 Welcome, and thank you for joining today's NISPAC meeting. Let me now turn things over to Mr. Mark Bradley, the Director of the Information Security Oversight Office, as well as the Chairman of the NISPAC. Thank you very much for your time and introduction. Morning, everybody. Welcome to the 65th meeting of the National Industrial Security Program Policy Advisory Committee, commonly known as the NISPAC. We appreciate your patience as we navigate through these difficult times. This is the second NISPAC meeting that's being conducted 100% virtually. At the conclusion, we will provide a survey to find out how this worked for everyone as we did for the last meeting. We've incorporated the comments you were kind enough to send along last time. So again, if you have anything else we can do to improve, please let us know. If you'd like to be contacted regarding survey responses, please include your email in the comments box so we can get back to you personally. If you'd like to receive information about future NISPAC meetings, my staff is no longer sending calendar invitations. We'll be able to get all the permanent information about the upcoming NISPAC meetings signing up for the ISOO overview blog or going to the Federal Register. Please send an email to NISPAC, that's N-I-S-P-P-A-C at NARA.gov if there are any questions or any questions about accessing that. Like the available agenda, slides and biographies can be retrieved by doing a Google search for NISPAC records on committee activities and clicking the first link. Again, do a Google search for NISPAC records on committee activities and click the first link. Now all speakers have slides or biographies. This meeting will be through the phone line only. This is a public meeting, just like all our NISPAC meetings are, that will be recorded. Meeting along with the transcript and minutes will be available in 90 days on the NISPAC reports on committee activities page I just mentioned. We're planning on a five-minute break during the middle of the meeting, so I will flag that as we move closer to that. I'll begin by taking attendance for the meeting of the government members first. I'll state the name of the agency. The agency member will reply by identifying themselves. Once I've gone through the government members, I will then proceed with the industry members. After the industry members, I will then proceed to the speakers. Please keep your phone on mute until I have stated your agency. If you do not have a mute button, please hit star six on your phone to mute and unmute. As a reminder, NISPAC members, speakers and I should have called on the speaker line, not the participant line. Next, we're going to start with a local. I'll start with the ODNI who is present to the ODNI. Hi, this is Kyla Power. All right. Welcome. You're replacing Valerie Turbin today, right? Yeah. Unfortunately, Valerie wasn't able to make it today. Not a problem. Okay. Thank you. DoD, who's representing you today? Good morning. This is Jeff Speninger. Hey, Jeff. How are you doing? Very well, sir. And you? Good. Just like you. Okay. I'm the Department of Energy who is representing you. Good morning. This is Tracy Kendall. Morning, Tracy. All right. NRC. Good morning. This is Chris Highleg. Hi, Cliff. DHS. Hey, good morning. This is Rob McCrae here. I am replacing Mike Scott. Okay. Hi, Rob. Welcome. DCSA. Keith Binerd. Good morning. Hey, Keith. So-and-so. CIA. Okay. Again, please. CIA. Anyone from CIA on the phone call. All right. Apparently not. All right. Department of Commerce. All right. Department of Justice. Good morning. It's Christine Gunning and Kathleen Berry. Hi, Christine. Kathleen. All right. Hey. NASA. Good morning. Ken Jones here. Morning. NSA. National Security Agency. Good morning. Shirley Brown. Hi, Shirley. Let me slip over here and hold on a second. Okay. Department of State. Hi, Kim Bogger. Good morning. Morning. Department of Air Force. Jennifer Aquinas here from Air Force. Good morning. Department of Navy. Good morning, Randy Akers from Department of Navy. Hi, Randy. Department of the Army. Good morning. Jim Anderson, Department of the Army. Morning, Ken. Now I'm going to turn to the industry members. Heather Sins, are you present? Good morning, Heather Sins. All right. Dan McGarty. Good morning. I'm here. Dennis Ariaga. You here. Good morning, sir. Dennis Ariaga here. Right here from you, Dennis. Rosie Barrario. Good morning. Rosie Barrario here. Okay. Cheryl Stone. Yes. This is Cheryl Stone. Great. Hi, Cheryl. April Abbott. Yes. Good morning, April Abbott here. All right. Derek Jones. Good morning. Derek Jones is present. All right. Great. Tracy Durkin. Hi, good morning. Tracy Durkin is present. All right. Now I'll do a quick roll call for our speakers. All right. William. What's up? Are you here? Let's hope he shows up. All right. Stacy. I'm sorry. Yeah. Stacy. Boss Yannick. Are you here? All right. Perry Russell Hunter. This is an inauspicious start for our speakers. Kevin Casey. Good morning, Mark. Hey, Kevin. Thank God you kept me from going 0 for 4. Donna McLeod. Good morning. Donna's here. Great. All right. Selena Hutchison. Good morning, everyone. I'm here. Great. Lovely. All right. Does anyone else speaking during the NISPAC that we have not heard from or I don't know about? Please speak now. Mark, this is Keith. Mr. Lietzow. Yeah. All right. Thank you. All right. We'll keep our fingers crossed as we continue on here. All right. We're expecting this to be a fairly large audience. I think last time we had over 800. Because of this, we will not be taking questions. Please email NISPAC at NARA.gov with your question or questions. And someone will get with you offline. Somebody from my staff. Only ISOO and NISPAC members will be authorized to ask questions through the meeting. We request that everyone identify themselves by name and agency. It's applicable before speaking each time for the record. As I said before, this meeting is recorded. So it's important that we're able to match the speakers up with the questions or comments. Again, as I always do, I want to remind government membership of the requirement to annually file a financial disclosure report with the National Archives and Records Administration's Office of General Counsel, same form of financial disclosure that is throughout the federal government. Which you need form 450 satisfies reporting requirements. You're not being asked to do this twice. We have several changes to the NISPAC membership. I want to bring to your attention. Now, we'd like to welcome Matt Losch as the new alternate representative from the Defense General Intelligence and Security Agency. He's replacing Carla Hellman. We'd also like to welcome Felicia Guess along with her alternates Michelle Perron and John Keasling from the Central Intelligence Agency. Mike Scott, the primary with the Department of Homeland Security, has left us. He has been replaced by Robert McCrae. Randy Akers, the alternate with the Navy, will be leaving us in about a week. Replacement for him has not yet been named. We are also welcoming our two new industry representatives to the NISPAC. His term is told of October 1, 2020. Dary Jones and Tracy Durkin replacing Bob Harney and Brian Mackey. For those departed members, thank you all for your contribution over the years. We look forward to continuing the work you've done with the new representatives we have just named. As a reminder, the agenda slides and biographies for speakers are located on the NISPAC reports on committee activities webpage. Greg, I'm going to turn this over to you. You're going to address the status of action items from the July 15, 2020 meeting. Okay. Thank you, Mr. Chair. This is Greg Pinoni. Good morning, everyone. First, the NISPAC minutes from the last meeting, those were finalized on October the 10th, and they're posted on the ISU website. And then we had four action items. So the first was for industry to provide instances of delayed processing of national interest determinations, otherwise known as NIDS, by cognizant security agencies and offices, also known as CSAs and CSOs. This is considered closed due to the elimination of the NID requirement for a substantial majority of otherwise affected NISP contractors. This was fomented by section 842 of the National Defense Authorization Act of physical year 2019 that removed this requirement for entities that were under the National Technology Industrial Base, if they're folk I emanated, foreign ownership control or influence emanated, that would be the National Technology Industrial Base. Please mute your phone. Never said is. Sorry about that, folks. So anyway, that was action item number one. Action item number two was that ISU would convene a NISPAC NID working group with industry representatives. A government-only meeting occurred on September the 16th. The next working group is scheduled for December 9th, and it will include industry representation. We've also decided to rename the group, the foreign ownership control or influence group, or folk I working group to be more representative of the issues that we're discussing. It's not just about NIDS. Action item number three, concerned DCSA's Industrial Security Letter, also known as an ISL, on insider threat. The ISL is in the process of internal formal coordination at DCSA with their Office of General Counsel. Once promulgated, this ISL will replace ISL 2016-02, and DCSA will engage with cleared industry through the NISPAC to update tools, resources, and required training. And then action item four was to schedule another insider threat working group meeting. This action is considered closed as the meeting was held on September the 2nd. Do any NISPAC members have any questions about the status of action items? Okay. We'll hear none. Back to you, Mr. Chair. Thank you, Greg, for that summary. Just, Tom, I'm pleased to introduce we're going to go to our speakers as we each give an update. First on the block is Jeffrey Spiniger, the Director for Critical Technology Protection for the Office of the Undersecretary of Defense for Intelligence and Security. He will give us an update on behalf of DOD as a NISP Executive Agent. Jeffrey? Thanks very much, Mark. Good morning, everyone out there. Happy to be joining me today. Honestly, I wish I was, you know, not sure when did it happen in my life that I've ever wished to make the trek up to Washington, DC, but I wish I was there right now for sure. You know, the importance of this forum and, frankly, the opportunity for the candid discussions that happened before and during the breaks and after. I miss tremendously. Basically, it's an opportunity for people to help me be better at my job. And I look forward to getting that kind of guidance again here in the future. God willing. So with that, you know, thank you again for the opportunity and we've adapted pretty well in the department, I think, across the federal government to this operating environment that we find ourselves in. And since we were all last together, there's been quite a bit that's happened that I think is notable. First and foremost, I'm just going to reassure excerpt from a Department of Defense policy document. So if you're students of this, I know pretty much everyone on this call largely is that our acquisition partners, you know, under the direction of Ms. Moore, the Under Secretary of Defense for acquisitions and sustainment, undertook just a herculean effort to address the way acquisitions happen in the Department of Defense and to be more agile in those endeavors. And out of that was born something called the Adaptive Acquisition Framework. And if you haven't, if you're not familiar with it, I highly recommend that you become familiar with it because it's frankly the anchor point on which much of, you know, certainly what we think about here within the industrial security program. The capstone document within, you know, all the myriad policy that relates to acquisitions and by myriad, I mean myriad is the, you know, guiding directive we refer to as the 5000.01. And so a very brief excerpt from there within the 5000.01 is under the sub padding of develop and deliver secure capabilities. Security, cybersecurity and protection of critical technologies at all phases of acquisition are the foundation of uncompromised delivery and sustainment of warfighting capabilities. Now that's not new. Some of that lexicon, some of the verbiage there is not new to this audience. You know, this idea of uncompromised delivery has been something that's been, that grew out of what was VSS in my former boss, Mr. Stevens. We give him credit. I'm deciding whether he's been Franklin or Thomas Jefferson in that scenario, maybe both. But the concept has grown into a thing and the importance of the partnership that we see emerging here with our, you know, this kind of renewed partnership that I should say that we see with our acquisition partners here, making that in a directive, making that official Department of Defense policy really reinforces maybe what most, on the call today, know, and that is that, you know, that the protection of, you know, critical technologies, the development of those technologies, the delivery and sustainment of those technologies is a team sport. And for everyone here, again, kind of obvious, but I still think that competing the center of how that all happens and begins is the industrial security program. And so it's interesting, you know, for all of the focus on, you know, kind of the challenges that we see here and this idea of the rise of great power competition, you know, sort of, you know, that we need that reminder, but I think it's very, very important and I thought it was definitely worth calling out. It's issued in