Welcome, and thank you for joining today's National Industrial Security Program Policy Advisory Committee meeting, also known as NISPAC. To receive all pertinent information about upcoming NISPAC meetings, please subscribe to the Information Security Oversight Office's Overview blog at isoo-overview.blogs.archives.gov or by going to the Federal Register. All available meeting materials, including today's agenda, slides, and biographies for NISPAC members and speakers, have been posted to the ISOO website at www.archives.gov/isoo/oversight-groups/nispac/committee.html and have also been emailed to all registrants. Please note, not all NISPAC members and speakers have biographies or slides. While connecting by phone is necessary to attend today's meeting, there is no requirement to log on to WebEx. However, you are welcome to join WebEx with the link provided with your registration as all available materials will be shared during the meeting on that platform. If you have connected through WebEx, please ensure you have opened the Participant and Chat panels by using the associated icons located at the bottom of your screen. If you require technical assistance, please send a private chat message to the event producer. All links will also be shared periodically through WebEx Chat. Please note, all audio connections will be muted for the duration of the meeting with the exception of NISPAC members, speakers, and ISOO. We are expecting a fairly large audience today. Because of this, we will not be taking questions from the public over the phone. Please email your questions and comments to nispac@nara.gov and someone will get with there. Only ISOO and NISPAC members will be authorized to ask questions throughout the meeting. At the conclusion, a survey will be provided for feedback. If you would like to be contacted regarding your survey responses, please include your email in the comments box so the NISPAC team can get back to you personally.
Let me now turn things over to Mr. Mark Bradley, the Director of ISOO, as well as the Chairman of the NISPAC.
Thank you so much, Madam Producer, for your kind introduction and your instructions. Good morning, everybody. Welcome to the 68th meeting of the NISPAC. This is the fifth NISPAC meeting that is being conducted 100% virtually. This is a public meeting. Like our previous NISPAC meetings, this will be recorded. The meeting, along with the transcript and minutes, will be available within 90 days on the NISPAC reports on committee activities webpage mentioned earlier by our event producer. We're planning on a five-minute break in the middle of the meeting, which I will flag as we move closer to it. I will now begin attendance for the government members. I will state the name of the agency. The agency member will reply by identifying themselves by name. Once I have gone through the government members, I will then move over to the industry members. At the end of the industry members, I will then proceed to the speakers. All right. ODNI. Good morning, Mr. Bradley. It's Valerie Curvin here. Good morning, Valerie. Department of Defense. Hi, Valerie. Brad, thanks. Department of Energy. Good morning. Natasha Sumters here. Morning. NRC. Dennis Grady. Morning, Dennis. DHS. Good morning, everyone. This is Rich DeGiofferin. Good morning, Rich. DCSA. You're faint there, but I got it. CIA. Good morning. Felicia here. Morning, Felicia. Department of Justice. Good morning, Kathleen Berry. Good morning, Kathleen. NSA. Brad Wetherby from NSA. Good morning, Brad. Department of State. Ken Barger, State Department. Good morning, Ken. Department of Air Force. Good morning, Jennifer Plain, Department of Air Force. Good morning. Department of the Navy. Department of the Navy. Please identify yourself by name, please.
Yeah, Department of Navy, Steve James, primary representative. Alright, thank you, Steve. Department of the Army. Alright, I'm going to now turn to the industry members. Heather Sims. Yeah, I'm sorry. Beth O'Kane from the Army. Oh, okay, great. Thank you. Alright, I'm now going to turn to the industry members. Heather Sims. Heather Sims, industry, present. Great. Rosie Taburio. Rosie Burrero, present. Great. Cheryl Stone. Cheryl Stone, present. Great. April Abbott. April Abbott, present. Morning. Derek Jones. Derek Jones, present. Great. Tracy Durkin. Tracy Durkin, present. Great. Greg Sattler. Greg Sattler, present. Right, now I'll do a quick roll call for the speakers to make sure we get everybody lined up. Eric Person. Yes sir, good morning. Eric Person's here. Good morning again. Chris Highleg. Good morning. Chris Highleg. Good morning, Chris. Bob Mason. Good morning. Bob Mason's here. Good morning, Bob. Chris Pollock. Good morning. Chris Pollock is here. Great, Chris. David Scott. Alright, Donna McLeod. Good morning. Donna McLeod is here. Alright, Paul Dufresne. Good morning, Paul Dufresne here. Terry Russell Hunter. Terry Russell Hunter for Doha is present. Alright, thank you, Terry. If anyone else is speaking during this talk that we've not heard from or I did not know about, please speak now. Mark, this is Greg Pinoni. Just for the record, our colleague sitting next to me, Jeff Spinninger, is here and he is representing the Department of Defense. Okay. Morning, Jeff. Alright. Again, we requested everyone identify themselves by name and agency applicable before speaking each time because this is being recorded and as you all know, we do a transcript. It just makes it a whole lot easier for us if you don't have to try to guess who actually talked. I want to provide everyone with our agency's quick COVID update. For a month now, we've not had any restrictions on in-person meetings for now, the staff and all in our buildings.
However, most of our staff is still teleworking, although we are moving into much more of a hybrid state, as I'm sure a lot of you are too. We do not yet know if large gatherings such as the NISPAC working groups and the next NISPAC will be in person because D.C., Washington D.C. is now at a medium COVID transmission level per CDC guidelines, but obviously we will keep monitoring that and I personally hope very much we can dispense with this virtual meeting and move into actual face-to-face like we used to, but that's to be determined. Additionally, we've had a few changes to the NISPAC's membership. Dr. Jennifer Obanier, the primary with the Navy has left. She's replaced by Steve James, who's on this call. Additionally, the NSA alternate Shirley Brown has also departed. She's been replaced by Blaine Gucci. The NSA primary, I'm sorry, the NASA primary, Kenneth Jones has departed as well. At this time, her replacement has not yet been designated. Lastly, but also critically for us in ISOO, most of you know Greg Pinoni, the designated federal officer for the NISPAC. This will be his last NISPAC meeting before he retires this summer after over 42 years of federal service of which more than 17 of it was spent here in ISOO. Greg has been an integral part of the NISP community. He's been a marvelous deputy. I couldn't have asked for a better one. He's just virtually indispensable. To say he will be sorely missed is an understatement. Greg, thank you for your dedicated lifelong service. Obviously, we wish you the very best. We look forward to continuing the work that you've done most of your professional career.
Thank you, Mark. Good morning, everyone. It's been a pleasure to be involved with NISPAC many all these years and even before when I was with TOD. Partnership is invaluable. I think many of you that know me know that I've embraced that from the beginning. It doesn't make sense to do it any other way to involve critical stakeholders.
I hope to continue working with all of you. I do have a couple of things. While we didn't have any real formal action item from the last meeting, we did have one and then there's the NISPAC minutes which were certified from the last meeting to be true, correct, accurate. That was finalized on February 2nd. And the next item was a colleague from DOD recommended that we return to three meetings a year. And while we think that's a great suggestion, we are not in a position at ISOO to do that at this time. It kind of falls in line with another item I wanted to mention. We have two vacancies right now and have those filled by the time we have our next NISPAC meeting, which will probably be in October. Once the dust settles on that, hopefully we'll be better resourced to consider returning to the three meetings a year, which I think is an excellent idea. By the way, this is about two and a half years since we've had sort of a semi-live meeting and, to paraphrase Frank Sinatra, it's nothing like having live meetings. It's good, but we have to deal with the technical stuff as well. We have those two vacancies. One is for the CUI lead in ISOO. Heather Harris-Rickman, who has been doing a great job on the NISP work, is the senior lead for that in ISOO. She's wearing both hats right now, and she's doing a great job helping out with our CUI. We have to have that position filled. And then we also have a Chief of Staff position open. One last thing you should know. Someone, shall I say, more noteworthy than me, is retiring effective April 30th, and that is the Archivist of the United States, who served for more than 12 years. And so we'll have an acting Deputy Archivist, Edward Steele-Wall. We'll act for all the long it takes the Senate to nominate, and from the President to nominate, and the Senate to nominate the new Archivist of the United States. David has been a great advocate for openness and use of technology to convert records to digital.
And, you know, you may ask, why ISOO and NARA? Well, at the end of the life cycle, classified information, it gets declassified, right? Made available to the public. So that's the core of NARA's mission is openness and records. So with that, are there any questions? Thank you. I'll turn it back over to the Chair.
No, thank you, Greg. Just time. We'll now introduce our speakers for updates. I'm going to go to Ms. Heather Sims, the NISPAC industry spokesman, who will provide the industry update. Heather, the floor is yours.
Thank you. Heather Sims, industry speaking, and it was sure much easier doing this in my basement in my PJs, the past four times, I'll say that. Definitely a lot different acting field. It reminds me of that I'm truly representing industry in this role. It's definitely been a long two and a half years. I have a year and a half going on the NISPAC. But it's definitely been a pleasure representing you at the national level. It's not easy by any means. We do want to thank the other industry NISPAC members, for all the countless hours that we're on the phone and we're collaborating, making sure that we're truly representing industry at large, on the small, medium, large companies. And this year, we're trying to be more transparent in our efforts. There's many companies out there that are not represented by the MOU that support us. So we did create a newsletter to talk about who we are, what we are, and what we're trying to do. We pushed it out through all five CSAs to make sure that we're reaching those companies who have no idea they're represented at the national level of the policy. So if you know somebody who doesn't know about MEIA, all the MOUs that are out there or what industry NISPAC does, please send them off so we can make sure we can get them involved one way or another. I also want to thank the MOU members to the industry NISPAC. Without you, we wouldn't make sure that we have that industry's voice collected.
