 Welcome to the 61st meeting of the NISPAC. A couple of house cleaning things first, and then we'll get straight into business. This is a public meeting. It's also audio recorded. We're also using WebEx as we did at the last meeting for our phone participants. There are two microphones at the end of the rows here. And also at the first two rows, we're going to pass those around, right, Greg? Yeah. That end. We have those first two rows in the center are for the NISPAC members, those that aren't seated here. So I'd ask that any of you that are NISPAC members, if not seated in these first two rows, we could – we're going to use the microphone especially. It's a little easier that way. Right. So you use the microphones that we're going to hand to. Folks in the audience can use those two microphones on either side to ask questions. Most importantly, please remember to identify yourselves when you speak. As you know, we record these meetings, and we also prepare a transcript of what was said. It's critical that we know who said what because otherwise we have a chance of getting it wrong. So again, just stand up and say, you know, I'm X from Y, and that's sufficient for us to be able to do that. We're going to let our speakers present, and then questions will be more than welcome. So again, wait until the folks have actually finished their presentations. After addressing the questions, I'll ask Mary Kay Gutarez, our WebEx moderator, if any questions were submitted through the WebEx chat form. So there'll be actually a last few, and then we'll ask folks on the phone. If there are, Caroline McClink and my staff will read the questions so we can all hear. The winners, other than those here at the table who don't have slides, must use the podium at the front of the theater to speak. Robert Cringoli and my staff will assist those who have a presentation on the screen. The presenters will also have access for remote where they can move the slides at their own pace. We'll have a 10-minute break during the middle of the meeting. The location of the restaurant when you exit the theater, they will be on the left. So I want you into the hallway as is the NARA cafe. Do you have any? Let us know. Well, I'd like to welcome our newest NISPAC members and express our appreciation to our housewife members. First, I'd like to welcome Jeffrey Speninger, who will serve as a representative for the Department of Defense. He has replaced Heather McMahon, and we look forward to his contribution. I had a chance to actually work with Jeff. Very pleased with his directness, his openness, and his good sense of humor. So, I'll go ask that question. Thank you. We'd also like to welcome Elizabeth O'Kane, who will serve as a representative from the Department of Army. Elizabeth's on the phone. Okay, I've been told bad information. Anyway, let's welcome Elizabeth. Excited to have you, too. An outgoing member is David Lowy from the Air Force. After 28 years of civil service, David will begin a new career in industry. So, you'll be sitting on the other side of this. We're grateful for your service and wish you well. I understand that this time has not been a replacement. And Sharon Bellinger has been serving very ably as the Air Force alternative. Finally, we'd like to recognize, yeah, right. Finally, we'd like to recognize Allegra Woodward. Woodard from ISU has provided valuable service to both ISU and NISPAC. Allegra was very involved with NISPAC and the NISP program. She's an expert in the field and she'll be retiring and leaving us in June. So, if you know of anybody who's a really good information specialist who'd like to apply to ISU, please do. And a wonderful asset to us. Yeah. We'd also like to recognize Brian Matty as the new industry rep runner. See here? Yeah. Welcome, Brian. I'm glad to have you working with us. You'll find this a collegial group, but I wanted to tell them about getting some things done. So, anyway, welcome. We're going to do introductions a bit differently this time. We're going to try to really cut them down to save some time. So, I'm going to ask those of you here at the table to introduce yourselves along with your affiliations. And then we'll move to the first two rows. I'm Mark Bradley, director of ISU and the chair of the NISPAC. Jeff Finneger from VUD. Greg Pinoni, the designated federal official for the meeting at ISU. Dan McGarney, industry. Clinton Wilkes, NISPAC's president. Valerie Curbin, V&I. Dennis Kees, industry. NISPAC members. Why don't we start over there? Bob Harding, NISPAC. George Ladner, CIA. David Lowey, Air Force. Kim Boggers, State Department. Mike Scott, DHS. Dennis Ariaga, industry. NISPAC. Gerald Stone, industry. NISPAC. Kim Tiger, NFA. Dennis Brady, NRC. Amy Roundtree, NRC. Elizabeth O'Kane, Army. Zodaya Taylor, Don Nelson. Go ahead and introduce yourself, Mark. Could someone give Mark a microphone, please? We know we'd like to have more microphones, by the way. But this is what we're told is all that's available in the National Archives. Mark, where's the U.S. Department of Energy? You're going to have to hold it, Mark. That's part of the deal. Are there any members of the NISPAC itself who are on the telephone who need to be introduced? At this time, I do not see anyone from the list that was sent to me on the telephone. Okay. Could you have someone close? Before we start, I'd like to address an issue that I raised last time. As I said, I've been here now for two and a half years. And I must say, I mean, I've been listening to the NISPAC. My goal is to actually make it into a body that not only hears concerns, but actually does something about them. I've got to tell you, you know, reading the minutes of the past NISPAC meeting reminds me of being back in the CIA and reading Castro's speeches on the Cuban economy. Boy, it's the same. The floppers are good. Coconut's not so much bananas and moving, sugarcane's bottoming out. It's the same stuff over and over again. And it's good that we're all familiar with the issues. The problem is there's no answer to them. And that's not good. I mean, NISPAC to me should be a much more important body than it's been in the past. And so with that in mind, this morning I was reading the Wall Street Journal. And there was a shocking article in the front page. Anybody read the Wall Street Journal this morning? The article's headline, Chinese hackers attack US Navy, reports this. And it talks about a 56-page unclassified report that the Navy just released that talks about how much national security information steal from us and especially from its contractors and subcontractors. And the report excoriates the Navy for not sharing more information with contractors and subcontractors. And the report concludes that what's been taken probably has altered the geopolitical state of the South Pacific. If we were to go to war with the Chinese today, we could well, well lose. Information sharing is critical. If you remember before 9-11, the government didn't do a very good job sharing information among itself. After 9-11, and again, the loss of a few thousand American lives, we finally began to concentrate on getting that right. I think the next crisis is not sharing enough of industry. We've got to do a better job about information sharing to keep this country safe. Things like this happen because of people not being told what the threat is or how deep it is or exactly what our adversaries are after. It exposes us in a way that we may not be able to do. It's devastating. So I would beseech you to, again, we need to realize we're a partnership. We are together in this. Industry and the government, in my view, many times are the same. And I know that there's some things the government wants to keep to itself. And quite frankly, it has the right to. What I want to do on this committee, though, is to be able to explain why that's so or to at least give you some idea of the government's thinking, being more transparent. I have one big sword that I wield. And that's, I write an annual report to the President of the United States. Last year's was actually read for the first time in many years. The reason is we totally changed the format of it. I made it much more like a CIA analytical assessment with judgments, key judgments, findings, trying to make it more forward-leaning. And I need to get the damn thing read. And so, lo and behold, John Bolton, National Security Advisor, actually read it. So what I want to do this year, and again, the government shutdown has hampered me a bit in terms of collecting data and that, what I want to do this year is I want to start highlighting more of the National Industrial Security Program and some of the problems that I see in it and things that need to be fixed. And among those, again, is information sharing. This year, I haven't decided. They talked about the NID process a bit and say, look, you know, we're making great, great strides in security clearances and sharing and reciprocity, but we're not doing such a good job on NIDs. Why is that? Again, to elevate some of these issues up to the leaders of this country, I just want some answers. And again, we may not like the answer if we get. But that's okay. I mean, the main thing is, is to ask the questions. So again, Greg's going to amplify this more as we get into his part of this. Some of the issues that are still outstanding that we need answers on. And again, I know this is sometimes going to be a cumbersome, but it's got to be worked because we cannot afford to have things like this happening. We just can't do it. I mean, if the devastates our national security, that's not accepted. So for that, I'll turn it over to Greg to talk about past evidence. So thank you. We just a few admin things that we have to cover. The presentations and the handouts were sent electronically to all the members and those who provided an RSVP to our invitation. And also for those attendees who received these documents, we will make them available included with final minutes of this meeting and the official transcript that we also provide. Apologize. There was a delay in getting the minutes out from our last meeting, but we did have a 35-day partial government shutdown that greatly impacted ISU and other parts of the government. And you may already know, but the NISPAC meeting announcements are posted in the Federal Register approximately 30 days prior to these meetings because these are public meetings open to everybody. So unless there's a question or questions on that, we're going to move into some of all of our follow-up action items from the last meeting. So at our November 15th meeting, the items that were taken as things that we need to go back and get answers to were that Charlie Phelan from MBib would speak with Lindy Kaiser from Clearance Jobs about security clearance numbers. There was some discussion about discrepancy. My staff has reached out to MBib and Clearance Jobs, and as far as we know, the action is still open. Is there anything you want to say about it? Okay, we'll wait. That's fine. Thank you. Thanks, Robert. The next, there's three items that were for DOD and Valerie Howell will address those. We can either do it now or we can do it. Why don't we do it now? And there you are. Let me just say the first was to provide feedback as to how DOD Critical Technological Protection, the DOD Critical Technologist can speak this morning. Technology Protection Task Force will interact with industry. So if you want to go ahead and update the group now on that. On that item, the Task Force is participating in the meetings that the Under Secretary of Defense for Acquisition and Sustainment has periodically with various industry CEOs. May I go on to the next? Yes, so the other two, they interrelate. They have to do with the DFARS clause. One concerning cyber threats, which is the perennial issue we hear about all the time. And the other one also related to DFARS. And let's see, had to do with industry, wanted to know if there was a way for them to be consulted on with the requirements that may come about on that. So the DFARS requirements are going. Sure. And some follow-up with the two industry representatives who raised those questions for the DFARS. It's the DFARS clause that provides the requirement for compliance with NIST 800-171. And there were questions about how that oversight would work because there had been some individual DOD components who provided specific guidance on their contracts. Department of Defense has now formally established a process for DCMA oversight of contractor compliance with the DFARS clause for 800-171 for those contracts for which DCMA has contract oversight. And I will provide ISU a website where that guidance is listed publicly available for members to review. In the context of cyber threats, it was my understanding from the discussion that I had last week with the industry representatives who raised the question that that question was in relation to the oversight and compliance with NIST 800-171. Does anyone have any questions on those items at this time? Oh, yeah. We're going to need, unfortunately, you're going to have to move towards the album unless you can speak. Okay. State your name, Jane, please. Support to please on... They're supposed to be on mute unless they're speaking. So they should be on mute. Okay, I see. Tech support, did you hear that? Can you repeat that, please? Can you repeat that, please? I'm sorry. Somebody was calling and they saw mute. They can't unmute it. We apparently are on mute, so they can't hear it. No, the audio... I'm sorry. The audio for your participants is coming to just clear because I'm also logged in as a participant and listening as well on that line. Your participants cannot unmute their own lines. Did you need them to be able to do that? So if they wanted to ask a question, we have to... If they want to make a comment or a question, they can press pound two, the pound sign and the number two on their telephone keypad, which would indicate they'd like to ask a question or make a comment, and then I can unmute their line for them. We do have someone who just raised their hand. I'm going to unmute her line. Please go ahead. Your line is open. Hi. This is Wendy Kaiser with Clear & Clear. I just want to say that there were a bunch of us that were on the Google Hangout dial-in and didn't have our individual participant code. I know there were probably about 10 people on there. So I don't... And I didn't actually receive an individual participant code via the Steel Care Line. So my guess is those people were dialing in using the Google Hangout and they cannot hear you, nor can they participate because they're actually on the wrong call. So I don't know if there is a way to open up and join the Google call invite that you sent for the meeting to this meeting, or if you can resend as a participant a general code that they can all dial into, but there were a bunch of people that could not be dialed in. Thank you. Robert, just so you know, if you'd like to send information, the call-in information to whomever you invited, I can give you that information to do so. I know that this event was set up as a pre-registration event, so they were sent an invitation that they would have to fill out and then get a specific attendee ID that they would put in when they called into the number, but I can give you just the regular number and the regular access code. Mary-J, can you send that to my email? Absolutely. And may I provide one more update? Sure. There were discussions at the last public NISPAC meeting about NISPOM Change 3, for C3 implementation. DoD is continuing to assess how to implement that. We did provide a draft ISL some time ago and receive NISPAC feedback. We are continuing to do the assessment, particularly for industry, in the concept of how the pre-approval process would work as DoD is also working to determine how it is going to implement C3. We can provide another update at the next NISPAC meeting. Any comments? I'll just interject on this one. And I know I have the director's support. This is one of those things where I have to say, C3 I think was published June of 2017, if I'm not mistaken. So, you know, here we are almost two years later and we're not there. I'm not throwing stones at anyone, but we really need to take a better look at how we do this, because it's really not acceptable in a case like this where the rest of the government, and you know both programs are supposed to operate in tandem more or less. We have language in the executive order that speaks to that. So we really need, you know, my understanding was conforming changes were meant to address things rapidly or relatively rapidly. I don't see close to two years just meeting that objective. We do briefly, I recall, I said something at either our planarist working group on this or in our resolution