September of this year. If any of you who are former government officials know what it's like to issue policy within any agency, it's a super fun time. A bit like going to the dentist without the benefit of nobikine. So all that to say that the importance of the NIST has never been greater because when we get to this idea that security, cybersecurity, and protection are the foundation of that, right? So, well, the most important component of that foundation, of course, is the industrial security program. And I think that that's going to be, I think further exemplified. It's been some time since we've had a senior acquisition official from the department brief in this pack. I was thinking back, Mark, and I think, I don't know if maybe I'll be wrong here, but I'm pretty sure Brett Lambert, I remember him coming once or twice back a long, long time ago, but I think just as a forecast, things are coming up for the rest of the briefing. So if the industrial security program is as important as we all think it is, then that brings us kind of center stage to the NIST POM. And so for those of you who, I'm sure all of you know that we've been working the rewrite and reassurance of the NIST POM for quite some time. And we are in the, we are in sight of our goal. That's really the bottom line up front to get to what's called an interim federal rule. And so if the, I described earlier the joys of issuing policy within the defense agency, that is now second to the real joy, which is issuing federal policy for the federal government. And so I hear a little bit of chuckling. I think that might be you, Mark. And so we're doing this the first time. I got nothing. It is a challenging, challenging endeavor. I think that would be the way to describe it. We went into the 60 day comment period back in the latter part of September. And we've been back and forth, kind of receiving comments from many folks and agencies that are represented here today. And we are at presently the NIST POM is back with the office management and budget. We are, it would be foolish of me to forecast that success is imminent. But all I can say is that all of the things that need to happen to get to success are continuing to happen. And so I will say that we remain cautiously optimistic. However, timelines would be if an interim federal rule is ultimately granted, that will happen sometime we believe before the end of the calendar year. If an interim federal rule does not happen, then at some point, rulemaking will kind of go into abeyance. And sometime in the springtime of 21, the process will reset some and we'll move forward again from there. And so we've got rabbit's feet and all kinds of trinkets and good luck charms out there to try to think that we're still on the glide path to get the interim out. And we'll see where that leaves us. So that's that. A couple of other things I wanted to push out. So again, since we were last together, the department wants a very public, what we call an offset campaign. The secretary just leaks and just all kinds of things that just, you know, that had occurred that had frankly frustrated the secretary and think of many of his predecessors, you know, and he had sort of a watershed moment and said, okay, enough is enough. We need to kind of get back to basics. And that's exactly what this campaign in its essence was. It was a reminder of things that, again, most folks were security professionals, which is probably the vast majority folks on this call. There wasn't anything, any cosmic revelations there, except one, and that was that, you know, at the highest level of the department of defense, there was a call to action to, you know, to kind of tighten our seals and get it together. And so again, just in keeping with, you know, as I mentioned before on the acquisition side from the 5,000, you know, the department, you know, in its issuance is if you hadn't seen it and I hope that you did, right, but the department put out a very short notice that the DOD remains committed to transparency to promote accountability and public trust. However, it is important to emphasize that unclassified information is not publicly-releasable and falls approved for at least by an appropriate authorizing official. And as an exemplar of that, those of you who can have visibility on our slide can see that we went through and we have the clear-for-open publications. You know, these are processes that exist. You know, I'm sure there are variations on these processes across all agencies, but not hard to do, but speaking with a uniform, you know, and so that we're level-cent, we're accurate, and what it is that we're intending to put forward and put out there. And we do so through, you know, the official processes. There's something that we really wanted to be able to say as being very, very important. So, and mostly, you know, it was kind of an eye for this, the concept of accountability here, right? And that accountability, and I realize the vast majority of folks on this call are not government officials, but it was a reminder to government officials that accountability begins with the person that you're looking at in the mirror. You know, so it begins within the government and then makes its way out. That is, you know, basic hygiene things, you know, marking, you know, obtaining, you know, release all those, those internal hygiene components that the secretary expects to see. And so with a nod to the folks on the CUI and to this agenda later in the day, you'll be pleased to know that, you know, that the executive secretary of the Department of Defense will not process a package for signature by the secretary or the deputy secretary that is not properly marked in accordance with the DOD issuance on control and classified information. So that's pretty good from March till now. That little, that took place in about the beginning of October of this year and that's been really great. For everybody now named Michael Russo who runs the CUI program for us. And so there's a lot of learning by doing going on. And finally, then I really wanted to kind of talk a little bit about where our priorities lie for this year. I know 842 will probably come up again. Greg mentioned it this morning. 842 nefs with 847. We couldn't say enough about how much we appreciate, you know, the importance of the NISPAC to get us to where we are today. You know, the patience of industry, the persistence of industry, the facts and data that came from industry and frankly the open-mindedness of our partners, particularly in DOE and DNI, to get us to where we are today with 842 I think is really quite good. I mean, it's incumbent on us to, you know, to, you know, kind of examine, you know, what it took to get where we are and then we'll use that as a springboard as we start to think about, you know, and to move forward on 847 and the broader concept of FOKI, which again I think you'll hear about, you know, among later speakers in which we, you know, cannot underscore the importance of the working group process and, you know, the transparency that the NISPAC affords us to get to where we need to be on this. And frankly, that's a nod to the last bullet on my slide there where you have skips and SAPFs and so, again, the SAP Enterprise folks, the director of DOD-SAPCO, you know, are undertaking kind of a broad initiative that, for which a number of attendant security processes are apart. And so it's not for mine to speak on those elements of the broader objectives of that. Those of you who do a lot of work with the DOD special programs are probably becoming aware of that. But for us, I put skips and SAPFs out there. That has definitely been something that has risen up in the era of COVID. It's been out there for a long time, a couple jobs ago. I remember this being an issue and it continues to be one today. But with an eye for how we got to where we needed to be with respect to national interest determinations, I wanted to put that out there. One, it's a priority for us to kind of work across. And two, to say that, you know, getting the right data, getting data in cooperation and collaboration with industry will help us to make the right decisions and both with those for which we have to control within the department and those for which, frankly, we're going to need assistance in collaboration and cooperation across the other CSAs. And so we look forward to that moving forward as the year progresses. And with that, Mark, I'll stop right there and thank you very much for the time. Anybody have any questions for Jeffery? Any questions for Jeffery? All right, thank you, Jeffery. All right, I'm pleased to introduce... Yeah, sure. No, no, no. Very comprehensive. I'm pleased to introduce now William Litsow, Director of the Defense, County Intelligence and Security Agency. After Bill is done, we'll have some questions, I'm sure. Bye, Bill, please. Hey, thanks very much, Mark, and I appreciate the invitation to talk. I think this is my first opportunity to address the NISPAC, certainly as the Director of DCSA. I can't remember what the conflict was during the July meeting, but I am certainly pleased to be able to be here today, talk about some of the things going on at DCSA. I think I've got a couple slides, so if you have access to them, if you just turn to the one that's... At least in my deck, I've got my name on one. That's probably not worth pausing on, but if you go to the next one, it's just a graphic depiction of what's happened in the last year or so. I know I've had a chance to speak to a number of the MOU groups that are part of the NISPAC, but I'll... So there could be a little bit of repetition for some of you, but for the NISPAC in general, I think it's worth just pausing to reflect on the fact that DCSA has been undergoing a lot of change any way you look at it. We all have. Everyone who's dealing with COVID right now, this will be a special year on anyone's calendar. It changes the way we do business in lots of different ways, but it kind of got piled on top of pretty massive changes. I would say you could say changes to DCSA, but really it's changes that created DCSA as this slide kind of depicts in the two bottom corners left and right, you have the two October 1 transfers, one a year ago and one just a couple weeks ago. A year ago was the big numbers of people, dollars where what was... If you were to technically look at it as a lawyer might, really what happened is Defense Security Service acquired other components and changed its name into DCSA and in that regard it went from an 800 million dollar organization into a 12,000 man, two and a half billion dollar organization. And then there's other metrics that you can see there. 167 field offices around the country and things like that that were added to the... added to it a year ago and there's been a lot of transition as you can imagine whenever you do that. More mission sets were added just a few weeks ago. The ENBIS program came over from DCSA. DCS came over from DMDC. You see the Polygraph School from DIA. You just talked about it. Well, Jeff just mentioned the SCIF accreditation. Well actually I don't know if you did mention SCIF accreditation but you did mention SCIF and in fact just days ago the Undersecretary of Defense for Intelligence and Security Joe Kernan just before he left signed out a memo shifting that mission over to us. And several other IT systems some people don't realize for instance that yes we took NVID from OPM a year ago but a few weeks ago a legacy IT system that goes back to 1984 when it was first put in place and yes it was the one that was hacked into by the Chinese a few years back. That also came under DCSA's cognizance in the last few weeks. So if you just look at the transfers themselves all of those different organizations and offices that are kind of depicted graphically on that slide have come together to form a new agency DCSA really just kind of finishing up its first year of the existence in only the first few weeks with all of these mission sets together. So even if there wasn't COVID we would be undergoing a lot of change. And what you if you go to the next slide with at least on my deck it says slide three you see a fairly common representation we use just kind of a way of graphically depicting the transformation that DCSA is going through we kind of have it separated into phases a transfer phase where we're bringing in the different components. A transition phase which is the same kind of integration that every company goes through when it has mergers or acquisitions government agencies do the same thing. And then a kind of a larger more profound transformation phase which is designed to make DCSA be the implementer that everyone on this call would want it to be if we were going to have the kind of personal betting that you would want the United States government to have if you were going to have the kind of industrial security that we would want the US government to have you know basically that's bringing us solidly into the 21st century with the appropriate innovation and optimization of of the different components to what DCSA does so that we're putting it all together in a way that best protects our security. And that's kind of so I guess my main point would be that we are in a timeline where we have completed most of the transfers there's a few more things that are happening a year from now we're in transition if you I think you go one more slide I've asked them to put out there my transitional organization chart and then we're in the thick of transformational efforts right now as a new organization I guess before I get into how specifically we're transforming I would like to just pause for a minute to reflect on the last year a little