote for three. Okay, Department of Justice. This is Christine Dunning, two for DOJ. All right, thank you, Christine. NASA? Voluntary for NASA, two for NASA. Okay, Heather, you're gonna circle back with NSA. State Department? Three for State Department, thanks. Three for State, sure. Air Force? Three for Air Force, thank you. Three, you're welcome. Department of Navy? This is Steve James, three for Navy. Okay, Department of the Army. Heather, you're gonna circle back with them, too, right? Yes, sir. Okay, got it. All right, now I'm gonna turn to the industry members. Heather Sims? Heather Sims, Industry News Pack, I vote for two with a caveat that we revitalize the working groups to make them more impactful. Okay, got that duly noted. All right, does April Abbott ever join us or not? All right, don't hear her. Yeah, I'm sorry. Mark, I just heard from her. She has a meeting right now that's overlapping, but she's gonna try and call in very soon. All right, Heather, if you could record her vote. Yes, sir. At some point. Okay, yes. Derek Jones? Derek Jones, three. All right, Tracy Durkin. Tracy Durkin, three. Okay, Greg Sadler. Two with the caveat of the Enforced or Improved Function of the Working Groups. Okay, duly noted. Dave Tender. Two with the same caveat that Heather and Greg just brought up. All right, duly noted. Ike Rivers? Two, same caveat, please. Okay, sure, duly noted. Jane Denkel. I vote for two with the same caveat regarding the working groups. All right, all right, thank you very much. Heather, I've written them all down. You wanna tally the vote just as it stands for now? I guess, sir, during the meeting right now? Yeah. Okay. Final tally for, you know. Yes, sir, so. No, no, I'm sorry, no, I'm not being clear. The total, how many for two? How many for three? 12 for two. Okay. And eight for three. Okay, it was at least a handful still waiting to vote. All right, so anyway, we will take this back and have a look at it once we get the full tally. Thank you very much for doing that, y'all. Okay, at this time, we'll now introduce our speakers for updates. Ms. Heather Sims and this back industry spokesperson will provide the industry update. Heather, the floor is yours. Thank you, thanks for the industry. Good morning, everybody. It's my pleasure to provide another industry update as the Ms. Pack Industry Spokesperson. For me, it's hard to believe that I'm entering my fourth year on the Ms. Pack and as the spokesperson. And we have only had the opportunity to have two public meetings in person. So I look forward to meeting in person again. I'd like to take the opportunity to once again thank the outgoing industry Ms. Pack members, Rosy Barrio and Cheryl Stone for their dedicated efforts on the Ms. Pack over the last four years. Also, I'd like to welcome Isaiah, Ike Rivers and Jane Dinkle. I look forward to working with you on the industry Ms. Pack team this coming year. Since our last meeting, Mr. Greg Panoni as Heather mentioned retired from ISOO, I would personally like to take the time to thank Greg for his partnership with industry and the commitment to the Ms. Pack, always ensuring industry had a seat at the table and a voice in the conversation. Industry wishes Greg well in his future endeavors. This update will be a little bit different in the fact that instead of utilizing my entire time talking about open and unresolved items of interest with our government counterparts, I feel it more important to provide an overview of the role of the industry on Ms. Pack and how the industry memorandum of understanding further referred to as MOU Association assists industry Ms. Pack in capturing and resolving issues for all of industry. Industry is sometimes challenged by allowing ourselves to be divided, sometimes at the hands of our government partners, sometimes by a misunderstanding and sometimes by a lack of understanding that industry is much larger than our own companies and our own self-interest. What may have been a priority for one company that is discussed with our government counterparts may not be an issue for another company and vice versa. In the past three years, I will stand strong on my commitment that the United industry is much stronger than the divided industry base. A strong industry base can better support national security by working as a United group to assist our government on the impacts of emerging and existing policies that may have an impact on industry and help resolve to further the safety and security of our country. Recently, there has been a mention of an effort or intent to create a new industry representation group either through the creation of a new policy advisory committee or through formal group independently meeting with cognizant security agencies, legislators and or government regulators for the purpose of speaking for the whole of industry, often driving the voice of industry to their association or certain members of industry lobbying on behalf of their own self-interest and benefit. With that in mind, I thought it prudent to provide a reminder as to why industry was created and how industry plays a vital role in national security. The NISPAC was created January 8th, 1993 by executive order 12829. The NISPAC was and is still comprised of 16 government and eight industry members. The current industry members are April Abbott, Tracy Durkin, Greg Salars, Dave Tender, Jane Dickle, Mike Rivers and myself. Each serving a total of four years, all allowed still working in the full-time positions at the current employer. We often forget to take the time, forget the time and commitment of the board allowed into the industry NISPAC members to commit to helping with the collective cleared industry concerns. Therefore, we want to thank further employers for allowing industry members to represent industry on NISPAC. There's also a little mystery around how industry members are nominated and selected. So I'd like to offer some insight. Every year, current industry NISPAC members and current MOU members nominate potential industry NISPAC members for the two upcoming vacancies. Voting is held by the same industry NISPAC and MOU members for each cast two votes. In the end, the top two votes are elected into NISPAC. We do our best to remind all voting members and nominated members that the role of NISPAC is to represent all national industry program companies and not their own self-interest, company's interest or specific government agency interests. This is taking into consideration when those are cast. Who is a trusted person who can best represent all of industry, liaison with the five CSAs and work well among all the industry to collect input. If the selfless four years, those that are chosen serve and put their tireless efforts should be focused on making sure all of industry has a voice and not fighting amongst ourselves or putting ourselves above the interests of all of industry, which can have a long-lasting negative effect on how industry is viewed by our government counterparts. While we try and have everyone in industry involved, it simply isn't possible for all cleared industry to participate on the NISPAC. However, there are several NISPAC working group opportunities that industry members can be involved in covering a variety of NISP topics. During the working groups, we tend to work with our government partners to resolve a variety of issues affecting industry. Industry NISPAC is continuously reviewing industry working group members to ensure we have a diversity of industry representation based on company side complexity and skill level. Insuring the same company and the same person isn't on every single working group, which sometimes is the case. Therefore, you have the same people for years driving the discussion and focus on for industry without consideration to the other 10,000-plus companies in the NISP. Industry NISPAC simply cannot operate independently without excluding critical input from the support from our MOU Industry Association. While industry is officially recognized as the NISPAC membership, individual representations from the MOU groups support the NISPAC in several ways, including participation in the working group, making recommendations to the NISPAC and propose and revise national security policy at the request of the industry NISPAC spokesperson. The MOU group supports the industry, NISPAC industry spokesperson in NISPAC matters and initiatives, as with NISPAC industry representation. MOU groups representatives agree that they will not act as representation for the specific company, instead they represent the constituency of the respective organization or association, and by extension all private sector members of the National Industrial Security Program. Nothing in the MOU agreement agreement, however, prohibits prevent each individual association or organization from adopting its own position or particular issue, or from standing for proposal thought to be contradicted to the wish of its membership. There are currently nine MOU industry associations supporting the industry NISPAC, with the additional organization working through the full process to be added. Current MOUs include the following, Aerospace Industries Association, as this Defense Encounter Intelligence Council, Contractor Special to Carry Working Group, Federally Funded Research and Development Centers, University Affiliated Research Centers, Intelligence and National Security Alliance, Industry Security Working Group, National Classification Management Society, National Defense Industrial Association, and Personal Security Council. Industry NISPAC members cannot operate in a vacuum, but also have to be cognizant of, we cannot tackle every and every concern, therefore we have to operate strategically and prioritize industry issues. There are a variety of needs that industry NISPAC tries to capture industry input. While virtually impossible to know every single company and the cognizance of the five GSAs, we do our best to try to reach each. Fundamentally, as a group, we seek industry synergy and work towards capturing a good understanding of what industry representation, either through the NISPAC or MOU we're working on. Industry NISPAC meets monthly, actually more often as issues come up, and also monthly as a full group with our MOU security points of contact. These are critical discussions to ascertain all the issues and narrow down to what we can do as a group to prioritize and may lead to other efforts. All the years industry NISPAC members have increased their presentation over the years, industry NISPAC members have increased their presentation to a variety of industry events throughout the years in country. It's