Welcome, and thank you for joining today's NISPAC meeting. To receive all pertinent information about upcoming NISPAC meetings, please subscribe to ISOO Overview at isoo-overview.blogs.archives.gov or by going to the Federal Register. All available meeting materials, including today's agenda, slides, and biographies for NISPAC members and speakers, have been posted to the ISOO website at archives.gov/isoo/oversight-groups/nispac/committee.html and have also been emailed to all registrants. Please note not all NISPAC members and speakers have biographies or slides. While connecting by phone is necessary to attend today's meeting, there is no requirement to log on to WebEx. However, you are welcome to join WebEx with the link provided with your registration, as all available materials will be shared during the meeting on that platform. If you have connected through WebEx, please ensure you have opened the participant and chat panels by using the associated icons located at the bottom of your screen. If you require technical assistance, please send a private chat message to the event producer. All links will also be shared periodically through WebEx chat. Please note all audio connections will be muted for the duration of the meeting, with the exception of NISPAC members, speakers, and ISOO, excuse me. We are expecting a fairly large audience today. Because of this, we will not be taking questions from the public. Please email your questions and comments to NISPAC@nara.gov and someone will get with you offline. Only ISOO and NISPAC members will be authorized to ask questions throughout the meeting. At the conclusion, a survey will be sent for your feedback. If you would like to be contacted regarding your survey responses, please include your email in the comments block so the NISPAC team can get back to you personally. With that, let me turn things over to Mr. 
Mark Bradley, the Director of the Information Security Oversight Office, as well as the Chairman of the NISPAC.
Thank you very much, Matt and producer, and I appreciate that. Thank you for your kind introduction. Good morning, everybody. Welcome to the 66th meeting of the National Industrial Security Program Policy Advisory Committee, commonly known as the NISPAC. This is the third NISPAC meeting that's been conducted 100% virtually, although we now understand some people are home like we are and some people don't work, actually in the office. This is a public meeting like our previous NISPAC meetings. This one will be recorded. The recording, along with the transcript and minutes, will be available within 90 days on the NISPAC reports on committee activities webpage mentioned earlier by our event producer. We are planning on a five-minute break in the middle of the meeting so I'll flag it as we move closer to that. I will now begin attendance with the government members. I will state the name of the agency and the agency members will reply by identifying himself or herself. Once I've gone through the government members, I will then proceed with the industry members. After the industry members, we will move into our speakers.
Let me start with the ODNI. Good morning, Mr. Chair. Morning. And Valerie Curran. Hi, hi, Valerie. Department of Defense. Good morning, Mark. This is Jeff Speniger. Morning, Jeff. Department of Energy. Good morning, Mark Panofsky. Is on. Good morning, Mark. NRC. Yes, good morning, everybody. This is Dennis Brady with the NRC. Morning, Dennis. DHS. Morning, Mark. This is Rob McCray and Rich DeJaweser. Morning, gentlemen. DCSA. Good morning, Keith Minard. DCSA. Morning, Keith. CIA. I'm still appears we're missing a rep from the agency. Department of Commerce. Please send an email. They're not going to be able to make it. OK, well. All right, Department of Commerce again. OK. Department of, I'm sorry. Somebody going to speak? 
Department of Justice. I catch the morning Mark. Kathleen Berry standing for Christine Gunning. Right. Good morning. NASA. Good morning, Kenneth Jones with NASA. Morning, Ken. National Security Agency. Good morning. This is Brad Weatherby from the National Security Agency. Morning, Brad. Department of State. Good morning. This is Kim Bogger from State Department. Morning, Ken. Department of Air Force. Good morning. Jennifer Aquinas here from Department of Air Force. Morning. Department of the Navy. Good morning. This is Jennifer. We're here with Department of the Navy. Good morning to you. Department of the Army. Good morning, everybody. This is Jim Anderson from Department of the Army. Morning, Jim.
Right now I'm going to turn to our industry members. Heather Sims, are you present? Heather Sims is present. OK. Dan McGarvey, are you present? Dan McGarvey is present. Good morning, Mark. All right. Morning, Dan. Dennis Ariaga. Hi, Dennis Ariaga is present. Good morning. Morning, Dennis. Morning to you. Rosie Oyo. Good morning. Rosie Barrero is present. OK. Morning, Rosie. Cheryl Stone. Cheryl Stone is present. OK. April Abbott. Good morning, present. Morning, April. Gary Jones. Gary Jones is present. Right. Tracy Durkin. Good morning. Tracy Durkin is present. Morning, Tracy.
Right now I'm going to do just a very quick roll call for our speakers to make sure everybody's here. All right. Stacey Bachanik. I'm here. Great. Perry Russell-Henner. I am here. Great. Laura, did you see no? Yes, I am here. Great. Chris Pollock. Good morning. I'm here, too. Great. Marianna Marcineau. Good morning. I'm here as well. OK. Heather Green. Good morning. I'm here. Heather Mordaga. Good morning. Morning. Sheldon Solstice. Good morning. Morning. Charles Tinch. Matt Roach. Good morning. Morning, Matt. Jason Terrio. Good morning. I'm here. Booker Bland. Good morning. Morning, Booker. David Scott. Yes, good morning. Morning to you. Felina Hutchison. Good morning, everyone. 
Morning to you. Evan Corn. Morning. I am. All right. Rich, it's Yossi Rand. I'm with the AHS, but yes, I'm here. Great. Morning. Is anyone else speaking to the next, the NISPAC that I have not heard from or that I do not know about? If so, please speak now. All right. We request that everyone identify themselves by name and agency before speaking each time for the record. Because again, what this is, as you all know, all too well, this is recorded. And we have a transcript. So it's much, much easier on us transcribing if we can actually match a name with the spoken words. So with that, we'll give you just a couple of updates. We have a few changes to the NISPAC membership. We'd like to welcome alternate Natasha Sumter with the Department of Energy. Tracy Kendall also remains an alternate. Additionally, we'd like to welcome Elizabeth O'Kane, representing the Army, and Robin Nicol, alternate with the Navy. The two of our industry members, this is their last NISPAC meeting as members, Dan McGarvey and Demi Shingla Baragio. So anyway, gentlemen, thank you for your service. I mean, you've really made some really nice contributions and we're most grateful for your service. All right, with that, I'm gonna turn it over to Greg Pinoni, who is my deputy, who will address the status of Action Items on the November 18, 2020 meeting. Greg?
Thank you, Mark. Good morning, everyone. We just had a couple of items, but before that, I wanna mention that the NISPAC Minutes from the last meeting were finalized on January 26th and were posted to the ISOO website on February 2nd. As far as the two Action Items, they're both with DCSA. The first one that's outstanding from the last meeting was the Industrial Security Letter. We refer to them as ISLs, and this one was on Insider Threat, and it will replace ISL 2016-02. 
It's in a bit of a holding pattern due to the release of the NISPOM rule, but DCSA will continue processing the ISL for issuance and begin engagement with cleared industry through the NISPAC to update tools, resources, and required training with respect to the Insider Threat ISL. The second Action Item still open has to do with DCSA providing an update on their responsibility for accreditations of sensitive compartmented information facilities, otherwise known as SCIFs, and DCSA will be responsible for the accreditation of military department SCIFs for state SCIFs and contractor SCIFs that fall under DCSA. So, do any of the NISPAC members have any questions about the Action Item status? Okay, thank you. Back to you, Mr. Chair.
Sure, my thanks. Thank you, Greg. Now, at this time, we'll go to our speakers. My first one is Ms. Heather Sims. NISPAC spokesperson will provide the industry update. Heather, all yours.
Good morning. It's a pleasure to provide industry's collective perspective today on a variety of NISP topics and priorities for 2021. Even though it's only April, it's not too early for industry members that are interested in serving as a NISPAC industry member to start thinking about whether you want to throw your name in the hat. We have September elections coming up very fast. If any industry partners are interested, contact a current NISPAC industry member or an MOU member. Industry continues to increase their engagement and collaboration with a variety of government agencies in order to be more actively involved in our national security role. You can have really bad allergies. Industry cannot be a sometimes safe order partner. NISPAC industry members, along with MOU, industry association members, continue to work tirelessly, fostering relationships and trust in order to bridge the gaps between government and industry. Adapting to change has become industry's middle name.
We lose Heather? Yeah, I don't see her line at the moment. I think it may have. 
It just fell, I guess. Yeah, I think it may have dropped off. All right. Jeff, I'm going to bring you out of the bullpen. All right, Coach. All right. So anyway, we're going to, as we try to resurface Heather, I'm going to turn to Jeffrey Spindler, Director for Critical Technology Protection for the Office of the Undersecretary of Defense for Intelligence and Security who will give the update on behalf of DOD as the NISPAC Executive Agent. Jeffrey, all yours. Well, Mark, thank you very much for that. And should Heather come back on, I'm more than happy to go back in the mute mode and let her continue. But thanks for that. And thanks for the opportunity as ever today. It's pretty remarkable how we've been able to adapt and execute in this remote environment. I'm pretty sure I said the last time and I'll continue to say, however, I look forward to the opportunity for us to, you know, to get back in a room together, you know, both for the sum and substance of the official portion of the meeting, but frankly, for the candid conversations, you know, that happen in and amongst the women and men who participate in these meetings. I think they're very, very important and something I'm looking very forward to, to being on the receiving end in the future. So with that, our update today, I have a number of things to go over. Some of them hit the wave tops on, deferring much more so to some detail that'll come later in the brief in the meeting today, principally from Keith Minard and others at DCSA. 