bit of bragging on behalf of my agency and the people who work at DCSA because I would say that you know it's difficult to change everyone knows that change management is one of the most complex leadership challenges that people have in this case we've got all this change happening while going through COVID I think for those who were around my change of directorship with Charlie Phelan took place here in the conference room at DCSA in Quantico where I am now there was maybe three or four people in the room and we didn't even shake hands I think we touched elbows because COVID had just started so it was already difficult on the agency it became more difficult but during this period the way I often describe it and probably some of you were on a call yesterday with our stakeholders where I did it that way where we have a it's like we're in charge of changing the engines in this airplane while it's flying we've got to keep our missions going our industrial security mission continues our personnel vetting mission continues we've got to continue flying the plane but we need to change it from a turboprop into a jet while we're flying it to make sure we don't lose altitude while it's happening so that's what this team has been doing and that's kind of what I mean by wanting to brag about the work they've done because during this year of pretty substantial transition that's been going on our background investigation team has further reduced its inventory from what you all know at one point was a 725,000 case inventory and is now hovering around a steady state 200,000 cases you know we were looking I'm sure everyone on this call is familiar with the amount of time it took to complete an investigation to get a top secret clearance or a secret clearance nowhere near our IRPTA timelines yet in the fourth quarter of FY20 during COVID we actually for the first time in I think about eight years hit the T580 day IRPTA goal for a top secret clearance we're hovering around 55 days right now for a secret clearance and our adjudication facility the consolidated adjudication facility which handles about 89% of all of of the adjudications in the US government has now they had a fairly significant backlog a year ago as well they've reduced it to a steady state and they've fallen well within all the IRPTA timelines of under 20 days in some cases hitting 10, 11 days for a top secret clearance so basically while the transformation has been taking place the guys who are actually doing the work out there at the pointy end of the spear have been keeping the mission going in a way that I couldn't be prouder of them on investigation when I mentioned obviously you're familiar we have you know the kind of heart of the agency our industrial security mission that reaches out into all the others has also been making massive improvements during the same timeframe you know our FOCI mitigation assessments are being done in about a 40% shorter timeframe than they were same is true with our facility security clearances of course we've had challenges with COVID and everything but at the same time we kept up that processing and are improving also the kind of the level of sophistication of the vulnerabilities that we're looking at part of that as I think a lot of you know as we've heard in the past things like DSS and transition and Rizzo and things like that that have not always from my understanding been received with enthusiasm for good reason but they've also our attempts at change for good reason too because we're moving from a vulnerability system that was kind of checklist based where we're simply looking at vulnerabilities when we call ourselves the gatekeepers we're essentially looking at whether the walls in the gate are on a firm footing and we've moved into a 21st century where we've got a much more sophisticated threat and we cannot just simply look at a checklist vulnerability kind of assessment we've got to look more specifically at the threats because they're already inside the walls if you will they're behind the gate already we have a counterintelligence capability that has been blossoming in recent years you know I could get similar performance metrics for them if we wanted to you know they're about three and a half percent of DoD's counterintelligence assets but we're producing about 40% of the IIRs you know associated with emerging and disruptive technologies they'll probably produce about 6,000 IIRs today about 20,000 raw industry reports that's something that wasn't even really happening a decade ago and then our training mission CDSE we also have a national training center and of course the polygraph school we just adopted similar situation there during transition during COVID they didn't really ratchet back to the work they were doing in fact we've probably this year tripled the number of course completions as you can imagine during COVID one of the things you can do is take online courses so there was a much bigger demand signal put out to our CDSE team and they responded by stretching all of our IT systems to the limit as they move forward so anyway a lot of great work has been done by the agency you know my goal will to keep all of those trajectories for our mission areas while also transforming the agency into what you want it to be and there I have a new office called the chief strategy officer or chief strategy office it absorbed what was previously some of you heard of a personnel vetting transformation office I was involved in that before I came in as the director here the chief strategy office has we have a number of objectives that we're using to move forward and basically having a greater customer focus coming up with an operating model that's more efficient that makes sense continuing better optimizing our leveraging of technology in innovation kind of optimizing the organizational efficiencies we ought to be able to get by coming together that team is working through the transformation initiatives that are going to take us to where we need to be and there's another component to it I should just pause for a second because I know it is an area of concern across the organizations represented in this meeting with IT architectures you're familiar with the legacy IT probably doesn't give a lot of heartburn to most of the people on this call that's because you don't know what I know about the vulnerabilities of that IT architecture and it's probably the one that gives me the greatest heartburn OPM the plan originally a year ago was that OPM would continue to run the legacy IT architecture it's sometimes called that's just one of 80 some components to it but your taxes are paying about $150 million a year to keep that thing up and running and OPM recently told us they just weren't staffed to be able to keep it running in spite of the original agreement so DOD had to adopt it on October 1st now ideally we wouldn't need it anymore because I think what you're all familiar with is NBIS national background investigation system was supposed to be up and running to replace the legacy IT system it's not it won't be able to replace that legacy IT system in the immediate future so right now we've got to keep both of them running we also just adopted the whole NBIS program management office for this year some of you have heard about that program I think in some ways some of the advertised capabilities that it was going to provide were based on kind of technological development as opposed to a operationally relevant capability and in that regard some of the promises, some of the expectations were more sanguine than they should have been one of the first things we did as I was taking over as director was a re-baselining of the NBIS program trying to get some realistic expectations on the street and a more thorough coordinated integrated master schedule that would be capabilities based so that we could actually start sunsetting the legacy IT structures while we were building NBIS and building it in such a way that we could factor in the new trusted workforce 2.0 requirements of continuous vetting that included some high side capabilities that weren't originally factored into NBIS so that's kind of one of the big moving parts and then the one that I think has a lot of people understandably concerned it was brought to my attention I think Mark you might assign that letter for my so I'm not even sure but I'll wake up call soon after coming in as director when there was concern expressed from our industry partners that the dis capabilities weren't quite up to where they should be before we're ready to sunset J-Pass and so we took a hard look at that and in fact I came to the conclusion that the concerns were well placed and we've recently just adopted the DIS program from DMDC another DOD component a few weeks ago and we have done a pretty hard look at that and come up with a a gap analysis and a kind of a a set of criteria that we're going to use before we sunset J-Pass. Right now I think technically it is still scheduled to sunset on December 31st of this year pretty certain that it will not be sunsetting there and we're going to probably be extending that in fact I have a meeting with the new under secretary of defense for thousands of security tomorrow and probably we'll raise that issue as a something where he's going to have to change that target date so that the chalk line that we were snapping at one point was a date base kind of a calendar chalk line going to be October 1st I think and then it moved to December it'll now be a capabilities based chalk line but we are going to have to move forward fairly soon as we try to get our IT architecture up and running to support the new DCS emissions. Now I'm getting to the end of the time so let me ask you to just turn to that last slide the fourth slide this was just recently done this is the transitional organizational chart you had org charts for many of the different components and BIB had its own org chart within OPM DSS had an org chart the CAF had an org chart we have various offices that have joined what like every major organization we will undoubtedly be reorganizing again in the future this what I have here though is kind of a transitional org chart on day one a year ago Charlie Fallon and I agreed that the thing that made the most sense was to put together an organization that caused the least disruption and change to the ongoing missions at that time at some point we have a transformational organization that kind of integrates the missions better this is what I'm calling the transitional organization chart the bottom row is what's most significant these are our mission areas obviously the pointy end of the spear is our regions and field offices they don't dwell on those very much here they've stayed the same we have not merged them yet we have slightly different regions and office locations in the personnel vetting space that we have in the industrial security space and in the counter intelligence space I broke out counter intelligence so then you move one line up and you see the what I'm calling the seven kind of major mission areas of DCSA these would be the assistant director level leads and I broke out counter intelligence from what was then seen as a larger critical technology protection next one over it says it's called critical technology protection that's really where your industrial security sits and I will admit that I almost changed its name to industrial security when we came up with this transitional work chart but I got enough internal pushback that all right we'll let it we'll let it ride for a while but that is where a broader what I can see of as a broader industrial security set of missions resides primarily background investigations you're familiar with but for a brief period it was it was a much even a bigger organization called personnel but we've broken it out to be product offerings background investigations is probably man power wise is the largest part of DCSA adjudications is about 600 people adjudicate mostly for DoD and most of people on this call should be familiar with the V Rock which is also why we left that name in place but the V Rock is is kind of mixing the industrial security component of personnel vetting but it's also where we're doing the most change right now with respect to continuous evaluation continuous vetting and putting products new products on the street that can be used by the 120 odd agencies that we support as well as industry as we're looking at moving into a continuous vetting framework did Mac you're familiar with and looking at a clock training I've already spoken of a little bit these are our major mission areas as you look up these are the support elements are up above I will say the program executive office which is what houses and this right now that's a little bit more than a support element and that if you really look at the mandate for and this it provides a architecture that can be used by other investigative branches within the US government not just by DCSA and the and the agencies that we support so it's got a little bit of an outward facing component too that's the big picture of where we sit today we're in the process of continuing to transform this organization but to try to keep the missions going as we are and I'll pause there Mark because I do want to leave room for any questions that someone might have sure thank you please anyone have any questions for Bill I can't imagine that they don't know you just hit the spur of job I guess you answered all the questions Mark how would you do that I think you would this is more for future planning looking at DCSA and by the way fantastic kudos to all of you Bill and everyone at DCSA for what you're doing absolutely the