Welcome, and thank you for joining today's National Industrial Security Program Policy Advisory Committee meeting, also known as NISPAC. To receive all pertinent information about upcoming NISPAC meetings, please subscribe to the Information Security Oversight Office's Overview blog at isoo-overview.blogs.archives.gov or by going to the Federal Register. All available meeting materials, including today's agenda, slides, and biographies for NISPAC members and speakers, have been posted to the ISOO website at www.archives.gov/isoo/oversight-groups/nisppac/committee.html and have also been emailed to all registrants. Please note that not all NISPAC members and speakers have biographies or slides. While connecting by phone is necessary to attend today's meeting, there is no requirement to log on to WebEx. However, you are welcome to join WebEx with the link provided with your registration as all available materials will be shared during the meeting on that platform. If you have connected through WebEx, please ensure you have opened the participant and chat panels by using the associated icons located at the bottom of your screen. If you require technical assistance, please send a private chat message to the event producer. All links will also be shared periodically through WebEx chat. Please note all audio connections will be muted for the duration of the meeting with the exception of NISPAC members, speakers, and ISOO. We are expecting a fairly large audience today. Because of this, we will not be taking questions from the public over the phone. Please email your questions and comments to NISPPAC@nara.gov, that's N-I-S-P-P-A-C at N-A-R-A.gov, and someone will get with you there. Only ISOO and NISPAC members will be authorized to ask questions throughout the meeting. At the conclusion, a survey will be provided for feedback.
If you would like to be contacted regarding your survey responses, please include your email in the comments block so the NISPAC team can get back to you personally. Let me now turn things over to Mr. Mark Bradley, the Director of ISOO, as well as the Chairman of the NISPAC.
Thank you so much, Madam Producer, for your kind introduction. Good morning, everybody. Welcome to the 66th meeting of the National Industrial Security Program Policy Advisory Committee, commonly known as the NISPAC. This is the third NISPAC meeting that's being conducted 100% virtually, except now we understand some people are at home and some people are at work. This is a public meeting, like our previous NISPAC meetings. This one will be recorded. The recording, along with the transcript and minutes, will be available in 90 days on the NISPAC Reports on Committee Activities webpage mentioned earlier by our event producer. We're planning on taking a five-minute break in the middle of the meeting, so I'll flag it as we move closer to that. I will now begin attendance for the government members. I will state the name of the agency, then the agency member will reply by identifying themselves by name. Once I've gone through the government members, I'll then move over to the industry members. After the industry members, I will then proceed to the speakers. So again, ODNI, are you here? Good morning. This is Valerie Curbin. Good morning, Valerie. DOD, are you here? Good morning. This is Jeff Speniger. Hi, Jeff. DOD, are you here? Good morning. I'm Gene Mark and Oskie is here. Good morning. NRC, are you here? Good morning, yes. Dennis Brady, present. Good morning, Dennis. DHS, are you here? DHS? Yes. Rich Degossarin. Hi, Rich. All right. DCS. Ramlcraig. All right, Bob. You're quick. Keith Minard, DCSA. Keith Minard, DCSA. I'm sorry, Keith. Can you repeat that again? I jumped in front of you. Please. Keith Minard, DCSA. Hi, Keith. CIA. Hi, Felicia Gutierre. Hi, Felicia. Department of Justice.
Good morning, Kathleen Berry. Hi, Kathleen. NASA. Good morning, Katherine. I'm here. I can't. NSA. Good morning. This is Brad, whether it be at NSA. Hi, Brad. State Department, are you here? Good morning, Ken Bogger from State Department. I can't. Air Force, are you here? Good morning, Jennifer Aquinas here from Air Force. Department of Navy, are you here? Good morning. This is Jennifer. Open here. Okay. Welcome to you. Okay. Now I'm going to turn to the industry members. Heather Sims, are you here? Heather Sims, present. Okay. Great. Dan McGarvey, are you here? Hey, Mark. I'm sorry to interrupt. This is Greg. Yeah. I'm not sure the point, talking point you're reading from, but they may be from the last meeting. I got it. You know, Dan is not in the committee. Got it. Greg, I've now got the right ones. I love virtual meetings, as you know. Period. Okay. I'm sorry. Yeah. I mean, hell, it's all the same. Okay. So we did have the right. Rosie Barriero, are you here? Barriero. Yes. Rosie Barriero, present. Thank you. Thank you, Rosie. Cheryl Stone, present. Okay. April Abbott, are you here? All right. Derek Jones, are you here? Derek Jones, present. All right. Great. Tracy Durkin, are you here? Tracy Durkin, present. All right. Greg Sadler, are you here? Greg Sadler is present. Great. Dave Tender, are you here? All right. Now I'll give you a quick roll call for the speakers. Sarah Cooner, are you here? Here. Great. Dave Scott, are you here? Yes, I'm here. Heather Green. Good morning. All right. Evan Coren. Yes, I'm here, Greg. Greg, Evan. Good morning to you. All right. Anyone else is speaking from the NISPAC that we have not heard from or do not know about? Please speak now. Did I miss anybody? Hi. This is Elizabeth Allersmeyer from the United States Army. I do not have the speaking role, but I just want to make sure you know. Okay. No. Great. Great. No. Thank you. All right.