But the alligator that's been nearest our boat or in our boat here for a good long while is now, you know, or shortly to become, you know, I don't know, mounted or, you know, it is due someplace or something, but the NISPOM federal rule became effective on February 24th, and as many of you know, that is a years-long, you know, undertaking, you know, that our office, you know, principally Valerie Heil and many, many others have, you know, have been, you know, patiently and persistently. I think the technical term is slogging through for what amounts to several years. It's a big deal. I know I said in the prior meeting when we were forecasting this, I'll continue to say it, you know, the much of the sum of the, and substance of the NISPOM remains unchanged. There are a number of elements that many of you are becoming aware of now that have, but the biggest single takeaway, our single sentence that we continue to champion here within the building is that it creates more accountability on government. And we think that that's really critical. It's the key to consistency where the industry, where the program itself is intended to be and that is in industry, right? So it's not a hard sentence to get through. It's gonna be very, very hard and challenging in execution, but we're very excited at the prospects of actually getting to that execution layer here later in the year. We are adjudicating a number of comments that did come through in the public period. I think in total, we received 84 comments and just because we're metrics driven around here, just wanted to give some context to that, to our leadership. About 60% of those came in as a collective submission from our NISPAC industry partners and honestly, I cannot thank you enough for that, right? So the due diligence that we undertake to be able to go through each comment is a very deliberate process and our accountability is frankly the people who don't know a whole lot about the NISPAC, right? 
Their expertise is in policy, right? Federal regulatory policy and being able to make it through what amounts to an audit by them requires, it's not an easy undertaking. And so the work that was done by Heather and the other industry folks to consolidate inputs before they ever got to us through the formal process will absolutely save us a tremendous amount of time and it really speaks to the collaborative nature of the NISPAC, I think, and its intent but more than that and its execution and I really do thank you a lot for that. We're an army of about three and one of those is me and I just sort of nod up and down like a bobble head when we get into much of the details and so it's kind of, it's very, very important to have that partnership and to really call it out. Bring down those 84 comments a little bit. The key issues that we're presently adjudicating are reasonably summarized as focused on SEAD 3. Certainly going to hear more about that. I anticipate that when Heather rejoins us that she'll have some comments and I know that Keith will as well. Further guidance with respect to the work force and continuous vetting. NIDs and Section 842 are making a, you know, made a small resurgence in the discussion and clarification with respect to safeguarding. So we're preparing and propose amendments to the rule to address each of these comments and resulting changes. This will go through a DOD internal coordination and on to OMB review for about 90 days and there's some fudge factor in those timelines. You know, the OMB collects these sorts of issues and processes from across the federal government and so while it's hard for us to imagine any more important industrial security program, I think it's fair to say that there's more than one thing going on. And that's where interagency review comes in. So while that might, we can't really give a specific timeline to how that will unfold. You know, we probably put ourselves on a spring glide path. 
I think we have some pretty firm, you know, timelines to be able to provide were we to meet in July, but as much as we're not gonna do that, we'll try to provide, we will provide update through the working groups as they continue to happen. So I mentioned the SEAD 3 ISL that came out, you know, went out for NISPAC comments. We've gotten those back. They are extensive. We thank you for those many comments that came in from industry and government alike. There's a lot in there. There's a lot to unpack. A lot of focus on the implementation timelines, you know, that are getting a lot of attention right now. We'll keep you updated on those. I think like I said, Keith may have a few more comments on them, I'm not sure. But we're trying to, you know, continue a steady drum beat that we can all maintain. The ISL is not new, you know, so as we start to make progress, you know, and come to common understanding with respect to implementation, that is a team sport and one that will, you know, will continue to follow that going forward. A word on the ISL, right? So again, you'll hear more about ISL processes generally, but one of the changes in the, you know, by virtue of the issuance as a federal rule is that OMB, you know, so our issuance of industrial security letters, although ultimately approved by and will be issued, you know, as has been our practice by the undersecretary, we need an OMB coordination before that happens. And so that's another step in the process. And so the first one will be a bit of an experiment and that should inform what our, you know, recurring processes will look like for subsequent security letters. There's been quite a bit of discussion, you know, with respect to federal information systems and the specific term. 
A lot of questions on, you know, regarding the policy on information and federal information systems, you know, as it's described and defined within volume two of the DOD manual, we believe the term federal information system itself is a source of some confusion. You know, in the past, in federal information systems were previously referred to as guest systems, which meant a system approved by another government organization. DCSA has authorized federal systems in the hands of cleared industry for many years. However, some government customers are reading the volume two federal information systems paragraph as the only way to adhere to policy for their systems, which we think is not really the case. So we're kind of sifting through that, you know, folks are trying to be as deliberate as possible, but with the, you know, the heavy and increasing reliance on, you know, on extensions of systems of this type, you know, we are, we're looking to work through and come to common understanding, you know, policy clarification where necessary. At this time, however, if industry or government customer is told to disconnect a previously approved system, please raise the issue to the regional authorizing officials who will engage this directly, right? So, you know, happy to take questions on that and address concerns, you know, either here today or of course through the working group as it goes forward. Discussions regarding solid-state device sanitization, destruction policy, largely deferring at this point to NSA for further, any further guidance for in future NISO working group meetings on the topic for industry, you know, they don't need us to speak for them, but I think it bears mentioning that DCSA follows volume two guidance, which does allow some flexibility for the government information owner to accept a risk of sanitization risk rather than destruction. 
We recommend, however, if industry has specific sanitization products or questions that you would like to address or utilize, that you either submit them directly to NSA for evaluation or speak to your government customer for further guidance. Couple more, you know, topics that are really, you know, kind of growing near and dear to us here. Mentioned last time, section 847 in the FY20 NDAA includes a requirement for assessment of beneficial ownership pertaining to foreign ownership control and influence for DOD prime and subcontracts that are more than $5 million in value. It will require a DFARS clause that will go through the rulemaking process. However, in advance of that process, DOD right now is in the nascent stages of a draft DOD instruction. It is presently in the internal coordination phases within the DOD components, excuse me, under USD(I&S). From there, it will make its way out through and into the formal issuance process. There's a lot of congressional attention on this particular issue. You know, FOCI and supply chain risk management, which Stacey Bustanik is going to go into in quite a bit more detail on, I think, in her briefing here later. These are, you know, near synonymous terms, right? And the source of tremendous amounts of interest. And so this particular one, the expansion of FOCI, pretty comprehensively, is something that is garnering the interest as you would imagine. You know, for our purposes, like I said, this begins through the issuance process to define kind of what the, you know, how we would get after the provisions that are within the NDAA and left-right rudder guidance as it were for DCSA as the executing agency. And honestly, that's where the real work begins. And so as it continues to unfold, we'll certainly be looking for, you know, government and industry inputs on this very, very important topic. 
The last two things I'd like to get into, one is a little bit, I'll try to do a whole lot of forecasting, but one thing I'd like to put out there, right? So our office within USD(I&S) is the sponsor of the University Affiliated Research Center called the Applied Research Laboratory for Intelligence and Security. So at some point, some of you may have some familiarity with this, I don't want to spend a lot of time, I'm just about out of time myself. But I wanted to put out there, right, kind of a nod back to the discussion on information systems earlier. But we're sponsoring a project up at ARLIS right now that I want to put out here for just public awareness and that it'll tee us up for more substantive reporting on this project when we're next together in the fall. But in short, we're exploring the use of commercial classified cloud in the NISP. ARLIS is going to conduct a pilot working with a small number of NISP companies to independently evaluate the connections and approvals process. The project builds on observable improvements in our operability, cybersecurity and core requirements for information security insider threat, user activity monitoring for highly classified IC and DOD requirements pertaining to compartmented programs that are already in work today and similar application and exploring how those can meet similar application and requirements that are presently executed under the NISP. And so we think there's a lot there. You know, there's basically cloud, you know, in the most highly compartmented aspects of work done in industry. And there's certainly cloud within the unclassified space and the opportunity to explore the same options, you know, kind of in the expanse of the industrial security program is something that we think we're, there's quite a bit of potential there. And we look forward to leveraging, you know, what we have up there and a pretty powerful tool in ARLIS to showcase, you know, kind of the call for good, the bad and the ugly. 
And then finally, the last thing, I think you'll hear a lot more about, right, you know, operating within a COVID environment, you know, Mark Bradley mentioned, you know, that some folks, there is a slow returning to work. God help me, but I'm happy to be saying that I'm sitting in the Pentagon on the call today. Now remind me, I said that maybe in November, but it is nice to be back to work with some, you know, regularity, right? The work didn't go away and that's true for everyone out here. But one of the things that we continue to look at and continue to capitalize is, right, this environment has forced us to find ways to get work done. And in some ways really confront, confront some of the kind of longstanding processes that we've undertaken and evaluate whether or not those are the right ways to do business. Are they, there's certainly the way that they're defined, but are they the right and best ways to manage the risk as it pertains to general security, not just, you know, but with an eye for industrial security. And I think we're looking to capitalize on what lessons we are learning to make revisions in policy and get better at really, you know, defining what our requirements are and then executing against those requirements in the future. So that's kind of my minor soapbox moment, but I am right at my 15 minute mark. So I'm gonna stop right there and turn it back to you, Mark. Thank you very much.