transitional organizational chart can't help but notice you know the rest of the world has overlaid there or underlaid and forgive me if it's already in existence there was a time when DSS, DIS had a presence in European and Asian theaters and you know today of course global is more than ever and many of the folks on this call are with companies that have global presence so the question is simply is there a plan in the future for DCSA to establish a presence you know either Europe Middle East or virtually anywhere in the world hey thanks Greg that's a great question and that's actually one of the things we are looking at now the presence that I think you're describing from the past if Mike the history that I've learned upon coming here is accurate to some degree that's been pulled back and it's supported by some headquarters here we do still have now what's interesting is as we merge the mission sets I do have a background investigation presence that's overseas still overseas sitting there but even that has ratcheted back a little bit during the COVID situation so I didn't talk too much about some of the changes that COVID brought about but other than just bragging about the fact that we kept the mission going during COVID too much of a hiccup but you can imagine there were a number of hiccups we did a lot of passing out of laptops and software that needed to replace some of the in-person things that were taking place paper copies of things we made more rapid the shift from paper to if you were to visit Pennsylvania a year ago you could have seen acres of file cabinets that looked like it was coming out of an Indiana Jones movie where the Ark of the Covenant was there and those file cabinets are now gone and they're replaced with electronic records that's a good thing so all that's a good thing but part of it is the work we were doing in interviewing targets the people we interviewed I've also made for it but those people over in Europe a lot more of it was done by videoconference and teleconference and we're looking at how we want to go forward I think all of us have learned things during COVID we've learned about teleworking and where the limits are to what you can and can't accomplish but certainly our presence in Europe has reduced both on the industrial security side and on the personnel vetting side more recently and we're going to look as we look at the operating model going forward we're going to look at what makes sense for the future okay thank you appreciate it very good anyone else have any questions for Bill before we come to our next speaker yes I do this is Dan McGarvey from this pack industry and well I just thank you this is without a doubt very impressive and obviously very challenging I would say that you're not just rebuilding an airplane you're almost like rebuilding a city one thought I had as you go through your transformation process I noticed that it talked about an operating model implementation roadmap it would be terrific if at some point in time you could share that at least within this pack industry as you move along so that we know where DCSA is going and also where we could help in terms of supporting your different initiatives that take place because you've got on your transition piece transition for two and a half years and even though it doesn't give a specific date it looks like somewhere along the lines of maybe 2025 or something like that so understanding where you're going would really help us but once again it's been a terrific presentation thank you no thank you Danny I appreciate the comment and I also appreciate the request I want to pull back the 2025 to maybe 2024 and treat that first year as if it's already gone by because it's funny as you said it would be good to see the implementation roadmap I'm sitting here in my office saying yeah I want to see that out of my CSO office this afternoon too because they wanted to delay the meeting yet again and I said no we're going to do it today so obviously it's not ready for prime time yet it's a work in progress it'll be iterative it has been but that's a great point close to having a more kind of a reticulated plan in place that we could share and I will keep that in mind and we'll find a way to you know in the kind of public facing charts like maybe this transitional work chart we could also put a high level implementation plan in place because that is the next step but it is a one right now if you were to say hey could I look at that plan I've got several of them on my desk and none of them are quite right yet but thank you we will get there hi this is Kim I just want to thank you for saying that you had thought about calling the program keeping it industrial security because from someone who's been in it for many many years I was a little disheartened when I saw the boxes yesterday and didn't see the words industrial security because it's a program close to my heart so I'm glad that you struggled with that and I know it encompasses a lot more than just industrial security but I was just kind of glad to hear you say that so thank you thank you you've just encouraged me too because depending how you define industrial security I personally think that's broad enough that it could capture everything we do in critical technology protection but there are people here who have different opinions on it I would be on your side on that because I'm an old person that doesn't like change so thank you though well good what we're obviously trying to do is because this is such a big you know the transformation as was just described goes out a number of years this isn't one of those kind of changes where you can rip a Band-Aid off and just do it all at once we've got to phase it with the question of alright we're going to do so many changes on this kind of phase but when we start implementing the OP model that's when we probably will kind of nail down what our various organizational components are called thank you anyone else for Bill Bill that was an excellent presentation and it's good to know that you're there during these tumultuous times you're making some real real progress and we couldn't be happier that you're running things so keep it up okay next speaker my pleasure next speaker will be Stacy Boshanic director of cybersecurity security model certification policy Stacy hi good morning how's everybody this morning I don't know did we send you guys slides I don't think so it doesn't look like it so I'm here to talk about the cybersecurity maturity model I think everybody is fairly aware of why we're doing the cybersecurity maturity model certification and so I was going to give you an update as to where we stand so currently we have moved into from proposed rulemaking into an interim rule which will become effective 30 November we are in the public comment period I think we've had 36,000 views I think right now we're up to about 35 or 40 comments and so come November 30 the interim rule will be in effect which means we will be in a position to include CMMC as a condition of award ah here we go okay so we do have slides alright so if you look at the slide that we're on now we're talking about the interim rule so as of November 30th we can include the CMMC in select acquisition programs as a condition of award now the one thing that we wanted to talk about was there are several different parts to the interim rule that we're working with as you all are aware that we have been doing the DOD assessments which is the DCMA group of assessors that go out and work with companies to either provide them a basic medium or a high assessment the basic assessment is in line with what the original 2522047012 clause said which is you need to self-attest to the fact that you have a system security plan and a poem to be in compliance with the 110 controls required by the 10171 the medium assessment is where you get on the phone and you talk through your system security plan and your poem with the DCMA rep so they have confidence and comfort with where you are with your plan and then a high assessment is where they come out and do a they either come to your facility and do an over the shoulder look at they will do an over the shoulder view of what your system looks like and be in a position to validate that the system securities that are in place that you say they are and they will give you a score with regard to that so one of the parts of this in on rule with regard to the DOD assessment requires that by November 30 all DOD contractors submit their basic assessment in the Spurs database. There's been a lot of confusion with regard to that a lot of people are associating that with the CMMC rule so I've been fielding a lot of questions on the Spurs database. There's a requirement to go into that database fill out the basic information of your system security plan and your plan to get there and then you have to self score yourself evaluate yourself as to what score you think you would achieve on the NIST 800171 and the current DOD assessment methodology and have that in the Spurs database before December 1st and a lot of the primes are letting the subs know that they cannot have their options exercised on existing contracts unless that information is in the database so if you get if you have anybody questioning we have information sheets that are going to be on the DPC toolbox website that will give explicit instructions on how to do that on the CMMC rule we are going to have a roll out of about 10 to 15 acquisitions in the first year. We're currently working hand in hand with the services acquisition executives to identify three to four programs within each service and three or four out of the fourth estate to begin implementation of CMMC. Now what will happen can you go to the next slide let's see what I have on the next slide okay so I'll talk to this for a second. What will happen is as we identify those programs in fact Ms. Lourdes getting ready to issue a press release with the first three or four programs listed so people can prepare and get ready and RFI will come out we have model language that we've prepared and gone through in some of our table top exercises and our pathfinders that we've done that will be sent out to the acquisition professionals for them to be able to put the proper language in their RFIs and RFQs for inclusion in those contracts the contractor will be notified they will be able to issue submit a proposal the proposal will be evaluated and if they are the parent or they will have to have the requisite CMMC certification prior to contract award now if you look at the second slide this shows you the phasing of how the DOD assessments are going to be phased over to the CMMC assessment essentially and you can see it's a very slow progression and that the number of contractors that we really anticipate at the CMMC level 3 is not that high can you go to the next slide okay this is what I've already spoken to this is talking about the Spurs information that needs to go in that database and that every contractor will have that listed before December 1 to continue performance on their existing contracts and new contracts as well okay can we go to the next slide this is more explanation of that I think the sparring methodology is one thing that has got some people confused so this information is very important for different companies to have to make sure that they are in the next slide okay so again these are our pilot programs where we've asked each service to provide us three to four programs they will be managing the CMMC level 3 which is just basic CUI in the first year roll out we will not address the higher critical technologies until 2022-23 time frame but currently we've got provisional assessors framed by the CMMC I think we have about 75 to 100 assessors ready to start working we're working on the C3PAOs now those provisional assessors have yet to go through their background investigations we're going to have for CMMC level 1 for assessments they will have to have a tier 1 suitability determination for anything above that they will have to have a tier 3 suitability determination the process and I'm hoping the gentleman from DCSA is still on the line because what we've agreed upon is that the CMMC AB will have an FSO that will work directly with DCSA to process and manage those suitability determinations for those individuals performing the assessment those assessors will work with C3PAOs which are the CMMC third party assessment organizations those C3PAOs will have to have their systems evaluated at CMMC level 3 because it is our contention that the system security plan the assessment information that they will gather when they go out to these companies to do these assessments would be needed to be safeguarded at a CMMC level 3 and be considered to be controlled on classified information can you go to the next slide I guess one thing I want to make sure I mentioned that COPS products are excluded from CMMC they do not require a CMMC certification so the slide you see here is our rollout plan we plan to have 15 acquisitions in FY 21 75 and 22 250 and 23 479 in the last two years and then after FY 26 all contracts will require a CMMC other than the COPS products that I mentioned previously okay can you go to the next slide so you can see here on this slide what we talk about is the percentage of companies that we anticipate being level 1 through 5 and it is our contention that about 60% of the dib will only ever require CMMC level 1 which is there in receipt of the federal contract information one of the things that we're working on with Mr. Speninger's office is to come up with a guide for the acquisition community because probably the toughest nut to crack is that when you have CUI