a great source of education for both industry and government members alike to hear concerns from all levels, but also providing overview of the NISPAC and industry and indeed represented the national level. This year, we have established a quarterly newsletter in efforts to try and reach those companies in the NISP that are not members of industry associations. So let them know they are represented and do have a voice. So far, we have issued two newsletters and seek assistance from each of the five GSAs to share with their cleared population. Another way we attempt to hear from the cleared industry is through email communication. A few years ago, industry NISPAC created a dedicated email account where a cleared industry can contact eight industry NISPAC representatives directly. Over the past three years, we have been able to assist and resolve a variety of issues directly submitted to the correct point of contact and simply allow us to watch for trending topics coming directly from industry members. While this next one does cause some controversy, industry NISPAC does do some work with the chief security officers of the large, clear contractors. Clearly by size and totality of revenue from government sources, we CESOs have a unique knowledge and understanding of the impact that the NISP has on the security operations. Their importance is vital to the discussion as industry NISPAC works with their government partners on emerging policies and oversight procedures. While some would say that industry NISPAC does not represent all of industry and governments should not listen to certain individuals, this negatively provides a view on industry that sometimes the loudest and most aggressive voices be heard at the detriment of the other industry companies. If there are recommendations on how we can improve, please utilize one of the names I previously mentioned to bring your ideas forward so we're all heard. I hope that this quick NISPAC 101 overview was helpful. I will be remiss if I did not at least discuss the very purpose of holding the public NISPAC meeting. And this is to discuss those very industry concerns that we have not been sufficiently resolved through our formal NISPAC working group. I continue thank you to PAC PMO, OD&I and OPM for including industry from industry NISPAC reviewing trusted workforce 2.0 strategic documents that pertains the impact to the industry prior to the release. This has been a success at the strategic level, but industry is still already experiencing issues with the implementation of all levels with the enormous variances in the understanding of execution at each of the military services locations and government agencies. Industry looks to capturing examples where we're seeing impacts to industry and sharing with OD&I, PAC PMO and OPM. It's often understood by both government and industry that industry NISPAC members work with all five CSAs and not just DOD. Industry NISPAC is committed to working more proactively with those CSAs over the next year, attempting to capture and bring issues to the points of contact for early resolution. Industry NISPAC will also be committed to partnering at the right level. More than not, industry is forgetful that DOD is the CSA and DCSA is the CSO working on behalf of DOD. Industry NISPAC will be increasing their collaboration and conversations with the DOD representation on the NISPAC. With that said, industry appreciates the support of DOD and DCSA that they have offered to industry over this past year while we implement 32 CFR Part 117. There are many areas of clarification, questions about implementations and concerns for the many interpretations in the oversight agency we're making to industry's compliance with 32 CFR. DCSA specific with Keith Miners, Matt Rhodes, Jason Finehauer and many others quickly sprang into action and listened to industry and offered a variety of guidance from fact sheets, job aids, and training seminars. We appreciate the support and commit them to assist industry in understanding the changes. Industry would also like to cite DRock for the support over the past six months in providing guidance and support as continuous vetting is ensured. An item that has been brought up by industry over the last two years at the public NISPAC meetings and working group that has not been resolved is the timeliness of the new companies to receive a facility clearance or upgrades for existing care companies. While DCSA has initiated a process to track timelines and process improvement, it's still an issue and more and more companies are requesting support from industry NISPAC. This should be a concern for all of industry and government alike. NISPAC lawyers could and may impact industry's ability to deliver on the next critical military platform ensuring America's military superiority. Industry looks forward to discussing the larger issues in concerns with DOD in the next few weeks to get a real solution to improve its longstanding and growing concern. DCSA heard industry's concern about the national background investigation system and this industry appreciates the increased industry collaboration communication while there are still many concerns such as operability, data integrity, and support for industry once the system is online. We are appreciative of being heard and for the opportunity for industry NISPAC working group members to work on improvements. Finally, an overwhelming thank you to industry for your efforts this past year and during COVID for keeping up to watch for the most part maintaining solid security program while implementing a new 32 CFR Part 117 implementation of DCSA oversight and rating process, rolling out trusted workforce 2.0 and C3 implementation. All these major changes all at once on top of shrinking budget is a feat no doubt and it should be commended for your effort and commitment to do your part for national security. I would like to thank you for the time and open up the remainder of my time for any questions and comments and then also to the other industry NISPAC members if there are any additional comments. Thank you. Anyone have any questions for Heather and any reaction? Well, thank you Heather, especially for that lesson on history. It's important to be reminded about how all this came about and what it stands for. I'm now going to turn to Mr. Jeff Spenninger, Director for Critical Technology Protection for the Office of the Undersecretary of Defense for Intelligence and Security who will give an update on behalf of DOD as the NISP Executive Agent. Jeffrey for yours. Thank you very much Mark. Good morning everyone. I'd like to begin and echo, I'm sure it'll be a bit of a theme today and that is expressing my thanks Mark to you. It came as a slight bit of a surprise to know that this would be your last NISPAC. That's no small undertaking. Your leadership during some interesting times to say the least has been steady and I think sometimes we don't really appreciate what that is until we don't have it. I know that I think I can speak on behalf of a whole lot of folks here that will say thank you for that. I imagine we'll have some more to say about you whether you're on the call or you're not on the call in the weeks and months ahead but thank you for that. I'd also like to say thank you to Heather who has stepped in adroitly where we find ourselves saying Greg Hoop and that's a good thing although it was nice to see him in a slightly different capacity last week. All that to say that the work that ISOO undertakes you know to execute the responsibilities of the NISPAC on behalf of all of the CSAs and industry you know an accumulated tally that puts us comfortably into the millions is no small thing and it's also not without it's remarkable importance much of which Heather Sims outlined today and which I would like to echo. So thank you for that and with that it is good to be here again for what is the final meeting of the year. We've got a number of topics to cover. We like taking advantage of the opportunity to be on the record here. Transparency and accountability are kind of recurrent themes because that's how we're able to get things done. So coming to common understanding we can't always promise that we're going to get to consensus but we can at least get to common understanding and I'm not aware of a better forum for that than the NISPAC. So with that I'll jump in in no particular order. I want to provide a brief update on where we stand on cloud sandbox. We've talked about it in the last couple of public meetings. There's been a bevy of work in between those meetings and all of which really reinforces what is fairly obvious but I don't think is can be overstated the relevance of cyber security and within this framework within the NISPAM. Safeguarding information of industry and systems is again fairly obvious and straightforward. The application of cloud solutions to meet those responsibilities and requirements is the first time out of the chute is we'll be a bit of a pathfinder for us as we move forward. We're as close to that as we've been thanks to outstanding leadership and initiative from DCSA and industry partners to kind of help to create that path. We'll have some more to say about that on the other, I'm very sure at the upcoming NISPAC but to kind of focus in on the continuing initiatives that my office is pleased to sponsor we continue to leverage the applied research laboratory for intelligence and security. Arliss, New York sponsored by our office to establish and initiate what we call affectionately a class-like cloud sandbox which is intended to be a mechanism for research framework so that we can explore both the potential and maybe challenges that cloud represents for enterprise solutions that are consistent with NISPAM expectations. We've made again quite a bit of good headway there based on some really smart researchers and again that initiative and willingness to participate. I mentioned DCSA, I'd be remiss if I didn't also mention DCSA who is also a partner in this as we try to get it right. We've been quite deliberate because there's right and fast, we want right and I think we're making a tremendous headway there. The project itself is intended to be a pathway to move from what have been largely theoretical discussions into a real world example to understanding applicability of cloud services and solutions and what they represent to what are enduring and steady state security requirements, understanding what the policy says under places where there are needs for interpretations that can be consistently defined and then therefore consistently applied and examined and to explore those places where there