Okay, anyone have any questions for Jeff before we let him off the hook here? Okay, hearing none, is Heather Sims back? Yeah, she's back, Mark. Yep. No, actually, Heather, would you like to pick up where you left off?
I'm back in, I think I was talking about adapting to change and I have to continue to do that. Technically challenged. Yeah. So I am back in and thanks for that update, Jeff. That was great. I was wondering how DOD would take industry having so many comments on the ISL. 
So I was pleasantly surprised when you mentioned that you appreciated the feedback. So thank you for that. So I'm basically gonna talk about our current property industry priorities and some of our watch list items. They're listed on this slide, but I'm not gonna talk in any particular order. The long-awaited new 32 CFR part 117, the new NISPOM, is currently a major focus of industry while we move to implement and also adjust to the new changes. I would like to say thank you to DOD and DCSA for your early and meaningful industry engagements. The more industry engagements are better in our mind. We look forward to hearing from the other CSAs today, how they plan to implement oversight of the new NISPOM declared industry. And I would also encourage my industry partners to actually read the new NISPOM yourself and don't make assumptions what's there and what's not there. We also look for more engagement with PAC PMO, ODNI and OPM as Trusted Workforce continues to mature. Information sharing continues to be a challenging item for industry. While some of my industry members focus specifically on improvement within the intelligence community, it's a much wider impact on all of industry. Industry often has to manage the security programs blindly. Industry is challenged with sharing of adverse information of our cleared employees, potential insider threats identified by the government, target threats against our companies and our products and services we provide to the government. That industry is charged with protecting against threats. So we'd like to have engagement with our government partners to talk about how we can increase information sharing. Industry is also challenged with being able to share known threats between companies without fear of reprisal and lawsuits. Information sharing with industry holistically is a challenge and improvements with no strength in our ability to provide better security mitigation strategies with including this group. 
I'll touch a little bit on supply chain. It's been a hot topic for many years, but we're seeing a lot of action in the implementation of many statutory regulatory requirements embedded into the acquisition process. It's not necessarily NISP focus, but there's a direct impact to the NISP at large and the supply chain of the NISP. As the government begins to get back to normal, industry understands there will be fundamental changes to how we operate. Many industry partners will continue to operate virtually for the foreseeable future while others begin the process of bringing remote workers back to the office and some variations in between. Industry does look forward to hearing from the five CSAs today on the return to work plan and how industry can be prepared as we anticipate a return to in-person oversight visits. Now, I would be remiss if I didn't mention the recent JPAS to DISS transition. While this wasn't easy by any means, I will say we had a lot of pain points and a lot still exists. There's still quite a few lessons learned. Thanks to Shelley Fultes for truly listening and working on fixes for industry's concerns with the continued issues with functionality of the system and data integrity with a sense of urgency. We've heard a lot of excuses, a lot of process went so poorly, but the bottom line is we can't allow this to happen again. One, if not the largest government system utilized to verify and validate eligibility and access levels, it's still not where it should be operationally and we're already talking about its replacement. While industry has started NBIS engagements with government partners, industry will not let up on requests for a strategic rollout plan, increased communications, training and an understanding of how industry will utilize the system. Industry understands we're not alone with exerting an enormous amount of resources and validating and correcting this information, but we have to do better. 
Industry is preparing for the implementations of new NISPOM, managing and validating and correcting data index, anticipating Trusted Workforce 2.0, preparing for CMMC assessments and trying to manage the roles controlled unclassified information in CUI. While we are often reminded that CUI is not the NISP, there is no doubt an impact to cleared industry and will continue to be impacted by CUI implementation and oversight. We're already experiencing a bifurcation of the program. Each federal agency has been charged with developing a program, what industry is dealing with is an interpretation of implementation strategies that vary by government agencies. Each program, each base is coming up with their own set of rules, leaving industry in the middle of managing expectations. Industry only has so much time and resources to manage their program. We need better oversight of government agencies to ensure a consistent approach is levied on industry. With continued engagement, a shared respect between government and industry partners, we can strengthen our NISP, protecting our government, our economic prosperity and continue our war-fighting competitive edge of our adversaries. With industry, we can help ourselves by continuing to be united in our industry priorities with the government partners at a strategic level. I understand we can be better together than simply our own and individual company interests. Most important is stay informed, stay connected and stay engaged. As I conclude, I'd like to thank the industry partners and the government partners for increasing our engagement this past year. Thanks for your time today and I look forward to a strengthened relationship and most importantly, I look forward to in-person meetings again so I don't continue with job calls. Thank you.
Okay. Thank you. Anyone have any questions for Heather? Thank you, Heather. I'm glad we got you back. All right, we'll now hear from Mr. 
Keith Minard, Senior Policy Advisor with the Critical Technology Protection of the Defense, Counterintelligence, and Security Agency. Keith, you're up.
So, thanks. Good morning, Keith Minard, DCSA. Today I'll be providing an update on DCSA planning efforts for industry and our internal implementation of 32 CFR Part 117, the NISPOM rule. Then I'll provide a short update on COVID and post-COVID NISP oversight operations planning. As Mr. Spinnaker already mentioned from DOD, 32 CFR Part 117, the NISPOM rule is now effective. Since he already addressed some key changes, I will focus on the activities of support implementation of the NISPOM rule by cleared industry. What I would like to note first though is that I believe the other CSAs may be providing some information, so I'd like to note that the planning by DCSA is for cleared contractors under DOD cognizance only. If you fall under another NISP CSA, please contact them for additional guidance. So, as Jeff mentioned, thanks to NISPAC members for the review of the NISP rule, implementation of industrial security letters, and the SEAD 3 ISL. As noted, the SEAD 3 ISL has a wide range of comments. Comments from industry do help us understand industry's implementation guidance requirements and questions they have as we put these together and draft them, coordinate them, and issue these ISLs. Really, the ISL is there to help clarify, interpret, and provide guidance for industry to better implement portions of the NISPOM requirements. So, in addition to the development coordination of the SEAD 3 ISLs and the implementation of the ISL, DCSA policy in late January developed and fielded the NISPOM rule cross-reference tool that enables readers to select known sections of the current NISPOM, and it takes the user to the portion of the rule that aligns. You can find the tool on the CDSE website. 
The cross-reference tool is really a great place to start when reviewing the rule, and ease as much the transition due to formatting changes of the NISPOM from a DOD manual to a federal regulation. As Heather already mentioned, I think one of the important things that we have to do is people need to read the rule. I think it helps bring clarity and understanding of what changes there are and what things actually convey from the existing DOD manual to the federal regulation. I'd just like to note that as of a few weeks ago, the tools have been downloaded over 2,500 times. I wasn't able to get an accurate update for today's meeting, but I'm sure we're probably closer to 3,000. So, it's important to engage industry as we move through this process. And I kind of like that. I think this is very similar to 2016 when NISPOM Change 2 came out about insider threat. Our first event was held on March 25th and was hosted by CDSE. This was like the kickoff webinar focused on the NISPOM rule. The webinar had over 800 attendees and provided an overview of the rule for attendees and included panel members, not only from DCSA, but also from the Office of the Secretary of Defense for Intelligence and Security and Industrial Security Policy. Thanks to them for this joint participation. We are currently working with the NISPAC industry lead and NCMS to plan in late April two additional webinars. The first webinar from CDSE, I will call it a fire hose. Now we need to turn the flow down and begin to discuss more in details, get to meet more like a sprinkler. So the next webinar will be focused on key changes in the NISPOM rule and other key elements that we are either hearing from industry that needs clarification, or where DCSA sees an opportunity to help provide guidance and clarification. A follow on webinar will be focused on safeguarding. 
One of the other key changes, this session is in part to better educate on the changes in the NISPOM rule referral to national information security policy in 32 CFR Part 2001. And to provide an update on the changes for certification of intrusion detection systems, reference UL 2050, reference to use of other nationally recognized testing laboratories. More to follow on scheduling. And additionally, the next steps to be planning for webinars to engage industry on SEAD 3 reporting requirements. As you can kind of see, we're kind of thinking that we started off with a broad scope of talking about the NISPOM rule. We'll break it down to key changes. And as we move through this implementation period, we'll benefit those key areas that we can use and help industry leveraging understanding through webinars and other communication capabilities. So to ensure effective communication, DCSA has added an external facing webpage that is now live. It's intended to be a single source of NISPOM rule information, key changes, events, link to tools and policy. And we're looking at adding frequently asked questions for postings related to NISPOM rule to better enable its implementation. This is similar to the webpage that supported NISPOM Change 2 and insider threat in 2016. We'll share with ISOO the link to that page so they can post on their blog. But the page can be found on the DCSA website. Go to Mission Areas and CTP and you'll find a link at the bottom of the page for the NISPOM rule. You'll also find that the link, there's a link to the cross-reference tool on the NISPOM rule page also as it is also on CDSE's tools under FSO toolbox. I would like to note that we're working with our public affairs to make sure that we're also using social media to communicate updates on the NISPOM rule. And one of the things we worked with, so at the bottom of the NISPOM rule page, please take that opportunity to view the video at the bottom of that page called Get Ready for the Rule. 