It starts with the working groups' collaboration, making sure we get the right people and the right working groups with the right skill sets. So thank you for sending those names so quickly along the way. I also want to thank Greg Pinoni for your years of service. I was a little lost when I first started, so he gives me the vector checks that I need to make sure that I'm doing the right thing along the way. So thank you, and happy wishes on your retirement. I also want to thank, and I know Matt is in the room, and you're going to hear from him later. So we started something about two years ago that wasn't done in the past, making sure that industry had a voice proactively when it comes to national level policy, specifically talking about personnel security reform. So Matt, thanks for continuing this collaboration with industry to review those documents for historic personnel security reform, so we do appreciate that. I want to be mindful. We talk a lot about DOD, DCSA, on the stage about what's going well, and sometimes what's not going so well. There are four other CSAs out there, and I want to thank them along with DOD. We do have issues, we have concerns, we have to reach out to them. Thanks for your quick responsiveness. It really truly matters to get industry responses to the questions or guidance of limitation in a quick manner to make sure that we're doing the right thing. And speaking of DOD, and in this case, DCSA, past year we worked collectively in industry, and hopefully you were reached out to collect what was going well with the 32 CFR implementation. We rolled up an industry report, an after-action report of how well the 32 CFR rolled out with DOD oversight implementation. And we sent that in to DOD, to DCSA, as a guideline on things that we can work on together. What needs to be further clarified in that 32 CFR. I don't know if anybody else read it as many times as I did, but it is not an easy read.
And every time I read it, I find something different that I thought I knew. So thanks to DCSA on providing that quick, clarifying guidance when we need something in the industry to make sure we're doing the right thing. If you haven't seen that after-action report, I'll make sure you have it before we leave the conference. It is, we want to be transparent, we want to make sure that we're providing the results of the collection from industry as far and wide as possible. We're going to try to continue that trend every year on what's going well and what's not going so well, so that we can share those lessons learned and not repeat the issues from our past. So thank you all for who provided those in. Now, those who know me and heard me speak before, I will always say good things, but then I'll always put a little thing that we can do better in there and then I'll roll that up with some good things. So while things are going really well and we have some good collaboration going on, we can still do better. And I'm going to talk about, we have a lot of discussion about NBIS, but I'm going to open that up just a little bit more. That's every system that the federal government provides that industry has to touch. We have to do better to make sure that we have a strategic plan. We have to have a great communication plan, and that plan has to cover how we're going to interface with those systems at every level. Oftentimes, industry's an afterthought; system requirements are built for government stakeholders, not necessarily industry stakeholders. We have to do better. I myself came from the government. I thought I knew what industry needed, rude awakening when I came out and couldn't get into this. And after four months, it was pretty difficult. So making sure that we're testing in our environment to make sure that it works for all industry partners that are out there.
Many of us spend countless hours doing administrative work typically to fix the system that we didn't create. So I will say that I didn't talk all about NBIS, but any system that the government provides to us, we really need to do a better job there. I will say one of the issues that we're really concerned about now is the JPAS to DISS transition. We surveyed about 200 and approximately 250 industry companies, and it was well into the millions of resources and man hours that industry had to eat up the cost to help get that data integrity in that system correct. And our main concern right now is that's going to be the same for the DISS to the NBIS transition. So while we're trying to meet a timeline, we want to make sure that we have an effective trusted system that industry does not have to fix our own data. So without a doubt, we all want to get to one system pretty quickly. We don't want to operate in two systems, but again, we want to make sure this system works. Now on the positive thing, there has been tremendous amount of work done on the personnel security front. I remember coming to the conference as a government member, and that is all we talked about, how bad the personnel security investigation process was, how bad the adjudication process was. So thank you to, I will say, DOD at large, and specifically BRAF adjudication and the personnel investigation piece of that. Tremendous ground has been made, and industry does appreciate that. I talked to Heather Green a little bit last night. She looks more relieved at these conferences now, right? Not in the hot seat. So that's a lot of work. Industry was instrumental in making sure the improvements were made there as well. Not that we're going to keep our eye off of those timelines, and I know we talked often about reciprocity and transfer of trust, but I'm very hopeful that Trusted Workforce 2.0 will get us to where we need to get to.
But keep in mind, I learned just the hard way also is industry can move at a very fast pace. Government does not move. So I'll be retired probably once we get to SOC on Trusted Workforce 2.0. So hopeful, I will say. And with that, a couple other things that are going very well. The collaboration, we did have the DCSA stakeholders with the deputy director of DCSA last week. So we're looking for more engagements like that so we can actually engage and not be briefed. So looking for that two-way conversation so we can bring it up what industry's issues are, and hopefully how to come up with some solutions of how we can solve those. So thank you to all the five CSAs, DOD and DCSA for all the hard work this year working together. But I will say I'm not done. I know you're ready for me to end there. I'm going to point my attention to industry. We have to do better speaking as a collective voice. Often we're talking in different voices, different priorities, and we are going to have different priorities. But when we're talking at the national level, a legislative level, we have to be able to speak with one voice. Speaking from personal experience, after I heard multiple complaints from multiple people, I tuned it out. Because when everything's important to industry, nothing's important to industry, nothing's important to government who's trying to help us resolve that. So we have to do better. We have to lay the foundation to have a strong, united industry front when we're communicating with our government partners. And we talked a little bit yesterday about how industry is going to be represented at those levels. And expanding the aperture a little bit outside of the industry NISPAC members, being more inclusive of the MOU members. But I will say for those that come behind me, we need to really clarify and tone up those three priorities, three to five priorities, and really concentrate on those.
I will say from personal experience, I am employed full-time by L3Harris, but I will say I spend about five to six hours every evening to include a weekend really working on issues for industry. So it's selfless. I will say when I'm there, but then my husband says it's something that I always do. I'm looking for a lot of opportunities when I'm finished in my role to spend my time with my family. But I say that because people go into it thinking that it's going to be very easy and things will just flow. It doesn't work that way. It takes a lot of networking, a lot of hard work to get there. But I will also say that because I encourage you. It's probably the best time of my life being able to represent industry at this level. I was bamboozled into the position, but I will do it correctly. So I will say that. And most importantly, I want to thank everybody again for coming together. This is great. Lots of networking. This is truly where the work happens. So thank you.
Thank you, Heather. Does anyone have any questions for Heather? All right. Hearing none, I'm going to turn to Jeff Speniger, the Director for Critical Technology Protection to the Office of the Undersecretary of Defense for Intelligence and Security. He will give an update on behalf of DOD and the NISP Executive Agent, as the NISP Executive Agent, I should say. Jeffrey?
Good morning, Mr. Chairman. Good morning, Greg. Everyone, thank you. It's good to be here with you in person. I'm particularly excited for the opportunity to really sit next to Greg. We were chatting just before and he noted that he's been present for more than half of all of the 68 NISPACs that there have been. That's a lot. I think it maybe gives a little bit more characterization to the level of effort and support that Greg has represented on behalf of the NISPAC. And I think about this sort of thing a lot.
Longevity, we've relied on a very small number of people for a very long period of time to really be stewards of the National Industrial Security Program. And those folks have decided that there are other things that they would like to do in their lives. And so echoing a little bit of what Heather said and noting, but also noting the importance, you know, this is an important forum. This is an important, these are important roles. And hopefully there are folks out here who have interest in them. Also, Greg stole my thunder in the first talking point I had, which was the subject regarding, you know, maybe revisiting the number of public meetings that we have a year. I completely understand the challenges. One, pandemic challenges, staffing challenges and the like. But noting again what Heather said and everything that's playing out right here, the fact that we were able to leverage this forum, you know, for the purposes of this public meeting is kind of a backdoor way to public engagement, but it works. And it's very, very important. It's important for all of the official reasons. It's more important for, I remember the breaks in that wonderfully historic auditorium in the archives. We have a break in the middle, which I know we don't have a break this time, and I have two cups of coffee in front of me. So, oh, okay, good. All right. Excellent. That's really good. But the importance of, it's the dialogues that take place in and around the public setting that are important. And it's, and I wrote here, transparency and public discourse, they are absolutely vital to the work that we do to the integration of public policy, you know, industry engagement and actual, the products, right, the work on the other end. So, thank you for that update. And please let us know what we can do and to continue to kind of keep a drumbeat on this because I think it's quite important. Next, as a function of policy, and again, echoing some of the comments that Heather made before, right.
So, I appreciate very much and that she's read it more than once. I imagine many of you have done the same. It's not easy to read. It's not super fun to write. And so, but nonetheless, we're pretty happy with where we are. The feedback that we've received so far and really, again, thank you to DCSA, you know, and its, you know, primary outward facing role here to be a facilitator to bring information back to make these documents as living as they can possibly be. That is important. You know, it's, we celebrated the fact that we got the rule out there and about a minute and a half later we began the first amendment. It was more like a week, but not much more than that, right. And we did, we established an amendment regarding reporting and pre-approval of foreign travel associated with C3. That will, the timeline was extended to August of this year. We have no changes or requirements that we're aware of for any further extensions or amendments to that effect. I'm very certain that our overseers in rulemaking would take a dim view on any notion of that. And so, you'll hear more about that in the updates that Keith Menard and others will provide here later in the meeting. But we're not done there, right? So, we got the first one done. So, we're on the second amendment. The second amendment is largely oriented around public comments that were received during, you know, during the issuance process. We are at a stage now where we do what's called DOD-wide coordination, right? So, the DOD is a giant, you know, federation of components, right, the services and others. We will work through that process, take some time. Stakeholders kind of vary, right? So, some of the, you know, the larger companies, but smaller, smaller, excuse me, components, small components that would, that have interest. So, we will go through that process and then we'll repeat that on a federal scale. So, the process moves forward.
Again, with an eye for transparency, we use this forum to provide updates to those pieces that are not, you know, in the public space and, of course, as it moves forward. I'd like to, you know, kind of continue to provide updates on, you know, sort of an obvious one, but the importance of cybersecurity within the framework of the NISPOM. You know, we haven't yet found a seamless and repeatable process for industry direct use of cloud, classified cloud, but we're continuing to coordinate with our partners at DISA and DCSA. And although I would be, I would, I would, I want to say I'm not happy with where we are. We are making progress. And again, and a nod to, this is a public discussion, right? So, I'm not a big forecast person. I said that in prior meetings. But I think it's important that we kind of shine a light on ourselves here on what is, you know, in many respects, maybe the most, it's the under, most under-viewed and I would, I think, make a pretty strong case, you know, for, that it's maybe the most important aspect of what we do right now, right? So, and so to that, at the last NISPAC meeting in October, public meeting in October, I reported that a project that my office sponsored at the Applied Research Laboratory for Intelligence and Security, or ARLIS, led to the development of what we call a vendor neutral playbook aligned to DISA and DCSA's current process guides, including wiring, network connection process, security requirements, et cetera, you know, that are intended to lead to authorization to operate. I also described that through the process of developing this playbook and observation of several pilot efforts, we uncovered a number of challenges that make the process possible, although arduous doesn't, I think, quite capture the challenges at this time. ARLIS made a series of recommendations and requirements, you know, they framed those, they wrote them all down, which is super helpful.