may be gaps within policy. I'm very pleased to report that to this moment it continues to be that we don't see impediments, policy impediments of any stripe within the framework of the CFR, either the NISP CFR or the NISPAM CFR and that's really quite important. I will say without going into a lot of detail because I would only frankly embarrass myself on the record and that there are complications on the acquisition side of things that we're looking to resolve. We're having the right discussions with the right empowered officials in the department who manage DTFAR rules that relate to how cloud would be defined or cloud requirements could be defined and I will put myself on notice to hopefully have an update that's substantive next time we all get together. So we continue to welcome interest from the NISPAC. This would maybe be one of those areas that integrated working groups would be keen to examine and if working groups can involve field trips we'd be happy to play host to a working group to sort of take what are words to this moment and understand what a sandbox initiative looks like. I'm very sure that our program manager for Arliss is not on the call right now so I will absolutely and happily put her on the X to facilitate that if a working group or NISPAC in general has interest in that. As was mentioned in the ISU update, right? So we're really pleased to hear of a forthcoming working group meeting looking at NISP costs, right? Again, in testament to the measured approach that ISU has taken, I think it's been really smart to be prudent and quite deliberate understanding that we have a regulatory requirement to report but again getting it fast versus getting it right. Those of you who've been around a time or two know that the report cost reporting in the past last time it was really done in earnest there was consensus among the group that there were some inaccuracies and we wanna be able to get it right. I think that's very important to inform decision-making with all due deference to all of the NISP CSAs out there. The department's bite of that apple is a bit larger in terms of volume but most importantly in terms of cost making sure that we can accurately reflect what that looks like it relates to that transparency and accuracy that we think is really quite essential given the state of things in the world such as they are. With that however we also wanna make sure that it's deliberate in meeting the requirements accurately that we do so with the appropriate measures of security so that we're not giving away information that would actually undermine the nature of the program. So just to lay out a few things that I hope the working group when it meets will take up in earnest and that we can move forward on certainly as we move into the current budget cycle that would be something that would be well timed for the NISPAC to represent because I will say the department we are moving forward with that right now that's responsive to a number of internal tasking that had been levied on us to be able to assist with senior department understanding of these issues and of security costs generally. So that we can make smart investments to meet the department's needs. I say that with again acknowledgement to the other CSAs out there noting that we're the largest piece of the pie but to have a complete picture which would support the administration is something again that we would look to tuck in behind NISPAC's and ISU's leadership on this issue to move forward. Again, it's almost as if Heather had stolen my notes but very pleased for the update with respect to joint ventures. We think that's encouraging. It's absolutely essential and really frankly the direction it appears that this is going in terms of coming with common understanding between certainly ISU, NISPAC and the Small Business Administration seems like we're in the right direction. I noted that you mentioned and ISU notice would be forthcoming. I don't wanna put anybody on the X here but if you can maybe put some fidelity to that so we could help to manage some expectations as to when that would be helpful. And then it would be equally instructive to know the extent to which or if it's possible that the Small Business Administration would reciprocate in whatever forum and communications that they put out so that there is level set understanding that would be maybe to be anticipating of places where there could be disconnects where security issues and Small Business Administrative issues may not completely align even in those small mom and pop shops that we all like to contemplate. And so inside the department we have taken some initiative here to try to be able to resolve this in a consistent way across the expanse of the department. And so as was briefed in the prior last NISPAC for the first one this year, we proposed the memorandum regarding joint ventures and FCL requirements. We drafted what internal of the department is referred to as a directive type memorandum that will provide guidance, uniform guidance on joint ventures that have been awarded to DOD-classified contracts until such time as the revised policy can be published. And with that I would say I think the notice again kind of unread I think conceptually it's easy to say that that will be helpful but I think it's equally easy to say that that probably will not completely solve the problem. So because we still have two parts that within the illegal framework regulatory or statute that don't line up. So an important first step don't wanna take anything away from that would be very keen to have some understanding as to what that may say and when but I believe it would be fair to say that the work will continue. We will do the same. I think we're at a point now where our DTM is shareable in draft form and I'm willing to commit to put that out. So the other CSAs can see how the department is looking to approach that. It'll say draft and big bold watermark type. So that noting that memorandum of this type are really an exercise in eighth grade English essays meaning that we write it down. We put all the right technical wording in there and then we hand it to a series of editors and see where we are. We're pretty far down the road on that but we will still be in a place where it's good to share if there are inputs that the CSAs in this pack, excuse me, I see would have, I think we could at least be able to bake them in to the extent that we're able. I appreciate in the industry update, Heather mentioning attention, putting some attention on clearance timelines, facility clearance timelines and the challenges that we're facing right now particularly for new entrants. I think that's great again with that eye for transparency and accountability that this pack affords all of us collectively that that's the best way for us to be able to kind of understand or remediate to the extent that we're able to while make sure that of course we're meeting the expectations of the industrial security program so that there is confidence in, when a company is granted a facility clearance that there's confidence in its meaning and what that can represent across one contract or a multitude which is such a circumstances maybe and I should say that it means the same thing regardless of where that contract is awarded be it across the department and any of the awarding contracting activities that award contracts with requirements for access to classified within supply chains of prime contractors and naturally across those other places where there are dependencies on department processes for clearance granting which is frankly most of the government. So again, get it fast or get it right. We know we have some work to do here and DCSA is pretty keenly focused on this, right? The director has put a premium on really examining all aspects of the National Industrial Security Program so the agency has the right optic on it. Those of us in the department that have responsibilities here who do the network and DCSA are endeavoring to make sure that we're good partners with the agency who has the lion's share of the responsibility here and we'll continue to update you with the emphasis and the suggestions from our industry colleagues in particular about the value, the potential, I should say value of the working groups. This is one of those things where I believe that there are some objective work group outcomes that could be laid out here and that we could provide meaningful update in a future NISPAC and the next NISPAC meeting. So that's great. On the bright side of this thing here and I don't think, I don't want to take anything away from DCSA and what the remarks may be but I feel like it's appropriate from a department level to really call out what is really an outstanding body of work with respect to the NISP contract classification system. So a lot of work, years and years of work went into establishing the requirement documenting it within the framework of the FAR and putting it to bear. So that's a slog in and of itself. The system aspects of these things are sometimes pieces and parts that we take for granted but it turns out that it's pretty hard to put systems out there that have responsibilities that are cut across the federal executive branch and then of course have touchpoints across industry. The initial NCCS was successful because it was rolled out but problematic because our patience for anything IT is essentially non-existent. And so DCSA took it on its own and what was frankly not without some controversy to remediate and take some initiatives leveraging cloud frankly to come up with a better means of collecting what are very important and supporting elements related to the NISP and that is the electronic DD-254s. So they have done that. They took a lot of slings and arrows more than a few from my office frankly and elsewhere about taking a system offline because of what that means in a larger FAR world. But we're better for it. They rolled it out back in the summer, early summer I think and if I wanted to take opportunity one to call out what is really a remarkable success by the agency but also frankly to call out that the good news is is out there the challenge that remains for us is it's not being used all that much. And so we'll be looking to memorialize the reminder across the OD agencies here. That should be forthcoming fairly quickly but because it is FAR based I felt like this was an appropriate forum and really frankly the right time to put out there this is something that everyone is supposed to do here. Security professionals who are on this call today carrying that back and working with our acquisition counterparts to really kind of