It kind of gets in key points and outlines some of the key changes in the NISPOM rule. During the implementation period, we'll be working to address input challenges identified by cleared industry and to work to address what tools and job aids, webinars, or communications, or guidance in the form of additional ISLs would address those challenges. So in addition to the implementation of SEAD 3 ISL, we've completed a scrub of our existing ISLs, identified some that have to be reissued. And I would say expect to see those reissued ISLs for coordination sometime in the near term through the NISPAC for industry comment and coordination. Again, not all existing ISLs will remain, but we did identify those that need to be reissued. So, and this will be a reissuance of existing guidance. So I wouldn't be too much concerned about major changes. They're being revised to align with the NISPOM rule, formatting, citations, and other areas like that. One of the key focus areas that Jeff already mentioned, we know we'll need to be working with industry audience. I mentioned already an extra webinar is Security Executive Agent Directive 3 reporting requirements. But that's very important to ensure there's communication guides and any tools that are needed to support that implementation. I would note that while it's now included in the NISPOM rule, everyone must keep in mind that this is a national policy requirement on the reporting for those personnel with access to classified information or who hold a sensitive position. As with industry, DCSA CTP and CDSE are reviewing our products and tools to align with the NISPOM rule. This includes oversight procedures for changes, aligning citations to the NISPOM rule, and updating our systems as well as CDSE revising tools, training and resources. So what should industry do? First, download the cross-reference tool and the NISPOM rule. Begin by clicking on sections in the current NISPOM you are very familiar with, then read the corresponding rule language. 
Get familiar, this will help you understand that while now a federal regulation, there are some key changes for industry to implement, but much of the NISPOM remains the same or had very minor changes or revisions. Finally, DCSA is working to ensure our field personnel have a consistent message on the rule. DCSA field personnel will not begin overseeing the new NISPOM rule until its implementation date. So to close on this topic, I would be remiss if I didn't mention a couple of my staff members who have been leading efforts in our office to support this implementation by DCSA and had an impact on many of the topics that I've already discussed, the webinars, the webpage, the tool, and the ISLs. This includes Booker Glenn, Larry Piles, and Jason Terrio. So that's kind of my closure on the NISPOM rule information. I'll go ahead and hit some COVID talking points here, and then I'll open up any questions. With the onset of COVID-19 travel restrictions last March, CTP shifted from regular operations to remote only activities. Our first priority was the health and safety of our workforce and yours. Secondarily, we focus on maintaining support to your facilities and continue to conduct oversight responsibilities. COVID limited our ability to physically conduct on-site actions. For example, ATOs were issued without the necessary on-site review, virtual closed area approvals, and administrative inquiries were conducted virtually. The CEMs involved telephonic discussions with cleared contractors and their facility security officers to ascertain the overall status of the security program. And the CEM is really a touch point, not an assessment. Therefore, no security ratings resulted from the CEMs. To date, DCSA has conducted over 7,000 CEMs in the past year. So the first priority when we can safely begin scheduling on-site contractor visits will be actions that have been delayed over the past year. 
This would include final assessments and approvals of stories that have been done without on-site validation, review of information systems that need verification, and review of corrective actions from our CEMs. So that kind of gives you an update on where are the CEMs. And I would note that additionally today, later on, it declared the updates to the working groups. You'll hear from Mr. David Scott, who is now serving at the DCSA CTP, a training authority, and Ms. Mariana Martin, the assistant director for the CAF, who provided an update on DCSA vetting stats during the working group updates. Subject to your questions. This is all I have for you. Thank you. Does anyone have any questions for Keith? Thank you, Keith. Next, we're gonna hear from Ms. Valerie Kerben, Senior Security Advisor, Special Security Directorate, National Counterintelligence and Security Center, Office of the Director of National Intelligence. Valerie Yorks. Hi, good morning. Thank you, Mr. Chair. And I also echo what Jeff and Heather said. It would be great when we can all get together again and work together in person versus this virtual environment. So I'm going to provide you all an update since we spoke at the last November NISPAC public meeting. So I'm sure you've all heard the news. Pleased to say that the new Director of National Intelligence was the first confirmation of the Biden administration, Ms. Avril Haines. And during her confirmation, she stated security clearance reform will be a high priority for her and she will come up to speed to understand the progress made thus far and the nature of the problems with the existing process. So we're thrilled to have her in our lane and helping us move forward on Trusted Workforce and everything else we have our hands on. So to give you a little update on Trusted Workforce, in January, exactly January 15th, OPM and ODNI as the executive agents signed a joint executive correspondence. 
This EC really shifted from the prior phase of Trusted Workforce where we work to reduce the BI inventory. And I'm sure you'll hear from DCSA where they are in their steady state of producing background investigations. But we shifted to phase two of Trusted Workforce 2.0 and the phase two really focuses on policy development for the implementation of the new government wide approach, the policy levels and how we're gonna get through the personnel vetting process from beginning to end. So the EC, one of the main topics in this was guidance for the executive branch departments and agencies and explains the differences between our Trusted Workforce 1.25 and Trusted Workforce 1.5 transitional states. So we're doing this process iteratively versus one big change at once. So working on the continuous vetting, we're working to ensure agencies are capable and ready to enroll in one of these transitional states. The ultimate goal for transitioning now is that continuous vetting will satisfy the traditional PR process. So we're not going to be doing the periodic reinvestigation every five, 10 years. All employees in the national security population and those contractors, our NISP contractors, will be enrolled in a CV capability where checks will be done ongoing. So we also included some milestones. By September 30, 2021, all departments and agencies must enroll their full national security population in at least the Trusted Workforce 1.25 capability. And DCSA will talk about that, I'm sure, in their update, but it's the capability they are able to offer to their customer agencies. And then by September 30, 2022, all departments and agencies must enroll their full national security population in the 1.5 capability. So there's just some differences in the capabilities regarding which record checks are being done and certain things the agencies are also responsible for doing. 
So we are helping our agencies enroll and ensuring to address any of their concerns during the implementation phase. And I also believe some of our NISPAC members have seen a copy of this correspondence and that was part of the information sharing with some of the high level policies that come out of our office to share with the NISPAC members. Additionally, in regards to personnel vetting, in December, the prior NCSC director, Mr. Evanina, released a statement regarding COVID-19 and how mental health impacts shouldn't, mental health should not impact national security eligibility. And really stating that counseling and undergoing treatment as a result of COVID or the associated stresses should not in itself be considered a negative or disqualifying factor for rendering eligibility or access to classified. And also in January, our new acting director for NCSC, Mr. Michael Orlando, signed another memo reiterating Mr. Evanina's statement that there are the COVID impacts on the cleared workforce. And we're just concerned and wanna ensure that the wellbeing and seeking counseling to address these concerns are being taken care of. And it is definitely a positive step and not a disqualifier. Let's see, one other area I do want to talk about and we've gotten some questions and I know it's been in the news. OPM did issue their clarifying guidance on marijuana use and reiterating the federal drug free workplace. But just wanted to state and remind that there was a 2014 memo that came out from DNI stating that the adherence to the federal laws of using marijuana is illegal to controlled substance. So we're still following that guidance. It's still valid. However, we are considering putting together clarifying guidance and also monitoring legislation. And I know you all, ISOO has asked us to give a background on the impacts of COVID. ODNI continues to operate with limited staff. 
Even though we're not back to business as usual, we still have lots of staff working on team type of schedules. We are operational and we're ready and able to respond to questions and concerns from our partner agencies and industry. We just ask you to be patient. Our response times may be a little longer. However, important for you all is that the Scattered Castles program and our continuous evaluation systems, help desk personnel are still available and they are fully operational. And we continue to attend and brief at industry related conferences and panels. And virtually we are available and do want to continue our partnership with our stakeholders here. Regarding the NISPOM rule implementation, DNI and CIA are working together to implement the NISPOM rule and retract any references to the prior NISPOM manual. I know they are working on making changes internally to new acquisitions. And I'm not sure if CIA came on the line or if they're available, if they want to provide any more details. If not, otherwise I am finished and thank you very much. Do, are there any questions? Okay, well thank you Valerie, that was very helpful. Thank you. Sure, up next is Mr. Rob McRae, Director of the National Security Services Division and Mr. Rich Jocerant, Deputy Director for Industrial Security at the Department of Homeland Security for their updates. Gentlemen. Hey, good morning. Thank you for an opportunity here to update everyone. So the department continues its important mission of protecting the homeland through counterterrorism efforts, mitigating homeland security threats, securing cyberspace and critical infrastructure, securing the country's air, land and sea borders and strengthening the preparedness posture. Our workforce largely remains in a telework, remote work environment with the exception of law enforcement, border operations, port operations, obviously they continue to operate in various areas throughout the country. 