meeting. You know, if there's a way that ISU can help put something out to all the CSAs, we're certainly open to doing that. But I really think we need to take a look at that process of how we, and changes more quickly. So, yeah, Greg, thanks. That's true. But I would say we're sort of stuck in a place where we can get it right or we could get it fast. For the industry folks here, we certainly aren't going to try to push anything into industry until we can figure out how we're going to do it inside the department. And we haven't made a lot of headway there either. And so it is becoming a higher priority. The only thing that we can ask you all to do is to ask to this. To your clock is kind of a long one, but there's a lot in there. And some of it would be easy to write down, but some of it's harder to think about how we would implement. Pre-approval to the one example that Valerie put out there is, and it's challenging inside government. I can only imagine what it will be when it's time for us to take it to industry. Any comments on that? Okay. We're going to move on. The next thing now was the meeting that was spurred on by the chair's comments with some of these issues that we hear about on a regular basis, but don't seem to resolve. So we did start that. The action is still ongoing. We're meeting on February 12th. Again, the partial government shutdown did set us back a bit. We asked industry to prepare their list of top 10 issues or problem areas, and that's how we framed it as problems. So we came together. We did a spreadsheet to further specify and be more granular as to what the problems were. The first move was to get everyone involved. All the CSAs were invited plus DSS to agree that these, in fact, were problems and why they're problems. So what's the impact? If it's a problem, there has to be a problem impact. And so I believe there was, at least in the room, agreement on that for these items. The items were not, we weren't able to completely get through them on the 12th. We used part of the clearance working group meeting, the 28th of February to pick up on those. That spreadsheet that I mentioned was meant for each of the participants to go back to their agencies and based on the discussion and the steps ahead that were recommended to see if the senior agency leadership would agree to those things. So we had recommendations from both industry, government and ISOO on these items. The items themselves were, topically speaking, were the seeds. They were layered. There were some issues within the problem area. Reciprocity, DSS and transition, Trusted Workforce 2.0, Defense Information System for Security, the consultant white paper. So I'm just giving you the topical right now. We'll hear more later, I believe, in this meeting. Liver uncompromised, industry selection for advisory committees, advisory committee on industrial security and industrial base, and meeting timelines for industry concerns. And then subsequent to that initial meeting, accountability for top secret was added to the list. That was also a discussion at the NISA working group meeting on information systems. So as I said, we prepared the spreadsheet on each of these areas so that we could more easily identify, comment on, and ultimately resolve. We have to be more about action oriented to echo what the Chair said. I think we had some good discussion. One positive outcome was that the ODNI is going to host a meeting, including those same participants of the 12 industry people, actually, to discuss, among other things, industry's inclusion in the development of Trusted Workforce 2.0 vetting efforts, and more broadly, NIST-related policy development, at least within the lanes of the ODNI. So that meeting, which is our next action item, where we asked for that at the last meeting, is scheduled for March the 28th, hosted by ODNI CSC Bill Evanino. So I hope that that will generate more discussion in terms of development, leveraging collaboratively the expertise of both industry and government. So let's see, moving on to the next item. If you want to ask questions now, we can or we can just hold until we get into other parts of the meeting. The next item I'm almost done was the possibility of extending an observer role to non-pedal entities on the CUI Advisory Council. And so Mark Riddle of our staff will brief an update on the CUI program in general. But the next CUI Advisory Council meeting is scheduled in two weeks. That is an item that's on discussion. Really, we did have one meeting prior to the shutdown, but we weren't able to tackle this issue. So I'm confident we'll get to a place with those government members where industry can at least be there as an observer. So stay tuned for that one. And last item, we have finalized the dates for the next NIST PAC meetings. So you might want to take note for your calendars July 18th and then November 20th. And we'll be meeting in this theater again. So that's all I have on that. Any questions? Once again, ladies and gentlemen, on the phone, if you'd like to ask a question, please press pound two on your telephone keypad to enter the question queue. First, is the inimitable Charlie Payne who will talk about the in-bit? Charlie, please come up. I'm not sure which adjective you just used, but thank you. This is the end of the lesson. The spotlight and the interrogation lights aren't quite as bad as they had been. And good to see Jeff up here. And I think to your point, Mark, that somebody who has sort of his directive open and has a sense of humor or three good attributes to have in this business. So welcome aboard. A couple of things. I really had three three topics quickly to cover now. They only gave me 10 minutes, and I hope they take only about 30. So first thing, the question, usually the first question, what's the inventory? The first question I get today when I walk into a room is, so where's that executive order? I think the last few times I've been here, I've promised it's right on the cusp of being issued to move the NBIB operation to the Department of Defense in its entirety. That is still just about to happen. I can attest to the fact that I saw a live version of the latest draft, and it is, we're down to a couple of across, and I think it'll be ready for signature soon. But it's, I think the drama part is all pretty much gone, and now it is signature on it. All that said, we at NBIB and the other we, which is DOD and represented several in the front row here, have not been waiting for this executive order. We've been working very, very hard for the last many, many months on pretty much all fronts to get things ready to go and flag it's dropped. We can start moving out. So I think we're in pretty good shape on that. I think in the end, we will end up with this new organization, the biggest security organization in the federal government, perhaps even in the world, depending on how you figure this thing out. And not just for the Department of Defense, but covering the investigative work for 105 federal agencies that we cover today, and that includes a lot of you. And so you have a huge stake in how well this thing works. At times it's a little bit scary because you think about the magnitude of this thing, but our combined commitment here is that this will happen without any speed bumps that you can see, and that when you wake up on October 2nd, notionally, of this coming, it will look just like September 30th. So stay tuned, we'll see where that goes. Second thing is we, am I in charge of slides, or is somebody flying these things here? So which way am I going? I'm sorry, I didn't get the, I also don't fly Max 9s or Max 8s anyway. There we go, okay. So forward to that one. Okay, so now that I know where it is here, I want to talk about where inventory stuff is here. I did promise you over the last two meetings between myself and Mark Ferkel was here, I think for the last one, and talked about some of this, that by the end of the year, our inventory would be down by about 15 to 20%. We made it, and we've continued from there. Our inventory today is 542,000 in the inventory down from its high point of last April of 725. A lot of 25% dropped, and we're continuing to drop. And I think, guys, you're going to, we've made it, we're going to steadily decline here, and I think it's important here. I do want to give you some numbers on, and that's timeliness, I don't like that. We're getting it. Actually, we can go back here for a minute as I think about this. Mark referred to old Cuban reports and coconuts and pineapples and bars or bar charts or something. We start to take on that, or I'm going to show you something here in a couple of minutes that I think isn't, so we're going to bypass that real quick and we're going to talk really about inventory. And what I want to do is break down within that whole total number of 542,000, what are the numbers that mean most to industry right here? I'm going to take a guess. It's tier three initials and tier five initial investigations and how quickly we're able to get those done and what those numbers look like. So of the, in our entire inventory of 100, I'm sorry, 542,000, there are 176,000 tier three initial investigations we have active right now, 37,000 of which are industry. On the tier five side, we have about 80,000 active tier five investigations, about 25,000 of those are industry investigations. Our industry total peak at about 127,000 last June, a little bit lagging delay from what the other high point was. We're currently down to about 96,000 for industry. About a 24% drop matches what we've done overall in our stuff here. I would note that that total number we have, I can't really break this down for industry because I don't have that good access to data. But for the total of the 256,000 initial national security investigations we have in the inventory, about 103,000 of those are currently, those people are currently at work operating on an interim access. And it's about 40 to 45% in each category. So that's not a bad number. Those are people that are working, they're productive, but it still is at least then 60% are not at work and they need to finish all that stuff up. We'll also notice some of the ebb and flow of cases we have coming in in industry. You'll notice August and September there's a spike upward on the initial cases coming in, tier 3s and tier 5s. That's not unusual, we get that every year. A little interestingly is that apparently not everybody was off work in January of this year. You'll notice a spike on incoming cases in January, particularly over on the other side. So some people were not asleep. So getting down to timeliness here, I do want to go to another way of looking at this thing. Rather than short to show by 90% in this many days and everything, I want to show you where the ebb and flow of this stuff goes. And this is sort of a new way we thought about looking at it. We're including this in our key performance indicators that we send out to all of our government customers on a weekly basis here. But what this shows is January of last year versus January of this year in terms of where cases are, how old were they at the time we closed them. And so for example, the top line is the tier 3 initials. What you see in the bar is the colored bar, the blue in this case, represents the middle 50%. So 25% to the left, 25% to the right. And you can see what the median days of age of that case is when we closed it. 184 days old when we closed them as a median age and January 18 down to 150 days today. And you can also see from the very left end of the narrow bar, we're actually closing some, if you do sort of rough measurement, measured in single, single, low double digit days in several of these cases. And you'll see that down there. I'll talk a minute about the tier 3 reinvestigations in just a minute. That's a little bit of an anomaly here. But in what you can't see, actually the lower chart sort of cuts it off, but again, you can see on the tier 5 initials, the sort of brown colored ones, I guess they are here, that median age is dropped from 510 down to 396. And you can see a lot of stuff that is closing a lot earlier in this. It's showing a lot of progress in terms of the bulk of the cases getting closed faster than we were in the past. You will see out on the right-hand side sort of a hash mark. That's the 90% mark. There's a lot of stuff that sits out there because there's some stuff we just have to be collected and we can close the case. A lot of it has to do with prior employment. But I think what this chart shows us, except for that reinvestigation piece, how that number is moving more to the left and where we really want it to be. Not where we totally want it to be at this point by making some good progress. The tier 3 reinvestigation piece really is an anomaly in the sense of some of the stuff was sitting there waiting for some changes in the executive orders and the executive correspondence. And then when we started clearing out a lot of that stuff, which was after January 2018, we were able to close an awful lot of cases that were old and seeing a lot of cases that look a lot older on that. But we don't count the cases and the averages until they're actually closed. So you can take in that. You can adjust that a little bit, but that's sort of where we are on that sort of stuff. Last piece here. We'll before I get to close the last piece. Sort of what has really allowed us to get that far? Reiterating what I've probably said the last two or three times. Field work is the longest call in the tent on all these cases, and that's what has taken the most time. We have our investigative capability or capacity has been up at about 8,800 for the last many months. And as that stays steady and I think it's more mature, we're going to stop put. Equally as important to be more important, better using those investigative assets. We talked in previous meetings about hubs and putting things together geographically, both for government customers and for industry. And we're moving more and more in that direction. Where we do that, we see some significant changes. A couple of us in the room were out at Pacific Command last week looking at what we had done in that entire theater for both government and contract activities out there. And the investigative inventory in many cases dropped by 40% just in the last many months because of the level of effort in those kinds of actions. So we're seeing some really good results on that. And the last piece I really want to talk about today is just a couple of seconds on trusted Workforce 2.0. I see that, Mark, there is a meeting set up at the end of this month for industry to get a little more detail on it. That's good. There's a lot of stuff out on the blog sites and the news reports talking about this. And so you can always log into some of those things. But I would just say that a couple of things. One, it is an ODNI and OPM-led approach to re-looking at what it means to be a trustee. Both the investigative guidelines, what are the adjudicative guidelines, and I would argue probably got to look at the adjudicative guidelines first and then build the investigations to meet those guidelines. And it's really come in two phases. The level of effort one is really focused on what can we do quickly to help make an impact on our inventory and getting cases closed faster. We had a series of executive correspondences. The most effective one was probably the one issued last June which has had a good effect on our ability to close some cases faster and attributed to some of these numbers here. The big leap here is the level of effort two, which is to really go back in baseline all of those adjudicated. That's well underway. We'll hear more about that. The representatives will, later this month, do on the executive steering group, do have two representatives from industry in the group and are active in the executive steering committee on this. And I, again, I would say, oh, and then we get down to the nitty-gritty of who is working on what are these policies and changes look like. We have not just policy makers in the room but people who actually do this stuff and sitting in the room and helping people understand when you do this. What does it, excuse me, mean when you do that with an investigation or making an adjudication and it will be pretty well informed. I would sort of argue this is sort of a once-in-a-lifetime opportunity. I mean, almost literally since the last time we really had a major change and this was probably when Truman was president. But this is an exciting time to be sort of in this business and hope to get you guys more and more engaged and involved in all of this stuff. The last thing I did is to go back and address the one item that was outstanding from last week which is a conversation with Lindy. I know Lindy is on the phone because