And then we put them out, you know, and asked NISPAC to review those in earnest. And again, you know, with some echoing of what Heather mentioned before, I would be remiss if I didn't, you know, thank Heather and all of the NISPAC industry members, you know, for taking the time to go through in, you know, in really quite agonizing detail, to provide meaningful feedback in the work that we asked, you know, ARLIS to, you know, sort of as a third party broker put together. We look forward to getting DISA and DCSA kind of in the room on that, understanding that that's the process won't end when we digest all that. It actually will move forward. So I will end up by saying I have more updates to provide on this. But again, by bringing it forward in this way, I think, you know, we're going to be able to, you know, hold ourselves to a timeline and get over the line on what I think is an important issue. And we do this right, you know, the number of ATOs, which number in the thousands, and really in the tens of thousands when you aggregate across all of the stakeholders that are out there, DCSA and others, I don't know, that seems like maybe you wondered. And so there's a better way, I'm convinced of it. Finally, two other topics really briefly. I know I'll stop, Mr. Chair, and that is, so the department continues to make progress, right? I know folks in the audience are paying attention to requirements that were levied under NDAA 847 FY20 NDAA regarding foreign ownership control and influence assessments that are DIB-wide. They are largely predicated and intended to be designed on the way in which it's undertaken today, steady state, and for a long time under the industrial security program. But they're broader. There are two pieces that are of importance to this, and we want to get it right. And that is, one, as a function of award, and two, for all contracts greater than $5 million, including subcontracts.
That's a pretty tall order, you know, and so some of the scale that's laid out there run, you know, just in drastically high numbers. Not a tremendous amount of accuracy in those, right, in that speculation. But what is, and so instead of starting big and working to small, since so big is very undefined, you know, again, with some really great partnership from DCSA and in particular Keith Miner, who I want to call out publicly, we've kind of worked out from up. We know what works. We know what's familiar as it relates to FOCI requirements in the industrial security program. There's language in the statute that encourages, as it frankly directs us, to kind of build out from that same model. And we're building out from there. With that in mind, again, all roads start with policy. So we're at the issuance point where we handed over to, we've gotten through all of the editors across the department. Good feedback mostly. So, and now we're off to the lawyers. The lawyers understand the urgency on this when we put some heat on ourselves here. We can create some accountability and we tell the deputy something, deputy secretary something's important. And so we are on target, I believe, for an end of FY issuance, which so hopefully I'll have a more firm update, you know, and you'll have something to see that's actually out by the time we meet again. But that's not, again, just like anything else, that's not where the process ends. It's really where it begins. There's a whole amount of work that is certainly levied on DCSA and in the board industry. So we want you to be aware. We want industry to be aware. We want the NISPAC to be aware of this as it continues to move forward. But we don't need action at this time. We need to get over the line on the policy where industry and the NISPAC will come into play. We know there's a rule that will be required here. There'll be a DFARS clause that will have to come out the other end and that will be informed by the policy.
Not by this, I mean, certainly everything underpinned by the statute. But if you know how this stuff works, right, we'll build the DFARS requirements off what's first published in the department's issuance. And finally, our last topic today, we'd like to bring up again an ongoing issue regarding joint ventures and FCL requirements. There was a provision, or there's a provision in FY22 NDAA, Section 16.9 states that both entities that form a JV are cleared. The JV company itself does not require a facility clearance. To address Section 16.29 language, DOD is intending to publish a directive-type memorandum by guidance on joint ventures that have been awarded DOD classified contracts. There's also a similar language in small business administration federal rule published in late 2020 that we believe must be addressed in this regulation and guidance. So similar is a wonderful term, but similar is not the same, which means it's open to a just amount of interpretation, and that's sand in the gears to put it bluntly. So the Air Force has encountered and confronted this head-on, and so with that, I'd like to briefly turn over to Ms. Jennifer Aquinas for some input.
Thanks, Jeff. I appreciate the opportunity to comment on this issue. The DOD issues contracts to joint ventures frequently, so questions about this frequently come up. The Air Force was the first contracting activity to encounter this issue, and we successfully worked through an exception to policy process. That cleared the way, and we were able to issue a classified contract to an uncleared joint venture and allow performance on a contract without a facility clearance. But the regulatory conflict remains between the small business agency and the NISP, and until this is resolved, there'll be continued confusion. We're concerned about contract protests and impact of mission and cost.
At the last NISPAC meeting in October of 21, ISOO advised that the small business rule was not intended to remove the facility clearance requirement. At that time, ISOO committed to issuing a notice to provide a contract, and I am assistant update for ISOO today. Thank you, Jennifer, for that. And again, I'll end by saying, just using this last issue as a really great example, this is a nod to the utility of the public forum to put this out there in this way. It creates some accountability in the process. No one's running around with their hair on fire, and we're able to stay in front of what frequently ends up as a litigation matter. That's really what our end state here is. We're trying to do, everyone's trying to do the right thing here, but we see the world where we sit on it, and this is an example as to where those different world views can collide with unintended outcomes. And so with that, you know, Greg, and then this back to Team One, thank you very much for your continued attention on these issues. Thanks for working out of the technology wizardry. I have the word technology in my title, and it's a lie. I'm glad that Jennifer's here, because I'm not the only one without a computer on the inside of it, but the, you know, to be able to put this together and to be able to shine a public light on these kinds of issues is important for all of us, regardless of where we sit. Thank you very much. Thank you, Jeffrey. Does anybody have any questions for Jeff? Mark, this is Greg Kanodian. Yeah, Greg. Yes. It's a song now. Sorry about that. It's just a good time to mention the follow-up that ISOO is involved in with this issue of joint ventures and clearing the entity. It's in fact, it is an entity. I'm told by our attorneys some joint ventures can be created by contract, and therefore technically are not a legal entity. In any event, I don't want to spend time here getting into the details. We are still working on an ISOO notice that will clarify things. 
The attorneys have assured us they've spoken to SBA, and it was not their intention that we would not vet a joint venture legal entity. You heard this morning from the speaker about what are the methodologies that he's most concerned about is creating entities by some of our adversaries for illicit purposes. So we hope to have this done in short order to clarify things, because admittedly, the SBA rule is a bit interpretive, as I'll say, like a lot of government regs are. But we are going to get this thing fixed so that it's clear to everyone. Any questions? Okay, back to you, Mark. Okay, thanks, Greg. I will now hear from Mr. Keith Meinard, Senior Policy Advisor with the Industrial Security Directorate of the Defense Counterintelligence and Security Agency. Keith, over to you. There we go. Does this work now? Yeah. Okay, good morning. Keith Meinard, DCSA. Let me start off with thanking Greg Pinoni for his support to the NISPAC, industry and government members, as well as the entire NISP community. The staff of DCSA would like to congratulate you on your retirement and good luck. I have a couple of key updates this morning on leadership. We've got a new Deputy Director of DCSA, Mr. Daniel Eschi, and a new Industrial Security Directorate Lead, Mr. Matthew Redding. Both are here at the event. I'm sure you've talked to them many times, or you will talk to them before the event's over. Well, I get to represent the NISPAC from a DCSA perspective. As the primary member, I do have to say that it takes a large team of action officers at DCSA to make what happens, happens with the NISPAC, and take on the issues and challenges that come up to look at resolution and actually work forward to make better processes in practice. It's just not those on the table up here, but a large workforce that's on the back end making these things happen. So, on the first thing, DCSA is back to on-site assessments. 
So, you should see our personnel out in the field on-site doing your security reviews. And that's kind of a big change for us coming from the last couple years of continuous monitoring events. So, Heather talked about this, the NISPAC AAR year in review, I like to call it, from last year. Last fall, after we worked through implementing the NISPOM rule, we thought about asking the NISPAC industry for, I'll call it a scorecard or an AAR for FY21. And we've got that scorecard and we're working through it now, and we're working through all our action officers to look at the things that we can change, things that we can improve, and look at the best practices that came out of last year's implementation of the NISPOM rule. It was a great, it was a great time to evaluate ourselves and on how we do business with industry, communicate and engage. This was the first time we've had a major event like this since 2016, an insider threat. And what's interesting is actually Heather Sims and myself rolled out insider threat in 2016. In fact, that change came out at an NDI event the week we were in Scottsdale. So, we're in NDI now, so these things keep going around and circling. So, we do like to thank the NISPAC industry on providing that input, and we see it as a best practice. And it'll continue on next year, so next fall we'll ask for the same product. So, I think one of the biggest things that industry's asking about is, we'll talk about that, one of the last components of the NISPOM rule implementation for DOD, cleared contractors under DOD cognizance. And that's the SEAD 3 reporting for foreign travel. As Mr. Spinager said, the amendment to 32 CFR Part 117 deferred the reporting of SEAD 3 foreign travel requirements for 18 months from the issue in state. And that, so this will begin in August of this year. So, we want to make sure that we have the right capabilities. 
And part of this was the ability for industry to bulk upload foreign travel rather than doing one-by-one submissions of foreign travel to try to better enable the reporting requirements and kind of ease some of the strain. So, the deferral was put up to enable the development of the bulk tool. We look like we're still on time for June deployment of the plan tool for its use in August of this summer. We want to make sure that when that comes out and we're ready for this, we want to make sure we have a communication strategy. We want to make sure you have training and awareness products, whatever we need, to better enable implementation by cleared industry. I do want to make a couple of notes that as we look at foreign travel reporting for the reasons of SEAD 3, we will begin in August going forward, okay? We're not going to ask to go backwards, but I will have to note that if you have to fill out an SF86, all foreign travel has to be reported on that. So, you have to keep in mind that SEAD 3 forward, 86 is still required by the form for submission. To continue on with SEAD 3 a little bit, we've actually seen patterns of requests for frequently asked questions. We revised the SEAD 3 reporting questions, FAQs on our website. We refined them based on input from industry and things that we saw that can better enable and communicate how to do things. And along with that, we've had staff create an intuitive tool that helps industry walk through the types of contact reporting that's required by SEAD 3. It's kind of a yes, no, helps drive through a thought process to better understand how to report the SEAD 3 requirements. And I have to say is I think the team of DCSA has become somewhat of subject matter experts on SEAD 3 and the federal executive branch from all the work that's being done. Industry certainly, we appreciate the work you're doing. It's very important. As we report things, you know, Heather Sims up front here, we want to get ahead of the CECD hits by you reporting. 