One thing of note here is through the department's Operation Vaccinate Our Workforce, or Operation VOW, and through a partnership with the Veterans Administration, we have successfully vaccinated over 58,000 mission critical employees here in the department. So we are continuing with that important program here and getting the population of our law enforcement personnel vaccinated here. And so with an update in regard to industrial security, I have my deputy here, Rich Digiocera. Rich. Thanks Rob. Good morning everyone. Try to be pretty brief here. As everybody knows, I'm sure that DHS, we receive a majority of our industrial security services from DCSA through a special service agreement. However, we continue to work with DCSA. My team has continually worked with them on the implementation of the new NISPOM final rule. Specifically our person working with our personnel security team in regards to SEAD 3. We are developing and implementing communication plans. We're developing policy documents and we are also developing reporting tools or in the process of developing reporting tools for SEAD 3. And we continue working with DCSA for FOCI assessments regarding accepting NIDs. And while we will still conduct our own risk assessments with those NIDs, we will make a risk management decision, get with our CSO who's the CSA to determine if we are going to accept those NIDs based on our risk assessments. So again, we are still in the process of the developing and working hand-in-hand with DCSA. That's all I have, thank you. All right, thank you so much. Anybody have any questions for our colleagues at DHS? Okay, thank you. So the next update we'll hear from is from Mr. Mark Hynoski, Director of Security Policy at the Department of Energy. Mark? Yes, good morning everyone. Thank you for giving us the opportunity to give DOE's update on the NISPOM implementation and our COVID return-to-work status. 
DOE has included a review of the NISP's CFR requirements against the Department's current security requirements and has noted a number of areas that will be addressed either via page changes to the security directives or through a secretarial policy memoranda. The one that stands out obviously is the NIDs language from the recent NDAA update. Our DEAR clause, that's the DOE Acquisition Regulation Security Clause, references DOE security directives rather than the NISP to account for other security assets within the department. And because it does not specifically address the NISP, there is no need to update that security clause, although there will be other updates to the DEAR to address the NIDs and FCL processing. Our COVID return-to-work status: in March of this year, DOE issued an updated COVID-19 Workplace Safety Plan and held a department-wide safety pause, which included all federal and contractor employees. The safety pause was led by senior leaders within the organization via virtual town hall meetings. The pause introduced the updated COVID-19 Workplace Safety Plan, reviewed and reinforced COVID safety protocols at the department, provided an open dialogue between employees and management about the challenges associated with the COVID-19 protocols. We have also shared vaccine information, including vaccine availability through the department and encourage the workforce to be vaccinated. Our current operating status is that we continue maximum telework throughout the department in compliance with the OMB goal to operate at 25% of normal building occupancy or lower for sites experienced high community prevalence of the transmission of the virus. That 25% occupancy standard can be waived upon approval by the secretary. That's our update for today and I'll provide any answers to any questions anyone may have. Thank you, Mark. We appreciate that. And next we're gonna hear from Mr. Chris Highleague to give the NRC update. 
And after that, we're gonna take a five minute break. All right, Chris, you're up. Good morning. I'll end up kicking it over to Dennis Brady for the NISPOM implementation and COVID information. But in terms of personnel security or updates, there aren't really much of an update to provide. Our volume of cases and adjudication timeliness is stable. We were fortunate that our agency was able to continue processing cases as usual. Even during the COVID restrictions, our process is primarily electronic. Things are getting a little easier that we could not do in person, for instance, drug tests and fingerprinting. As COVID restrictions are easing, we're able to take care of those steps at almost normal pace again. And as things progress in the COVID world, and we will obviously get back to normal a little quicker because we were not as impacted as some of the other agencies. That's essentially all I have in terms of personnel security updates. I would ask Dennis to take over from there. Okay, thank you, Chris. Good morning, everybody, Dennis Brady. From the NRC perspective, we continue to regulate the civilian use of commercial nuclear energy in the academic and medical use as well. The NRC is continuing to implement the requirements of the NISPOM, although, like all other agencies, we've had to come up with alternative means for conducting that, but working with our industry stakeholder partners, we've been able to achieve those goals. As an agency in our COVID response, most of the agency is in what we have as phase two for maximum telework, but some of our regional offices still are in our phase one for mandatory telework, but are still able to conduct our functions as the regulator for nuclear energy. That's my report for the NRC. Great. Anyone have any questions for our friends at the NRC? All right, with that, we're gonna take a five minute break. I've got 11:04 here, so by 11:09, 11:10, we'll start back up. 
And our first speaker when we come back will be Ms. Stacy Bostjanick. All right, five minute break. Welcome back. Let me turn things over again to Mr. Mark Bradley. All right, thank you so much, Madam Moderator. Next, we're gonna hear from Ms. Stacy Bostjanick, Director of Cybersecurity Maturity Model Certification, also known as CMMC, Policy. Stacy, all yours. Oh, thank you very much. Can everybody hear me? Can you hear me? Okay. Okay, good. So as of Monday, I am now the Director of Supply Chain Risk Management for OUSD(A&S). And so today I'm gonna give you some updates on the whole enchilada that we're working on. So with CMMC, we are continuing to work through the rulemaking process. We have started the adjudication of the comments in earnest. And based on those comments, we've gone back and looked at the model and are considering some possible changes in response to those questions and comments, but we're not ready to publicize exactly what those are yet. We are moving forward with our pilots and getting the C3PAOs assessed at the CMMC level three as we consider the information that they're pulling together with those assessments as being sensitive information. So each and every C3PAO that will be performing the assessments will have to have a CMMC level three assessment done on themselves first. Every assessment that they accumulate and review will be housed in the DISA GovCloud. And that information will then be ported over to the SPRS system, where contracting officers and program managers will have the opportunity to go in to validate that companies have the appropriate CMMC level for the contracts that they're competing on. We have had a couple of pilots that have canceled and waved off for various incendiary reasons. 
Some of them had award dates in June and our C3PAOs didn't look like they were gonna be ready in time and one of the main tenets of our pilot is we're not gonna impact the timing of any of the award cycles for our acquisitions at this time. We're also working very closely with international cooperation. They always confuse me because they call themselves BIC and coming from BIA, I'm like, wait, who? But international cooperation is working very closely with us to make sure that we get the agreements in place with our partners because they're very interested in participating in CMMC. We have had some countries indicate that they may want to wholesalely adopt the CMMC process and then we have others that may wanna be there on C3PAO may set up their own accreditation body. We've also had other agencies within the federal government express interest in CMMC. DHS is looking to employ their planning, some pilot activity and Pathfinder activity here in the future and as well as GSA is gonna run some pilot efforts as well. So CMMC is rocking and rolling. There is a 30 day assessment being done internally by the new administration just to look to make sure that implementation is going the way that they expect it to. And there's also a GAO assessment going on for Congress. So based on those two, I'm sure we may have some tweaks to the program but wholesalely we've seen a lot of support through the administration for CMMC. On the supply chain risk management side, we're working with Trusted Capital in setting up avenues for companies to come in and hopefully get some investment to try to mitigate the interest from our adversaries in investing in some of our innovative companies. And we're also working very closely with many of the supply chain illumination tools. We use some of them during Project Warp Speed to further our capabilities and that seems to be very successful. 
So we're looking at that across the board and we also have set up a supply chain working group with members of OUSD across OUSD and the services to come up with a lexicon and taxonomy and a standardization to look at supply chain risk and how to assess it and mitigate it and then what are the tolerance levels that we can expect. And that's pretty much my update. Barring any questions, I appreciate your time and the ability to speak with you. Great, anyone have any questions for Stacy? All right, Stacy, go back to the beach. I'm on my way. Thank you guys so much. Okay, enjoy yourself. Yeah. Thank you. Sure, we have Roy Jacino and Chris Pollock with the General Services Administration here to brief us next on the GSA's Black Label Safe Removal Program. Gentlemen. Good morning, Mr. Chairman. This is Chris Pollock with GSA and I appreciate the opportunity to speak to the NISPAC today. As you mentioned, we also have Roy Jacino from the DOD Lock Program here to address some of the issues. By way of introduction, I'm the branch chief of the standardization and engineering branch at GSA. I'm also the program manager for the GSA approved security equipment. I'd like to talk today about a recent policy related issue that addresses the removal of some older GSA approved containers and vault doors that are currently used for protection of classified information. Next slide, please. There we go. Yeah, so this one looks like, at least on my screen, it's a little bit hard to see. But if you have a copy of the presentation, maybe you'll be able to look at it closer there. I'll run through it real quickly. Back at the end of January of this year, we issued this letter to the GSA approved security training schools and equipment manufacturers, laying out the requirement for the removal of black label containers and vault doors. I understand ISOO is also working on current, on similar policy that should be issued shortly. 