I think she asked a question a minute ago but some folks from the NBIV liaison activity had some conversations with her at mystery kind of previously as well. I think that recapping the challenge on that was that we had published the secret act. And the first and second we put out following the maximum that you lawyers will understand is you don't answer a question you weren't asked and you try to answer the question you were asked. We did that. The problems with the questions we were asked by the legislation when we answered them didn't really put things into the context that we needed to. We did not do a very good job of saying what this really means in the report. So a number of people looked at it and drew some interesting conclusions that weren't really what to say in this report. So more specifically we talked to Lindy a few times on this and I think she is okay. I'll leave it to her to say if she's still good with the numbers on this. But I think we've closed that loop on that but more importantly we're going to the next version of the secret act that comes out will have a much better array of how those numbers look. We'll answer those questions and then we will tell them what we really meant by those numbers and we'll go from there. So that's all my sort of prepared remarks here. That's sort of what today's like and tomorrow's going to be like. And so I'll open for any questions. One on the front here. Okay, no mind. Sorry. Kim Bogers, they experimented with everything apparently. I just had a quick question when you mentioned about the executive order and you said on September 30th that everything will be the same on October 2nd. I'm asking just because it seems like we always make these huge changes at the end of the fiscal year, which for contractors that are getting contracts and for us is a huge problem. So is there going to be a big process flow change for contractors on September 30th when they've been awarded contracts and have to jump into gear like this past year? It just seems it's a problem. I'm always glad that when we do stuff on September 30th. Yeah. I'll let Heather jump in if she needs to. But our goal here is that the intake of cases will be different. You will be invisible. Same infrastructure to put new people into it. The entirety of NVID, including all of it, all the people, all the processes, everything simply shifts under the Department of Defense. It's the same people, the same processes. Well, I would say the same processes, but if we do our job right, we'll be moving changing processes whether this is going to shift the DOD or not. Processes will evolve. You'll see new SF86 things come out, E-Apple, replace EQIP at some point. That's unrelated to this change. You should see no distinction between the end of September and the 1st of October as to any case it comes in up to the 30th of October. It gets moved into the next case it comes in in October 1st. We'll move into the same inventory. It really is a command issue. Over time, the employees of NVID will become DOD employees today, but that's, again, invisible to you all. You should see no change in how you see it. Fiscal year piece helps because we're going to move the internal funding source from a revolving fund which we work with today at OPM to a working capital fund at the Department of Defense. But that's simply, again, a change of money and a change of color, not a change in process. Yes, sir? In the ski industry. I don't trust the workforce to be one of, Charlie, on level of effort number two with regards to the GTA guidelines. Is there some sort of timeline or expectation for... I think the target, let me say two things about the target. I think the target date that we are talking about right now takes us to the end of 2018 to get this on the street as a final product. That said, no pun intended. These processes or these standards need to undergo continuous evaluation. After that point, we should not say we're done and everybody walks away and then sometime 70 years from now we ask ourselves if we get this right back in 2019. But the target date for sort of finished product is 2019. But I also expect, just like we saw with some of the earlier level of effort, one thing is that we may reach some aha moments between now and then and make some changes in the processes early on just because of the obvious impact and be able to put it in place pretty quickly. We do have a question waiting on the phone when you're ready. Okay, opening that line. Please go ahead. Your line is open. Okay, it's your friend, Lindy Kaiser. So you had some great information last time about the backlog. And so now the clearance processing timelines are kind of falling to arcs that we somewhat expected in that we saw some improvement and then now we see things getting a little bit worse, which again does not surprise me as we await the executive order the whole transfer process. As much as you guys hold hands and think who lay off, we usually see a little bit of a hiccups in terms of especially as we're rolling people into continuous evaluation. But I do know that the efforts you're making on trustable workforce people in this next year, you are anticipating what OT9-OPM has said. This is the year that processing times you expect will improve. So I know last NISPAC meeting made some good comments on the backlog and improvements there and those held true. So I'm just curious this NISPAC meeting, do you have goal points, timelines in mind for saying as we update eliminated adjudicative criteria to get these policies in place, when do we expect processing times to start meeting a better steady state? Six months, one year, two years, et cetera. Linda, it's a very fair question. One of the byproducts of some of the early returns on the executive correspondence, and I think we're seeing some of this kind of thing, is that as we are able to make some changes in the way we're doing the work, we end up closing some of the older cases faster, and we don't count them in the production numbers until they are closed. And so we see, old dogs is probably a bad term, but we see some old dogs filtering in. So that's why you see some of these charts as a better level, or span of cases in terms of aging on them, even though we have reduced some of the meat timelines on this. So my expectation was, as we start to close out the older and older things, that that will have a not good effect on the 90% average. I think what I really want to show more importantly is that our median numbers are moving to the left, and that to me is a leading indicator of where the ultimate numbers will end up going and where we're headed in that direction. To your question, I've got to admit that the acoustics are not really good on the call here, but I think, Lindy, the question was, when do we predict that we'll be back somewhere within ERPA guidelines? That is a really hard prediction. I can tell you, I think on our total inventory numbers, we think we'll be down 300,000 or below, sometime by the fall, and that, again, should have a very positive impact on the timelines. As we do make some changes in the process that will reduce the number of periodic re-investigation, formal investigations that happen, and then unceremoniously dump that work all back on the agencies under a continuous evaluation, a continuous vetting mode, that should reduce the amount of cases that we have to work on and allow us to spend more time on or put more assets on the initial cases and the ERR cases that are the most important. I expect that to have a positive impact, but, Lindy, when you ask, would people be within ERPA guidelines within one or two years? I hope by two years from now we are within those guidelines. I hope somewhere before that point, I think what also may change is what trusted, and we're not waiting for trusted workforce 2.0 to help us drive those numbers down. We're trying to drive them down before we even get there. So I'm not sure that answers the question, but I can't give you an accurate answer on when I think those ERPA guidelines are going to be reached. They are a product of a high inventory and closing all the cases, but I expect the numbers are going to start to drop, will continue to drop and drop perhaps more precipitously than they have at the point. We have not made the progress to see on meeting the ERPA guidelines the way they are measured today. That's why I took this chart to see. Is there any other way we can look at this to tell us whether we're actually making progress or not? I think this chart that's up on the screen right now, hopefully you all can see it online, is really more indicative of though the numbers are still much higher than I wanted to be. Yep, you're on. I am. Okay, wonderful. Thank you. Hi, Caroline DeGaddy from Clearance Jobs. Sorry, I didn't know. I just wanted to ask if you're anticipating that by the end of this year, the inventory will be of around 300,000. A couple weeks ago, we had a conversation with Bill Evanina and I can't remember whether it was him or someone else with ODNI who mentioned that the, what a standing caseload should be would be about 250,000 and that that would be just the number of what it takes for government to be working regularly. I think at this time there would be about 250,000 cases. Would you agree that that number is accurate? And if that is the case, then it seems like we aren't that far away from getting to basically just an average caseload where numbers really should be picking up. Would you anticipate that? Is that something fair or are there other elements that we're not considering? I have an answer here. Yes, I think it's fair. In 2014, before we lost that investigative capacity, we were up where we needed to be in terms of investigative capacity using the pre-2012 investigative guidelines. They sort of added some complexity to it but just to give you that sense, that in that framework, we had to meet their guidelines which we were meeting at the time of the top secret. With that level of capacity, the inventory that was steady-state that allowed us to do it was somewhere between 180 and 200,000 at any given time in motion and understanding that a subset of that would be actual Tier 3, Tier 5 cases. But that's about right. So looking at today and looking at the way some of the cases have evolved, somewhere between 2 and 250,000 as a steady-state is a fair estimate. What will drive that actual number will ultimately, probably a year from now, be able to sit down and say, okay, now what a trusted workforce tell us about what that case looks like. But 2 to 250 is a fair estimate that a steady-state would be. And once we reach that and stabilize at that point, we should be able to meet those urban guidelines. Okay, thank you. Thank you. We're next going to hear from Ryan Deloni from DSS who will tell us about the deployment of the NIST. Ryan Deloni, Defense Security Service. And a little bit of a quiet soft-off. That's okay, I'll just talk to the content on there. I want to give an update on the National Industrial Security System. As a reminder, this is a system of record for industrial security oversight for the DOD and the 30 Plus, other agencies and industries which provide cognizance there. Some usage and statistics reports, we have been tracking those throughout deployment. They've been looking good. For example, we have some provisioning metrics up on the screen here. User base has been consistently growing. You can see we have now around 20,000 unique roles broken out about 7,500 industry, 1,100 government, 600 DSS. It's been good over the past few months. We've been working just to ensure that those issues are happening with provisioning. We're getting work through, for example, we work with State Department trying to work through some bureaucratic tapes of getting certificates up and running within NK, the single sign-on platform. That's been resolved and we've been tracking just to make sure all other non-DOD agencies can get in. We do have about 8,000 cage codes represented, so when last we met as a group, we were around 6,000, so about half, and now we're up around three-quarters in terms of cleared facilities within. We're continuing to see that growth. We'll continue to track that just to make sure that industries end as needed in order to form their functions. Other good news, we did kick off the Operational Requirements Committee, so thank you to the NISPAC team. We do coordinate membership through that as well as through industry groups and other contacts. So it is a good representation of about 30 members and advisors across industry, government, DSF, as well as OSDAS policy, and then D&I and other advisory roles as well. So we had our first meeting discussed roles and responsibilities laid out what's the standard process we're going to use to receive requirements to help enhance the system and drive it going forward. We're going to have our first meeting to synthesize that next month, I believe on April 22nd, and we have received from three groups already a batch of requirements and needs and where their thoughts were, so that's been working well. Ongoing events, we have of course been focusing post-deployment for large system on stability and post-rollout activities, so we've been doing a lot of user support. We just had a major patch over the weekend, version 1.6.4. That did stabilize some of the core records within the system itself, so we're hoping to see a lot more of, as well as just consistency of operation. Of course, we're not going to stop there, we'll continue assessing to make sure we can tune anything we need to within the application to make sure it's serving its function. We also did kick off the PSI, the personal security investigation for industry projection survey on Monday. So that was formally performed in a system that NIS overtook when we cut over, so that is live. We sent out some communications about that yesterday, just direct emails to FSOs, AFSOs and SMOS records we have within the system. So we've seen, I think we were around 500 submissions when I checked yesterday afternoon, so it's up and running, and then feedback within that as well. Most of the feedback actually is that it seems to be an intuitive form and positive feedback, which I'll take any day as far as that capability. So that's live and we'll continue to track that as that rolls through April 5th. A couple of things cut off from the screen. We do continue to update our training and tools. So in addition to the step course, we've just in the past week quadrupled the size of our frequently asked questions for users. So those are available within the system. We're also going to direct send those out, as well as continue to build training products and tools. Other good news, we've been working with our Knowledge Center staff to monitor their responsiveness providing lock and unlock support, but actually to provide functional help. So if you have an issue, you can call them instead of needing to send an email and wait for a response. You can call and get on the phone. They can walk you through, can actually proxy in and see your screen and help walk you through your issues that you may be having. So we're ramping that up. That should be active by the end of this month. And those are all the high level updates. We're kind of keeping it high up here, but wanted to open for any questions specific to the system operations feedback. I'll ask, please, one or two. Thank you, Mike, for the briefing. So this is the system of record for the industrial security program. This is right now, this is the system. There's no other automated systems. Is that correct? Correct. In terms of the core records for facility clearances, which companies are cleared, this is that system. We do have inquiry systems such as OBMS for information system authorization, which will be evolving to EMS later this year. And we're working interfaces for that activity. But as far as which companies are cleared, this is that. So, and the menu on the good progress, let me say 6,000 or so from the last meeting, which means there's, I don't know, 4,000 or so that are not enrolled. And this system, as I understand it, is what is used to report annual self-inspection, facility change conditions, facility verification, things like that. So for those that aren't enrolled, does that mean they just do it manually and submit something? That's one question. Then the other one is what's the strategy for bringing those other 4,000 or 5,000 on? And I guess I'd tack on a third one. Just, and it's probably covered in the operational group that we make sure we keep the, and if it comes to a point where we, you know, mandate the other 4,000 or 5,000 join in. Correct. So I think I got all three. I'll cover those down the line. So we are, we are cracking usage. It is required for any, you know, policy-mandated