dust off that reminder. I think again with a nod to work groups and really the next update we can say well we're pretty close to zero use rate right now. I think with a little bit of initiative and some energy out of frankly today we could see a substantial uptick and I think that would be really quite good for a whole host of reasons. And finally just a couple more updates here real fast. So we're pleased to have had some contact here recently and what has been a continuing challenge where there's been observations from industry associations and groups regarding delays that are sometimes experienced and by sometimes I mean most of the time when employees move from one contract for which access is a requirement primarily focused on SCI. And in particular INSA provided several recommended courses of action which we've taken for action to explore noting that this is not an eligibility discussion that it is an access discussion and I'll make it through the entirety of this little update without saying the R word because it doesn't apply. But based on some good data frank inputs that we've worked on it we have a draft memo that is largely a reiteration. So again we don't have really a policy problem here we have a little bit of an interpretation challenge. The NISP is a big place the Department of Defense is a big place you see the world where you sit on it all those sorts of things. But starting with to be able to reiterate what is permissible within the framework here we think is something that we in the department are able to undertake. We're pretty sure that there's a and are committed to do. We're pretty sure that that's a pretty short path for us for which we will soon then be reaching out to our counterparts in DNI to make sure that we have their take. We're gonna do that. I think we're at a point with the way which we're putting this guidance together that we'll be reaching over. I don't generally like to forecast too much but I think this is a really kind of timely issue and one that's of substantial interest to an awful lot of folks in industry and candidly there's interest from the Hill. So we think it's good to put ourselves out there in this way so that we can help to hopefully get some fairly prompt feedback from our counterparts on the IC side of the house and put out smart guidance here. I know that that's not the end of the discussion. It's probably more like the beginning in terms of what the government and the department are able to do but we think it's a necessary place to start consistent with other initiatives that we have out here and frankly other interests that we have within the department and a little bit beyond. Some more work to come on that but putting ourselves out there so that again transparency and accountability so that everyone knows how we're marching forward thus far and we'll provide updates in subsequent NISPAC meetings. And then finally a word on upcoming NISPAC meetings and understand where we stand with respect to the continuing challenges of life in a, I don't know if we're supposed to say post COVID environment I don't think that really exists but sort of in a, you know as we understand what new normal looks like here. I would say and many of us had the opportunity to be together in person, you know thanks to what was an outstanding conference that AIA and NDIA put on last week. And I would say Mark if there's a way for us to return in-person meetings. I think I heard earlier in the remarks that there'd be about another year before we could think about that. I hope that that's something that we're able to revisit. I understanding the challenges of that beautiful building that you all work in that may be represented there. I would point and put out there and I'm happy to take offline. There are other venues and options but the importance of the dialogue, the opportunity for questions from folks who are in-person or who are able to participate. It's the dialogue that really is absolutely essential. It's been a long time. Heather Sims mentioned earlier that it's been so long since we've had an in-person meeting that the opportunity for dialogue, we're all in transmit. Honestly, I don't mind transmitting. Those of you who know me know that for sure but it's really be, it's mostly, it's transmit with the intent to receive. That's where we really are able to address and meaningfully engage on what are very, very important issues that certainly affect the department, obviously industry and then more broadly, the fullness of the executive branch. So whatever we're able to do to help, turns out there's lots of DOD facilities around here. I'm pretty sure I could find one that would be willing to play host. That's within reasonable driving distance here so that we at least explore the opportunity of in-person meetings. And with that, I thank you very much for the time and I'm done. Okay, anybody have any questions for Jeff? All right, Jeff, thank you so much for the time, personal remarks. I appreciate it's been a real honor to work with you and people on this committee. As far as the notice goes, I value you that we will share any draft with you and also industry. It seems to me the most important thing is to get this one right. It's such an important topic. On the cost, I can't emphasize how important it is that we get that right too. This is a specialty data-driven administration. I've all the ones I've had the honor to serve in. This one, first question is how much does it cost? And if I've learned anything in this chair and in this part of my portfolio as director of ISU, it's a national industrial base, it's a public rich environment. And we really need to tighten up the security. The problem is security is expensive. And in order to be able to help industry and also help ourselves, we need to be able to give the hill, the appropriators up there and also the policy people to NSC the data that why we need to do this. It's first question, I get time after time as well, how much is this gonna cost? And so anyway, it is imperative that we keep on that working group and try to get those figures as accurately as we can because they will be carefully vetted and examined. So anyway, with that, let's turn now to Mr. Keith Minard, Senior Policy Advisor with the Industrial Security Director of the Defense Intelligence and Security Agency. Keith, forward yours. Thank you again, Keith Minard, DCSA. And first, Mark Lemming, on behalf of DCSA, thank you for your service and leadership to the NISPAC. It's a very important role and the NISPAC serves a very important mission. So today I'm gonna hit a few areas. One, most importantly, FCL timelines seems to be a theme today with industry and DOD, so we'll follow on that on a more practical level. I want to give some of the good news stories this year, implementation of 32 CFR-117 and some other key actions that occurred over the last year with DCSA, DOD and cleared industry. It's very important to capture those events and those things that have been accomplished. So first, I know this is a key area of concern on facility clearance timelines. DCSA is currently working to reduce timelines for both NISPAC and upgraded FCLs. We understand the concerns of both industry and government customers on the current timelines and are working to reduce those timelines. As part of our strategy to reduce timelines, we've established a tiering system for FCLs, akin to those established for personal security investigation. This is the more accurately selected type of FCL case and better allow DCSA to manage those cases in a more efficient manner while managing risk. Each of these tiers have a key performance indicator for processing timeline goals, each of the tiers. So trying to give a overview of what these tiers are is, the tier one are those cases with no identified risk indicators. A risk indicator is defined as a factory vent or circumstance or condition that may indicate that facility is ineligible for an FCL. So we're looking for those things that may FCL not be granted in the first place. Our current KPI for those will be 60 days, though our current average for issuance is 155. You'll see as we're working through these processes, how we need to reduce our timelines down to our KPIs. The tier two are those cases with identified risk indicators, but without a requirement to review or implement mitigation. Our current KPI for tier two is 90 days, our goal, but our current average is currently 266 days. The tier three are those cases with identified risk indicators, requiring review or implementation of mitigation. Our KPI will be 180 days and our current average is 263 days. So additionally to try to reduce these timelines, we've implemented a 90 day plan that began on October 1st. The plan includes contractor surge support in understaffed areas, increased training, internal procedures, and increased efforts to reduce production timelines. The key point here with industry is we wanna establish an external communication working group to make sure we update our customers to these changes and understand the criteria we're working with. So if you have any questions on looking for additional information on FCLs or processing questions on specific FCL processes, I'll share with ISU to share out with the attendees our email box and phone numbers that they can call about FCL timelines and other questions. So the big thing I'd like to, you know, that FCL timeline is really a huge effort that we need to work on right now but I do wanna address kind of the good news story for this past year. Really this last year was a lot of partnership and engagement not only with the UCSA and DOD but definitely with our industry partners and other federal executive branch agencies on the implementation of 32 CFR part 117. Huge effort and it was really a success story and good news this last year. We know that there's additional requirements that we need to work with industry to address areas of question or concern about consistency and how things are interpreted but I think we've come a long way this last year on implementing a major change to this problem on the implementation of the rule. So, you know, I'd like to hand that out as really a success story for industry, DCSA and DOD and other federal executive-based partners. So last August we had the 32 CFR implemented. Industry is one of the 32 CFR last August. Shortly afterwards in September there was a new security review model, new racing system. Later in the fall, sorry, was industry passed yet another huge milestone by reaching full enrollment of its cleared workforce in CD alongside with all DOD cleared personnel. In October DCSA introduced a new field