If you could read the table, you would see that the black label containers are all at least 30 years old, some of them as old as 70 years old. At the end of service, the removal date that's listed in this letter is between 2024 and 2028. This gives everyone at least three years and in most cases seven years to identify the older equipment and get it replaced. Next slide, please. Again, that's just a signature page, so again, next slide. So here are some examples of containers that have the different labels. The containers that will need to be replaced are, the sample is on the right side where you can see there's a black label, a black lettering on a silver label. If you have the containers with that label, they will need to be replaced, again, in some time in the next three to seven years. Containers that have the red label, red lettering on a silver background, as in the right part is on the left-hand sample, do not need to be replaced. Okay, next slide, please. So why is this equipment being removed from service for protecting classified information? Again, as I mentioned a couple of times, the containers are getting very old. This leads to problems that can be attributed to safety issues, security issues and repair issues. Under safety issues, a lot of the moving parts on containers that are over 30 years old tend to wear out. You get worn slides, you get outstops that break off, and you also can get rusty interiors, which can affect the operation and security of the containers. Over the years, there's been a lot of different improvements to the containers, which were not incorporated in some of these older containers, things like changes in the lock box, and also changes in the locks from mechanical to electromechanical locks. There's also repair issues. Many of the manufacturers who originally produced the equipment are no longer in business, the repair parts are no longer available. 
So all these factors add up to a situation where it's time to start removing the older equipment from service. I will now turn it over to Roy Jacino to go over some of the industry requirements, Roy. Oh, thank you, Chris. My name is Roy Jacino. I am the chair of the Act to Seal subcommittee that oversees these specifications for all the different GSA security equipment. I'm also director of the DOD Lock Program for the Department of Defense. So basically, we put out this letter to all the GSA manufacturers in training. We will be working with all the agencies to get the letter out to all of the agencies so they can plan. And what we're asking right now is everybody to start surveying their facilities for GSA approved containers. Determine the number of black label containers that you have and vault doors that are in use. And that'll be on the list for replacement. Determine the requirements, facility accreditation reviews, possible classified holding reductions. Work with the accrediting authorities and contracting officers to formulate a company plan for replacement. And again, this is government wide through all federal government. So this is, again, we put up these time frames. We feel that will be plenty of time for everybody to start addressing this and looking at and surveying and making plans. And again, we put the date out there and of course it'll be flexible, but we have to start somewhere to replace these older containers. Next slide, please. And that's really all we have. Please submit any questions that you have and we'll be more than happy to answer. Thank you. Thank you. Any questions for our friends from GSA? All right. We're now moving into the portion of the meeting where we get reports from the NISPAC working groups. However, we're not going to be discussing all of them, but we have provided slides with highlights of all of them. 
I'll only be discussing today the clearance, cost, and NISP information systems authorization, also known as NISA, working groups at this time. All right, Greg, you want to take back over? Looks like if I may have them disconnected. All right, do you think you can raise them or do you want me to, Greg? This is David Scott. I'm available to present. All right, well. You guys ready? Mark, do you want me to speak for Greg's team? Yeah, yeah, yeah, yeah. I'll take over for Greg here and then we'll get right to it. All right, let's see. You've heard from some of the SISIs on, oh, the SISIs help. I mean, the CSAs on the high-level points of what we've discussed during the clearance working group and on March 3rd, 2021. Since the last NISPAC, we also discussed the Small Business Administration, the SBA regulation combining their mentor protege programs issued this past fall. The SBA rule appears to eliminate the requirement for a joint venture to have an entity eligibility determination or EED if the entities making up the joint venture already have EEDs themselves. However, this interpretation of the regulation's language is not actually what the regulation intends and it would contradict NISP requirements. Therefore, we will be issuing an ISOO notice soon according to the... Come back on, I'm sorry. All right, Greg, let me just finish this paragraph and ensure with SBA, the Small Business Administration to clarify the joint venture EED requirements. All right, Greg, you can pick it up and we have continued in terms of discussion. Okay, yeah, I apologize, everyone. In my case, it was simply a matter of my chin hitting the phone and I accidentally disconnected. So anyway, these things happen, right? 
All right, so you already covered some of the points the working group did meet and a lot of things that were discussed today, we discussed during the working group, obviously the trusted workforce ongoing transition, the 2.0 was discussed, the JPAS, the DISS transition, the NISPOM changing over to a rule and the implications of some of the changes, particularly C3, but also a little bit on TS accountability, limited facility security clearances and the intrusion detection recognition that not just UL 2050, but other entities that meet nationally recognized testing laboratory standards which Intertek, I believe, is one such other entity that does qualify, certified under this NERDO NRTL standards. And there's a little bit of discussion about security vulnerability assessments, the ratings, how that's evolving, ratings for SVAs. Discussing about the NERDO NRTL standards oversight in general, did you cover the other issues that I was going to mention? I think you did cover joint ventures and small business administrations, is that right? Yes, yes, yes. And then the cost, did you discuss the NISP entity cost? No, we were just getting there when you got back on, so please. Okay, so this is a continuation of, let me just say, this is a broader sub-element to an initiative that ISOO has undertaken beginning about two or so years ago to refine and simplify to support agencies in their efforts to provide overall data with respect to their classified national security information programs as required by executive order and directive to ISOO on an annual basis. The one probably that would always get the most attention was reporting on the estimated numbers of derivative and original classification activities, which in and of itself was a highly suspect number. It was an estimate, but even with that, it was an extrapolation. 
And in any event, ISOO director suspended the collection of data while we worked on refining our collection efforts, consolidating them and taking advantage of technology in doing these things. And so cost is one of those elements within the overall collection of data that is required. And in this case in particular, we're talking about cost incurred by contractors under CSA cognizance, under Cognizant Security Agency cognizance. And so that's what we've been focused on in this area. And we the government have met several times discussing this and what we're trying to do before we bring industry in to see what we've come up with is for each CSA to bring their proposal for how they intend to gather costs that their contractors under the NISP, under their cognizance incur. That said, it could be that each CSA comes up with something that they all agree on, and we just have one mechanism. One of the keys of course is we do not want to have duplication of cost collection and keeping with the overall intent of the reform effort for data collection, we want to keep it as simple as possible. So once we get to that point where we have the CSAs' way ahead and some degree of consensus, we would then bring NISP industry, NISPAC industry, excuse me, in to take a look at what we have and to get their input. So that's what we have on that. Turning to the, let's see, the NISA working group, the Information Systems Authorization Working Group, we also met and has also been stated during the updates that were given. One of the topics was sanitizing solid state devices, drives also known as SSDs, and appreciate the update that DOD gave. The one thing I would add to that is we, ISOO, do intend to reach out, actually started already to the Committee on National Security Systems, CNSS, as they set the policy, national policy, for utilizing information, national security information systems that process classified. 
So in this case, as it relates to remediation methods for drives involved in classified spillages, we want to at least ask them to examine the existing policy to see if there's any need to make some adjustments. So with that, what I want to do before we collectively take questions in this part of the agenda is we want to hear from first David Scott from DCSA to give an update on DCSA's information systems. David? Yes, thank you, sir, appreciate that. So I started off this position as the NISP AO last week, so I appreciate the invite, and I look forward to working with the NISPAC members and the audience as a whole. Previous to this, I was no stranger to the NISP. The last four years I served as a regional authorization official in the Capital Region and served as acting Southern Region AO for the past year, as well as a very extensive work in cleared industry myself. Quick updates with the leadership changes in Capital Region, there is an acting, Jamie Davis, she's acting while we look to fill, backfill my position in Capital Region, and in Southern Region there is a, we've selected and have on board a permanent Southern Region AO, his name is William Barn. He just started a few weeks ago, and we're looking forward to his contribution to the team. Next slide, please. Okay, so from a metric standpoint, it's a pretty self-explanatory, I'm not gonna run through all of them. What I wanna do is just kind of highlight a couple of points. The system registrations and eMASS, or the systems that are authorized are staying at a steady state, little increase, but not too significant. But what I wanna inform everyone is we've implemented over the past, since about January, the past few months, a triage process. What we identified within our agency is we moved to RMF and we had some backlog in certain areas. 
We were getting to the point where we had some ISSPs, their queues were getting big, and we had industry waiting for some sort of communication of whether or not what they submitted was actually in the process being authorized. And we were having some timelines where they wouldn't receive a comment back up to like 80 days. And then the unfortunate case where an industry would submit something in this somewhat new process, we've been in a few years now where simple mistakes were made that we just could not move forward. So what we did was we implemented over the past few months a triage process where within the first 10 to 14 days, we'll take a look at what's submitted by industry. We'll make sure that it's meeting the mark and then we'll put it into our queue. If we find some simple mistakes throughout the initial triage, we'll return that so the industry can immediately address those concerns. So industry's not waiting 60, 90 days before they hear something from us. So we've already seen some very good return on investment with that process. And we'll continue to do that. The other piece that I wanted to hit is the AOs as a part of COVID. Initially, when we first started the pandemic, we were deferring the onsites and doing roughly around six month authorizations. This is going back a year ago. And then once we realized that the pandemic was going to be a little bit longer termed than what everyone expected, the AOs got together last fall and we said, we need to do better. So we came up with a framework to where if the industry package is sufficient, it's solid, the controls are addressed, the risk is clear and understood and acceptable. We would issue a three year authorization deferring the onsite until we can get to a post-pandemic or a regular business model. We're just now starting to see some benefits of that. We still have the tool of a conditional authorization if in fact we're still missing a few pieces that we could do a six month authorization. 