functions, such as your self-inspection certification, reporting change conditions. So that is all performed in system. We're not taking those outside. It is, there's unique workflows, transparency, process, and probation. So we do, as those are required, industry is required to submit with that venue. We've been discussing, and it was also discussed on the clearance working group, exploring toward the end of the fiscal year, whether an ISL may be needed just to further clarify the requirement for use in registration. So we're exploring that, took that as an action item from the last group. And we will continue to plug in both through the requirements committee. We also have a relationship just with the NCMS chairs and representatives. So we'll primarily work through NCMS if we ever need to make a big push to make any... Okay. Thank you. Any other questions? A quick reminder to those on the phone, press pound two if you'd like to ask a question. And at this time, we have no questions. Thank you. Next year from our executive agent of the NIST, Jeffrey Speniger. So good morning. I am, as I said, I'm Jeff Speniger from DOD. I really don't have a lot to provide in terms of new information other than to say I'm really happy to be here. I was pleased to have the opportunity to meet with Mark and the folks over here. And I enjoy the prospects of a very close working relationship. I am not new to the NIST PAC. And I do find that the things that you're aspiring it to be, you know, collegial, but a place to get stuff done. And when we do it that way, it works very, very well. It creates some accountability on both sides of the ledger. If you think of it that way, and I don't mean to seem like that, you know, we're two parts of the same whole, but we have, you know, complimentary responsibilities there that are similar to the same. But I think when we're able to use the forum the way it's supposed to work very well, I'm very pleased to be here. So unless someone has any questions for me, I'm going to give you four minutes and 30 seconds back. Okay. We're going to move on. Anybody have any questions for Jeff on the phone or anything like that before we move on? No questions waiting at this time. Probably. All right. We're now going to hear from Quinton Wilkes and industry spokesman. Quinton, let me get the slide. Go to the next slide, please. Quick agenda. We're going to talk a little bit about the NISPAC and MLU, touch on some policy changes and some impacts, and then we're going to get into the challenges maybe that we're having and finish up with some old business. Next slide. Again, you want to welcome Brian Mackie from BAE. He's our newest NISPAC member. We did have Kirk Pelson. We want to thank him for his time. When he was on, he got some different things changed. He had to step down and move on to other endeavors. Brian, welcome. We don't have any changes when it comes to the MLUs. Everybody's remaining the same. Other than Matt Hollinsworth, he's holding two right now, but we're trying to work to get the PSA as his person. When it comes to the next slide, when it comes to the policies, changes and impact, there's a lot of policies that are impacted, not just industry but also government, as it stands today. One of the things that we suggest from industry is that we leverage industries, industries, expertise as we move forward. Sometimes we have meetings where the government has meetings and they don't always have the right people in the meeting all the time. We're asking that moving forward, we leverage industries, expertise. Hopefully some of the policies that are coming out will be easily or more easily implemented and moving forward. Next slide. When it comes to CY, industry is still having some challenges when it comes to the FAR compliance for CDI on unclosified networks. What industry requests is that we can get some guidance on D-FAR compliance when it pertains to DSS assessments moving forward. The more guidance we have, the better we can help everyone moving forward to ensure that the right guidance and people are taking care of what they need to take care of. When it comes to DSS and transition, one of the things that we asked in the last meeting is that we could have a meeting to discuss where DSS is going, where they are, and what we want to see or what we would like to see moving forward in the future. Yesterday we did have a meeting. Yesterday we did have a meeting with the industry core group and DSS. We talked about where we are now with DSS and transition, where we're going in the future. One of the things that we talked about was the new rating system that they're coming up with. We had a lot of questions. It was an initial meeting. It wasn't a done deal with any of the things that we discussed. It was just DSS giving us an idea of what they're looking for in the future. We're hoping that as they move along with the rating process, they'll really engage with industry and we can provide guidance to help ensure that whatever they're going to implement moving forward is something that's implementable and acceptable from both industry and government. Next slide. When it comes to insider threats, in the voice of industry, there's a message that DSS is working on the ISL for evaluating insider threat effectiveness. We're looking forward to seeing the ISL and providing comments, hopefully, to assist in having a good transition to the next phase of insider threat. When it comes to the NID and the timeline, we're seeing that the timelines are continually growing. We already touched a little bit on that. That was one of the things that was top 10. We're requesting that in the future that we could institute or put back in place, Greg, the working groups for both NID and insider threat to hopefully come up with some things moving forward that can help with the transition. As far as the trusted workforce through Cornell, currently, there's no NISPAC representation when it comes to the trusted workforce meeting. Charlie Flynn did say that there's two industry people that attend the meetings, but those industry people aren't allowed to or haven't in the past talk to or coordinate with the NISPAC on anything that's being said in the meetings. What we're requesting is that an industry, that a NISPAC member attend the meetings and hopefully be able to come back and provide extra or provide information to the rest of the industry and hopefully provide additional guidance to help as they move forward with trusted workforce. Greg already talked about the meeting that we have with ODNI later this month and we're hoping that we'll be able to discuss some policy issues that are coming in the future that may impact industry and hopefully have a good discussion on any of the seeds that may be coming in the future. Next slide. For the systems that industry is using, I mean, right now there's a lot of systems coming out that look like every week it's a different system that we're having to address and provide training and teach people how to use. Industry is requesting that the government continues to collaborate with industry by having additional working room meetings. Right now we have working room meetings, but sometimes they're not often enough to actually keep things moving in the direction that we need to go. So if we could have more meetings to address some of our concerns, then maybe that'll help when it comes to some of the challenges that we're having once we start using the systems in the field. One of the good things is that industry probably received information back when it comes to the consultant white paper. The only thing that's still lagging out there is that sometimes when consultants are trying to get access to J-PAS, they're having some challenges and DSS is going to take that back to DNDC to see if they can come up with either some changes or a way forward that's going to help them get access when a company has a person that's not available, can't create an account for a consultant and they need access, whether they're an account manager or just need access to help them get the job done. Industry needs specific guidance on policy to address security consultants. The reason why we're asking for that is that there's a lot of security consultants start to pop up out there and there's not a lot of guidance to say what they can and can't do. So we're looking for you guys to tell us, you know, to put out some guidance on what can they do, what can't they do when it pertains to consulting services for a clear company, especially when they're not employees, they're actually consultants. Next slide. We're still awaiting implementation guidance for C3 and industry requests to review and comment on C3, on the C3 ISL before it's released to industry. Next slide. Greg already talked or touched on the advisory committee on industrial security and industrial-based policy. Industry is requesting that the ISU be one of the members if possible so they can be the voice for industry moving forward. I'm going to put you on the spot just for a second. Back to the 2.0, and these two industry representatives, do you know how these are selected or how they were chosen? And secondly, I mean, is there a way to integrate the NISFAC more into this process? Currently, the ESG is called the Executive Steering Group. It was convened by the executive agents, OPM and DNI of the PAC. It's a very small group, a few agencies are involved, and the small group has been meeting monthly just so there's continuous and continuity of making some of the decisions. Has not been changed in the working group. I just know that two members of an industry base were invited to participate, and they've been involved in some of the discussions in the process. And then decisions are then filtered down to the staff of the executive agencies along with the PAC, and we're working through the policy structure. Has not been sent out yet to a community to comment on anything. It's really just the policy structure and approach is being discussed. In fact, Dan McGarvey industry, and Quentin asked me to really kind of focus on the transparency issues. And so taking a look at it from a larger perspective, and I think Greg went through the number of issues that industry is concerned about it, and industry is not concerned so much about writing policy. It's the impact that policy would or could have, which is where the issue is. I will say in support of the things of Valerie and the way they work, as you've heard, we're going to have that meeting on the 28th with Willa Boniva. I also understand that there's been developed a very extensive communication plan to be able to share with industry as progress goes on with trusted workforce. So I think that the ICU support has been critical in that area. The other thing I would mention is that even though we can't talk specifics, I would refer and I'll pass this on, there was a wonderful interview done with the Federal News Network Service with Willa Boniva that really outlines a lot of information. We don't have specifics yet, but certainly enough that has been passed out. So I'll give that to you as that could be part of the minutes. But I will say things are working pretty well. And I'll just add too, and I believe some of the people who are here were invited. There was a press event and all the newspapers are out, is out for review of the basis. So Willa, we're very happy with what's going on right now with the PAC and the PMO. We're going to talk about transparency in other areas as well. Yeah. It's been pretty well covered in the press progress right now. Anybody have any questions for any clues? Anybody on the phone? And once again, please press pound two on your telephone if you'd like to ask a question or make a comment. Pound two. I'd like to hear from Keith Leonard on the DSS. It's a good morning, Keith, 2018 was a really busy year. 2019 will be even busier for DSS as we continue our current missions, implement new missions, and prepare for pending missions. So one of the things I do want to say is, Quint, as we talked about things, over the last month or so in several sessions, DSS, DOD, ICU, and the industry has met together to work to address some of these issues and look for a solution forward. So I've got a couple of updates for you. And this comes from a lot of stuff that we've talked about in the office. One is, industry may have seen a memo from the OSDI reference group classification training for the derivative classifiers. That memo applies to DOD, not NISP, unless applied by your government contract. So any consideration about changing your training from bi-annually to annually, we come from your government contract, and NISPOM applies national standards which requires initial training and bi-annual for those classifiers. The second is, it was suggested the day before, but the certificate pertaining to foreign interest, the SF-328, was revised. Don't worry, the questions didn't change. What was updated was the capabilities for the form and the information collection to be used for the Department of Homeland Security classified critical information infrastructure protection program. It allows them to support them as a CSA, as well as the Penny Defense and the Hand Security Program, which is still in works department of defense. So that was the primary two updates for that form. The form will have a new date. It's going to be 2021. So don't get concerned about questions once it can be unchanged. The next thing is, we must have did a good job with the index as a whole. You really took on the task last year. We posted the notice about Seed 4 and return of foreign passports. On February 5, we posted the industrial security letter. We've heard nothing since we posted it, which means that when the trigger was pulled last year, it was like everything was done. The ISL just replaces the posting and provides formal guidance. The last thing which was brought up a little while ago by Clinton was the fact that insider threat in May 16, 2016, the NISPOM change too was issued, which implied insider threat requirements for cleared industry. So we're nearing the three year mark on this now. After you did a tremendous job in the first year implementing the core requirements, we can consider, really, most companies out there at FOC, now we've got to look at the insuring and effectiveness. We're actually in the process right now of internal and formal coordination of an ISL that was drafted that will rescind and replace the current ISL 2016-02 and update and address the insuring and effectiveness as we go along. We are aligned like we did last time with national standards and processes. We're not creating a new world for anybody. We want to make sure that we stay consistent with that. That being said, as we had great success last time, working with industry and a partnership on this, as well as our government partners, whether it be the CSAs, the National Center for Task Force, ISU, and others to make sure that we had the right product and the right tools and resources to support them. So we see the industrial security letter as part of a package that would require the update of CDSE products and tools related to insider threat, job aids, plan templates, and down the road, as we move along the training. So we're in formal coordination right now within the agency. We'll go to, once we get the comments back from the senior action officer level, we'll move to our internal formal coordination. We'll work along the way to engage the NISPAC and our partners, as well as ISU, as we move forward. We think we have a product that enables various companies based on the size and complexity, whether they have a standalone or corporate program to begin that next step in the process to look at the maturity level of their programs and how they affect this role into different components of their part of the insider threat plans. Subject to your questions. My question is, Keith, industry. Given Valerie's comment earlier with regards to evaluating D-PAR's compliance and the DCM-8 memo that was sent out, is there a current position within DSS on the evaluation of CDI? So, well, you can ask the member of DCM they're moving out on this. The Department of Defense is establishing a common approach to D-PAR's compliance. Well, and we've talked to a few industries before. DSS will have a role when it comes to CUI and compliance with 871. We see our roles with clear industry, but as with anybody else in the Department of Defense with DCMA, DSS, or the requiring activities who will also have a role, the view of a common approach and a common standards to implement this. So that enables reciprocity across the Department. So as we move along, in fact, the Department right now is in the process of developing a CUI instruction. And we're partnering that process to make sure that the work we did last year and