at the CMMC level 3, 4 and 5 how when you disaggregate that data and you start mapping it through the supply chain where does it lose the requirement to be CMMC level 3 where is it no longer CUI and I guess one of the best examples that I can give to illuminate what I'm talking about is Ms. Errington went out to Trainscom and had to meet with a welder and he was quite frustrated that's why he needed to have cybersecurity you know he said I'm just a plain welder and so when she went to visit him she said well how do you know what to weld and he said well they send it to me and she said he had his Apple Mac laptop up on the counter and she could see the Facebook messenger blinking and his Amazon delivery popped up while she was staying in there and she said it was a program and she said can you zoom out on that so I can see what the whole thing is she had the entire structural design of one of our tactical aircraft and she said well don't you think our adversaries would want to get a hold of that or get in and change the tolerances and specifications of your weld so now your quality goes down and you no longer can garner work and it arose our industrial base or how about if he just wants he can redirect your payment to his account and steal your money and one of the the poignant parts about that is why did that welder have the entire tactical design if the prime had only taken the time to cut out each weld and send him the necessary information that he only needed to do his job could he not have been in receipt of CUI and had that you know not necessarily have been CUI those welds in the spot weld so that's one thing we've got to work with our program managers and our primes to identify at what point do those does that CUI when it's disaggregated from other things no longer hold the trappings of CUI can only be seen in CUI level one because you're not going to it doesn't make good business since we probably can ill afford to have every number of a procurement that CUI see them in C level three be seen in C level three if I'm just producing a bolt then I only need to be seen in C level one and we don't need to have that contractor go through the expense of being seen in C level three certified okay can you go to the next slide okay so this again is just a breakdown of the CMMC rollout and where we expect it to be can you go to the next slide and this is a breakdown by entity side I know we've gotten a lot of consternation from the small businesses as to what this is mean to me and they feel like they have a lot of of a heavy lift and expense to become CMMC certified but if you look at this I'm not sure that many of the small businesses will ever have to be anything higher than a CMMC level one and the cost for that is actually fairly minimal we also have go to the next slide I'm not sure if we have it in here we have a lot of programs right now with Project Spectrum and the NISTMIT organization and the PTACS that will be trained on CMMC so they can provide assistance to these small to help guide them through the process figure out where they need to be and what CMMC level they feel they need to have there's also language in the NDA that talks about a grants program with funding to assist some of these small businesses but as you all know we haven't gotten that approved yet so we can't hold our breath on that one quite yet can you go to the next slide please that looks to be the last slide okay well so barring that I will wait for any questions I'm hoping unlike the rest of the people nobody has any right I'll break the ice again thank you very much Stacy great briefing and I don't want to overplay this but looking at that last slide that we see on the rollout by entity size could you amplify a little bit on what the criteria is what is a small entity versus another then small or if that's too much for right now I guess because I'm a little confused in terms of whether you're small or not small you still could be working on a very significant piece of technology and I find it very interesting that none of them as you pointed out would ever go above the level 3 well now I think that I mischaracterize that if that's the way you saw it I'm sorry very few would go above a level 3 I see there are some in the out years and well so in our rollout plan in the first year we are only going to concentrate on things that are level 3 because we're our training and our information for the level 4 and 5 with the highly critical technology is not mature enough yet so we're only going to roll out at level 3 for FY 21 and that was our decision right now what we have to look at is when you start talking about those things that rise to the level of the CMMC 4 and 5 and they're associated with the level of criticality of that technology through our research information where what we've determined is not that many companies are actually going to be participating at that high level now remember that doesn't mean that they can't participate on the program but we don't anticipate that their participation would in require them to have a certification at that high level that other mainly the crimes are doing the work at the big primes on that really critical highly technical area now that's not to say that you won't have one or two right and those types of things are going to be levels 4 and 5 are going to be extremely expensive and we're anticipating that the costs up to level 3 will be incorporated in the overhead and the indirect rates of the company when you get to levels 4 and 5 those would most probably be a direct charge to the program just because it is such an expensive expense for the company that they will probably have a very difficult time affording it so the program will probably bear the brunt of the uplift front they'll have to pay on their own to CMMC level 3 that will be a direct charge to the program okay thanks for amplifying on those points that's where I was going too thinking about the expense involved in level 4 and 5 for the small companies now the one thing I did find interesting was there was a group and I'm going to probably be a little politically incorrect but I'm going to call them cyberdukes on LinkedIn we were lobbying for the CMMC team to move some of the requirements from CMMC level 4 down the CMMC level 3 and we were all snickering because we never expected anybody to say hey you need to make level 3 harder and I'm quite sure that once we get through the public comment phase we're going to reassess CMMC level 3 and it's quite possible that those additional 20 controls over and above the NIST 110 are going to get looked at pretty closely okay again thank you appreciate it this is Kim from State Department at the risk of in front of hundreds of people showing my ignorance I'm just kind of confused by this whole thing which is on me but okay but this all talks about DFARS clause which is DOD and it keeps talking about DOD so is this a separate I'm not DOD I'm State Department non-DOD agency so does this get implemented and do the contractors that have State Department contractors don't fall under DFARS again I'm probably showing ignorance on this no no you're fine no and it makes total sense that you would ask this question so to begin with this is going to be a purely Department of Defense requirement and that's why it's being implemented in the DFARS up front now what I will tell you though is we have a lot of interest across all of federal government and are you familiar with the Federal Acquisition Security Council have you heard of that yeah I think that we've been involved with them with some other clauses with regards to yes yes State Department definitely has a play in the Federal Acquisition Security Council and that is a council setup to help improve our cyber security and our acquisition and supply chain risk management across the entire federal government CMMC so CMMC came into play because we instituted the 2522047012 clause which is DOD only that said if you're going to handle controlled unclassified information you have to meet this NIST 800-171-110 controls in your network to be compliant to handle it which says you have enough protection in your network to keep people from stealing this information that we hold as important so that came into play at the end of December of 2017 there was an IG review and then a Navy cyber readiness review that went out and kind of said hey let's see how contractors are doing with their self attestation and the implementation of this clause that they were supposed to do and they basically found out sorry if you let know they weren't doing it they were self attesting that they were and they weren't because they just didn't understand or they wanted the business and they figured it's self attestation nobody's ever going to come look so we'll just say we are when we aren't so as a result of that a couple of key companies were held to task under the false claims act because they attested that they were compliant when they knowingly knew they weren't so I think it was rocket jet Airdyne got hammered for that for about $14 million and I think Cisco got in trouble for it for knowingly having a vulnerability in one of its products that they never bothered to fix so as a result of that our Secretary of Defense said hey we need to figure out a plan to be able to get out and start checking that these companies are actually doing what they're saying they're doing so the DCMA assessment group they call themselves the DibCAC they began going and they began with all the major primes going and doing these assessments on the basic Miss 171 but we quickly realized that they didn't have the bandwidth or the infrastructure to do all 300,000 companies in the Dib so we got together with Johns Hopkins APL and Carnegie Mellon SEI and we formulated the CMMC model which is the five levels of CMMC from one to five one being just federal contract information which is a requirement in the FAR 52204-21 that everybody across the federal government is supposed to be in compliance with up to CMMC level five which is highly technical critical requirements for highly technical critical technology and those requirements include things like a 24 hour saw so you know it spans the spectrum of what kind of CUI and how sensitive it is and needs to be protected. Now for State Department right now it's not as big of a deal for you to pay attention to but what I will tell you is that there is a lot of chatter across the entire federal government DHS is closely watching what we're doing Treasury we've been in touch with they're very interested in adopting CMMC and then the Federal Acquisition Security Council is also watching because a lot of people are looking at CMMC as maybe the foundational piece to help our nation's industry become secure against a lot of these cyber attacks because if you look across I think around the world it's like $600 billion a year and intellectual property is still one and within just the United States it's $175 billion of intellectual property and you know I know you're probably aware that the F-35 has had horrible problems because we now have an airplane that looks just like it in China right down to the fact that they have the same problem with their canopy on their cockpit that we do right so they even copied in the same flaws that we have so CMMC is a stepping stone to buying down the risk and stopping our adversaries from running away with all our data so you are correct at the onset when we roll this out in the next several years it's not going to apply to State Department contractors now if some of your contractors work for both DOD and the State Department then they will be required to become CMMC certified so that was a long-winded answer to your question I hope I answered it correctly for you yeah my technical minds a little tired today but yeah that's helpful because the term DOD sometimes especially in the National Disability Program we're a non-DOD agency but we're part of the NISP and our contractors but like if we have a contractor that only has State Department contracts then they wouldn't apply to them but if they had State Department and DOD contracts on their DOD contracts only then yes but there is a FAR clause that you gave that if it's the FAR then if State Department ever did it it would have to be in the State Department which is the DOSAR as opposed to the DFAR okay alright start from the time that there's a go ahead would you say and there is a potential and I think the Federal Acquisition Security Council that it will eventually become a FAR clause I think everybody's kind of watching to see how we do if we fall flat on our face or we do a fairly good job getting this implemented then it will probably proliferate and I will often tell you we've had a lot of international interest we've got countries coming out of the woodwork that want to implement it in their country as well okay thanks a lot oh you're welcome well thank you very much for that presentation I think it answered a lot of questions so again thank you very much oh you're welcome anytime oh sure no no no at this time we're going to take a very brief five minute break and then we will resume with our next speaker which will be from the ODNI right be back it is 1029 so what's that 1034 okay then we'll resume thank you I guess I'm unmuted now okay anyway welcome back after that five minute break quick admin note is apparently some of our slides and biographies aren't uploaded yet so but they will be I guess on our website within 90 days and if you have any questions please just reach out to us all right with that I'm going to turn our next speaker from the ODNI Tyler you ready you're welcome all right thanks Mark so my name is Tyler Power I'm filling