structure to better accommodate its evolving security and mission landscape. Also that same period, the Digital Repository for ED Form 254, as Jeff Finich talked about, NCCS was sunsetted so we can implement the new system. In April of this past this year we transitioned from DIST to ENVIS. And I think one of the most important things we got to at the end of the year on the rule was in August of this year we deployed the unofficial foreign travel bulk upload capability as a DIST update. And that really closed out the implementation of the 32 CFR 117 from an operational perspective. So I think over the last year we've had a lot go on. There's been a lot of successes and a lot of efforts by all parties involved. And I'd just like to go ahead and thank everybody involved for all these efforts. It's a lot of success in enabling the protection of classified national security information in the NISP. And I think it's a way forward to show our best practices and what we do. The next is actually an update on field reorganization. And this is just a quick update. As many of you already know, Mr. Larry Vinson is the director of field operations and came on board earlier this year. Since then DCSA has hired three of the four new regional directors that are at the DISA level. And I think I want to footstomp this. So what does this mean to industry under DCSA oversight? There are no additional changes to which field office you were assigned or your assigned industrial security representative from the reorganization. Those changes already occurred. And we'll also make sure we keep NISPAC informed of any future changes. The last thing I have is, during the most recent clearance working group, industry addressed a few areas that require followup, which included questions on DD Form 254s, security in depth, security rating model and open storage. We've had staff coordinate responses and writing and we'll be sending those to the NISPAC for sharing with industry later this week. That kind of closes my talking points for today. But later in the NISPAC, you'll hear from Mr. Dave Scott on DCSA authorization metrics and Mike Ray on clearance metrics. I'll just hear your questions. Anybody have any questions for Keith? Okay, thanks Keith. Next we'll hear from Ms. Valerie Curbin, Chief of Policy and Collaboration, Special Security Director of National Intelligence and Security Center, Office of the Director of National Intelligence. Valerie Torres-Yors. Okay, thank you, Mr. Chairman. And also, many best wishes to you and your retirement when that date comes. And speaking also on behalf of NCSE, we really thank our partnership, thank you for our partnership and collaboration with ISU and also working together with us with that connection with industry. So thank you so much for your service and your assistance over here at OZNI. You're welcome. So let's see, so we have had a very busy spring over here at OZNI. And I think you all have heard or at least been notified of the various levels of policy that have come out. As you know, we work very closely with OPM, so us as the security executive agent and OPM is the suitability and credentialing executive agent. We have signed a few additional policies this spring and summer. So I'm just gonna touch a little bit on each of them. If you haven't received these or seen them, please get in touch with either myself or Heather after the meeting and we'd be happy to share with you. So we did jointly sign the federal personnel betting investigative standards that was in May, May 18th, it was jointly signed. And this is where we've established the three-tiered investigative model. So I think we have also discussed with everybody that the current tier system of the five investigative levels tiers will convert to three and it applies to those five scenarios for personnel betting. We have the initial vetting, continuous vetting, upgrades, transfer of trust and re-establishment of trust. And those are our distinct areas for reciprocity. And this type of information that is collected in those three investigative tiers will help the agencies make their trust determinations, whether it be a national security determination, a suitability determination, or a credentialing determination. So even though these have been issued, they are not effective at this time. We are currently working on the implementation guidance for the investigative tiers. What's really important is that these standards meet the critical milestone on our path towards full realization of Trusted Workforce 2.0. That model of different policies where we have started with that core doctrine and we have the guidelines and the standards, the next phase is getting to the implementation guidance. And this model will strengthen and empower agencies to ensure they have a Trusted Workforce, a mobile workforce, and that everybody is vetted in a timely process, a timely manner, which also will address risk. And we'll be able to determine things in a more timely way and be able to act on things earlier on than waiting those five or 10 years during the re-investigation cycle. So after the investigative standards were signed, we also worked to sign, our executive agents signed the common principles in applying federal personnel vetting adjudicative standards. So these common principles promote consistency and fairness in the adjudicative process. And it's to really go across all personnel vetting domains where you have your suitability, fitness, national security, and credentialing. In the suitability and credentialing side, there's still always going to be that five CFR 731, which is actually out in proposed rulemaking, but that's still always going to be the policy for making those adjudicative decisions. We on the national security side still use and apply Seeds 4. It is still the valid policy for making the adjudicative determination. But in the future, we will be looking at it and seeing if there's any updates that might be warranted. But for right now, there are still those two different standard structure, but these common principles really show what is the consistency and fairness in the process. And again, the emphasis for these principles really want to ensure we have accurate reporting and recording of a personal vetting action and that the terminations promote transparency and enhance that mobility and facilitate information sharing. So that was issued in July and then just this past September, we issued the federal personnel vetting performance management standards. So these management standards really establish the minimum performance measures and describes those key characteristics of quality management programs that will be used to evaluate personnel vetting. So when we as the executive agent or as Odini comes out as the security executive agent, we want to ensure agencies are in compliance and we want to ensure that everybody would be performing, say at the same level and that way with these new performance management metrics, we'll be seeing how agencies are doing and of course help them if they need additional assistance. But by assessing the success of personnel vetting programs, we're going to measure the efficiency, the effectiveness, fairness and risk in the federal personnel vetting enterprise. And these performance management standards will also enable policy makers and the department agency heads and program managers to really look at the data and see if we need to make improvements in any way. So that goes in line with our whole policy framework. It's an agile policy framework and we'll be able to make changes and adjustments along the way to see how effective we are and efficient in the vetting process. So those were three big policy documents that were just signed and issued. We are still working on other documents such as the national training standards and the training standards are gonna be, as you know, they've been established already since 2014, I think it is, but we are making, we did a gap analysis and to see where we need to make some updates. We'll be putting out investigative standards, I mean, I'm sorry, policy and the training standards for investigators, what they need to know and what they need to do and for those adjudicators, what they need to know and what they need to do to meet those training standards. And remember, we wanna make sure all investigators and adjudicators are doing the same job, they're doing things the same way and everybody understands what's required. So trust and workforce. I think you all have heard that we were going towards 1.25 last year, last September, and now we've passed a milestone of September 30 for having agencies get ready for their 1.5. So most of the key agencies, everybody I think who's on this call have certified to us that they have a 1.5 compliance program for continuous vetting. We will be doing that continuous vetting process in lieu of doing the traditional periodic re-investigation. So lots of great success on your part agencies and coming to us and we're really proud of all the success we've been working on together to get to this interim state of 1.5. So from ODNI's perspective, we're still working on a lot more things. There's a lot of moving parts. We're trying to keep you involved, engaged and informed of everything that's coming down the pike. And as Heather said too, the harder part now is the implementation and being ready for it and understanding the impact to industry as well as the government agencies. But we're all here together working on this. We have great partnership with industry and our other CSAs and seeing how to make this work and moving towards this whole new bull transformation and reform of trust and workforce. Two other things. We are still also working on the updates to standard forms. The thought is to have a new type of platform, kind of a combined format of all the investigative forms. And depending on the position and position designation and what's required, applicants will be filling out certain portions of the investigative form. So updates are being, well, right now we're in the final stages of getting it ready. It's gonna need to be posted into the federal register for public comment. So we will let you know when it does get posted for comment. And we've also made some updates to the implementation strategy. It was issued last April and we said that updates will be done iteratively as implementation progressed. So we've made some great progress and that has also been revised and updated to performance.gov for you all to see what has been done and also what more we have to do to get to full implementation. So we do appreciate all the feedback from our government partners