look at the side of this is implied in the policy requirements of the Department. We had a lot of success working with our partners from services and acquisitions and CIO this last year. And I think we've built a lot of bonds and capabilities, but back to your question, is that the Department, well, I have to carry on with a common approach. But is there a position today that DSS is trying to assess the process? Right now we are not assessing for formal purposes 801.71. Dan McGrath of the industry. Well, I think along the lines of transparency, I think CUI is going to have a tremendous impact in industry. And the concern is obviously costing, among other things, in timeliness. So I would encourage that as that policy gets developed, we have some impact meetings in terms of what it is in fact going to do to industry, the extent of the effects on industry. And I think as we know more about it, the better we'll be able to prepare for it. Well, I think one of the things that is that CUI is applied in the same manner as the NIST is with the FAR clause. It's applied by the DFARS clause 7012 that lays out the specific requirements of 801.71. We'll see some changes as we go along. In the FAR community, there's a FAR clause being developed for the national level for CUI, but I think maybe Mark Riddle can pull up some of that information to go along. So I don't want to step in his lane, but it goes back to looking at consistency across the process. What we need to strive for is that if someone on the NIST 71, for whatever period of time that is, that assessment should hold valid for others who have, unless they have some increased requirements, pertaining to the type of CUI, which as we know, there's 124 different categories, not all are equal for that process. Well, I appreciate that. And as I recall one time, I had a dentist doing a root canal and he said, well, it's not going to hurt much, but it's certainly him, not me. So we just want to be careful about how we go about this. Thank you. Wait a minute, we're breaking after this? Yeah, we're going to have to go off the second half. You don't get out of it, you next up. Yeah, I'm the comadate. Okay, Mark, please. Okay, great. I actually thought we were going to take a break before I went on, so I'm glad I didn't walk out of the room. Thank you very much, Mark Riddle, with the CUI program. I'm going to give you some of the high notes here. We're kind of going a little bit out of order, what you see on the slide first thing. You're only giving me five minutes today, so there's a good chance I'm not going to address all of your questions, and you probably have a bunk. But we do have a regular update that we provide to stakeholders. Of course, the next one is going to be April 17th, the one after that is going to be July 17th. If you want to participate, it's open to anybody, just subscribe to our CUI blog. The call-in information is there. If you have a question that you want specifically addressed during the update to stakeholders, please submit them to see a good chance based off of questions that if you have them, others have them as well. When we say stakeholders in the CUI program, we mean agencies, industry, academia, state and local tribal, so everybody is on the call. Everybody could potentially be impacted by the gentleman at the end that CUI will have a huge impact on the way the government operates and also state and local votes. So April 17th, definitely subscribe to the blog on that. Also, on June 21st, we're going to be having a CUI industry day. We had our first one in December, right before the shutdown. It was pretty good, you know, but I think that based off of the interest that we had from agencies and industry, it seemed that folks wanted to see more from industry in regard to vendors. So of course we've upped the game a little bit. Last year we had spots for about 10, 10 vendors to come and showcase products and services that are available to assist agencies and other folks implementing the program. This year we have about 23 spots. First come, first serve. Again, send your request to CUI at nara.gov. Subscribe to the blog for more information. Spots are filling up quick. It's going to be open to everybody. We're going to have a short introduction here and then we're going to open up the floor for us to kind of walk and learn about what folks have developed to help assist with the program. First bullet here, agency implementation. Right now we're about two years and a couple months into implementation. And agencies have really taken a lot of momentum with their strides to implement this program. Last year you'll note that the annual report to the president had a very colorful chart in it that highlighted what everybody was doing in fiscal year 17. There was a lot of reaction based off of that chart because it showed that not a whole lot was happening. This year, of course, that same chart will be an annual report and it shows significant progress. Right now we're sitting on about seven government agencies who have asserted full implementation of the program, which means that those agencies are marking and protecting this information. Other agencies, and there's about 101 that we're tracking throughout the executive branch, are asserting to us a very advanced state of implementation, which means that if they don't already have a completed policy on the street, they predict that they're going to have one by this summer or this fall. And that's most of the agencies inside. After a policy is issued within an agency, it kind of flows like a domino effect. Then you see training, then you see the physical environment be modified, systems transition to the standards, and also contracts and agreements. A little bit about the Federal Acquisition Regulation, which we've kind of mentioned earlier. Of course, it is right now being circulated among agencies for comment. This draft will be out for public comment in the near future. We actually anticipate now probably about seeing something on the street. Again, if you subscribe to the CUI blog, you're going to get a hyperlink to the current draft. Our associated CUI form, is going to be how agencies convey these requirements in the standard. And also the reporting timelines, as far as when you're going to be providing comments. Right now, our estimate for when this far will be on the street for agencies to use will be sometime in the fall. So you can look at October and November time frame, depending on when you think fall is. But it'll be this year sometime. So more to come on that, of course. On the April 17th stakeholder meeting, we'll provide another update on the FAR. On the time that get further and further into this year, we get more and more clarity on when that'll happen. So I'm hoping that by the April 17th meeting, we'll have an indicator of this public. Also, you'll notice on my slides here, I have some pretty colors on the slide. We've developed some new cover sheets and media labels for the CUI program. We've had cover sheets out there for a while, but there was some discussion of the CUI Advisory Council and also stakeholders that there was a need to standardize these things even further. We had three cover sheets before. Do you notice that they were green? Solidated them down into one. Existing stocks of old cover sheets can be used for supplies. But now we have a new form that's available for download from GSA and our site for use. It has the similar feature to one of our older forms where there's going to be space for you to populate or agencies to populate the unique handling associated with that particular type of CUI. Also, the smaller labels that you see here are brand new. These are standard forms, of course, 901, 902, and 903. Media labels are, of course, for use with different types of media, whether they be hard drives or USB drives or what have you. They'll be available for purchase from GSA and additional information in the near future. We actually expect that these will be available for purchase by the end of next month. So they'll be out there in the standard booklet if you bought the media labels for the classified systems. It's very similar to that. Although the CUI program does have this, the reality that USB drives will be used in the program. So we created a special label just for those. That's about all I have in regard to implementation for the CUI program update. More on April 17th, but I will open it up for any questions or reactions. Hopefully you guys like the new color of the cover sheet. And if you do, not like it, you know, I really don't want to. Actually, because it's too late, I was already finalized, but actually positive feedback, negative feedback is always sought after. And I think I had a question right there from Ms. Clayton. Is that right? If you could just shout it out and I'll play it back for everybody if you'd like. Oh, so the question is, Amy Roundtree from NRC, but why the change from green to purple? Well, it wasn't just that we're from Baltimore, right, like the Ravens, it was actually, there was a lot of pushback early on in the development of the cover sheets and regard to the color. Believe it or not, the CUI advisory council debated for a number of months on what the color of the stupid sheet would be. And of course we settled at that time on green because right at that particular moment, the FOU cover sheet was green. When it came time to make the shift, of course from the green to the purple, it wasn't just a shift in color, it was actually a shift in the type of form that we were pushing. You'll notice that the forms that were previously available, the green sheets were actually optional forms. This purple sheet is a standard form, standard form 9-0. And the requirements to use these things are kind of laid out in a new CUI notice. If you went to our website, there's a great page that you should definitely check out. There's a policy and guidance page. We issued clarifying guidance to agencies and stakeholders regarding the program. There's a notice out there that speaks to these cover sheets and how they can be used. I think that there was a lot of questions around the issue of an optional form. When really the truth of the matter is is that if you're going to use a cover sheet, this is the one you have to use. So the standard form kind of came off as a little more authoritative. I'll make a break from the purple so that way people would recognize the change. Question? Yes, ma'am? Okay. The question from Michelle Sutton is, of course, when is Ms. ST-871 Rev 2 going to be available for public comment? Now, of course, some of you may not know that, of course, Rev 2 of the 171 has been rattling around inside of the government right now. One of the main changes that you're going to see in this document, and I will get to the question, of course, is there's a new appendix in Rev 2 of the 171 that speaks to security requirements related to an advanced persistent threat? Basically, if an agent's persistent threat to the information or a particular system, they can use the 171 Rev 2 appendix to push out the core requirements and the 171 that you see and that you've grown to love, I hope, are not going to change in this revision. Right now, we don't have word on the exact timeframe for when this publication is going to be out for comment. It was actually supposed to be out already, but I think the internal comment period between agencies kind of... So as soon as those comments are resolved among agencies, we will be posting it again. When the 171 Rev 2 is out for public comment, we will put it through our blogs. I'm not emphasizing that enough. I think that that's where we really do our communication to all stakeholders. I highly recommend that you take a look at this document when it's on the street. For some of you who've been, I don't know, lucky enough to see the draft, you'll notice that there are some things in appendix that will probably raise a couple of eyebrows to safeguarding requirements, because it isn't just a technical document in regard to how to protect systems. There are some statements in there about personnel vetting issues, too. So I'm going to come on that, of course. Any additional questions? That was a great one. I think I heard you mention it. We, in ISOO as the executive agent for the CUI program, a lot having credit to do to Mark, started the process of doing our own assessment implementation of the agency's progress on implementing CUIs. So we have started the line-up assessments of some of the agencies. As Mark mentioned, I think we say seven or a full implementation. I just wanted you to know, as part of that, if they have issued contracts, we'll be looking at that as well, despite our ask to do all this. Oh, yeah, that's absolutely correct. So right now, of course, one of my day jobs is I run a small oversight team where we actually assess agencies. So based on the annual report submissions in fiscal year 18, agencies asserted wherever they were in the implementation movie whether they have a draft policy, whether they initiated training, what have you. So depending on the state of their implementation that they asserted, my team is actually engaging with them. We're kind of like that old saying, like from Missouri, they say it, now we want to see it. We want to see what that policy looks like. And our job is to ensure that it's consistent with the executive order and, of course, the CFR. Sometimes, you know, early on in the drafting process agencies take some liberties with the policy, or they try to take some liberties with the CUI policy. And that's our job to go in there and get them back on the rails as far as what those standards are. There are some clear lines in the sand on what an agency can do and what they can't do with their CUI policies, especially when it comes to implementing those standards on to non-federalized. We're watching. Really, oh, an oversight, right? Any additional questions? On the phone for Mark Riddle. No questions at this time on the phone. Okay, thank you. Okay, let's take a 10 minute break. We will start again at 10 to 12. Okay, we're going to, excuse me, hear next from the defense vetting director, Heather Stokes. Heather? Hi, everyone, I'm Trisha Stokes. I know Heather's better, but you got me. I wasn't human supposed to be here today, so I appreciate you hearing me and allowing me to speak, Anna. And so I'm the director of the defense vetting directorate. And the defense vetting directorate is the directorate that was established in DSS. I'll go to the next slide. There you go. About a year ago now, I think I spoke with you when we had just been birthed. And at that point in time, I think most of you know that we were anticipating taking back the background investigation mission for the Department of Defense. And then within two or three months, we realized the president directed, we would take back the federal government. So I'm going to go to the next slide. So the bottom line is we were establishing, we were preparing, we were establishing what we called our landing team. And as we stood up, the very first thing we did is looked at ourselves internally and what we were getting ready to inherit in terms of with the Department of Defense CAST, Mr. Ned Fish and his organization. And what Dan Payne and I settled on was we would put all things vetting under the same directorate in DV, which we named probably change as we inherit the federal mission as we're anticipating the executive. And we knew we needed to start by putting all things vetting that existed together because it made sense to do so. So what that really entailed was really what you see in the left-hand corner on our right-hand corner was that excellence. So what you usually or previously knew as the PSMOI is now the Vetting Risk Operations Center. I would tell you that that will be our nucleus of operations forward. And that will be headed by Heather Stokes, or I'm sorry, Heather Green. And she's preparing to inherit really the crux of the operational element. We also included insider threat. So most of you may know the DITMAC, Defense Insider Threat Management Analytics Center that we own. I think what you will learn in the future is trust your workforce 2.0 is rolled out as people have spoken about in this one today that the insider threat mission will be what becomes continuous vetting. So pairing those, integrating those together in the same organization seemed like the right thing to do and we're very glad we did. A lot of data sharing back and forth and there's a lot of economies of scale that we can achieve by doing that. We also have a program that we've just established called Enhanced Screening Protocols and what that really is is it's getting after the foreign associations on that great form SF86 that you fill out, anything that contacts foreign associations, foreign