in for Valerie Curbin today I heard a couple of mentions regarding the National Center for Credibility Assessment so we'll go ahead and start with seed two just a quick update on security executive agent directed to use of polygraph and supportive personnel security determinations for initial or continued eligibility for access to classified information or eligibility to hold a sensitive position this seed was previously issued in 2014 and was recently revised in light of the transfer of the National Center for Credibility Assessment and CCA from the Defense Intelligence Agency to the Defense Counter Intelligence and Security Agency so we just updated the authority section to reflect this transfer and seed two was distributed to departments and agencies via the security executive agent mailbox I sue also distributed to NISPAC members and in October so just recently we published this feed to the NCSC website so you can find it there just transitioning to trusted workforce 2.0 I know that was mentioned earlier as well the executive steering group continues to meet virtually monthly and is committed to continuing to overhaul the security clearance process and the executive agent staff along with the PAC PMO staff continue to meet regularly to work on policy contracts for the next set of documents in the policy framework for trusted workforce 2.0 kind of along those lines the federal personnel core vetting doctor excuse me went through interagency formal review with OMB and PAC PMO in conjunction with PAC PMO we provided a review with NISPAC members to socialize the draft policy and right now we're waiting for final signature by both executive agents and then once that's done it'll be published to the federal register also just kind of wanted to remind everyone that in February ODNI and OPM jointly signed executive correspondence title transforming federal personnel vetting measures to expedite reform and further reduce the federal government's background investigation inventory and this EC introduced important trusted workforce 2.0 reform concepts and measures to drive early adoption compliance with I'm sorry with periodic reinvestigation requirements through continued vetting for individuals in national security positions enrolled in a CV program that meets interim minimum standards fact sheets describing and summarizing this EC were distributed to departments and agencies as well as the public and we also provided a congressional notification sent to oversight committees along with the EC we're also working on an additional executive correspondence regarding trusted workforce and the transitional stages of trusted workforce 1.25 and 1.5 as well as future the future state of trusted workforce 2.0 this EC will provide policy and implementation guidance for moving towards continuous vetting to include how agencies will do automated records checks and agency-specific checks. Transitioning a little bit from personal security and trusted workforce 2.0 I just want to make a mention about a couple things regarding national interest determinations as Greg mentioned earlier section 842 fiscal year 19 NDAA additional requirements came into play as of October 1st in light of section ODNI will no longer process national interest determination concurrent requests for covered national technology and industrial base or NTIB entities operating under a special security agreement as a condition for access to SCI so that's happened but I do want to kind of just reiterate that ODNI is still continuing to process new concurrent requests for those companies that are not affected by section 842 so that's pretty much all of our updates we're still not operating at full capacity due to COVID-19 but we promise to continue the dialogue and provide updates on the industry forums like this one as well as host meetings to share information with our partners as we move forward with things like trusted workforce 2.0 so with that I'll take any questions Any questions for Kyla? Okay, well thank you very much I appreciate it Good presentation Right next we have Heather Sims Yeah And this pack industry folks We'll provide the industry updates Heather There's a lot of trouble here Yeah Mark, do you want me to go? Yeah, Greg I'll try to be brief to keep us on track and hopefully Heather will get back on Okay I'm going to do the part with the NISPAC working groups and some of the discussions that took place there You've heard from the DOD and ODNI on some of the high level points that we discussed at the clearance working group I'm just going to say ACWG from here on out we had that meeting on October 28th and we'll also get some metric data on clearances and information systems in a few minutes here We also discussed at the CWG an issue about the Small Business Administration joint venture final rule This was a surprise to us at ISU NARA I'm not really sure why NARA did not see that rule before it was indicated, but in any event the rule appears to eliminate the requirement for an entity eligibility determination what we've always called a facility security clearance for a joint venture if the entities to the joint venture already have entity eligibility determinations However, this contravenes the requirement in the NISP rule, the 32 CFR part 2004 Therefore we at ISU will put out a notice that we expect to have a forthcoming notice that emphasizes the continuance of the entity eligibility requirement for all legal entities to include joint ventures that enter into classified contracts with an agency of the federal government Another item we discussed at the CWG was NISP entity cost collection methodology This is a requirement for both the government agencies and NISP contractors classified in both the NISP and the classified national security information executive orders and their companion directives We are holding a government only meeting on December 2nd to further discuss the cost methodology Totally transparent we've had two prior meetings The goal here is to have consensus within the government on this topic of cost expenditures This by the way is part of a larger effort within ISU to take advantage of technology and facilitate how we go about collecting various metric data that reveals how the CNSI, the classified programs and the NISP program and the CUI programs are doing as we report those to the president annually After we the government we want to achieve consensus on the cost expenditures that industry spends to implement the requirements of the NISP ISU will then host a meeting of government and industry to garner industry's input on this matter and then finally the NISPAC will be provided a recommendation on the way forward for collecting these data cost elements for industry's NISP implementation Turning to metrics we'll hear from DCSA on their security clearance and information systems metrics and NRC and DOE on their security clearance metrics Last, the NISP of the National Information Systems Authorization Working Group had a discussion with the National Security Agency with a National Security Agency representative regarding sanitizing solid state drives known as SSPs This issue was initially surfaced by the NISP working group industry members in a white paper to interpret the graphic erase as a potential acceptable remediation method for SSPs involved in classified spillages The NISP working group plans to continue the discussions with the CSAs on this topic So we're going to hear now from DCSA for their miss update but first we'll have excuse me, NRC provide their clearance metrics followed by DOE and then DCSA So I'll hold off on questions at this point NRC, are you on the line? I am. Can you hear me? Sure. I will not go through the entire slide deck I'll just focus on that first overall 90% in reported clearance decisions slide so I don't take up too much time In general in terms of initiation we're doing quite well over the last fiscal year and in adjudications we've had a few slurps you can see that we've exceeded 20 days a couple of times over the fiscal year primarily in quarter four I don't have a specific reason for that I think it's a couple of things you know staff taking leave cases just slipping through the cracks but overall we're meeting or exceeding our adjudication timeliness and you know despite all of the hurdles we've had to overcome the past year of transitioning to basically 100% from home I think we've done quite well again fiscal I'm sorry quarter four of the fiscal year we've experienced some blips but I think having moved into fiscal year 21 we'll get back on track where we're hitting or exceeding our adjudication timeliness that's essentially it for the NRC again since we've done well over the last fiscal year we need much information to provide or reasons why we are meeting those goals okay thanks let's move to DOE we'll do the questions as we stay at the end thanks good morning thanks Greg so if the slides are up we can just move to slide two I'll go through the slides and give everyone enough space so as far as our initial T3 and T5 our adjudication timeliness but we're still exceeding the timeliness goals as far as top secret adjudications we also increase those by two days and again we're meeting the timeliness goals as far as the secret investigation we saw a two-day decrease in the adjudication time on this for the quarter and T5 re-investigation we had some substantial improvements in the adjudication and we dropped from 40 to 14 days and last the initiation timeliness with T3Rs decreased by six days and we're also meeting that timeliness goals if we can go ahead and move to slide three so over the last year we've exceeded the initiation goals and the adjudication goals and we expect that those trends to continue slide four on average we've met our adjudication goals as it relates to the initial T3 15 days over the last year but we did have some bumps in the road as it related to adjudication for the month of June and July we've been on a downward and steady trajectory since August for initiation timeliness and expect that downward trajectory to continue slide five as far as the T5 re-investigation we're meeting the initiation goals but again as you saw the second in this slide we did have some challenges over the last year for adjudication but since May we've been meeting both the initial adjudication timeliness goals and we expect that trend to continue as well slide six please as far as the T3R investigations average adjudication decreased from 18 to 13 days and overall we're right below the initiation timeliness goals at 13.5 days this includes our briefing for DOE and standing by answering questions okay let's fact thank you Tracy we'll do the questions like I say at the end let's move to the DCSA clearance metrics I believe Donna the cloud you're going to be doing yes good morning Donna McLeod from DCSA and actually I'm just going to touch on additional metrics that the director actually shared during his comments this morning so I'm going to present information on behalf of the background investigations adjudication and the vetting risk operations center for the background investigation as the director shared our timeliness inventory remains stable for Q1 numbers for the T5 initials again the director shared this timeliness numbers are 81 days for T5 initials if we would remove those cases that were impacted by COVID-19 that number would drop to 77 and cases impacted by COVID what that is in our inventory we have some work that we can complete because the sources or the information we need to get to we can get to it because the places may be closed down or inability to contact subjects and sources so what we have done is we have holding those cases into our inventory so in doing that when the case is closed that's going to impact the timeliness of our cases and that's primarily on our T5 population approximately 10% of our T5 cases completing Q1 were delayed due to COVID the T3 cases are not impacted as much our T3 initial timeliness is at 55 days and the goal is to be at 40 again we're still working through the inventory but we are impacted by some delays due to COVID as the director shared earlier our inventory right now is around 200,000 of this number of roughly 32,000 are industry investigations moving on to adjudication inventory for adjudication the DODCAC continues to apply portfolio management techniques to deliver national security, suitability and credentialing adjudication the two portfolios are divided into the readiness portfolio and the risk management portfolio the readiness portfolio represents those adjudication actions designed to get people to work with a risk management portfolio manage risk within the trust of workforce. Currently the total industry inventory is 27,072 percent which is within the readiness portfolio and the remaining 28 percent is in the risk management portfolio for adjudication timeliness FY20Q4 the DODCAC adjudicated tier investigations for industry in an average of 14 days for initials and 34 days for the periodic reinvestigation the DODCAC is operating a full mission capability and with modified operations to our customer service center due to COVID we expect to continue the fully mission capable throughout COVID-19 and to continue meeting adjudication timeliness requirements for our investigations and products and services for the year on to VROC VROC is staying laser focused with all the VROC industry functions to include investigation submission, interim PRC deferments, processing incidents reports and customer service and balancing all the timeliness to support submission readiness and identifying mitigating insider threat concerns for the investigation submission and interim determination the