and industry. And we look forward to greater precision in ensuring that all the policies and guidance out there is going to be effective for you all. So I think that's, oh wait, I do have one more update, I'm sorry, for the SF312, it's the non-disclosure agreement. I'm sure you recall, NARA made the change to the 32 CFR saying that the regulation has changed allowing for the digital signature on the SF312. So DNI is very close to submitting the changes, submitting a new form. We are working with GSA, we're gonna have to work with them to make sure the correct form is updated and be available for everybody's use. But right now you can still use the current form but just giving you that update, we are hoping we will be done with those final stages of getting approval and submitting to GSA very soon. So I think that's it for me, Mark. If there's any questions, I'd be happy to entertain them. Okay, thank you, Valerie. That was a very fulsome record and I also appreciate your work on the SF312. Yeah. That's a really important change. All right, does anyone have any questions for Valerie? Okay, thanks again, Valerie. Thank you. Up next, sure, no. Mr. Rich Giussarend, Deputy Director of the National Security Services Division, Office of the Chief Security Officer at the Department of Homeland Security. Rich, floor is yours. Good morning, Mark. Good morning, everyone. Thank you very much. I also would like to thank you for your service and wish you the very best in your retirement. Thank you. I have two updates. One regarding the Cyber Security and Security Model Certification Program, as you point out, DHS is still monitoring DOD's implementation for any outcomes, lessons learned. We're also looking at evaluating the cyber hygiene practices for vendors by the use of self-assessments to evaluate cybersecurity posture of agency contractors rather than conduct third-party assessments. That came directly from our National Cyber Security Division Director, Mr. Dennis Martin. So in a nutshell, we are still evaluating CMMC 2.0. Regarding Trust Workforce 2.0, DHS continues to implement Trust Workforce 2.0. To date, DHS has enrolled about 85% of the national security eligible population into the ODNI Continuous Evaluation System. Additionally, the apartment continues to work with our components. The Department of Planning to have 100% of the population, both National Security and Public Trust, to include low-risk positions enrolled in RAPDAC by the end of FY23 4th quarter and complete enrollment of a RAPDAC eligible population no later than December 31, this year, 2022. By completing these milestones, it's gonna allow the Department to begin replacing periodic re-investigations and receive immediate notifications of arrests or other issues in real time to provide early detections of risk and mitigating threats. And that's all I have. Once there's any questions for us, anyone have any questions for Rich? I hope, thank you, Rich, I appreciate it. The next update, oh, you're most welcome. Yeah, the next update we will hear from is from Ms. Natasha Sumter, Program Planning and Management Team Lead, Office of Security with the Department of Energy. Natasha, the floor is yours. Good morning, Mr. Chairman, and I appreciate the introduction. Good morning to the NISPEC members and the meeting participants. We appreciate the opportunity to provide programmatic updates to our community. To you, Mr. Chairman, thank you so much for your leadership and your efforts to bring government and industry partners together to address and resolve challenges and often achieve programmatic updates and enhancements. We wish you much success. Thank you. So regarding the updates from the Department of Energy, first, thank you to Valerie Curbin and the team out at ODNI for providing the update concerning the SF312. The Department of Energy has actually issued a policy clarification to our community to allow our folks to actually conduct the digital signatures on the SF312. So many of our organizations and sub-organizations are actually doing that now. So we appreciate that update. Concerning some of the questions that were brought to our organization, regarding the cybersecurity maturity model certification, Department of Energy is currently not participating in that and we currently do not intend to do so. For the Trusted Workforce 2.0, we are making great strides in that direction. We are implementing that program and we are beginning to see some cost savings as the periodic reinvestigation requirements are beginning to go away for that. And let's see, my computer has frozen. I'm the one in my organization that always has computer issues. So please bear with me if it takes me a moment. So also concerning the outlook on the return of investments from Trusted Workforce 1.25, 1.5 and 2.0, those cost savings that I mentioned, they are allowing us to focus those funds into other areas because we are incurring new costs associated with continuous vetting of our low risk and non-sensitive public trust positions. Unfortunately, we don't have that data right now to share with you concerning the actual cost savings. However, we anticipate being able to share that information in the future. Regarding the timelines concerning processing facility security clearances, PCLs, et cetera, you will hear more about the metrics concerning personal security clearance processing later on in this discussion. Today when we provide our clearance working group updates but concerning the processing time for facility security clearances, there are quite a few variables and other scenarios that impact the processing time. In a perfect world, it would only take about six months to actually process a facility security clearance. However, because of those variables and other intricate details concerning key management personnel or key managing officers, security clearances themselves, exclusions, it could really take some time to work through those processes. So we can't really give an average time on processing FCLs. We do not currently have any Department of Energy Acquisition Regulation changes on the horizon. So right now it's status quo. However, we do have some changes to DOE order 470.4B that were mentioned a couple of NISPEC meetings ago. Those efforts for updating, actually rewriting the order are currently underway. There are two integrated project teams that are splitting the order into two new directives. We anticipate this project taking approximately two years to complete. But once this project has been completed, we will provide that update and any significant changes along the way that will impact our community. Excuse me. Finally, concerning any continuous improvements or lessons learned to share with the community, we don't have any additional information at this time. So barring any questions for me, this concludes the Department of Energy CSA updates and I turn the floor back over to the Chairman. Thank you so much, Natasha. Anyone have any questions for Department of Energy before we move on? Okay. Next we'll hear from Mr. Dennis Brady, Chief Security Management and Operations Branch giving the NRC's update. Dennis? Mark, NRC will not be calling in so we can move on to the CSA. My paint by the number of talking points here, let me scratch that out. I should have picked that up earlier ahead of, thank you. Okay, next and last before we take a break, we'll hear from Don, Chief Office of Security Policy giving the CIA's update. Don, floor is yours. Good morning, Mr. Chairman and members from CIA's perspective as far as timelines for investigation and education. Over the past 20 months or so CIA's industrial program has reduced its overall case inventory of all types by 55%. In addition, we've reduced the cycle times for several of our key case types by 100 days. And then during FY22, the industrial program set new monthly, quarterly and annual records for production. And this was conveyed to our industry partners at a conference in McLean back in September. Despite a significant increase in crossover requests over the past three fiscal years, CIA's industrial program continues to process clearance crossover requests in one to three days and nearly 88% are immediately approved. The other 12% of the cases require additional security processing and may not be completed in the typical time of 24 to 72 hours. And then on another front, CIA's Office of Medical Services now conducts medical evaluations for incoming contractors who are being submitted for staff-like access, so equivalent to full-time career staff officers. And so it's very similar to what we do for our own officers as far as medical evaluations. As far as process improvement efforts, our one primary continuous improvement effort and one that is an ongoing project is the development of a new case management system that will replace our legacy system. And this should result in some improvement of timelines. The system is expected to be deployed with the industrial program in sometime in FY23. And then finally on Trusted Workforce 2.0, the agency continues to look for ways to evolve our business in the context of Trusted Workforce 2.0. The initiative and within the Federal Investigative Standards and Adjudicative Guidelines as they're published. And this is particularly true in areas related to continuous vetting practices, adjudicative thresholds, and general timeliness. And that's everything I have for now for CIA. Thank you. All right, thank you, Don. Anybody have any questions for Don? All right, hearing none, what we're gonna do right now is take a five-minute break. I've got 11.25 on my watch here. So within five minutes or so, around 11.30, we will start back up and wrap up our meeting for today. So I'm gonna temporarily adjourn for five minutes, right? All right, we're now moving into the portion of the meeting where we get reports from the NISPAC working groups. However, we will not be discussing all of the working groups this time. We've provided slides with highlights of all of them. We will only be hearing about the clearance working group and NISP information systems authorization, also known as NISA working groups at this time, right? I'm gonna turn it over back to Heather, yours. Thank you, Mr. Chairman. You've already heard from some CSAs and CSOs on the high-level points of what was discussed during the clearance working group on August 31st, 2022. We will also hear from DCSA for their security clearance and information systems metrics along with metrics from VOE. The NRC workload and timelines performance metrics have also been emailed to all participants. We are now going to hear from Mr. Dave Scott, the NISP authorizing official