travel. What kind of indices do we look at to really be able to get the appropriate information to mitigate risk? So that's what that program is about. We are starting it with the military sessions as directed by the DEFSECDF but I think it's going to be rolled and we are going to look at vetting that process in what will become the transform background investigation process in the future. And then certainly not to forget where we're going with Trustable Force 2.0. The defense vetting directorate is working hand in hand with all the workforce, the PAC PMO who's really doing the heavy list. And we're also representative on the searing committee group that is forming the policy and making the decision because it's kind of important to us because we will be the executionary of that. We will have to execute this in practicality. And then last but not least is Mr. Ned Fish, who probably would have been doing this briefing if I wasn't here today and Ned is, as most of you know, the director of the Department of Defense CAF was gracious enough to open his doors to the defense vetting directorate in Fort Mead in last year. And that's when we really kind of became one. He started integrating way before we were directed to integrate. And Ned has been very gracious to us, not just in that. He's also leading up to help me with a lot of the bigger things that we have to do. I mean, we're practicing on integrating organizations with his organization, which is about 692, about 700 people, only to get ready for Charlie's organization, which we will inherit, you know, which comes in the cast of thousands. And so it's a great test case, but we have I think integrated exceptionally well and our business processes just belong together. So it's working very well. So a real quick snapshot of what we look like today. And what I really want to point out is that part on the left-hand side, the NDISPP, so the National Background Investigation Service, what that is, is Mr. Terry Carpenter. He is the PEO, the Program Executive Officer, building the new enterprise, the new vetting enterprise for all of us. And so Terry came on about the same time last year as I did. We hit the ground running and we realized that we were partners and we had to be no gap between us. He's building what we need, find the requirements, he builds it. He's building in an agile framework capability. I could spend an hour up here talking just about this work chart or really just about what the NDISP program and the DVD program, that I know we have a lot of forms coming up that will be associated with each other at, I think, Quinton's put up the chart of all the conferences coming up. And I think what I will commit to you is, and Heather Shokes and I have been talking about this a lot, and that is how we take all these engagements and what she does so well with the community. And how we will engage what you see in that block called Enterprise Business Support Office. That's really my business office that will be interacting with all of our customers. Building the requirements, working with the PEO, working with strategy, working with strategic comms, working the training issues, working all strategic engagements with our customers, which we thought getting to the Department of Defense was a big thing, but then you add the other 105 agencies that Charlie mentioned, that's now a bigger thing. But industry that, again, Heather pretty much has a handle on anyway, but helping her engage with you to make sure you're an inclusive partner in this process, building the requirements, testing the capabilities, really interacting with us. That is my commitment to this community. And so now I will get off the podium and let the two people who you really want to talk to who were the highlighted boxes, and that's Heather in the Vetting Risk Operations Center, and Ned will follow on the DOD Adjudications Facility Information. And then we'll take any questions. Good afternoon. Heather Green, Director of the Vetting Risk Operations Center, previously known as PSMOI. So I wanted to give you a few updates from a metrics perspective. Currently we have, so far this fiscal year, we have submitted a little over 54,000, probably at more than 55,000 at this point, investigation requests. Good news is we are fully funded this fiscal year, and we are pretty much running out of steady state. And what that means is we carry an average inventory of 10 to 12,000, sometimes a little bit lower, but it usually hovers at that 12,000 mark. So far this fiscal year we have deferred over 16,000 periodic investigations into continuous evaluation. We have processed over 40,000 interim determinations, and we are averaging about 15 days for that interim determination timeline. A few reminders from that interim determination perspective is that we do ask you to submit your fingerprint simultaneously or prior to the EQUIP submission, but we certainly wait for those fingerprint results to come back. Therefore, that's why we hold a little bit of inventory for our initials because we have to wait for the fingerprints to be there at the same time as we... So as soon as you can submit those fingerprints, the better so that we can keep those packages moving through the process. One other note, you know, I know that during the industry takeover meeting on Monday we talked a little bit about getting information prepared to everyone on continuous evaluation and the deferment process and making sure the messaging is out there. So please stay tuned. We will be posting something on the DSS website closely with Quinton and company to ensure that we are capturing some of your questions. It's going to be some additional FAQs. We're going to put it out there as far as, you know, how the reciprocity works, right? What avenue you have to communicate with us when you're concerned or if there are any questions on it, as well as when you submit a PR based on the enrollment date and disc. So we're going to provide that information to you. Thank you. Hello, my name is Ned, but you can call me Heather Fish. All right. Ned Fish from the DOD CAF. And I just want to highlight a couple of points that Ms. Stokes pointed out earlier. We started integrating closely. We've been working closely with Heather and her team for years now. Ms. Stokes and her team moved into the CAF facility up at QuartNeed last summer. And we've been working very closely ever since. GIV is leaning in and working very closely with DS. We were CHOPS, OPCON, under the direction and control of DSS and DVD as of 28th of January. So we're formally aligned under the Defense Security Service and DVD now. I want to talk to you about a few things here on this slide. One is everybody around here has been around long enough to know that the backlogs aren't gone when the investigations are done. Backlogs, all cases that are investigated must be adjudicated. And so we're in a bit of a fight these days. And I think that's the most surprising to you all. And I think we'll be in a bit of a fight for another year or so, because as NBIB ramps up in surges and pushes cases to us, we're in the sword fight with them as we're trying to adjudicate those cases. But we are making some good progress. First of all, as we look at Trust of Workforce 2.0 and some of the implications there, and as you look at the Secretary of Defense, we are prioritizing our work on readiness and threat. So if you see that left block there, what makes sure you get somebody to work or somebody else in the Department of Defense gets somebody to work? So we're prioritizing the initials. We're prioritizing those reciprocity requests. Interim SCIs are critical to getting people to work as well as the upgrades and those other things. On the right side, there's a threat aspect. We have to make sure that we are doing our job in concert with the rest of the security officers and folks in the personal security enterprise to mitigate the threats that are out there. So we're also prioritizing the seats of both incident reports and the CE hits that are validated by Heather's team and then forwarded to the DOD cap. Also, on the PR side, we are prioritizing those higher-risk PRs, those with the major DROG and other things. What is going to the bottom of the pot as we work in this priority are some of those minors and no DROG periodic investigations. So if you look at the work in progress right now today for industry, we have about 52,000 cases in our work in progress. If you heard what Mr. Fallon said earlier and you looked at what the DOD cap has here in front of you today as a work of progress, there is no right today in one spot where you can look at the end-to-end metrics. But the good news is, when you look at the numbers of cases that were in the DOD cases that were in the pipeline, either NVIDIA or the cap last June, over 60,000 cases fewer are in the pipeline today than were in the pipeline of the NVIDIA or the cap in June. A large part of that, about two-thirds of that is due to the deferral submission. Another part of that about the other third of that, 60,000, is due to the cap up-gunning and trying to stay ahead of the full cases coming to us from NVIDIA. And we're making some good progress there. We had some dark days last fall between what that correspondence was signed out in June. NVIDIA really started pushing cases to us primarily in August and September. We had some system issues, but right now, as of the new year, we're ramped up pretty well. Now, I'll give you an example. Last week, we closed 24,000 cases. A year ago, we were closing about 14,000 cases. So we are up-gunning, moving forward, and you see some of the reasons for that. It's kind of off the slide, though, but we're looking harder. So we are now on disk. You know, we've been on disk for a while, and we're getting better on disk, consolidated on disk, and working to improve the speed of the system. Also, off the screen up here is, you know, the targeting and prioritization of work. It's one of that you see on the readiness versus threat. Looking to expand e-adjudication, hopefully. And the next few months, we'll get a bump-up in the cases, those Tier 3 cases in Tier 1 cases that are able to be electronically adjudicated and not manually dealt with. And again, as surging resources, whether it's from DSS, or some of the capabilities that DVD brings to us for Lean Six Sigma and other surges, you know, taking people off of their day jobs and putting them back onto production, policy job or something else, so doing everything we can to surge the work there. I want to talk a bit now about the timelines. So you see initials. And that says 37 days of the bus is coming down. Okay, so expect that to continue to trend downward. You see the PR timelines are continuing to be long. A lot of that's because we are not prioritizing those PRs because you don't lose your eligibility. We are prioritizing those derogatory PRs. But a PR does not keep you from going to work as you retain your eligibility. We'll catch up on that as we move on down the road and get this initial workload out of the way. So with that, I'm going to stop talking here. I think we're about the end of our time, but I think it's time to see if there's any questions for anybody from the DVD, whether it be Ms. Stokes, Ms. Green or myself. Bob Lilge, Industry. I don't know whether this question would be for you or whether it would be for Mr. Bradley. We've heard a lot today about reciprocity. We have the seed from last year, I think it was, about reciprocity. I've seen those statistics on reciprocity timelines, timeliness of reciprocity, is meeting the requirements of the seed, et cetera. So I'm throwing out the question, are we going to see that in the future? Can somebody report on that today? What reciprocity timeliness is looking like? Is four months norm? Is it one month norm? Is it two weeks norm? What it is? Just so that industry has an idea of if this is something that's a concern, the trend line is going up, down, stay inside of your whatever. That's a great question. Valerie, you want to talk about that on the snap? Well, just from the B&I perspective, yes, the seed was signed in November, and we did remind agencies that they are to collect the information, so they'd be able to report back to us, and we have reporting requirements that are captured by my colleague Olga Delgado. So I'm not sure she has that information readily available today, but we are asking agencies to provide their information and we're collecting it and reviewing it, and those reports are due out, and I'm not exactly sure at the time frame, but we are starting to collect and examine how agencies are in compliance. I'll say this. I mean, we will start tracking that for you. Olga from the State Department, I have four questions. Going from his question, I have a question I've brought up before or used. There was a meeting last week online of the Personal Security Group, and I asked the question because go figure, people that retire from the State Department want to go work for companies and we don't have DOD clearances, and it's been a huge problem from my perspective because I get the calls trying to say, can you help me, because I'm getting another job. So on the phone call, someone from DVD said it takes two days. Now, I think that two days is probably the very end when he gets on his desk and then it's out the door, but I asked on that call, do you have any staff of when someone submits, when a company submits a request, and when it actually gets an answer, and nobody had the answer on the call. So I would ask that maybe, that kind of goes with his thing, is how, is that really working because it doesn't seem to be working with as many calls as I'm getting, and how long it's taking months. You know, when some, you know, companies submit a request for an RRU or what the new term is, I forget what the new term is, until they get something. So that would be one question. Do you have, would you like to respond or no? So we are going to continue, we'll work directly with ISOO, and PICAS, and all parties to make sure that we have those timelines thoroughly reviewed and then make sure that we have that process. Yeah. I would agree with that. The fact that a RRU is processed in two days doesn't mean the case is adjudicated already. We may need to go out and get files from a different department. If it's less across the day, there might be a deviation or some other issue in there. And so historically, and I'm not going to get ahead of all those metrics on this, but historically, when it got to the CAF, if the case was in the house and you didn't have a problem getting that file and it did not have an issue or a deviation or a waiver in there, they're adjudicated pretty quickly. It's those ones where we have to go out and get the files that go on and on and take close more time. I look forward to seeing our corporate and less across the day metrics in the near term here as we try to make sure our systems can report in accordance with the seed and everything else. And we find that new normal in order to support that requirement. The entire business process review. And we send up the VROC and we inherit the National Background Investigation Bureau and we have new capabilities that are coming out. We want to get as lean as we possibly can and as automated as we possibly can. So I think it's not going to happen overnight but I think there will be a shift in our business operations which would affect your timeline on questions just like that, ma'am, in the future. Question number two. Disp. I brought it up at two NISPAC meetings. I brought it up a couple weeks ago on the phone. My question is everybody's concerned about what company is getting on to dis and how many are on there and how many are not. And no one seems to be concerned at all that I as a non-DOD user agency and others have not been talked to anything with regard to a timeline as to when I might be able to. It's been nine years or so since I started on the J-PASS thing which I thought dis was coming so I kind of pulled back but now I have to bring it up again. I feel like NISPAC is not just about contractors, it's about government agencies as well and I don't feel like anyone is listening with regard to that access. Okay, so I'll take this one unless you want to. Okay. So we hear you loud and clear. So that office that I showed you, the EBSO, the Enterprise Business Support Office, that office is set up specifically for strategic engagement with all of our customers, Department of State being one of them. We, Terry Carpenter inherited from a PEO perspective two years of, I would say, no work from previous CEOs as he was required to build the NBIS as he got in there and really looked under the hood, found major system architecture issues that he's wanted to make. So we want to roll out dis and all capabilities to