However, we are moving more towards a model of a three year authorization deferring the onsite and that is actually starting to re-benefit. Next slide, please. Okay, this is a slide that we just started recently putting together. It's our top 10 miscompliant controls, non-compliant controls within eMASS. This is new. We're still digesting this information as an agency, but we're hopefully gonna use this tool internally and externally to help address some consistency concerns. I won't go into too much detail, but you'll see the top one right there, RA-5, vulnerability scanning. And I can tell you coming from the field over the past few years, there is a misinterpretation of that control. For example, vulnerability scanning, we have a lot of industry team members, our ISSMs would state that they're using a certain tool like a SCAP compliance checker. That is not the intent of that control. It is a scanning tool, but the control itself is vulnerability scanning. What is the process for defining weaknesses in the application of the system? For example, your Microsoft patches. So it is just a misunderstanding of the actual control. So what we're gonna do is take this metric and start identifying some trends and then start education internally and externally for consistency across the country. Next slide, please. So we are in the early process of a planning for a DAAPM upgrade. What I wanna call to your attention is we are well aware of the NIST Rev 5, the 800-53 controls. We are well aware we'll have to do an update for that. We've also been working since last August internally on a NISP connection process guide is the first of our kind for an agency. Over the past many years, other agencies, DISA, et cetera, they actually have a connection process guide on how to do business with them for interconnected networks. And what we saw there was great benefits with those types of documents. 
So we actually are starting to draft our own and expand upon the requirements, processes and guidance on how to have an interconnection with the NISP. So some of the highlights are a process flow map. If you're gonna interconnect with a government network, here's what you would do. And it would follow process flows. We'll provide templates and easy to read guidance. So it'll be available. It should be easy to read for any government or industry stakeholders. So we're looking forward to that. We're in the early stages of developing. We understand we've got some coordination aspects to do. We'll definitely share it with the NISPAC as well. But we're very excited about that document. We look forward to sharing that with you guys. And next slide. So NISP common eMASS issues, no changes here. One thing I do want to kind of call out to is if we could make for everybody's awareness, especially industry items is ensuring that we're checking the security classification guidance before we input stuff into eMASS. Just making sure that we're double checking any classification guidance at all. We have a process if we have an SCG that states certain controls are at a classification level. We have a process for handling that in our job aids. But just want to make sure that that word is spread and that we're adhering to that. But other than that, eMASS common issues are pretty much straightforward. We're getting the questions into our group mail box and we're addressing them on the regular. And next slide is just questions and some available resources. And that's all I have unless there's questions from the group. Thank you. Does anyone have any, before we turn back to vetting statistics or that process, anyone have any questions on information systems authorization? Hi, this is Rosie Barrero, Industry NISPAC. I just wanted to ask a quick question and thank you, Dave, for that. Just wanted to ask for the top non-compliant controls. 
Would you be willing to post examples of compliance in the frequently asked questions online for industry? That is the goal. I've gotta work through the coordination publication process but that is the main goal of this tool. We've been wanting to put, now that we have enough data and eMASS collected over the last year, year and a half, we're able to provide some trends. But the goal is absolutely to share some of this information with industry for common understanding and consistency across the board. But yeah, that is the goal. No promises on timelines. I'm still a little new to this position and understanding the coordination aspect of it and we'll definitely do as much as we can to get that out to you guys. Great, thank you. I appreciate that. Thank you. Unless there's no other questions for that and we'll now look at some vetting statistics and I'll ask Mariana Marcheno, please, to start that looking at the background investigations, adjudications and vetting data, please. Mariana. Yes, thank you. Good morning everyone. I'll be covering background investigations, continuous vetting and adjudication mission updates for DCSA today. Regarding background investigations, our total inventory is currently just slightly over 205,000 cases of which 34,000 are industry investigations which is consistent with inventory from about a year ago and less than half of the inventory from two years ago. Timeliness statistics for end-to-end processing for industry cases, including initiation, investigation and adjudication in FY 21, the second quarter improved significantly as compared to one to two years ago. Specifically, our tier-5s were running end-to-end about 159 days and tier-3s 127 days. Timeliness and inventory do continue to fluctuate due to seasonal onboarding and hiring. 
However, of course, in the past year as we've all talked about here, we've had a few unpredictable impacts related to COVID-19 and specifically surges and occasional IT hiccups but we are seeing a gradual increase in timeliness as a result of some of these challenges that we've experienced over the past year. For the background investigation group as COVID continues, we are maximizing telework as most staff are already working remotely and we are continuing to use the executive agent approved alternative processes, including telephone interviews. While roughly about 5% of the background investigations in our inventory have been delayed or placed on hold due to COVID challenges, our team is constantly revisiting each case to continue to work and close these cases as quickly as possible. DCSA remains postured and committed to mitigating COVID-related impacts with timeliness and our overall inventory without degrading quality. I'll talk a little bit further and in a bit on the adjudication timeline. So let's go ahead and switch over to the next slide and talk about the Vetting Risk Operations Center. The VROC is staying laser focused on all industry functions and as you know, that includes investigations, missions, interim, periodic re-investigations and continuous vetting to firmness, processing incident reports and other DISS, or the Defense Information System for Security, customer service requests and balancing timeliness to support mission readiness and identifying and mitigating insider threat concerns. To date, in FY21, the VROC has submitted roughly 62,000 background investigation requests. 90% of those have had an interim determination made on average within five to seven business days. Effective April the 1st, as I'm sure everybody here knows, investigation requests can no longer be submitted in JPAS and industry must use the Defense Information System for Security for all security management functions to include investigation submissions. 
So as a reminder, please submit your fingerprints for initial clearances prior to submitting an investigation request. The VROC cannot open a background investigation or enter or issue an interim determination without first the required fingerprint results when applicable. Regarding continuous vetting, DCSA is responsible for implementing the DOD Continuous Vetting Program and has begun offering the trusted workforce 1.25 service to non-federal agencies. Our goal is to have the entire DOD cleared population enrolled in the trusted workforce continuous vetting compliant program by the end of 2021. So you'll see a significant increase in enrollment this FY as we are working to achieve this goal. A few items to note here is enrollments do include the NISP contractor population. Currently about 675,000 industry subjects are enrolled in continuous vetting and all industry periodic re-investigation deferred subjects or about 121,000 are also enrolled in trusted workforce 1.5 automated records checks. And an additional 350,000 industry subjects are pending enrollment. The VROC is currently enrolling all subjects post-adjudication and is also working to extract SF-86s on file within the Defense Information System for Security and other, I'm sorry, excuse me, other systems of records. What we need from industry is to be responsive for any overdue periodic re-investigation or if an out-of-cycle SF-86 is requested for submission. Continuous vetting enrollment does require at a minimum the 2010 version of the SF-86, of which we have most of them, but not all since the 2010 version wasn't deployed until the 2012 timeframe. If needed, the VROC will be sending specific instructions to individual companies in this spring, so please be on the lookout. For continuous vetting alert management, post-enrollment alerts are generated based on established thresholds which align to the federal investigative standards and adjudicative guidelines. 
We're currently seeing an average of a 6% alert rate, although we are base-lining a large volume of population. Criminal and financial indicators are still the most common valid actionable alerts. And so far in FY21, we received 19,000 industry alerts on 14,000 unique industry subjects, of which 8,000, while this is a lot of numbers, or 48% were not previously known. So what does that mean? It means that these alerts represent information that should have been self-reported. And our goal moving forward is to encourage self-reporting of information as early as it is known, as it will avoid future continuous vetting alerts. Moving on to the next slide about the CAF. So today the CAF continues to apply portfolio management techniques to deliver national security, suitability, and credentialing adjudications. Our readiness portfolio represents those adjudicative actions designed to get people to work, where the risk management portfolio manages risk within the trusted workforce. So far in FY21, through the second quarter, the CAF adjudicated to your background investigation products in an average of 16 days for initials, or 92 days for periodic re-investigation. For the industry population, we did the same work in adjudicated initials in an average of 17 days, or 119 days for periodic re-investigation. We do expect that adjudicative timeliness performance for PRs will continue to be higher than historical averages, due in large part to the changing derogatory nature of the periodic re-investigation we're receiving for adjudication, coupled with delays related to COVID-19 and obtaining additional information from subjects. Our current total industry inventory is about 30,000 cases, 59% of which are within our readiness portfolio, and the remaining 41% in risk management. 
The CAF is continuing to focus on processes, on improving processes, timeliness, implementing Lean Six Sigma improvements, and increasing efficiencies as we continue to work with our colleagues in the background investigation and the vetting risk operation groups to implement the trusted workforce strategy. We'll also continue to focus on preparing our workforce for these challenges, while also striving to continuously improve our services and support to your mission operations and needs. Some of our focus areas for the remainder of this fiscal year include reciprocity. As an update, because I know this is a sensitive subject for those on this call, last year the CAF and the VROC executed a joint Lean Six Sigma project focusing on improving the end-to-end reciprocity process. Last month, the DCSA deployed a change in the Defense Information Security that allows industry reciprocity customer service requests to go directly to the CAF. This update of process is functioning without any technical issues and is already improving the end-to-end timeliness. Over the next month, the CAF anticipates further process improvements as we implement the remaining Lean Six Sigma efficiencies and we will be bringing DCSA to full compliance with the DNI five-day end-to-end processing requirements. We are also looking to deploy an adjudicative assistance tool which is designed to implement machine learning focused on enhancing adjudicative quality assessments and training programs. And as you heard Valerie talk about earlier today, we are continuing to focus on mental health care and destigmatizing seeking mental health care treatment for cleared personnel with losing a security clearance. We started that process in FY20 and we'll continue to do so through FY21. We are expanding our messaging through the DCSA web portal and social media outlets, frequently asked questions and other information located in the DCSA CAF resources webpage. 