total industry for FY20 investigation request submission is 190 thousand percent of all initials investigation had an interim determination made on the average within five to seven days but we did have some system challenges in October which had since been resolved but they did result in a longer than usual lead time for interim determination so we're now averaging 25 days for interim but we anticipate to be back at our steady state within a few weeks on to our PR deferments for industry PRs deferred to C.E. to date over 100 thousand have been deferred VROC will send the FSO a J-PASS message when subject investigation has been stopped in J-PASS and the subject is enrolled in C.E. FSO can share the fact that the PR has been deferred into C.E. with the subject all industry deferred PRs enrolled in a fully compliant C.E. program for C.E. about 2.3 million subjects enrolled in C.E. data 2.3 DOD subjects are enrolled in a continuous evaluation data sources via DOD system meeting partial C.E. data category requirements approximately 455 thousand of which are industry subjects of approximately 21 percent of the population all industry deferred PRs all enrolled in all seven data categories and compliant with C.E. 6 to further support reciprocity you will see enrollment increase significantly in this FY as we work to achieve the goal of all clear population into a trusted workforce compliance what we need from you is to be responsive if you have any overdue PRs or if we request an out of cycle SF-86 to be submitted enrollment requires a minimum of the 2010 version of the SF-86 which we do have most of them but since the 2010 was not deployed until the 2012 timeframe we may have to come back and ask for updated new SF-86 industry and government customers can confirm C.E. enrollment in their history and disk government customers can email VROC for C.E. enrollment verification C.E. industry FAQs are posted on the DCSA website under IMFSO FAQs the C.E. questions are numbered 35 through 46 reminder please remember to get provision in disk J-PAC will be decommissioned and it's imperative that everyone is provisioned and that concludes my metric update for DCSA okay thank you very much Donna again we'll roll right through to the NISPAC NISSA national information systems authorization work group and then we'll do the questions so Selina Hutchison are you on the line please yes I am okay please go ahead thank you good morning everyone I want to start by congratulating a cleared industry for the hard work that we put in on EMAS I want to share a fun fact the NISP version of EMAS is the second largest instance in DOD the largest instance is the Navy it's been in effect for over 7,000 users our one year anniversary for the NISP EMAS was in May of this year we have the second largest instance due to the number of containers we have 6300 systems included approximately 3400 users and 2100 containers and the container is based on case codes and systems that put there this would not be possible without the hard work that's been provided by cleared industry over the last year to make this possible so I want to thank you for that and for clearly most of you are not leaving it but for those of you are we ask that you really pay attention to the EMAS rules and help us keep this system where it should be so I just want to begin with that most of you know that Carl Helmet left the agency in September I've been acting for Carl since that time the southern region AO, Ron Donnelly is in charge and David Scott has been acting there kind of creature some of the other acting and capital right now we have approximately 82 ISHPs on board we are averaging about 1 ISHP to 75 systems so what you'll find is that the ISHP is also working AIs and ECPs and ESVAs and CM and outreach our average days to authorization is about 60 so we're still within that timeframe if you would go to slide 2 please the DAPM release in September covered two specific things primarily type authorization there were some inconsistencies in how it was being applied so we want to clear that up the federal ISHP that was also clarified in that version has been a major issue for us we continue to see a misinterpretation of what a federal IS is this is federal IS will lead to government conversation and any exception to that policy will be granted by USDI and keep in mind too that a federal IS exception to policy would be only a temporary measure to get you to compliance so I wanted to stress that slide 3 EMAS we just talked about briefly clearly most of you are doing very good work here we have a small staff so in those instances where EMAS is not being used in the proper workflow it creates problems for everyone so some of the common issues we see is incorrect registration and proper rally to the wrong field office system descriptions are improperly recorded using the incorrect overlay missing artifacts all these things just kind of add to a situation that we don't need so a little bit more care and rigor would be very helpful here we ask that you visit the EMAS site and use those documents that we put out there for your own internal training that will help the consistency across the regions and also help us do a better job doing our reviews slide 4 nothing much has changed for us doing COVID except for the delay and getting to on site activity and keep in mind that when we do go back to work full time we will have to adhere to state and local policies as well we are working to continue to extend these systems working to get the IFSP's to triage and give you guys an answer without waiting to the last day to turn these things around so all these things are being worked you see some numbers here from each of the regions and in summary I just want to say we want to continue to work with you identifying gaps correcting those gaps and inconsistency and policy we are going to be focused on improving quality as the year goes forward and having all the leaders in the region work toward these inconsistency issues that we're seeing we're trying to reduce the impact of how work comes in the IFSP which is why we consistently ask that you submit a complete system security plan because we're not resource to review 10 controls and send it back to you and have you send it back to us those type of processes just kind of eat the clock out so that's all I have hope I didn't rush through that too fast thank you Selena so are there any questions about any of the working groups or their updates hearing none I think we have another slight change Heather has been emailing me Heather Harris from our ISU indicating that Perry Russell-Hunder would like to go next I defer to you Mark yeah no let's let's get Perry on let's promise industry next time you will be the first on the agenda I can return the favor by being very brief my DOHA update is that we are finding ways to be productive in the age of COVID and I have to give a very public shout out and thanks to the leadership and the personnel at the DOD CAF because thanks to Mariana's leadership at the CAF and the professionalism of all the adjudicators there we've been able to stay current in the legal reviews of the statements of reasons in industry cases and that turns out to be really important because when the statement of reasons is issued it is the notice to the individual the contractor, employer employee rather of what the government's concerns are and so we don't want that to be a mystery and so we didn't want there to be any delays there and just to give you an example in fiscal year 2019 DOHA conducted over 2,500 legal reviews of statements of reasons for the DOD CAF that was 571 to be exact but in the current fiscal year the fiscal year just ended fiscal year 2020 DOHA was able to conduct 3,248 legal reviews and we and the CAF are completely current in terms of issuing statements of reasons and that's really important for getting the word out for the employees as to what's going to happen next in administrative due process now the other thing that's going to happen next year and where we've been working diligently toward this obviously COVID has been a factor in this is that at some point next year DOHA will start issuing the industry statements of reasons directly to industry contractor employees those of you who remember back before 2012 remember that DOHA used to do that in the past we will be returning to that mission with an agreed transition taking place between DOHA and the DOD CAF and we are working out the details and the implementation on that right now but the agreed implementation of the process obviously was delayed by the pandemic the good news though is that the pandemic did not stop us from returning to holding in-person hearings which we did in June of this year in addition to some rigorous health and safety protocols which quite frankly we took from the federal district courts that were in the highest COVID areas so we require masks we have gloves available we have plexiglass and we also have a new amplification system in the hearing rooms and of course the reason for that is because we've discovered that it is important to keep people masked even when they're speaking and testifying but the amplification system helps them be heard and understood so that's actually working very well and we've successfully continued to hold in-person hearings we're also developing and expanding on our existing remote video capability the idea is that right now many of you know that we've been using video teleconference technology for many years to reach out to remote places where contractors are located but now we just procured a brand new video teleconference system to work more effectively with the JSP firewalls and be able to go more places we're also working on the ability to conduct hearings remotely where people will be able to be invited into a secure system from their remote computers that has not yet been unveiled but we're working on in the very near future and that's all I have thank you thank you Perry Devin next just so we can finish this part of it and then go back to Heather sure I mean Heather are you on the line though now are you able can you hear me why don't you do a remark I would suggest at this point let's get you while we can go please go I appreciate that I was on the line for some reason I couldn't get unmuted so good morning I'll spot it as quickly as possible but cover my material it's a pleasure to provide the industry perspective today on a variety of topics many which we already talked about but I'd like to go ahead and I know it's already mentioned before but to thank the outgoing industry aspect members Robert Barb, Bob Furnie and Brian Mackey for their years of support and then also welcome Derek Jones and Tracy Durkin and we do look forward to the next couple of years working with the dynamic team I want to say my perspective on industry has certainly changed over the past three years since moving from government to industry I'm finding the balance knowing first hand government's role in the NIST with now having a glimpse of the demand and limitations put on clear companies who truly want to do the right thing the past year the NIST hack industry members along with the memorandum of understanding industry association members have worked hard to bridge the gaps between government and industry industry has encountered enormous amount of change and much of which was certainly needed but nonetheless the past few years it's been pretty hectic on industry and industry is encouraged though about the increased level of partnership and collaboration by the government at large I do have five current top five NIST priority watch list items for industry on the slide that was provided but there are no particular order and I've said it a few times already this year but I also want to offer thanks again to the PAC PMO OD&I and OPM for the willingness to proactively understand impacts to industry on personal security reforms as it begins industry understands we have a long way to go until full implementation but we're sure that our voices will be heard throughout the process next up foreign ownership control and influence was typically reserved as a concern to only limited amount of cleared companies or new companies waiting to be cleared that were usually under foreign ownership industry has already begun to CS15 in the government's focus of FOKI to the control and influence portion with a code of federal regulations the CFR part 2004 clearly defines ownership part of FOKI it really doesn't do justice in defining the influence and control industry would like I choose assistance in having a better understanding and definition of control of influence for FOKI and how it applies to the NISC without a clear and consistent objective of what we're trying to mitigate from all five CSAs and with a better understanding for industry of what they may be subjecting themselves to it leaves a lot to the imagination understanding the risk tolerance thresholds and basis for the risk will be one of the areas industry would like to focus and discuss with the next scheduled FOKI working group meeting transparency to cleared industry as an advanced and anticipated process changes only improves the ability to properly mitigate risk on the front end. Moving on to supply chain risk management it's been a hot topic for many years but we're seeing action to the implementation of the many statutory regulatory requirements DOD already mentioned about the DOD adaptive acquisition framework and industry realizes that many of the regulatory requirements are embedded in the acquisition process now and not necessarily the NISC but it does have a direct impact on the NISC at large in the supply chain of the NISC contractors. One