all customers tomorrow. Focused his time and effort in the past eight months to a year on really getting the architecture right to maximize us as we roll out new capability. And he will be also responsible for the system of systems. And so my commitment to you, please give me your card before you leave here so that I can have my team, my EBSO team come and sit down with you and get your requirements and lay out a roadmap that is satisfactory for you in the future with the capabilities that we have to be able to offer. If I could just add onto that, is one of the things that's happened in the last, I think it was six months, is that the functional management for the DIST and J-PASS in those systems has shifted from, what you just said, USDI down into the DVD. So Ms. Stokes has that functional management requirements piece and her team worked in the functional management piece, Nick Moran and I think we have Pat Hogan here today work closely with NBIS PEO to execute those requirements in the prioritized way. So I think that was a good move in getting it out of the USDI, higher level OSD and getting it down into the DVD. Out of the MDC then? I'm sorry? Out of the MDC. Yeah, so let me talk about that. That's a good move. Yeah, for a second. So the OPCON memo that the DEPSCF signed down on the 23 transfers three entities. J-PASS, operational control of the Mr. Payne under DCSA under the DVD. The PEO for NBIS out of DIST to operational control under Mr. Payne and elements, elements of DNDC that specifically relate to the systems for vetting. So just with the one of them. Operational control under DCSA. What will become DCSA? That will be the new DCSA. Or apart of NBIS PEO then? Well, yeah. So at any rate, we're all under the operational control as that delegated a lot of the work delegated down to the DVD. And so that's going to be very, very, and already has proven to be. We were working together, but now we are all working under the same route for the same boss, same requirements. And so I think the efficiencies are number three. Don't think for a second. Because there's a couple other questions that came out of our clearance working group meeting that pertained to DISS. So the one had to do with the lack of training for DISS users. Another was kind of similar to the NIS question I asked earlier. Will there come a time, and when is it that all will be mandated DISS user, that you have a DISS user account that you're a clear account? Yeah. So I will certainly touch on the provisioning, I think is what you're getting at, right? Mm-hmm. And we ask for everyone's help here from an industry provisioning perspective. Right now we have 6,000, approximately 6,000 industry individual provisions, and we still have another 3,000 to 7,000 that need to be provisioned. And we have opened the gates. I mean, we've opened up all provisioning. You are welcome to submit any of your PSAR, your system access request form, and all the required information. And we've posted all that information on the DISS website. We're getting to the point where you're right. We're going to need to have, you know, a timeline where we're going to have to shut off certain functionality hopefully to drive the provisioning to occur that needs to occur so we can start moving into one system. When we make that decision, when we come up with that timeline, we have committed that we'll give you 90-day notice that, in fact, we're going to start off a specific functionality within the system so that hopefully we can drive additional provisioning to come in. So I'm asking for your help with that because we need to get everyone provisioned. We need to get everyone into DISS so that we can continue to move forward with our system management. No on the issue of training? Yes. So we have tasked CDSE to get some initial training dragged out. But I will tell you, as I told you that Mr. Carpenter has looked at the entire architecture. All systems are systems. I think there are opportunities for disimprovement. I think the proper IT word is refactoring, I'm told. And so we want to be very careful. We want to make sure that we provide the training. We know when DISS was rolled out to the government side that it was not appropriate training. It was a perfect example of how to not roll out a capability, which we took a lot of lessons learned from that we will employ in the new capability out in EnVis. So we've tasked CDSE, but I think we need to get industry improvements in the future. Yep, I would agree. I think we're going to start making some traction. But I think the message also is don't wait for those improvements. It's important that we get folks on this as soon as possible. It's important that we get the training in place. It's important that we get those improvements. And I'll just add one more thing. So obviously once you get provisioned and you're in the system, the user manuals are in the system. So hopefully that's some help there. As well as we have a DISS short that's available for... Right. So we have moved forward with some training that is available on-step. It's available to you. We also have posted a few webinars. And obviously we do all that we can do to get the information out. So there is some information available out there. So we just ask everyone to access it, look and see if it's what you need. If it's not, then we're welcome to provide feedback so that we can share that with CDSE. Thank you. Okay, I'll drop number four so you don't get mad at me. I'll just ask one more question. Is all the changes, y'all? I have no idea who does what anymore. I think the last time I was wondering, is there any way that there's an org chart, not just what you do, but who you call for what? Because right now I've lost track of who does what at DSS headquarters. Okay, so is there a org chart of some sort that can be provided? No. I don't want to answer this, but it's DSS sometimes. We're unclear right now. I mean, let's be honest with each other. I don't want to go on record saying that, but the bottom line is we are in the midst of, and I just guess, Heather Green, anyway. In all seriousness, if I could be really transparent and honest and humble, if you look at the transitions that DSS is working through right now with the executive order, with the transitions of the OPCOM, that we just talked about, and those big organizations that are coming in, and then what the executive order will do, we have to get 10,000 or 9,000. Mark, how many people does MBIB, 11,000-ish people into the DCSA, which is our new name, Defense, Counterintelligence, Security Agency, when the executive order is coming, into DSS, we stood up, DVD, we are integrating with the PEO. We're re-establishing ourselves completely for business efficiency, to serve our customer base. So, yes, the change management is turmoil. That's the fact. And so, it's my EVSO from the betting directorate side of the house that we get you the information on so that you know who to call. I'm not going to speak to the other parts of DCSA, but our DCSA order chart, our new order chart, is up to get our secretaries to approve it right now. So, I understand your angst, and I feel it, we share it, every DSS employee, and every MBIB employee share it too, but I will commit to you that where we are going is the right thing for national security, it's the right thing to get after risk, and it's the right way we need to bet to a trusted workforce 2.0 future. And that's where we all have to, I have to beg your indulgence and your patience. It's very hard for our employees as well. So, if I could, and the reason we highlighted the V-Rock and the cap here is because that's where the bulk of your questions are and the work. So, by and large, and Heather's checking on this, is that you still have the same hope. So, Heather and her team are still the PSMOI and execute those. Your requirement, she has Pat Hogan on her staff so he can work those requirements up into the EVSO. And so, when it comes to the cap, you still have the same cap call center and you still have the same process by what you're dealing with the cap. It doesn't mean we're not going to move things further and further integrate them in the future. And of course, MBIB is still with MBIB and you still have the same call center, whatever. Now, do we have ideas in the future to merge these things and make it more better and improve the whole processes? Yes, but for the most part, although we have some work charts here that are new and functioning, folks you're calling are the same ones. Is that correct, Heather? John Nasser. My question was to follow on to Kim's about this and our biggest concern is information sharing and I wanted to know what is the timeline for you all to start addressing our agencies collectively? Is that immediate or one to two years out or what is this, you know? So, I'll take a whack at that. First of all, there's a lot of requirements out there. There's ear requirements, there's cap requirements, there's component security manager, no-depth requirements, and all of those are being addressed in a manner of prioritization. You know, this isn't perfect for the adjudicators. You know, many funders probably work around this, but we had to get on with it because that was the system of adjudications and that's kind of my point. If we wait for this to be perfect before we get on to this, we're a day late develop short. Separately from that, as we go forward with M-DIS, you're going to see pieces and parts of the disc deployed within the M-DIS system. If you're on this, you're going to be part of that graduation into M-DIS. There will be no sunset. I don't think there will be a sunset day for this. It will just become M-DIS as they make the improvements. So is there a timeline for your agency's requirements? I couldn't answer that. I think that would have to go into the requirements process to look at it, but I think we'll be making some good progress for sure within the next... Okay. So you don't have access to those systems? Yeah. I'm going to take an action item from my EBSO to hold a stakeholders group. And we've talked about this, and I think that way we can get out of this form and let you move on, but really get to the questions that you're asking with the right people there to take the actions and to make sure we have the... share the right information with you. But again, we are in the biggest change management I've ever seen in Valerie. I think you can vetting enterprise. And so none of this is easy, and we want to roll out things that are right and ready for our community. You will think those that aren't right and ready. You have way more problems. And so we will take an action. We'll get the appropriate list of stakeholders, and we will hold them. Yeah, because you gave me feedback on Monday, right? So Monday night, I went right at it. So great, thank you. I think I'm well over my time. Thank you very much. Well, all questions, did you get... Monday, I mean, we will... I don't want to come back in June and have to hear the same thing. You still don't have access. So keep us at a price then. I think we can do the help. Thank you so much for that full conversation. All right, we're now going to hear from Valerie. Irvin, about C's. Nothing really to update. Thank you, Mr. Chairman. I know our time is very short, but I mean, I was just going to say that I'm happy we're going to be hosting the trust of workforce briefing for the NISPAC and ISOO, and we look forward to continuing our conversation. Thank you. Quickly into our working group reports. This is a working group. Thank you, Robert. In an effort for time, just these are DSS items that we're engaged with the NISP working group on. First off is our process manual that describes how we get through the assessment and authorization process of classified systems, and it is scheduled to be released April 8th with an effective date of May 6th. It's something that we worked out in the... we've had a variety of feedback both internally and externally on developing the next version of it. It includes the revisions that have been made in this, instructions on our transition to EMAS as our system of record, and something that came out of the NISP working group was some language and some streamlined processes for doing proposal systems. So that will start... be released on the 8th of April, effective on May 6th, so it gives folks about a month to read and comprehend what's in the new process manual. Transition to EMAS, again, we're scheduled to transition to EMAS as our system of record beginning May 6th. There are numerous job aids on our NISP RMF Resource Center link. Under that link, there's two tabs. One is for risk management, framework information, and other is for EMAS. There's job aids is how to get sponsored to get access to the training, job aids for getting you on to the training site and taking the training, job aids for doing account registration and all the forms needed, and then we'll have some additional job aids on just some high-level... the high-level items that... things like account system registration for within the program. But between now and then, OVMS is our current system of record for assessment and authorization. It will remain so. We will begin... we will take this as a phase transition, so information in OVMS we will work those packages through. So if you submit something on April the 1st, or, I mean, on May the 1st, we won't ask you to resubmit it into EMAS on May the 6th. We'll work it through OVMS all the packages worked within OVMS will. The last one and the bullet points are cut out just to talk about... we're doing classified enterprise wide-area networks as a national-level initiative to try to bring central monitoring and management along with continuous monitoring, vulnerability management, insider threat management into the classified arena where I know a lot of industry already has those items on their unclassified networks. We're trying to leverage those best practices within the classified arena now. And we see that this will be a huge impact on resources for both industry and DSS who will save us time because we'll finally start using technology, by using manpower to do auditing and to look at the security controls. So we started down that road. We have a few companies that have their initial classified wide-area networks authorized and we have probably another eight to ten companies that are in the process of putting information together. I won't go through all... I won't go through the metrics. I know this is part of the packet that you all can receive, but just these are... we track our metrics via region so we can identify and then down to the field office location so we can identify where we might have potential gaps. Currently, we are leveraging folks from the capital region into the northern region to work a bubble that we've had there for a few... a few months and we continue to monitor this as far as what we have for workloads, what we have for impacts, and how we can continue to manage the assessment and authorization process. Pending any questions, Mr. Chairman, I will... I am done. Do you have anything to call? I have two questions. Actually, I don't... I would say that from the standpoint of the western region, aside from expiring things that are coming due in... we're looking at that. Currently, the western region workload, we're pretty current on that. But part of that, looking at what's coming out in the next 90 days, we'll tell you we look at the next 180 days in the next year, is that we are... so we are looking at that future state. What would we... But until those are ones that are defined in the system that are set to expire, they may not actually turn into submissions. So we're... so we manage that on a routine basis by looking at what's currently coming in. So good question. Thank you. So sticking to that chart, the... you mentioned Northern is coming down to help Capital, but... No. The other way around. But either way, Capital has 100... mine says 101, that says 93 denied, still far and above all the other three regions, and even making it more significant, they don't have... in fact, they have the least number of submissions. So you know what the factors are that are contributing to why the one region has a significantly higher number of SPP denials? Sure. Capital Region has the largest percentage of very small contractor, you know, cleared contractors. And I'm talking less than 10 people. They just do not have the cybersecurity skills to submit a package. So to be truly honest, if the package is submitted and it's just wholly inappropriate, it just doesn't cover anything within the risk management framework, we just deny the package out and send give them some locations to go and get some training. So that's what a security consult. That's exactly right. I think everyone sees the