And then we can see, we can match through that, right? The last thing I have on tools and resources is you may have seen it. The NISPOM actually refers to national policy for safeguarding. And one of the key things that came up was security in depth. In the last month or so, we've actually posted a video audio short on security in depth. We found those products very useful during the implementation of the rule, six, eight minute videos that are, or slides that are narrated for easy use and information updates. So the last thing I have actually, as I know this is something that keeps coming up is in a larger area is we're working still. You may know that the DOD manual that NISPOM was actually rescinded the end of November. So we're working through the other policy actions to rescind the former industrial security letters. We've issued new, and we have a couple more there coming out. But the reason we're rescinding these, and I'll use some examples, you may have noticed as you read through NISPOM, it talks about certain types of incidents now may occur on unclassified systems, right? Cyber, and then the 2013 ISL and cyber, that was the key point in it. We were, another example of safeguarding. We now point to national policy for open storage. So the former ISLs, there's about 34 of them will be rescinded, and we move forward with a new batch of ISLs. To give a status, we've got two more that are still in the pipeline. It does take some time to get these out. It's a revision to insider threat. Industry NISPAC has reviewed these ISLs. Key point is it talks about your program is having a plan, your self-inspection, and implementation of the minimum requirements. We have added the National Insider Threat Task Force maturity framework as a reference, and the other is an ISL that covers about nine different topics from designated government representatives to destruction equipment and things like that. TS accountability, I know that's a major thing. 
So we've run down our ISLs, we've reduced the amount now, and what we do want to know with industry, when you need additional guidance, please work through industry NISPAC to help us understand what's needed to better implement the program. The last thing I have is actually later you'll hear from Ms. Donna McLeod on our DCSA personnel security metrics from the working group, and Mr. David Scott on our systems authorization updates and metrics. Thank you. Thank you, Keith. Anybody have any questions for Keith? Next we'll hear from Ms. Valerie Curbin, Chief Policy and Collaboration Group, Special Security Directorate, National Counterintelligence and Security Center, Office of the Director of National Intelligence. Valerie, floor is yours. Hi, good morning. Thank you very much, Mr. Chair, and hopefully you all can hear me pretty well. It's a great opportunity to always be here and to provide the SecEA update to the community. I do want to echo everybody's congratulations to Greg. It has been a great partnership with you. I've known you for many years, and you've been great to work with and wish you lots of good luck in your retirement. And also to echo Heather, it has been great the past few years collaborating with NISPAC. We know that sharing information with them has been quite helpful in shaping policy for Trusted Workforce. We are in this together, and we continue to work together on our journey. So I'd also like to take the opportunity to update you on SecEA policies and some Trusted Workforce things that have been issued. So really, since the last time we met in, I think, October, a few things have been signed, real signature accomplishments. We had a transforming federal personnel vetting cabinet memorandum. It was signed by the National Security Advisor Jake Sullivan. So it's really the Biden administration's endorsement for us to take bold action across the government to transform and sustain a trusted federal workforce. 
So the guidance in this memorandum asked departments and agencies to prioritize and implement Trusted Workforce. It also asked agencies to designate senior implementation officials who will be accountable for the Trusted Workforce implementation and ensure all the related efforts at their agencies are conducted and, of course, successful. So that was wonderful that this was signed December 14, 2021. So also just recently, we're pleased to announce that we issued three high-level guideline documents. So these guideline documents were signed jointly from the ODNI security executive agent and OPM as a suitability and credentialing agent. And these three guidelines really describe the outcomes for successful personnel vetting programs. And they align with the principles found in the federal personnel vetting core doctrine that was effective February of 2021. So as we go through all these other documents and policy levels, they all build upon each other. So just to describe a little bit about the personnel vetting guidelines, it will be the outcomes associated with investigations, adjudications, and personnel vetting management activities. It's essential for these components to work together in your personnel vetting programs to help identify and manage human risk to ensure a trusted workforce. We also issued the federal personnel vetting performance management guidelines. And this will be the overarching strategic direction for conducting performance management. We want to measure, we want to make sure we're doing things effectively and efficiently. And from that, we will put out additional standards and strategies and targets for the community. But that will be coming down the road. And we also issued the federal personnel vetting engagement guidelines. This is the outline approach of engagement, which is designed to foster trust in the process. 
We want to allow the government and healthy individuals to enter into the workforce in a timely manner and help shape a culture of personal accountability and responsibility. So from these three guidelines that were issued this past February, February 10, 2022, we will be coming out with new investigative standards. And I'm sure you're going to be hearing more about it from Matt Eames and also my boss Mark Crownfelter about the new vetting scenarios. But we will be changing the current investigative model. And those investigative standards will be issued very shortly. And then we will come out with additional implementation guidance. So as a result of all the tremendous effort of collaboration and coordination across the IC and with the NISP community, the executive branch and industry partners, we know we're all working together in the same direction for successful outcomes and also to improve transparency in our process and have a shared responsibility. So I also want to just note that two other policies. One is in place right now. It's called SEAD 9. It's not in place. I'm sorry. It's draft. It's the whistleblower protection appellate review of retaliation regarding security clearance. So we did go out to the community and it was just with OMB, Office of Management and Budget for formal coordination. So we're just finishing up coordination and adjudication on that. So also thank you to those agencies that helped provide us some comments. One other area to explain and I know there's some information out there already and it's been shared with our NISP community is the clarifying guidance on marijuana. It's for agencies to use this guidance to help them in adjudication. And the memo outlines adjudicative guidance on the recency of recreational use of marijuana, the use of CBD product, and the investments of marijuana related. So a lot of good information is in this memorandum. It was signed and issued by the Security Executive Agent on December 21, 2021. 
So hopefully you all have seen that. And I also want to thank Keith and his team and DCSA. We know you all are working really hard with implementation of SEAD 3. A lot of great work is done on the toolkit and resources available for the community for implementing SEAD 3. So I think that's all I have to update you on. It was just a high level letting you know what was issued and you will be hearing more later. But if there are any questions, I'd be happy to answer them. Thank you, Valerie. That was very informative. Up next is Mr. Rich DeJossavend, Deputy Director of the National Security Services Division at the Department of Homeland Security for their update. Rich, over to you. Good morning, everyone. Thank you. First of all, we've been asked to comment on a few items here, some updates regarding NISPOM implementation. I'm sure most of you know, but some may not be aware that DHS and DOD have a special security agreement. We work in tandem with DOD, DCSA. Our industrial security branch continues to work with DCSA and their personnel security teams on the implementation of the NISPOM rule. We have not had any issues to date regarding COVID. During the pandemic, 70% of the DHS workforce continued to work. And on March 27, the rest of the staff began a modified return to work schedule. That 30% is mostly on a telework hybrid coming into the office once to twice a week. So that's where we are as of today. Regarding CUI, although CUI has not been adopted, our information security branch continues to participate in our working groups and is working with the intelligence community to plan for implementation once CUI is officially adopted. Trusted Workforce 2.0, DHS continues the implementation of Trusted Workforce 2.0. To date, DHS has enrolled about 83% of our security population into the ODNI continuous evaluation system, and we are on track for full implementation by FY24. And there was also Heather that asked us to speak a little bit about our insider threat. 
Our insider threat and personnel security teams continue to work together to develop policies and SOPs. They are meeting once a month to collaborate with each other, so we are on track for that as well. If there are any questions, that's all I really have. If there are any questions regarding any of these updates, please submit them, and we will provide inputs that are in answers to you as soon as we receive those. So if there's nothing else, that's all I have. Thank you. Thank you, Rich. Next update we'll hear from is Natasha Sumter, Director, Office of Security, and Eric Person, Officer of the Insider Threat Program, both the Department of Energy. Please take it away. Good morning, and thank you, Mr. Chair. Yes, my name is Natasha Sumter, and I do work in the Office of Security Policy at the Department of Energy, and I'm joined today by Mr. Paul Dufresne, who is a part of our Departmental Personnel Security Office, as well as Mr. Eric Person, who will provide the insider threat updates. So to begin, thank you so much for allowing us to be a part of this discussion today. We absolutely appreciate the partnership and engagement that we have with our industry and government partners within the NISP. So thank you, and to Greg, thank you so much for your service. We appreciate your leadership within NISPAC, and we look forward to seeing you in your cities and your umbrella drinks and sitting on the beach somewhere. So best to you in your retirement. So today I'm going to give you just a couple updates from a departmental, from a DOE, departmental perspective. So, of course, we always have a lot of things going on as a self-regulatory organization. 
We are constantly reviewing national drivers and the security postures of our other organizations, but also, of course, within our own department, just to ensure that we are aligning with those security policies that have been recently published, updated, et cetera, and to ensure that we are doing the things or doing those, exercising those requirements and implementing those practices that make sense for our mission and the security assets that we have within our organization. And to that effort, we have been reviewing DOE Order 470.4b, which is the safeguards and security program order, which handles or actually discusses a lot of the industrial security matters that you would see in the NISPOM or the 32 CFR 2004. So we are currently beginning the process to open that order for a complete rewrite. Yes, I said it, a complete rewrite. We are going to review everything that has ever been issued concerning industrial security matters and ensure that we're doing the right thing, not just for the department and our security assets, but also for our stakeholders and our partners within the NISP. So regarding the updates that we have been asked to provide, specifically CUI, we have reviewed the national driver, the 32 CFR 2002, and we have implemented that regulation via DOE Order 471.7, which is controlled unclassified information, which was published on February 3rd of this year. And of course, whenever we update our policies, we always collaborate and engage both our partners, our industry partners, and our federal employees and SMEs throughout the department and even across the agency lines. So just so everyone kind of understands the construct of DOE, DOE is a very decentralized organization. So we have all of these different program offices that implement the national drivers, the departmental requirements, etc. But whenever there is a requirement that applies to our contractors, those are conveyed through what is called a contractor requirements document. 