specific example is NBAA section 889 where cleared companies are making self-adjustation that they're not utilizing band products and services. Where industry struggling is the government provided all encompassing lists of products and companies to ensure we're attesting to the same things and being consistent with our understanding of what is banned. We do ask DOD to provide some guidance on what products and companies we should be looking for in our supply chain. There is concern that industry may be missing a product or service unless we'll be putting our facility clearance an ability to bid on future contracts and jeopardy. There are other areas of focus on supply chain but this is really at the forefront of industry's mind today. And moving on not only is our operating environment affected by the COVID pandemic, we're also challenged by the changing security landscape. Thanks to the government partners for quickly adapting many of their processes and procedures during this uncharted time. In particular, thanks to DCSA for listing and adjusting to keep industry operations still viable. Additionally, thanks to the DCSA director for his transparency during the stakeholders meeting yesterday on how this continues to evolve from a service to an agency to an operation. Industry does understand that it takes time on transformational changes in government. We do appreciate the updates. And I want to add that traditional security and cybersecurity are no doubt shifting the ability to maintain and pay those highly technical required workforce employees to meet the emerging regulatory requirements will no doubt have an impact in the foreseeable future. As baby boomers are retiring, to enjoy the agility of working remotely, have the expectations of higher salaries and are not often wanting to work in a structured security environment. When we talk about implementing the correct security mitigation strategies to counter the threat, we also have to start having that conversation about properly funding contracts to account for the right workforce along with the best security posture to produce those products and services uncompromised for our customers. This also goes to the conversation of gaining the support that security is not necessarily just an overhead with an industry. One notable area that industry has been exerting an amount of resources to manage all the government systems developed and utilized to manage the NISC. Thanks to ISU and the NISC PAC members for forming the NISC PAC NISC system working group, it was enlightened to see actually all the NISC systems that were out there being used by industry. Whether there have been increased partnerships on these systems being developed or not, there is still one standout concern for industry and government customers alike. The transition from J-PASS to DIST is still a topic that requires much more conversation and a plan of action that includes functionality correction, data integrity fixes, and training to be understood by all customers and government alike. I'm looking pretty quickly here but I'm moving over to my focus area. Industry over the last years focused on efforts of mutual benefit in addressing our collective concerns for the benefit of the entire cleared industrial base through increased engagement. We're finding together we're stronger and have a bigger voice when we work together. I ask the NISC PAC industry members are utilized the greatest extent possible to address industry concerns with the government to ensure the full complexity of the NISC considered when devising new and improved processes. Also the industry associations reach out to other associations and to industry NISC PAC members when working on the NISC effort that affects cleared industry to ensure we're all on the same page. It is a consistent comment from government that I hear that often we have conflicting industry viewpoints. Being better aligned brings us closer to becoming trusted and respected NISC partners. While industry is making strides on collaboration with government and are still finding many industry partners are fearful from speaking up during assessments and to self-identify vulnerabilities to government overseers as some tend to be punitive in nature instead of working to the common goal of mitigation. Many times we have very talented screening staff within industry. Many retired government senior leaders, senior level executives that have many years of threat mitigation experience but are often overlooked due to being an industry. We must work together to respect each other's experiences and expertise. Industry is hopeful that in the future as oversight models are evolving, that we get to the point where we can partner provide full transparency of our security concerns, have a better understanding of the threat and work toward a truly risk mitigation model to preserve national security. Industry is attracting new legislation and policy changes that we have an overarching impact on our operations. It's vital that the CFAs are transparent to the greatest extent possible and at the local level there's consideration to the primary role of the contract is which is to produce a product or service to the government, albeit uncompromised but we have to find some balance. What I'm really trying to say is when a new policy is developed often additional requirements added not only is the policy changing but industry also encounters additional add-on non-pre-tactual requirements, new implemented training requirements and so forth. After a while these items add up and put potential lead to contract and deliverables lead to un-pursuing requirements that were not participating in the original contract award. While industry sometimes understands the importance of additional requirements we ask for a well-thought-out plan that takes into consideration the impacts to industry's operations. With the additional requirements industry is also experiencing overlapping interactions sometimes with oversight and possible fracturing of the myth and we ask that agencies try to engage with each other before making contact with industry. Prior to COVID some contracts were visited by multiple government agencies reviewing the same material processes. Now we're about to add CMMC and gearing up for COI oversight and we look to myth tax to work on potential resolutions to avoid any duplication effort by both the government and industry at large and that was pretty quick. I cut some things out but I also want to thank everybody for the time today. We look forward to a new year. I'm looking forward to 2021 and strengthening our relationships with our government partners. So thank you for your time today. Thank you Heather for that presentation. Anybody have any questions for Heather? All right, thank you Heather. Devin, we're going to turn to you to talk about give us a CUI update. Yeah, happy to. Good afternoon everyone. My name's Devin Casey for the CUI program. Just a quick update where we are standing with the CUI program. Currently our office is still receiving some of the CUI annual reports from agencies. The primary deadline has passed. However, there are some extensions that have been granted. Those should all be in by the end of the calendar year. We use those to get a better understanding of where agencies are in their implementation of the CUI program and provide a general update through our annual reports to the president. The ICU one about the status of agency implementation for CUI for the government. We did have two notices. CUI notices come out in October. CUI notice 2026 and 2027. 06 covers the marking practices for waivers. When waivers are in place to alert users to the presence of CUI. CUI notice 2027 covers the use of alternate designation indicators or ADIs with CUI when they are authorized by policy. One of the big things that stuff going on in the CUI world has been DODs implementation of CUI. We have a lot of questions into our inbox and on some of our blogs as well about specific questions about DOD's CUI implementation. I would like to point everyone to DOD's website. DODCUI.mil where they have a contact us there. There is also a link on the top of that website where you can look for the point of contact for the different components at DOD and their CUI point of contact there as well as a bunch of information about DOD's CUI program. It is generally where I will have to send DOD a question about DOD's specific implementation questions or concerns. Final update. CUI for our case is still a little bit delayed based off of the prediction on the unified agenda. We are nearing the closing time of comments for that and it hasn't come out yet as predicted. So it is still delayed. GSA will have a new estimated time frame coming out shortly and you can always find out an update or anything new about the CUI program on our CUI blog. We will also be scheduling shortly a CUI stakeholder meeting for December to go over updates to the CUI program as well which is a great way to stay up to date on any developments in the CUI program. That's all I have. Chair? Anybody have any questions for Evan? This is Jeff's manager, I don't have a question but just a comment to echo and flip down something that Devin said and thank you for mentioning it. For those of you who have questions pertaining to the DOD CUI program I cannot emphasize enough the importance of hearing Devin's outstanding advice in going into the DOD CUI webpage for your information. For a point of comparison we are like the beginning of our and the NARA page for CUI is grad school. We are working very focused very much on implementing an aiming add-based requirements. If you go to the NARA page with any points pertaining to the DOD program I think you'll find yourself very confused very quickly over. I don't want to belabor it but it is true as Devin points out there are a lot of stories in ISOO through the electronic mailbox and we divert them back to DOD so it comes from government and industry alike but if you could just put the word out whether it be industry through your various MOU groups to start with in most cases it's going to be DOD and or the DCSA rep does not make ISOO slash CUI office your first stop because it really it doesn't do anybody any good because DOD needs to be aware of these issues and we just have to turn it around to them if we should receive it over. Thanks. Great. Anything else on CUI? I think we've got seven minutes left before we lose the bridge call. So let's turn quickly to the new business. Is anybody of the committee the board have any businesses they'd like to bring up? Hearing none. Does anybody and I'm referring here specifically to DHS NLC and DOE want to update us on any of their doings during the COVID crisis here? How are you adjusting to it or are you adjusting to it fine? Are there any glitches, any problems? I'm a member of the community committee from DOE. We had initially COVID update at the last minute's patch and basically the secretary authorized of course maximum telework flexibility and he also had issued some guidance had to relate to COVID that went out for about six months and some of those things that the secretary had issued were extended last month for another six months. So we're still continuing on with the things that we're doing from a COVID perspective and just from a first and from a first act perspective with we did adjust some of our reporting requirement timelines and due process actions for clearances in addition to physical security and classification perspective with just of our required inventory self-assessment and some of the training timelines that we were having out contractor partners here too. So that's for DOE as it relates to COVID. So really we're pretty much in the same status we were as we started in March. You and everyone else. I'm sorry. Anybody else wish to chime in on that? Hey Mark, this is Robert for ADHS here. So similar to everyone else where we continue to be in a remote work environment, we really experienced no identifiable impact to our ability to continue supporting the industrial security side. And we don't see any lag in processing 254s and continuing to support our industry partners. So that's about it for us. Great. Okay, great. Okay. Anybody else? All right. Hearing no one else. Let me wrap this up. All right. Our next NISPAC is scheduled for April 14th, 2021. We're going to be dropping down to two NISPAC meetings a year instead of three as we jump to the last 10 years or so. We canvassed all the committee members and that was the consensus that two would do it. If for some reason two are not sufficient, we'll revisit that. That's not set in stone, but that's what we're going to aim for this coming year. The April meeting undoubtedly will be 100% virtual. I don't see this COVID crisis ending until at least late spring early summer and that's being optimistic. Let's see. Well, obviously, once we get by the crisis, we will begin to hold meetings in person again at the McGowan Theater. As a reminder, all NISPAC meeting now is meant to be posted in the Federal Register approximately 30 days before the meeting along with our own ISOO blogs. You can always log in to our blogs to probably get the latest latest information. Before I adjourn, is there anything anybody else would like to say, comment on or bring to our attention before I put the gavel down on our meeting with three minutes left? Hearing none, I'm going to adjourn this meeting and wish you all a happy holiday season. So thank you very much for your patience as we struggle with this technology that we've got. But again, I think the meeting went very well and I appreciate all your help and cooperation. Okay, that's it. Goodbye.