business. Second question. On the first chart I understand there's a pilot going on as it relates to maybe you're not ready to give any updates on that. I thought it would be started in December. Is that true? A small number of contractors, companies says there's any updates. Okay. So we have not started the pilot. The EMATS application is owned and managed and supported by DISA. DISA asked us to delay a little bit, which is why one of the reasons we pushed the implementation into May is DISA moves their servers to the cloud. So we haven't started that yet. We have a variety of local companies that we're going to do that with a couple of our NISPAC, the NISP working group members are on that and so we'll be getting feedback for that. Thank you. Thank you, sir. One quick question. On the E-WAM NISPAC, can you give a little color around that as to where that is? Is it ideation? So we are finishing up a couple of different items. So one is kind of a one pager that we're going to send out internally to government folks just kind of describing what it is and things that they might need to talk with their acquisition folks and their program managers about with it. And then two is an external document that gives industries some checkpoints to see is this something that would work for us? It is really geared toward larger multi facility companies. We do have, currently, we have two companies that have approved enterprise level classified WANs. One company has about 65 locations that are under their WAN and the other company has I think seven or eight and they're planning migration for upwards of 70 of them. We have another one that we're just waiting on some certification information from NSA before we start them and just to kind of give you an idea of the scope of it. So we started down the road and we're working, we're engaging individually with the facilities. But to just give you an idea of where we're looking at the future, one of our companies has, currently, they have over 558 authorized systems under ATOs. Their four-year goal is to put 400 of those authorized systems into their classified WAN. So we'll reduce the amount of local oversight both at the industry locations and at the DSS locations required to manage that by centralizing that both within DSS will manage this now and at the facility because they'll have a couple of network operations centers and they'll be able to continuously monitor, pat, manage inside a threat program. We'll actually decrease the number of human assets we need and increase the technology behind good cyber security. Right? No, we're going to turn to Greg. Okay. So, most of what I would cover has already been discussed in updates given by DOD, ODNI, the NISS update. So I just want to maybe impress upon a couple of things. We've heard a lot about transparency, a lot about communication and the Cleaner's Working Group is sort of a catch-all for all the other things that go on. At one point, I also want to make sure you hear, we're planning a follow-up to that resolution group because we still have steps, we have things to resolve. The first week of April we're going to probably try to shoot for April 4th, so we'll send something out to let you know. But in the way of communication, here's one example that I'd like to pay attention after the Working Group meeting, the Cleaner's Working Group. And it may seem simple, but it really just goes back to making sure that we are utilizing, leveraging the NISPAC in this case industry on communications. As I understand it, which is a great thing, the voice of industry letter memo that DSS does periodically, it goes to all the facility officers and or the key management persons. So it's, you know, 12,000, 13,000 companies, but sometimes these eight NISPAC industry members aren't among those two sets of individuals. The ask is just simply include the industry spokesperson on just about any and all communications that are meant to go widespread. This way, Clinton representing all of the NISPAC simultaneously informed of what's going on. Whether or not the task is for him directly or the eight NISPAC members, that is the focus. That's really why we have a NISPAC and the formal process of industry engagement should really go through that. And I'm willing to debate that with anyone, but so that's more than that. The other couple of things just to highlight, I think on one of the slides Ned was showing, use of e-adjudication, it appears from what I've seen we really need to step that up. And I know there's plans to do that, but in the case of industry, numbers I'm hearing is only one to two percent of industry initials. Common sense would say that is that number. There's something in that business process that is too difficult. There's something there that we're not taking enough of a risk management approach. And, you know, if we're trying to do things as efficiently as possible, that's an area that I think is right to take a look at. Most of the people get through the clearance process. There are some that have issues, but a lot don't have issues. So it's puzzling to me why so many don't make it through the e-adjudication process. Other than right now, the business rules are rather strict. At least that's the way it looks. And we kind of touched on this, but also coming after the clearance working group, the business about the NIDS and national interest determinations. It's still, even though it affects small numbers of contractors, it's still an item of concern. And I will say, particularly among just a couple of CSAs without mentioning any names. So what we want to do, as this group sometimes does effectively, I think, is collect numbers. We're not revealing any classified information, folks. We're not revealing any numbers and timelines for how long it takes to process NIDS. Now, that would identify each owner in the prescribed information. I want to put that out there. So that's all I'm going to say. Olga's been patient and she's up next. So that's Melissa's questions. Just a part. This is Mark Brooks with DOV. With respect to NIDS and our partners on that, we support the transparency as a CSA. The only thing, and I heard this initially and due to time, I wasn't going to interject when our industry colleague Quinn raised it, we've never heard where there's a specific issue to the Cognizant Security Agency or the Cognizant Security Office. And with respect to that, it seemed like we're trying to run the appropriate analytical work to see if an issue actually exists. So to my point, once we get that data, if industry could provide that to ISOO to say, hey, we've submitted these NIDS and they exceeded the timelines as prescribed in 32C Part 2004, then that provides a basis. But I just want to make sure that there's actually an issue that's been validated versus an assertion. I may. So this is Jeff Finneger. So first, Greg, I really appreciate you speaking up on it and Quinn as well. I actually think it's a much bigger issue than we actually think it is. So there's a small number of companies that are under SSA, but there are a ton of those companies who are either prime or subcontractors. And so while we see the top level of this thing pretty regularly and we hear from those companies when it's the prime piece, we don't hear about it nearly as often when it's the subcontracting. So I think the working group construct to build a mechanism, this is what this forum is built for. At the same time, we didn't mention it earlier, but for those of your students of all this stuff, Section 842 last year, we'll address as fast as we can, frankly, to address what Congress has given us permission to, which is to implement the provisions in 842 in advance of the 1 October 2020 date. That is a wonderful mechanism by which we will have metrics and we will definitely put our counterparts in the services and SAPCO and particularly where much of the department is described gets where this is kind of in center stage helped us through the coordination process. Now it's over to the lawyers and then it'll roll out, but I will definitely be looking forward to bringing this back and just like we've done before, a work group in this forum I think will help get us where we need to go. I think if I may, Greg, that's excellent, Jeff. I actually sent a note to my Folk Eye FSA NIDS counterpart in the department to ask for those specific information and support of DOD's efforts to implement Section 844 to FY19. But I think that goes to the issue that my State Department colleague raises that in terms of a government-wide approach, whether it's clearances, facility clearances, NIDS, FSA, there needs to be a singular government repository that we have access to that we can grab that data because we have to move away from a working group to do enduring work. So, Jeff, I appreciate that. DOD is going to look to that, but I think based on the response we got from Ms. Stokes and Ms. Heather, I think there's a greater national industrial security system capability across the whole of government that we need to be able to latch into and get this information instead of do independent data calls. So we'll work that through this forum. And then, Jay, what you're saying, and we're not going to solve it right here today, and certainly the idea that you just mentioned about a database in the long run for very healthy data put together. But in the short term, from what I've seen in the years I've been involved in this, whether it be clearance numbers, information system data, when we start to track and highlight it, that tends to put some focus on it. Perhaps there is an issue. I'd be very surprised in terms of timeliness. But we don't have data to support it either way, and it seems like it should not be that difficult to collect this data. So I do think it's worthwhile for us to do it for our, as Jeff pointed out, cascading down subcontractors that were impacted by this. And that was, and just to close out, a little bit over. And that was kind of DOE's retort leading up to the industry's issues meeting, is that in order to get really traction, and bring these long-standing languishing issues to a close that identify the Cognizant Security Office that's causing the issue, propose a resolution, and that's the metric that we could track as a forum, and that's the value proposition. The Cognizant Security Office is a 17-nids that's on hold. Where's the holdup? Where's the breakdown in the process? So that way we could determine rightfully as CSAs and CSOs is it at the policy level, whether it's national level or CSA implementation, or is it somewhere downstream? That'll be helpful. And I think to close out, Jeff has pledged to bring DOD's information to give us a data point if there's a much larger cast. But I think DOD has preponderance and I think the information they provide is going to yield us the information we need to go forward smartly. Thank you. All right. Yeah, wait for another? One more. That's from the the methods. Okay. Last but not least, and also, yeah, I'm very interested. Thank you so much, I know in the interest of time and we're a little bit over. So we'll jump right into that. What is unique about this slide that you've heard from various departments and agencies today about their statistics in terms of timeliness. And so these slides actually do depict data that has been collected from only DOD, OPM and the IC. But the further breakdown of that and this is unique for contractor data that includes agencies contributions from CIA, DIA, SCI, NGA and RO and NSA and State Department. I believe we've captured most of the departments and agencies that are still in the room. That's out of methodology. Most of you are familiar with that and we're currently using the second PICCA 2012 methodology here on the bottom. This slide represents industrial personnel security timeliness metrics as it relates to quarters. So if you take a look at this slide we're comparing each of the investigative pipe secret confidential top secret and periodic investigation. And we're looking at the green bar so on the chart across the board and the purple block. So in comparison to those two items we did see a slight increase in secret and confidential processing totaling within the number of days and also a decrease as well and periodically. This is a snapshot for secret clearances for SLI 19 quarter one. So a little cutoff here on this slide deck on the bottom. But if you take a look at this it's 227 days in total for this secret process at this point in time. And that is a 7-day increase from last quarter. Top secret clearances that includes the legacy types as well as the SSCI and the tier 5 investigations we saw an increase here so 423 days in totality which is an increase of 31 days from last quarter. Periodic investigation you'll also see here 331 days we did have a slight decrease in numbers. So all questions please send us an email and I'll open up the floor for any questions. The decrease in PRs is attributed to modifications in our processing as it relates to ways in which we can find efficiencies in processes. So to relate to that you saw some of the statistics from DOD so Heather Green and I have been working closely together as well as Director Phelan staff as well over at MBIV to really drive down some of those processes. So the timeliness associated with those processes. So the partial government shutdown definitely did impact some of those numbers. I don't know if you were here previously for the quarter but we actually had to caveat our numbers so the department and agencies were not able to report their timeliness metrics back in what was it quarter four of 18 and so we had to give those folks time to get back into the office. We prioritized their work and then we were able to process for a list of agencies who can look online. I didn't bring them all with me but also that included some of the subcomponents of those major organizations. Any other questions? Good afternoon. Recognizing that we are already over time I will be, I will be very brief. The Defense Office of hearings and appeals as most of you know is the due process authority that is the only authority for denials and revocations for not only DOD contractors but contractors with the 30 other federal departments and agencies under the MISP exception of the intelligence community agencies, Department of Energy NRC and a handful of others we are the place where clearances get denied or revoked. The good news is that we do not have a backlog. In fact our workload is at steady state at all of the stages where we work right now we get our cases exclusively from the DOD CAF we work closely with the DOD CAF to ensure that that works smoothly. We are getting right now, we have on hand a small number of the statements of reasons. It is actually 239 active statements of reasons. We have approximately no exactly 472 cases pending hearing 340 cases pending administrative judges. We are all within normal limits. The other good news is that we believe that in the coming year two of the things we talk about investigative standards and adjudicative standards are probably the two biggest innovations that affect the workload that we share with the CAF is continuous evaluation which can in theory increase the workload but if it is managed correctly it just helps us find the needles and the haste back bigger. That is at least our earnest hope. The other thing is I want to answer quickly a question that Greg asked which was may have mentioned rhetorically but the concern about e-adjudication is real. One of the reasons that e-adjudication has historically not worked as well for industry as it does for the military departments and historically the numbers for the military departments are significantly higher than they are for industry. Applicants are older. They have been around longer. There are just more facts in their cases and as a result they don't pass the current e-adjudication business rule. Ned alluded to the fact that those rules are being retooled and with luck probably the best thing that we can do in the coming year for the DOD CAF is to come up with more robust e-adjudication business rules that allow more cases to pass and as suggested when in a world where we have historically and this is a 30 year number only deny the revoked approximately 1.5% of the cases that means that we should be able to do much better than we are currently doing with the e-adjudication. Those are the two big heavy lists for the coming year but as of right now Delha is healthy and looking forward to continue to work with the DOD CAF and DVD. Thank you. Again, we will be July 18th here at the National Archives in this room and then also on November 20th I hope to see you all then. Okay, meeting adjourned. That concludes our conference. Thank you for using AT&T Event Conferencing and Hunt. You may now disconnect.