And regarding the 471.7, the CUI order, it does have a contractor requirements document that conveys those requirements to our contractors, which will eventually be updated in updated contracts, but also issued with the new contracts that are provided to our contractors. So we were asked a few questions concerning CUI implementation or CUI within the department. And one of the questions was regarding oversight from a CSA perspective. Another question was asking about the reporting requirements and mechanisms, but also to clarify the definition or the term of unauthorized disclosure. So from an oversight perspective, as I mentioned, that we do have the order that is currently in place. But also we have other governing documents, including DOE policy 226.2, which is the policy for federal oversight and contractor assurances. And DOE order 226.1B, which is implementation of Department of Energy oversight policy. Those documents provide the oversight structure for both our federal operations and our contractor assurances. And while both documents are published, we do keep them updated and maintained as well. So we also have the, we have an Office of Independent Assessment, which provides our oversight activities as well. So they do not have any line management or policymaking responsibilities or authorities. However, they do provide the oversight of those requirements that are published in the various security-related orders for the department. Excuse me. So our federal and contractor operations are an integral part of DOE's assurances for our safety and our security programs. And we ensure those documents are updated. We ensure that those assessments are completed or conducted within the timely manner because we have to provide those assurances to not just our senior leadership within the organization, our workers, but also to the public. And of course, you, our contractor partners. 
So through these independent oversight programs, we enhance our safety and security programs by identifying any concerns or issues that may have arrived during an assessment, but also providing corrective actions and a way forward to addressing or mitigating those issues. And that is also included in our CUI order. So another question that we were asked to address was, what are the reporting mechanisms for industry issues, lack of marking, handling guidance, etc., to our customers? So DOE Order 471.7 contains those reporting requirements to the site and program office oversight officials. And in addition to that, we have other reporting requirements to the Office of the Inspector General, and that are also and other requirements that align under the order that I mentioned earlier, which is the 478.4b, which is respectively my order. That's the one that I'm responsible for updating. And that order has an incidents of security concern program that is leveraged to identify various issues to include, which will include CUI reporting requirements, etc. And finally, we were asked to provide some feedback on how we define unauthorized disclosure. So 32 CFR 2002 section 4 actually has a definition, and the Department of Energy leverages that language to define what it actually means to the department. So the unauthorized disclosure occurs when an authorized holder of CUI intentionally or unintentionally discloses CUI without any lawful government purpose in violation of restrictions imposed by safeguarding or dissemination controls, but on the contrary to limited dissemination controls as well. So with that said, that is the update on what's happening in our policy world and some of our policy world because there's always something going on, but also just to provide some responses to the questions that were posed regarding CUI. And you will later hear updates from Eric Person regarding the insider threat program and also Mr. 
Paul Dufresne from our departmental personnel security offices. And barring any additional questions, I will turn it back over to you, Mr. Chairman. All right. Any questions for Ms. Sumter? All right. Next we'll hear from Mr. Chris Highlake, Chief of the Personnel Security Branch, giving the National, I'm sorry, Nuclear Regulatory Commission update. Chris? Good morning. Good morning. I'm speaker at the end for the clearance working group. Yeah. Yeah, Mr. Chair, this is Dennis Brady. I've got something prepared for the NRC. Okay, Jess, please. Thank you. Good morning, everybody. Thank you, Mr. Chair. You're welcome. Just to cover over where we are with the COVID return to work. The NRC has returned to work in a hybrid work environment. With most of the staff in the office, minimum two days a week, that means on any given day, the number of staff physically in our NRC facilities is just over half of what it was prior to COVID-19. The aims who currently doesn't have any plans to change from this COVID work or the hybrid work environment seem to be working very well with the staff. We're able to achieve our mission in providing oversight to the nuclear industry. For the CUI program, we are on track. The NRC has their policy statement published, and the rule has been approved by our commission that supports the NRC's transition to CUI in September of 2022. The NRC operates internally under management directives as DOE uses the rules. We have our management directive in place. Training has been all established, and it supports both the NRC employees and contractor communities. Under SEAD 3, our foreign travel report approval pool has been published and is active for cleared employees in a large portion of our cleared contractor population. The remaining contractor population, which is our cleared licensees, will be captured under that program later this year. That was the last element of the SEAD 3 requirements that we had to implement. 
So, by the end of this summer, we'll be fully compliant capturing all the required reporting data and the agency-approved SEAD 3 foreign travel reporting requirements. That's the end of my report. I don't have any other updates from either insider threat or on the Trusted Workforce. Okay. Thank you. Thank you, Dennis. Anyone have any questions for Dennis? All right, when Nick's going to turn to Felicia from the Chief Office of Security Policy giving the CIA's update, and then after she talks, we will have a five-minute break. Felicia, this floor is yours. Good morning. Thank you for this opportunity, Mr. Chairman. Also, we would like to also echo what everyone else has been saying about Greg. We want to wish you all the best in your retirement, and we want to thank you for all that you have done for NISPAC and for your engagement with industry as well as with the government. And so today, I will be making brief statements on behalf of the agency in reference to the NISPOM implementation. As well as controlled unclassified information, and then give you a brief statement on Trusted Workforce. After that time, if you have any additional questions, we ask that you submit those questions through the proper protocol or as instructed at the beginning of this forum. So in reference to NISPAC implementation, the CIA industry's security staff is actively engaging in the implementation of the NISPOM as a federal rule. We're working closely with our procurement executive to have our contract security clauses amended to reflect the new guidance. We are also hosting a series of industrial workshops designed for company security officers, and the information will be discussed at these upcoming events. As far as guidance regarding the SEAD 4 updates, we are incorporating that information into our current policy, and the SEAD 4, as you know, is the National Security Adjudicative Guidelines. 
Regarding controlled unclassified information, we are working closely with the ODNI representatives. Once they issue policy guidance, we will begin that implementation. Trusted Workforce 2.0. We are continually actively participating in multiple government-led working groups focused on providing substantive comments and review of Trusted Workforce 2.0 draft policy, and in those discussions of agency and government-wide capabilities in achieving future Trusted Workforce requirements. Our focus at present is in achieving the early 2.0 milestone of full enrollment of agency members in our continuous evaluation program by the 30th of September of 2022, as required in the January 2021 Executive Agent Memorandum. As we wait on issuance of accompanying standards, which will define requirements to an operational level, we remain focused on our review and comparison of current vetting processes against the draft 2.0 future standards, so we might plan and project any agency shifts in technology, resources, and processes by the deadline of 2024. We remain mindful that ensuring a Trusted Workforce within the CIA and throughout the government requires that we all maintain strong and sustained relationships with our industry partners. As we gain additional operational level details and the soon-to-be-released policy, which will tie us to our industry partners, we will begin a series of conversations to ensure that we will work together to achieve these requirements. We want to thank you for this opportunity and your attentiveness. That's all from us from the CIA. Thank you so much. Any questions for Felicia? Hearing none, we're going to take a five-minute break. I've got on my watch here, 11:16, so we'll get back in five minutes. We'll next hear from Bob Mason. We're going to have to start immediately. Okay, so five-minute break will begin now. Let's get started. Okay, welcome back, everybody. 
Up next is Bob Mason, Alarm System Auditor and UL 2050 Subject Matter Expert with Underwriters Laboratories, LLC. Bob, yours? Thank you very much, Mr. Chair. Thank you for this opportunity for UL to speak during this event. We'll all be talking about the National Industrial Security Systems Standard UL 2050. It's the fifth edition. We'll be talking about four types of monitoring. The first monitoring of the standard is Chapter 6. It's government contracting monitoring station. It has the ability, it's a government contractor location. It has the ability to monitor UL 2050 certificates within a 244-hour radius from that location. The alarm service company who issues the certificate also has to maintain the receiving equipment at the monitoring station, so it couldn't be ABC Alarm Inc. Maintaining the equipment and not writing the certificates like CBA Alarm Inc. is writing the certificate, so it has to be the same alarm company who issues the certificate, also maintains the equipment for the receiving equipment for a government contracting monitoring station. Also, the government contracting monitoring station is maintained by the alarm service company, so they verify compliance for the physical construction of the monitoring station, and they also maintain the alarm receiving equipment. They verify fire protection, they make sure there's clocks in place, primary and secondary power, communication circuits, and personnel. Those are the key fundamentals of the GCMS. This government contractor monitoring station also is required to monitor the alarms, opens and closes. It's on the alarms and unauthorized openings, dispatching investigators, trouble signals and service calls, and creation of records. A government contracting monitoring station is not able to monitor any UL certificates outside of the 4-hour 240-mile radius of the station. A national industrial monitoring station, however, is able to monitor outside that 240 miles in 4-hour radius from the station. 
They are also UL-listed for CRZM, so UL does go out and verify compliance on an annual basis at these stations to make sure for the fundamentals of the monitoring station for physical protection, alarm receiving equipment, fire protection, clocks, primary and secondary power, communication circuits, and personnel. These facilities and these monitoring stations are also required to monitor the alarm systems, openings and closings, alarms and unauthorized openings, dispatching investigators, trouble signals and service calls, and creation of records. And then the third option for monitoring these types of facility, these types of certificates is a central station, commercial UL-listed central station. They can be listed for a UUFX for fire, a CPVX for burglar alarm, or CVSU for residential monitoring. The commercial UL central stations, they follow a UL 827 standard. They're also required to monitor alarm systems, openings and closes, alarms and unauthorized openings, dispatching investigators, trouble signals and service calls, creation of records. They're also required to monitor the physicals. UL also verifies compliance with these central stations on an annual basis for the category. So these central stations also have to have a DD-254 in place to their, for clear operates up to the secret level. And then the fourth type of monitoring is law enforcement. Law enforcement is not able to monitor opens and closes. They only can monitor alarms and troubles. Law enforcement also, anytime using law enforcement, it's required to have prior approval on the alarm system description form for NISPOM. And again, I've only seen one, and that was like 10 years ago. I'm not sure of one that's being operated on as of right now. But those are the four types of monitoring. And if I get invited again to speak at another event in the future, I'd like to talk about the four types of investigating.