Our mental health campaign efforts also include external outreach engagements with clinicians, psychologists, security managers and defense organizations. And again, we're trying to get our message out that simply seeking mental health care treatment is not in another stopper reason why people lose security clearance. I would like to call to your attention some amended COVID-19 extension processing at the CAF. Last year when at the beginning of COVID-19, we evaluated our processes and implemented basically a hold if you would where we were not receiving responses to our request for additional information or other actions related to COVID-19. We recently reevaluated our current operating procedures and are reinstating our pre-COVID business processes and procedures regarding correspondence requirements for responses. We will no longer be issuing indefinite automatic extensions related to the COVID-19 pandemic and subjects through their security managers and facility security officers will have 30 days from the date of our request for an action and the Defense Information System for Security to comply with that official request for information. If you have any questions, please send those to us through the DISS portal. We'll be happy to answer any questions that you may have, although you can find some additional information on the DCSA website regarding this announcement. Lastly, I'd just like to call your attention to the bottom of the slide where I'm proud to share with you the DOD CAF First Annual Report, covering FY20. It highlights many of our accomplishments and continuous efforts to improve the DOD-assigned adjudications and related personnel security eligibility determinations, our adoption of streamlined business processes for security clearance processing timelines and a return to healthy and stable inventory. 
We are committed to working with you, our customers, and continuing to build strong partnerships to increase information sharing and to support your operations and mission readiness. So if you can, take a moment to share and read our annual report and the link at the bottom of the slide. And pending your questions, that's all I have for us this morning. Well, thank you, Mariana, for that excellent, comprehensive overview. Does anyone have any questions? Okay. Next, we're going to hear from Tracy Kendall to provide some DOE update metric data. Tracy? Good afternoon, Greg and everyone. I'm Tracy Kendall, and thanks for the opportunity to provide the DOE personnel security update. I know Mark had spoke earlier, but just for those who didn't know that we do have a new secretary and her name is Secretary Jennifer Granholm. The next thing I'll talk about is the DOE personnel security statistics. And currently, we're meeting the IRTPA timeliness goals for all investigative tiers based on the February 2021 statistic. For our initial, our T-5 initial, we met our IRTPA goals 11 out of the last 12 months and we expect that trend to continue. For the T-3 initials, we've met our goals over the last six months and we expect that trend to also continue. For T-5Rs, we've met those goals over the last nine months and again, we expect that to continue. For T-3, we had one hiccup in June of 2020 with our initiation process, but since that time, we've been meeting the IRTPA goals and again, we expect that trend to continue. That's really all I have right now, Greg, for the personnel security statistics, and anyone's questions, this will conclude my briefing. Pretty short. Okay, thank you, Tracy. Anyone have any questions? Okay, next, we have NRC. Now, I believe Dennis Brady already gave some data on the personnel security metrics, but with Chris Highleague, if you have anything additional to add? Well, I spoke earlier. I don't have anything additional to add. 
I would clarify, we are meeting our IRTPA guidelines for adjudications, and as I mentioned earlier, we didn't experience any slowdowns during COVID, so we would assume everything goes back to normal sooner than later as the COVID restrictions are lifted, and that's really all I have. Thank you, Chris. So, unless there's questions for Chris or any questions overall with respect to the working groups from what you've heard this morning, I'll turn it back over to the Chair. All right. Thanks, Greg. All right. Now, we're going to hear from Mr. Perry Russell Hunter from the Defense Office of Hearings and Appeals, known as DOHA. Perry. Thank you. Thank you, Mr. Chairman. Thank you, NISPAC members. DOHA is continuing to make maximum use of telework, except for the personnel who are conducting and supporting the in-person administrative hearings, the DOHA administrative judges, department counsel, and support personnel. Obviously, the hearings are a core part of the DOHA mission, so by having everybody else telework, we're maximizing the safety to everyone who's involved in those in-person hearings. But leveraging telework has not affected DOHA's productivity, and that's, in large part, thanks to the great partnership between DOHA and the Consolidated Adjudications Facility, the leadership of Mary Anna Martino, who you just heard from, and the excellence and expertise of her staff and the adjudicators of the CAF. Calendar year 2020 was actually the highest average year for total numbers of statements of reasons reviewed and issued since 2016. And statements of reasons are still going out in typical numbers and are timely. We currently have 330 SOR reviews pending, which is a typical number. At the end of January, we had 390 pending, considering that DOHA reviewed and the CAF issued over 3100 draft statements of reasons during the period between March of 2020 and March of 2021. We're in great shape and we're current. 
The first four months of fiscal year 2021, we reviewed and the CAF issued 1,200 statements of reasons. So there's going to be a shift later this year where DOHA will begin providing the SORs directly to industry employees and also tracking them. So that's something that we've mentioned before, but that's going to be happening over the course of the next year. And while the pandemic was impacting the hearing process, because DOHA was having challenges with conventional video teleconferencing, for example, fact that there would often be no operators available at the other end of the line where DOHA needed to reach, DOHA has now tested and is making good and effective use of something called the Defense Communication System, or DCS, to conduct remote online virtual hearings for clearance holders and clearance applicants in locations where travel would still be unsafe or where we could not reach the individual using conventional video teleconference technology. And that is all I have pending any questions from the group. Thank you. Any questions for Perry? Thank you, Perry. Up next is Mr. Evan Corn from my staff of ISOO who will provide an update on the controlled unclassified information program known as CUI. Evan? Thanks, Mark. As Mark said, I'm Evan Corn. I'm the team lead for CUI at ISOO, and I support the director of ISOO, who is the CUI executive agent. First, I wanted to start with an update for the CUI annual report that the president released and data we wanted to share with you is the initial analysis. So we have 90% of agencies that are reported or that they will have their CUI policy done by the end of 2021. And this includes 65% of agencies who report that they have their policy done or would have it done by December 20th, December of 2020. In addition, 80% of agencies have already begun disseminating awareness products or training their workforce on the upcoming CUI implementation. 
In addition, 90% of agencies are reporting that they will meet the fiscal and cybersecurity safety requirements by the December 31st, 2021 deadline. In addition, in other good news, the National Information Exchange Model or NIEM has released NIEM 5.0, which for the first time includes a CUI metadata standard. For those not familiar, NIEM is one of the common metadata standards. And this will significantly improve the metadata consistency that occurs as metadata is used in association with CUI. And CUI Registry Committee and ISOO will serve as a mechanism to update their review changes to the CUI domain within... In other good news, NIST SP 800-172 has been published. This was formerly known as the draft NIST SP 800-171B. So, 172 establishes recognized security protections for non-federal information systems that process, store, or transmit CUI. It was released in Final Form separate second of this year. It mainly involves changes in the narrative and boundaries and does not change the controls that are in place. The controls within the 172 are often used in the CMMC... Sorry, CMMC level four and level five determine if contractors have the necessary controls in place. Okay. I think a lot of people have been following the issuance of the CUI FAR case. And right now it was projected to go out to public comment from March to May of this year, but since we're already in May to April, we are currently expecting to get pushed back for comment later. Once it is out for comment, we will hold an ad hoc stakeholders meeting that will schedule at the beginning of the public comment period to address concerns and discuss the draft version that will be up in the comment. I also want to encourage everyone to take CUI markings trainings that we are offering as ISOO. My colleague Charlie Wallace, who is a CUI trainee, does a superb training about every month or two. And we announced that on our blog. And I'd recommend following the blog for updates on when those are going to be. 
ISOO issues a training certificate. And to date, she's getting about 5,600 government industry personnel attending each training. And she's been doing that for now over a year. In addition to all training resources that ISOO CUI website on its training page has a lot of training videos that upload easily in MP4 format right into learning management tools. And we highly encourage both agencies and industry to take advantage of that resource. That concludes the CUI portion of the update. Thank you, Evan. Does anyone have any questions for Evan on CUI? All right. We're now at the point of the meeting where we ask for NISPAC members to present any new business they may have. Anyone have any new business to discuss? All right. Hearing none. Do any other committee members have any questions or remarks before we close out this meeting today? All right. Hearing none. Our next NISPAC is scheduled for October 27th, 2021. We're hoping to have the next NISPAC in person, but we'll also plan to have it 100% virtual if needed. A reminder, all NISPAC meeting announcements are posted in the Federal Register approximately 30 days before the meeting, along with being posted to the ISOO blog. All right. With that, I want to wish you all a good day. Please stay healthy, and this meeting is now adjourned. Thank you so much. Bye. That concludes our conference. Once again, if you have any questions, please forward them to the NISPAC email address. And thank you so much for using Event Services. You may now disconnect.