for DCSA's information system update. Dave? Yes, thank you and good morning, everybody. I've got two slides to brief you today. One is on national metrics and then other on a triage process that I've talked to you guys earlier about. Looking at a year in review from FY22, I'm really, really happy to report. One of the major items that we looked forward to doing this the course of the past year was a reduction in our systems, really cleaning up our database and partnership with industry and also internally. This time last year, we had a total of 6,420 systems. I'm happy to report as of October 1st that number was 5,634. That was due in large part to a lot of cleanup of systems that had previously expired, not closing out the risk management framework process and then following through on decommissioning or when systems are no longer active for use or required for use per contract. That in turn reduced our overall footprint of users in the database of record of EMAS from over 4,000 a year ago down to about 3,500. So we're happy to report that. This year our authorizations for FY22 were just under 3,000 or around 2,918, which is a reduction of 3,400 the previous year. The previous year increase was due in large part due to COVID and a lot of kind of the cycle of six month authorizations. This past year we made a big effort to get out on site and to reduce our footprint of conditional authorizations and move towards full three year authorizations. And on the left hand side of the chart we had you can see the ATO and ATOC breakout, I'll bring out to light. This time last year, three year authorizations were sitting around or full authorizations around 54%. You can see the significant increase up to about 61%. And that's again, due in large part to us getting out there back to industry, assessing the risk and making those full determinations. And then also a reduction in pending risk or conditional authorizations down from about 20% last year to 16%. So we're happy to report that as well. And then in large part to the partnership with the NISA working group, we made a significant change into our system in January of last this past year where industry wanted transparency into our database of record of EMAS where they could see the full life cycle of their packages from start to finish. And then also we wanted the capability to provide a better national metrics and then also for workload management internally. Due to large part, the transition happened in January. I'm not unable to provide FY22 metrics, but we can provide a snapshot of about 700 workflows as of October 1st, where our DCSA time, this is calendar days, it's 61 days for us to make an authorization decision. And our goal within the published app is 90 days, so we're well within those goals. And we're gonna continue to come up with process improvements throughout the year through our EMAS application in order to continue to strive towards consistency and also enhance timelines. A little break out of the authorization workflows, again, these are active workflows, not FY numbers, is for our three-year authorization decisions, those are around 51 days. That's where we do a complete package review, onsite review and make an assessment recommendation for an authorization is about 51 days. You'll see the days for an extension on the slide is around 70 days. That is due in large part, that's a tool in the authorization officials toolbox where we may need to get some additional resources, we may need to get on a plane, or maybe we're waiting for a last-minute item that we need to close out prior to making that authorization decision, and we can extend the current authorization. And those decisions are made a little bit closer towards expiration, which is why that's a 70 day and a little bit higher than the other number. Moving on to the next chart. We have provided national triage metrics. We at our headquarters level have contractor staff called a scholar, secure compliance assessors, their contractors, and they review the incoming packages from industry. And this is a process that we stood up a few years ago to really improve consistency and timeliness. And it's really starting to show the goodness of this work at the triage process. This past year, from a national metrics perspective, these are FY22 numbers. We had 8,642 packages that have gone through our triage process. Now, this number is significantly higher due in large part because of the January 2022 workloads, that modification that we made. And that's why we had thousands of packages we sent through the workload all at once. And that's why there was no triage conducted on those. And that's the 2,593 number. But we'll start to see throughout the FY, we'll have a better metrics to report as far as the actual triage coming in and going forward and then also return for rework. The top three items, return for rework from industry. Again, this is kind of the step one. This isn't a true assessment. This is making sure that packages are complete and following our published job aids. Our implementation plan, our improper complete implementation plan, test results, not completing the test results or satisfactory in order with the job aid. And then missing artifacts, which is simple as providing contractual work, such as a DD254. And then also missing hardware-based lines, software-based lines, simple items. And then also just kind of to wrap it up from the triage process, from a comparison from FY22 to FY21, we're really starting to see the return on the benefit of having the triage in place. When we first started, it's not on here but on the page, but when we first started, we had significantly higher return, packages returned well over 50% and I think it was closer to 60, 70%. And you'll see in FY21, our return for rework was 36%. And then we've improved drastically reducing that number down to 28% in FY22. And that's in large part to a partnership with industry and industry submitting good, clean, consistent packages throughout the year. And then also in addition, due to the fact that the packages to coming in from industry are really much better, more complete and accurate, our timelines have been reduced for a triage from FY21, which was nine days down to now four days. So that I'm happy to report that we'll continue throughout this next FY, we've got additional plans and upgrades within EMAS to really improve a product metrics and consistency throughout this FY. And that is all I have to report pending any questions. Okay, thank you, I really appreciate that. All right, we are now going to hear from Mr. Mike Ray, Deputy Assistant Director of Operations of Vetting Risk Operations with DCSA for their vetting statistics. Mike? All right, good morning everybody. We'll start off with the investigation inventory and timeliness. For the investigations program as a whole, the inventory continues to remain within a stable state. You can see the inventory of industry cases is at 26,000. Going down the slide there, the timeliness for industry for T5 initials for FY22 Q4 is 121 days. That is an improvement, a 72-day decrease from 193 days into end in Q1. For the T3 initials for FY22 Q4 into end is 95 days and that is a 23-day decrease from 118 days into end in Q1. On the next slide, we'll talk about the CAS updates. You can see on slide one from the upper portion of the slide, the DCSA current adjudication case inventory stands at approximately 26,000 cases. This includes all types of customer service requests, incident reports, peer background investigations and continuous vetting alerts. The DCSA maintains stable inventory levels for the past two fiscal years. The expected fiscal year 2023, that inventory may increase for the increasing derogatory nature of work associated with remaining inventories of periodic re-investigations, continuous vetting alerts and incident reports. You can see on the lower portion of the slide in FY22, DCSA adjudicated just over 184,000 cases. The output as you can see here has been relatively stable for the past two fiscal years, which is a trend that we expect to continue into the foreseeable future. Moving on to the next slide, the adjudicated timeliness for initial peer background investigations, T3s and T5s is at 21 days and seven days respectively as provided in the upper left-hand corner of the slide. Of note, due to the firmament of eligible periodic re-investigations into continuous vetting, periodic re-investigations inventories have drastically reduced. Coupled with the increasing derogatory nature of the remaining cases, we expect periodic re-investigation inventories will continue to remain above our timeliness goals until the remaining inventories are depleted. At the bottom of the slide, you see nearly half of all of the miles of revocations executing FY22 were initiated by a continuous vetting alert or incident report. Please continue to send in those incident reports, the self-reporting is important. Our top reasons for clearance denials and revocations continues to be financial considerations, criminal conduct, personal conduct and drug involvement. For reciprocity, even though it's not displayed on the slide here, we are delivering sustained performance in our reciprocity portfolio, delivering reciprocity decisions on average within one to three business days. That's from submission to decision, a vast improvement over our performance two years ago. And for the next slide for VIVRO updates, the total FY22 investigation request submission for a 207,000. 