The other thing I'd like to also talk about is the four of the two proposals that were sent out a couple years ago. One is automation systems, automation systems to bring into the new UL 2050 sixth edition. I haven't done this, but these are just proposals that I'm waiting for approval on by the government. This is for redundancy for Chapter 6, Government Contracting Monitoring Station and the National Industrial Monitoring Station, which is Chapter 7 of the UL 2050 currently. This would allow, like I said, redundancy for any equipment for failure. The intent of the additional paragraphs was monitoring stations to equip with redundancy. This will assure if at any time the computer system were to fail, there is a backup system that will automatically be in place that can continue processing of signals. Not only for the automation system, but also the communication circuits. Whereas like the Internet Service Providers having two Internet Service Providers rather than just one, that way if one of the Service Providers goes down, it would automatically switch over to the secondary Internet Service Provider or even an MFVN, two different MFVNs or a combination of one or the other. So that's what I had today. I heard that we were kind of strapped with time, so I was trying to do this as quick as possible, but as clear as possible as well. But that was my presentation. And again, thank you for this opportunity.
You're most welcome. Bob, does anybody have any questions for Bob? Okay, thank you, but we will now hear from the General Services Administration's Chief of Policy Standards and Engineering Branch, Mr. Chris Pollock, who will go over the safe ordering process for industry. Chris?
Thank you, Mr. Chairman, and a thank you to ISOO for giving me the opportunity to give a quick update on the GSA safe ordering process for the storage containers and vault doors used to protect classified information.
In the interest of time, I'm going to just hit a couple of highlights of the presentation, rather than go through it step by step. So I don't know, can we skip to slide number four real quickly? There you go. So this is sort of the synopsis of the procurement requirements. First of all, you have to have the requirement to store classified information within your contract. Usually that's in a DD-254. Some other government agencies do use other forms, but primarily that's in a DD-254. You also have to have an activity address code or the associated DoDAAC. These DoDAACs or activity address codes are assigned by your government contracting officer. And this is probably the biggest sticking point in placing an order through GSA for the containers. So it's important that you maintain good communication with your contracting officer to make sure that you've got the DoDAAC assigned and that you're using the appropriate one. Again, you also have the ability to pay, which is kind of self-explanatory. We do allow payment in all kinds of different methods, including PayPal and connections to bank accounts or different types of credit cards. And so, and this process goes through, this presentation goes through both the online and offline ordering of GSA containers. Primarily for this audience, that would be the offline process, which includes filling out of the form 1348. Just one more quick comment about the process and I'll address a couple of other specific questions. But yeah, through COVID, we found that it is absolutely critical that when you're placing an order in a remark section to provide a good point of contact throughout COVID with different rules regarding building opening and handling of material and the whole process potentially getting changed. It's critical that they have a point that our manufacturers have a point of contact to be able to work through any issues that arise. So again, that's real quick.
Again, these slides that will be presented go through it in pretty good detail. But if you have any questions regarding the process, send them to again, nispac@nara.gov. Happy to address any questions. We have heard a couple of questions regarding some specific issues. The first of those is the cost of the GSA approved containers. I'm kind of probably preaching to the choir a little bit here and talking to the industry partners. But we have seen some sort of unprecedented changes in the cost of steel over the last couple of years, depending on which index you look at. The cost of steel was up about 200% since March of 2020. We've also been affected by the shortage of electronic components. That's caused some redesign and retesting additional costs for our lock. Overall, this has resulted in about a 30 to 40% increase in the cost of our GSA approved containers. Not where we want to be and we are keeping track of those indicators to see if at some point in the future we can reduce the cost. But right now we're looking at again a 30 to 40% increase over the last two years of the cost. Delivery. During COVID, delivery was affected for sure. Our manufacturers had the same issues that most of the rest of the world had regarding staffing shortages, particularly welders, machinists, painters. GSA tries to maintain a 30 to 45 day delivery time. That's what's in our contracts. During COVID, that time slipped sometimes as far as 90 days. But we are working to get back to the 30 to 45 days. Most of our manufacturers are meeting that on a pretty consistent basis. But yes, some of the deliveries over the last couple years have been delayed. The final comment I have is with regard to ISOO Notice 2021-01, which is the removal of the black label or older containers from service. I understand that there's been quite a little bit of confusion regarding trying to identify the containers that need to be replaced.
The best place, the best resource to find out information about that is the DOD lock program technical support hotline that's available to both DOD government and industry as a resource. And I would ask ISOO if they could include the web page and the information for the DOD lock program in the minutes to the meeting. And that's all I have. Back to you, Mr. Chairman.
You're most welcome, Chris. All right. We're now moving into the portion of the meeting where we get reports from the NISPAC working groups. However, we will not be discussing all of them. We will, we have provided slides with highlights of them all. We will only be discussing the clearance and NISP information systems authorization also known as NISA working groups at this time. Greg, you would take that part away. I'd appreciate it.
Thank you, Mark. And for those of you who don't know, we've had these two working groups, the NISA and the clearance working groups. These have been standing working groups for probably 15 years. I believe it was Tom Langer and another industry rep who I can't recall who came to ISOO at the time when the clearance processing was off the charts and similar issues with the information systems authorizations. And it was right around the time, I think, IRTPA was coming out too as far as timeline requirements. And anyway, I think we made a lot of progress by putting focus on it. And we've continued to have these groups. And there's been some ebb and flow. I think right now we're at a pretty good state with the timeliness, at least the personnel security clearances. So our working group, the clearance working group, we generally meet at least once between NISPAC meetings. And some of the things you've already heard have been discussed at those meetings. One thing I don't think we've mentioned is the SF312 non-disclosure agreement. One of the things coming out of COVID that we heard from a few agencies was there's the requirement to have a wet signature on the form.
And that was deliberate. The Department of Justice when we updated or the initial regulation for the EO 13526, 32 CFR part 2001, they wanted that in there for legal purposes. Anyway, technologies advance. We have meaningful ways using cryptography technology to enable the use of a digital signature. We coordinated with ODNI who essentially owns the form as well as the Department of Justice. And I'm pleased to say that effective May 9, the directive language will be effective. It's been amended and it will allow for the use of a digital signature as long as you're using cryptography technology that in a meaningful way can ensure authenticity. So that said, what we're referring to is either the use of the CAC card or the PIV card along with a PIN number. So government-issued cards, those two cards for now. And if an agency can demonstrate another card, then that's fine too. And the way the wording of the directive, it's left up to the agency if they want to deploy this. Now, I will say we'll be putting out an ISOO notice on or about May 9, the effective date, simply because unfortunately it will not actually be able to be operationalized in all likelihood on that date because ODNI has informed us it's very unlikely they will have the changes to the form made. There are some changes obviously needed because with a digital signature you will no longer need a witness, for example. So anyway, some progress there. Let's see, a couple other things. I mentioned in the past ISOO. We've been undergoing reform in the way we collect data. We collect a lot of data. It's true to the point that sometimes agencies complain a little bit because we have so many reporting requirements. We do, after all, have to report annually to the president each year. So we're not just making this stuff up ourselves. There's requirements that we have by way of executive order to do this.
Anyway, through that process, one of the things we've been looking at besides the overall data reform initiative for collecting information is cost. And as it relates to NISP, there are requirements in the two executive orders, the one for the NISP and the one for the CNSI Classified Program. And that concerned cost. And those requirements cascade down into the directives, the applicable directives. So we've been meeting, just government only, to discuss a way forward to get better estimates of the cost of entities under the NISP by CSA that cost to implement the NISP. So another mistake, if we didn't have a NISP, those costs wouldn't exist because those requirements wouldn't exist. So we are at a point where DOD, our colleagues at DOD, put forward an outline that captures like the major buckets of costs and does it in a way we believe that will impact industry the least. So we're coordinating that with the other CSAs and we're planning to meet next week. And just to give you a little flavor of what we're talking about in terms of the buckets. So security labels, right? Every entity has to have a facility security officer. Depending on your facility, you have ISSMs and other individuals that document custodians and what have you. There's obviously then there's the investigations, there's the adjudications and continuous vetting. And these are things that we think we the government will share these with industry once it's ready to be shared. We can get these data without really bothering you. We should be able to get that on our own. And there's a few other things we're looking at. Information systems technology that process classified information, what additional costs are there because you're processing classified information, perhaps physical security aspects, and then training, right?
I think the training we can also get on our own by using some revelation of the number of cleared people times X amount of hours per year times a rough dollar figure per hour of salary, you know, pay to get to those things. So we're hopeful to get that and that'll give us a better estimate of the cost on the, and I know there's some debate about it's ultimately governments paying for, but the way the wording in the directive and the orders are written, this would give us a better way to come up with estimated costs to implement the requirements, the main requirements of having a NISP. So that's a good thing, I think. Another thing, I'm not sure if Heather brought it up, but during our clearance working group, it was discussed and I've heard it in other forums like the DCSA stakeholders meeting for industry, but let's be honest, currently from what I'm hearing, we have a concern right now with the processing times for facility security clearances and the rejection rate as well. So what I'm recommending, we've done this before with other parts of the program, is to form a small ad hoc working group, and I'm asking this of our chair, to focus on what are the issues, what are the major impediments that are causing this rejection rate. So, you know, we can analyze this. I'd hopefully rather quickly study it, see what's going on. Is it the FOCI aspects of clearing the entity, or what other aspects are going on there? So I'm hoping that we can do that. So I'm going to stop right there, and if there's any questions from NISPAC members, can you take them?
Greg, Heather from industry, you knew I'd have a couple questions just to go back. You talked about funding the NISP is inherently a government responsibility.
Many of us are aware that there's a lot of unfunded requirements that come out, and so that's why it's ever more important to understand when the five CSAs or anybody that touches industry understands when you add a requirement that is not policy or contractually required, that it's so important to consider that industry is paying out of pocket sometimes for those. But I need to remind industry, if we do get an unfunded requirement, or a new process change, after the contractor has been awarded, you can go back to your government customer, renegotiate that contract. Very important to make sure your company is not eating all those costs. And I'm going to take it back to the day pass of this transition and the just to end this transition. Industry did eat a lot of that money and resources when we corrected that data, so that's very important to make sure something that very minute really adds to the cost of doing business with the government in this space. So very important to make sure we do that. But getting back also to the facility clearance process, you talked about having that small group to work on the ad hoc group to work on the improvements of the process, the 60% rejection rate, but also the IT portion of that where if you have a simple change to make, you have to start that process all over again also adds to the time of trying to get somebody sponsored. But I'll also add that without a good foundation in that facility clearance or entity vetting process with the 845 or 847 coming forward, we want to ensure from the industry's perspective, is that going to be the same bodies at DCSA doing the same process that's going to be doing the FCL and FOCI vetting process? Because if it is, we need to ensure that DCSA has the resources to properly do that because otherwise in industry we're going to see some supply chain issues with bringing in subcontractors to do some of our contract needs.
There's no other questions.
I think the way we've got this set up is DCSA is going to provide some systems metrics next followed by DOE and NRC.
Yeah, that's right. We're going to hear now from David Scott with DCSA for DCSA's information systems update. David?
Yes, thank you. I think the last NISPAC, I just gave a brief update. We've realigned regions from an AO perspective. Yeah. We're going to announce the regional AOs and which region they align to. Mid-Atlantic region is Mr. Ezekiel Marshall, formerly the Capital Region Eastern Region. We have a brand new AO that's come on board since the last NISPAC, Alexander Hubert, Central Region William Vaughan, Western Region Stacey Omo. Those are your regional AOs that if industry has questions or concerns to work through the regions all the way up to NAO as needed. Next slide. I just want to really just kind of explain our partnership with the NISA working group has been very instrumental working through some major challenges over the last few months where industry has requested more insight into metrics. In December we had a process where DCSA could work changing workflow package workflow and due to our strong relationship with the NISA working group we were able to collaborate, communicate effectively to make a change in January that was I think monumental and that change happened in January with zero downtime and industry was fully engaged. And it really is already starting to prove positive value because industry has now direct insight to where their package is throughout the assessment and authorization process. So we've heard nothing but positive impact there and we're looking to build upon that on many other enhancements within eMASS for industry and for us internally. Currently we're still going to be trending and baselining our metrics and at the next NISPAC I'll be able to provide more insight to include DCSA time.
One kind of late breaking thing that I'd like to bring up to the community here is we've had some concerns with access to eMASS computer-based training which is now hosted in the RMF knowledge service and there's been access issues from industry. Just want to report that we have been working with DCSA and we've recently got approval to host in the STEPP environment from CDSE. We are working that actually right now and as soon as that we get approval to hit the live system go we will work with the NISA working group to publicize that. And on the another positive engagement that we've had with the next slide please. The next another positive engagement that I'm happy to report is with the NISP connection process guide. This guide is instrumental in providing a hands-on process flow for any contract requirement to interconnect with a system within the NISP. This is something that I think is much needed and due to the collaboration with the NISPAC, the NISA working group we received a lot of feedback over the course of the last three months and now we are looking to formally publish that through the processes of the federal registry. So that is where we're at with that. We've moved forward with the NISA working group and we're looking forward to a coordination there. And then lastly where are we going next from an NAO perspective. We're going to continue eMASS updates and job aids and we're going to utilize eMASS as their help desk page to put information out to industry as fast as possible to all 4,000 users. So please pay attention to eMASS and that front page for any guidance, job aids to really make the job easier. We're also working internally right now on an update to overall DAAPM 3.0 and we're going to partner with the NISA working group for that as well to really close up any gaps in processes and procedures that industry sees and that we also see.
And then lastly Command Cyber Readiness Inspections, the last report that I provided at the NISPAC that we were planning to go out and start executing CCRIs. We've actually already executed one and we're already planning for the rest of the FY to conduct many more. And then also our FY23 planning for our approved SIPRNet nodes. And we're going to continue to partner with the NISA working group as our primary working group for information exchange and collaboration to improve our process procedures. And that's all I've got pending questions. Thank you.
Thank you, David. We're now going to hear from Donna McLeod with DCSA for their vetting statistics.
Thank you. Thank you. This is Donna McLeod from the background investigation program. And today I will be providing the metrics for personnel security with DCSA. And that will include the vetting risk operations, VROs, background investigations, and adjudication. So to start with VRO vetting risk operations, the investigation submission in interim industry populations at approximately a million. In FY22, investigation request submission is about 100,000. 90% of all initial investigations have an interim determination made on average within five to seven days. Please remember to submit your fingerprints for initial clearance prior to submitting an investigation request. We cannot open an investigational issue in interim determination without required being a certain result. In FY22, we triage approximately 8,000 incident reports. Under the continuing vetting, DCSA is responsible for implementation of DOD-CV program. Currently approximately 975,000 industry subjects are currently enrolled in CV. And with 156,000 PRs deferred to date. As of January 22, all PR submitted to VRO will be deferred into CV. We reached full enrollment of DOD cleared population into a trusted workforce CD-compliant program in FY21. And we continue to work to steady state of new enrollments moving forward.
For our CV alert management, post-CV enrollment alerts are generated based on established thresholds, which aligns with federal investigative standards and adjudicative guidelines. Currently, we average approximately 6% alert rate. Criminal and financial are the most common valid actionable alerts that we receive. In FY22, we received 19,000 industry alerts of which 8,000 were not previously known information, which would be placed to 41%. On to the background investigation. Our total inventory for background investigation continues to remain within a stable state. Q2 started and ended at approximately 171,000 cases. And we fluctuate between 166,174 throughout the quarter, with the current level also at 171,000 cases. For industry cases in Q2, we have an inventory of 27.6,000 cases, which represent a 1.5,000 decrease from our Q2 start and currently 26,000 cases. Much of this decrease is due to the PR decrease numbers that are coming in. In Q2, industry announced that they would no longer be submitting PR investigations and have shifted towards the continued vetting. Prior to Q2, we received 8,000 to 10,000 industry PRs per quarter. And during Q2, we received just 600 cases. So you can see the decrease. In regards to the BI timers for industry, remember these metrics are based on end-to-end, meaning the cases that have gone all the way through the process to adjudication for that particular quarter. So in FY22 for Q2, our T5 end-to-end timeliness is at 155 days. That is 30 days for initiation, 108 days for investigation, and 17 days for adjudication. Our T3 initials for the same time period, end-to-end timeliness is shown at 117 days, 32 days for initiation, 68 days for investigation, and 17 days for adjudication. This is a big improvement over where we were two years ago, when we look at the T5 end-to-end timeliness numbers, we were at 221 days. And then our T3 end-to-end timeliness was at 132 days.
Timeliness has been trending upward due to multiple reasons within the organization. We have increased in processing time for our security and suitability investigation index files known as our SII files. Analysis was conducted and it shows that direct correlation between this and increase in timeliness, particularly throughout T5. Additional staff has been assigned to continue working down the inventory of the SII files. We also experienced a valid printer issue in our data facility, which resulted in 150,000 violations being delayed on over 41,000 cases, and it was largely impacting the T3 timeliness. COVID impacts to the background investigation, COVID restrictions beginning to ease across the country, we're likely to experience a reduction in number of cases that have been held due to COVID. In the past eight weeks, our COVID held cases have dropped by 85 percent and now stands at only 420 cases. But the investigative clock has not stopped due to COVID and it does impact the investigative timeliness. Over the past two years, DCSA employees have adapted and remain flexible and just demonstrated agility to continue meeting mission requirements. Since last summer, we've successfully sustained operations through significant surges due to COVID and constantly adapting to close all COVID impacted cases as quickly as possible. On to our adjudication program. As a whole, adjudication is meeting timeliness goals, set by Congress, Office of Management and Budget, and the Director of National Intelligence. For our industry adjudication portfolio, we are largely meeting timeliness goals with a few exceptions. In FY22 Q2, our initial adjudication timeliness was 17 days for T3 and T5 investigations, and 33 and 28 days for T3R and now T5R respectively. We are forecasting initial adjudicative timeliness to remain in compliance with congressional mandates.
For periodic re-investigations, we expect timeliness performance to continue to remain close to or above OMB's target of 30 days. Adjudications completed over 95.2 thousand in national security adjudications, which include incident reports, customer service requests, continuous vetting products comprised more than half of the denial and revocation information sources. The top three reasons personnel are being denied or revoked remain financial considerations, criminal conduct, and personal conduct. Coupled with meeting timeliness requirements, adjudications continue to execute national security adjudication decisions with high level quality, delivering 100% appropriate determination rate in all adjudication and support of our customers. Our current industry inventory is at 19.4 and it is comprised of customer service requests, incident reports, T8 investigation, and continuous vetting alerts. The industry inventory has been relatively steady for the last four quarters and we closed approximately 94,000 cases this year. On behalf of the personnel security mission space for DCSA, thank you again for your partnership as we move forward and Trusted Workforce transformation initiatives. We remain focused on preparing for the NBIS and Trusted Workforce implementation. To this end, we are working collaboratively with our partners and NBIS, our customer agencies, our industry partners to continue to improve our focus on our customer service and support operational needs. And that concludes my part of the overview.
Thank you, Donna. Next I'm going to hear from Paul DeFrame, Personal Security Field Assistance Program Manager at the Department of Energy to give us his metrics. Paul.
Good day, everybody. Thank you for the opportunity to provide you this information. As you can see, over a quarterly trend, the Department of Energy has been meeting the 20-day standard for the adjudications on initial investigations as well as the 30-day OMB standard for re-investigations.
Next slide, you'll see where we started out on a monthly trend for the top secret investigations, the T-5s, where we weren't meeting the adjudication timelines. However, averaging out over the 12-month time period, you're looking at about an average of about 17 days total. And I'm going through this rather quickly because it's just to keep everybody on track here. For the tier three investigations, the same thing. We started out roughly just over the IRTPA standard. But since then, we've actually over the last 12 months been meeting the IRTPA. For the T-5R investigations, we did see an influx of investigations come in during the early part of the FY. However, we continue to maintain meeting the OMB standard for re-investigation adjudications. And the same thing with the T-5 investigations. We did meet it through, or excuse me, T-3 investigations. We did meet it throughout the entire fiscal year. What I'd like to do is also give a quick update on what we're doing for trusted workforce implementation. We have our order, the DOE Order 472.2 is sitting with the deputy secretary right now for approval and signature. We had plenty of representation across the department to include our industrial partners that were involved in this process. And we wanted to thank everybody for that. Since we last met, the department has actually begun deferment of periodic re-investigations. We're working with our internal IT people, as well as DCSA, to get our Rap Back implementation rolling. And with the help of our trusted workforce working group, we have wide representation across the department so that we continue to try to meet all the milestones and everything being put out by the executive agents so that we can actually, once we get our entire cleared population into the trusted workforce 1.5 state, we can actually start working on the uncleared population, the T-1, T-2, and T-4 population. So we're looking forward to being able to move forward with that.