90% of all investigations had an interim determination on average within seven days. FY22 incident reports treeouts were at 20,000. FY22 customer service requests were at 54,000. The industry population is enrolled into Trusted Workforce 1.5 and VIVRO supports additional guidance on how to enroll individuals through submission of an SF-86 at five-year intervals and also how to verify enrollment. The SF-86 submission provides updated information that supports the success of the CV program. Post-enrollment alerts are generated based upon established thresholds which align with federal investigative standards and adjudicative guidelines. CV is impactful as we average by the 6% alert rate. Criminal and financial are the most valid, actionable alerts. And in FY22, we received 45,000 industry alerts of which 18,000 or 40% were not previously known and that's from 31,000 unique industry subjects. Please note that this information should have been self-reported as our goal moving forward is to have individual self-report information as it occurs. And pending any questions, those are the updates from the CWG. Thank you very much, Mike. Anybody have any questions for him? All right, if not, we'll turn to again to Ms. Natasha Sumpter, DOE for her metrics. Natasha, floor is yours. Thank you, Mr. Chairman. On behalf of Mr. Tracy Kindle who is the Department of Energy, Personnel, Security, Policy, Program Manager, I have these updates for you. So going on to the next slide, please. Excuse me. So as you can see on the chart, the overall or overall DOE has met the average timeline metrics over the past four quarters. So this is definitely a good news story in comparison to some of our other slides that we have provided over the last year. So next slide. For our tier five initials, we've met the ERPTA goal of 11 out of 12 months and we expect this trend to continue in the positive direction. Next slide. So for our tier three initials, we have met the ERPTA goals 12 out of 12 months which is another good news story for the department. And again, we expect this trend to continue moving forward. Next slide, please. For our tier five re-investigations, we've met the ERPTA goals 11 out of the 12 months and this is an improvement from our last briefing to the NISPAC where we met the ERPTA goals for over the last nine to 12 months. So yet the department is continuing to improve our process times. Next slide, please. For our tier three re-investigations, we had a hiccup in June of last year but we have since resolved that and it has been smooth sailing in the upward motion. So pending any questions, this concludes the Department of Energy's clearance updates. Thank you, Natasha, appreciate that a lot. Any questions for the DOE on their metrics? All right, I see next Heather would be in RC but we're gonna be getting those later. So now let me turn to Mr. Perry Russell-Hunter from the Defense Office of Hearings and Appeals, also known as DOEHA. Perry, forward yours. Thank you, Mark. And I would like to start out by recognizing the exceptional federal service of the chairman and Mr. Chairman and members if I may, I just wanted to say how much I appreciated your leadership, Mark. And for those of you who do not know this, Mark is also a prolific author and I am eagerly looking forward to reading whatever books he writes in retirement. I appreciate that very much. You too, God, but still. So with that said, I really appreciated getting to follow up, I pray, because the reports from Vero are very encouraging. There is no question that with continuous betting now being the order of the day, since thanks to trusted workforce reforms and replacing the periodic reinvestigation, we are now finding adverse information sooner. What that means is that potentially, as Mike pointed out, as we run toward, as the COD cast runs toward the end of their inventory of PRs to look at, they are going to be getting more of the cases that have the derogh because those were the issue cases that took more time to resolve in the first place. But also, as Mike pointed out, the financial and criminal cases are not only the most frequent CV hits, but they are also the ones that had the highest validation rate. What that means for the due process end of things is that we will see an increased number of cases with potentially disqualifying information. I say potentially because this is where the new investigative standards come in. And if I may quote from the new investigative standards, the risk is effectively managed by promoting information collection of both positive and negative information to assist national security, suitability, fitness and credentialing adjudications in making a whole person trust determination. And also from a separate section that ISPs must conduct any required additional investigative actions to collect and review all the relevant and available facts and documentation sufficient to resolve the issues that are found. So I'm gonna really foot stop this because issue resolution is the way of the future because the CV or CV hit gives us only a fraction of the information. We're getting it much sooner than we would have otherwise with a PR, but there is still that rest of the story to be told. So with that, I wanna turn to two of the great successes of recent time of Doha working together with the DCSA CAS. Number one, we are timely with all of the legal reviews of industrial statements of reasons and that means that notice is getting out timely to industrial cleared and would be cleared employees about what issues have been found. So that's good news. The other good news is that the CAS is working on an initiative whereby they're gonna start issuing conditional clearances in industry and that is with the full support of Doha because one of the clearance reform principles that we've all worked toward is the idea of being able to resolve cases at the earliest possible point in the process with the fullest information. That not only helps us reduce timelines, it is also the most efficient and effective way to proceed. And so while we have the advantage of learning more information sooner, that really makes it incumbent on all of us throughout the process to do robust issue resolution and I'm happy to report that the Doha and the CAS stand ready to continue to innovate in that area. Speaking of innovation and this is my last point, we are holding more due process hearings than ever before and that means that we're traveling more than we have in the past two years for in-person hearings. We're also holding a lot of in-person hearings, both at our Woodland Hills telework site and in our main headquarters in Arlington. But in addition to that, we are also holding more cases than ever over remote video teleconference. We're using a secure DOD version of Teams, which is obviously a secure where other remote video platforms like Zoom are not. So we're protecting PII, but at the same time, we're able to get to you virtually, if not literally sooner. So that concludes my report and I'm happy to take any questions. Thank you so much, Perry. Anyone have any questions for Perry about Doha? All right, up next is Ms. Heather Harris, Acting Associate Director for the Controlled and Classified Information Program at ISU. Heather, floor is yours. Thank you, Mr. Chairman. Implementation efforts of the CUI program continue. It is still a requirement to safe and handle CUI in accordance with Executive Order 13556 and 32 CFR Part 2002, the Implementation Director for CUI. One of the highest priorities of ISU as a CUI Executive Agent is getting CUI Federal Acquisition Regulation Case, also known as a FAR clause issued. This will create a common mechanism to communicate which information contractors create for and receive from the federal government that must be protected, how to protect it and who it can be shared with. Currently, laws, federal regulations and government-wide policies already mandate these protections. Once the FAR clause is issued, it will be a standard vehicle for conveying whether CUI is involved in the contract and what the existing requirements are for safeguarding it. The CUI program uses the most common existing information security controls, the federal information processing standards, also known as SWIPS, Publication 199, moderate confidentiality impact level as the standard for systems containing CUI. We worked with the National Institute of Standards and Technology, also known as the NIST, to incorporate these requirements into a contractor-specific environment and framework using NIST Special Publication 800-171, which reduces the control contractors need to implement. If there are any questions about CUI, please direct them to CUI at nira.gov. All right. Thank you, Heather. Appreciate that. Okay. We're now at the point in the meeting where we ask for NIST PAC members to present any new business they may have. Anyone wish to have the floor? All right. The new business. All right. Do any other committee members have any questions or remarks before we close out this meeting? All right. I have just a couple. I wanted to thank you all for being such great colleagues and wonderful public servants. I'm going to retire right now, June 1st of 2023. Looking forward to it. And it'll give me about 38 years of working in the government and out. I started out as a young CIA officer in Pakistan not too long after the Soviets invaded Afghanistan and went up to the Hill for a bit and worked for Daniel Peckin, one of him, had a sojourn as a public defender in D.C. And then went to DOJ right when 9-11, 16 years and then came to ISU thanks to President Obama's appointment in December 2016. So I've had a good, fulsome career. I've done a lot of things and pleased to have served my country and have met such wonderful colleagues. One of the reasons I'm retiring now is that this job requires two things. It requires being nominated by the Office of the United States and it requires presidential approval. And whether we're gonna have a continuation of this administration or another one, I wanted to give the powers and be ample time to pick another director of ISU because I think the position is too important to language. So I wanted to give everybody plenty of time to get the ducks in a row and get this seat filled. So anyway, if you're ever down in Shenandoah Valley, please don't hesitate to look me up. I hope to be in Lexington, Virginia where I went to college, a nice college town. So I'm looking forward to writing a third book and watching you all keep the country safe. So with that, our next, or your next, this back meeting, I won't say hour anymore, your next next, this back meeting is scheduled for Monday, June 5th, 2023. Meeting will be a hybrid of in-person and virtual the day before the National Classification Management Society or NCNS Annual Training Seminar in New Orleans. As a reminder, all this back meeting announcements are posted in the federal register approximately 30 days before the meeting along with being posted to the ISU blog. I certainly sympathize or heard, Jeff Fincher's remarks about having in-person meetings are absolutely critical. But one of the oddities about the National Archives is we are open to the public. Our building is, you know, annually visited by hundreds of thousands of visitors from all over the world. And that we had an active COVID case reported today. So, you know, we're a bit unusual in that, but that said, I mean, I think that God willing, and if these vaccines work, we should be able to begin to meet in person. I would hope, you know, very, very soon. I'm trying to hold a state-local, tribal policy advisory committee meeting in January in person. So, that would be a nice kickoff. So anyway, with that, I'm going to adjourn the meeting and again, thank you all for your wonderful public service. Goodbye.