But we're right now at a 1.25 state, and we're looking to be 1.5 compliant by the end of the FY, getting that milestone of September 30th. With that, I'd like to go ahead and turn my time over to Eric Person from the Office of Insider Threat Program here at DOE.
Thanks, Paul. Appreciate it. Good afternoon, Mr. Chairman. Again, as Paul and my colleagues said, I'm Eric Person, Department of Energy, and specifically with the Office of Insider Threat Program. Before I begin, I'd also like to congratulate Greg on his retirement and thank him for his service. Very quickly, just an overview. DOE's Office of Insider Threat Program is the support office for the department's program or Insider Threat Program per the direction of our, we call our designated senior official or DSO. Our principal focus is to serve in an organize, train, and equip modus and to ensure, among other things, among other items that the department's Insider Threat Program is consistent with national Insider Threat policy and minimum standards, as well as concomitant with national directives and DOE requirements. Also, I should add that transparency and prudent information sharing is a principal focus as we pursue the Insider Threat Program mission at our Department of Energy. Our office works closely with our DOE security policy and personnel security colleagues. In fact, personnel security or PERSEC and physical security representatives are core members of what we call our local Insider Threat working groups or LITWGs. The LITWGs represent the tip of the spear, if you will, for the program in the field, that is at the various national laboratories and DOE sites across the country. Currently, our office is pursuing a number of initiatives to advance the department's mission or Insider Threat Program mission to include revising the DOE Order 470.5.
That is the departmental driver, the vehicle that helps us to or enables us to pursue Executive Order 1357, which, of course, stood up nationwide Insider Threat programs at all departments and agencies across the executive branch. Again, we're pursuing that in earnest and looking forward to a positive conclusion and revising that order. Again, it was published in 2014, so it's about eight years old and so it's in need of some retooling. Lastly, our office via DSO guidance and direction maintains a robust outreach effort to our public and private sector colleagues and friends. We certainly understand and appreciate the value in fostering those mission-focused relationships. I'll close there and thank you for your time. You're most welcome. Chris Highly, next Chief of Personnel Security Branch, Nuclear Regulatory Commission, please provide your update. Thank you. So in the interest of time, I will not go through all of the slides one by one in terms of timeliness numbers. The gist for last quarter was our numbers did flip a little bit. We ran into some problematic cases that took longer than normal or expected and we had some issues getting hold of people with the COVID restrictions, but now that everything's reopening, I think our trend will be back to normal and meeting our adjudication times moving forward. In terms of trusted workforce, we are 1.25 and working actively with DCSA to meet the 1.5 compliant deadline at the end of this fiscal year and we don't see any reason why we will not hit the 2.0 deadlines as well. Also, I would just say we're excited to hear about the SF-312 moving towards a digital signature. I think that will speed up our internal processes quite a bit and those onboarding with our agency will feel that speed up. That's really all I had and I'm happy to answer any questions. Thank you, Chris. Appreciate that. Right now we'll hear from Mr. Perry Hunter, Perry Russell Hunter from the Defense Office of Hearings and Appeals, also known as DOHA. 
All right, Perry, yours. Thank you so much. I really appreciate it. I want to start by recognizing Greg Pinoni for his over four decades of exemplary public service to the NISP and to the nation. Greg represents the very best of expertise in industrial security and information security and public general. So Greg, I want to thank you because you've improved so many things in your time at ISOO and at the various things that are now called DCSA. I also want to join Heather Sims in congratulating DCSA in ongoing improvements to investigation and adjudication and their increased focus on quality in both areas. As you all know, DOHA renders final decisions independent of DCSA and that independence in hearings, appeals, and final decisions is very important. But a focus on quality in both the investigation and adjudication increases DOHA's ability to do its job as effectively and efficiently as possible. So DOHA is still making maximum use of telework, except for the personnel who are conducting and supporting the in-person hearings that are obviously a core part of the DOHA mission. We're fully masked at all times in all hearings and we employ a full range of safety precautions in those hearings and in the office. So in these ways we are maximizing safety to all involved in the hearing process and at DOHA. Leveraging telework has not affected DOHA productivity, which is thanks to the great partnership between DOHA and the Department of Defense Consolidated Adjudications Facility or DODCAF. Statements of reasons or SORs are still going out in typical numbers and we are timely with 257 statements of reasons reviews currently pending. That number is well within the typical on-hand SOR review workload. So while the monthly numbers may vary slightly, we are current and most SOR reviews are completed within the month received. 
However, at any given time there may be a smaller group of SORs for which there are requests for additional information, requests for permission to use other agencies' documents, and other good reasons why a serious issue case needs some work. Just for context, between 2017 and 2019, pre-pandemic, we reviewed a typical average of 2,600 SORs per year. In fiscal year 2021, DOHA legal reviewed and revised 3,021 statements of reasons, which is higher than an average number. And in calendar year 2021, we reviewed 2,578 SORs. So DOHA kept up with all the draft SORs sent by the CAF for legal review and worked at a typical operating pace despite the pandemic using DODSAFE as a delivery system to ensure a secure workflow. While the pandemic was impacting the hearing process due to travel and because DOHA was having challenges with conventional video teleconferencing, DOHA made good use of the Defense Communication System or DCS throughout fiscal year 2021 to conduct remote online virtual hearings for clearance holders and clearance applicants in locations where travel would still be unsafe or which could not be reached using conventional VTC. With the sunset of DCS, DOHA is now holding hearings using Microsoft Teams 365. DOHA has also continued to hold in-person hearings throughout the pandemic whenever and wherever possible, and we will continue to do so. And that is a report from DOHA. Thank you very much, Perry. All right, up next is Greg Pinoni, Associate Director for the Controlled Unclassified Information Program at ISOO. Greg? Okay, thank you, Mark. CUI. So just a couple things, a couple three things I want to mention. As stated before, ISOO has a lot of reporting requirements and one of those is CUI implementation. So we have to report that to the President as well and we'll be doing that very soon. Most agencies and departments have begun implementing their CUI programs. As we talked about a little yesterday, yes, there's some challenges. 
And speaking of challenges, I do want to emphasize because I've heard not just in this forum but in others, folks will say, well, we don't get information as far as the identity of what CUI, we're just told to protect it. There is, just like with the classification program, there's a CUI, I should say, challenge provision. And so we encourage to do it informally, but there's a formal process as well. And it's written into the regulation and every agency knows about it. So I highly recommend it. If you're seeing requirements and contracts, but they're written in a very generic way, you know, that lacks specificity, that provision exists for a reason. And anyone who comes into possession access to CUI, or they're not sure if it's CUI or questions it, they have that avenue to pursue. You know, maybe a little clunky, but it's there. I also want to mention the CUI federal acquisition regulation known as the FAR case. It's still moving through the process. I know it's taken a long time. We don't control that in ISOO. The council is led by GSA, along with DOD and NASA. We're doing as much as we can to move things through, have any specific timelines for when that FAR clause will be completed for CUI. But in the meantime, DOD has the DFARS clause. The other thing I want to mention about CUI that we've tried to do, I've tried to do when I became involved, is to try to, you know, because I recognize there's a lot of clunkiness, if you will, to the thing, so many categories. And one of the things I tried to do besides establishing headlines, since we're going to have a program, was to neck down the number of CUI specified categories because that just, in my view, adds to the confusion. And so we've been working on that, and we have reduced some specified into CUI basic. So, you know, there's CUI basic, there's two types of CUI, basic and specified. 
Specified is supposed to mean because there's specificity in the law, government-wide policy or regulation that dictates either how to protect the information and or limited dissemination. And most often it is that limited dissemination part. And we have found a way where we can keep that basic and still preserve the controls that the basic controls are still acceptable in a lot of cases. So that's all I want to say. And if there's any questions, I think we'll have to try and take them. Greg, thank you very much. I'm glad that it came up. I just would simply add, right, so the department continues to take a measured approach as it relates to CUI. Again, we would be remiss if we didn't thank ISOO for its support in the limited implementation that the department continues to pursue. I know, again, with an eye for transparency, it was very encouraging to hear the updates from the other CSAs today, such as they are, right, kind of warts and all. It is challenging, it is cumbersome, but we can't be acknowledging of the, you know, one, the growing reliance on unclassified information that supports, you know, the missions that are represented across the CSAs and not understand the absolute need to be able to identify with specificity, you know, the information that will then, you know, triggers things like cybersecurity requirements. And so I appreciate the nod to the DFARS rule that the department has. The DFARS rule is written in a very specific and set of ways largely predicated on identifying cybersecurity, but we get ourselves into a bit of a vicious cycle because we haven't, we really need to focus in on the identification piece of this. Okay. Thank you, Greg and Jeffrey. All right, we're now at the point of the meeting where we asked for NISPAC members to present any new business they may have. Anyone have any new business for us? Hi, this is Heather Sims, industry. Just real quickly, I want to make sure it's part of the record. 
I missed during my opening comments a special thanks to Dave Scott for his partnership and great improvement in collaboration with the Mr. Working Group, as well as Keith Menard on the 32 CFR implementation and continually cleared my guidance. But I also wanted to note during the GSA presentation, I wanted it noted that GSA is now a sole source provider for containers for industry. And I want it noted that 30%, 40%, 50% rise in the cost is instrumental when we're looking at industry trying to get containers for new contracts, existing contracts. So it is definitely an impediment to our operations as well as the timelines ever increasing to get those containers. No, indeed. Okay, thank you, Heather. Do any other committee members have any questions or remarks before we close out this meeting? All right, hearing none. Our next NISPAC is scheduled for November 2nd, 2022. We're hoping to have the next NISPAC in person, but we'll also obviously have a backup plan for a hundred percent virtual, as we have to. As a reminder, all NISPAC meeting announcements are posted in the Federal Register approximately 30 days before the meeting, along with being posted to the ISOO blog. With that, I'm going to adjourn the meeting. Thank you all, and please stay safe.