We request again that everybody identify themselves by naming the agency if applicable before speaking each time for the record. As you know, this thing is being recorded. So it's important for us to be able to do an accurate transcript. I want to remind government membership of the requirement to annually file a financial disclosure report with the National Archives and Records Administration's Office of the General Counsel. The same form of financial disclosure is used throughout the federal government. OGE Form 450 satisfies this reporting requirement. A member of my staff should have already reached out to you asking for it. If you have any questions, please let us know. All right. We've had a few changes to the NISPAC membership. We'd like to welcome our two new industry members, Greg Sadler and Dave Tender, replacing Dan McGarvey and Dennis Ariaga. Mr. Jim Anderson, the alternate with the Army, also recently departed. For those departed members, thank you all for your contribution over the years. We look forward to continuing the work you've done with the new representatives. I would also like to call out one person in particular who was on her last NISPAC meeting before retirement. While Valerie Heil was never an official member, she has been an integral part of the NISP community. Her sponsorship to the NISP has been unwavering. Thank you for your dedicated life-long service and may you have a safe and enjoyable retirement. The administration is beginning the process to update Executive Order 13526, Classified National Security Information. A lot has changed in how the government works since it was signed in 2009. If you have any recommendations on how you can update it, we are interested in hearing your input. We're asking you submit your ideas via the survey. Please remember to put your name and email address with your input so we can reach out to you.
Once the results of the survey are received, someone on my staff will reach out to you to discuss your input. I also want to provide everyone with our agency's COVID update, meaning National Archives. We're still operating under COVID conditions. All but a few members of my staff are operating under 100% telework still. We have buildings across the country that are in various stages of reopening. We'll keep the NISPAC informed if there are substantial changes in ISOO's operations. Right now we're allowed to have about 25% of the staff in on any given day. We're kind of like a baseball team alternating pitchers and bullpens. Anyway, we're still mostly living in this world. Greg Pinoni, ISOO, will now address the status of action items from the April 14, 2021 meeting. Greg, all yours.
Good morning, everyone. Greg Pinoni, ISOO. Thank you, Mark. So just a couple of things. We actually, from the last meeting, we have the minutes. They were finalized July 13 and are posted on the ISOO website. And for the first time in a long time, as long as I can remember, there were no action items from the last NISPAC meeting. There are some things we can talk about later in the meeting. One thing I'll mention now, though, we recently posted a blog and then updated that blog. It's a little bit of a complicated matter, but it has to do with the delivery, sending classified information via overnight delivery. And as you know, that is addressed in both the NISPOM, the rule itself at 117.15(f)(3). It's also addressed in the National Policy Directive to the NISPAC, excuse me, the 32 CFR 2001, the National Policy Directive for the CNSI program. And so we did update the blog. The one thing I want to stress is this is only pertaining to classified information. So we're not addressing unclassified or sensitive information.
But GSA is the mechanism mentioned in the 32 CFR as far as utilizing agency heads, when necessary for overnight delivery, authorized to use the current holder of the GSA contract for overnight delivery. Like I said, it's a little bit complicated. What we learned recently was that GSA removed UPS from what they call their multiple award schedule. So this impacts orders or blanket purchasing agreements that an agency had placed with UPS. But agencies are still authorized to use UPS under another valid government contract. And what we learned was, and that's DOD USTRANSCOM, the Next Generation Delivery Services program, apparently GSA, not apparently they did, delegate the use by U.S. DOD Transcom the overnight for small parcel deliveries. So it has contracts with UPS and FedEx that satisfy the requirements of the 32 CFR. And I just wanted to make that clear and go look at our blog that was updated just recently on October 21, 2021. And feel free to contact us at ISOO if you have any questions about that. So with that, just mention also our NISPAC charter was renewed as is required, which brings us, takes us to September 30, 2023. So with that, unless any members have any questions, I'll turn it back over to you, Mark.
Sure. Thanks, Greg. I just want to introduce our speakers for updates. Ms. Heather Sims, the NISPAC industry spokesperson, will provide the industry updates. Heather, floor is yours.
Thanks, Mark. Good morning. I want to express my gratitude for the opportunity to represent cleared industry on NISPAC. It's certainly been a busy year with many policy changes to include the new NISPOM implementation, what we're dealing with right now with COVID mandates throughout industry, and the continued persistent threats to national security and the National Industrial Security Program space. But I'm confident that cleared industry has stepped up to meet those challenges.
Today, I would first like to take the opportunity to thank the outgoing industry NISPAC members, Mr. Dan McGarvey and Mr. Dennis Ariaga, for their selfless, unselfish dedication of volunteers over the past four years serving on the NISPAC. Their efforts have not gone unnoticed. And that also brings me to the newest members. We'd like to welcome Mr. Greg Sadler and Dave Tender, who have already demonstrated an eagerness and enthusiasm to hit the ground running. Their inputs will surely take industry, the industry NISPAC team, to the next level. The industry NISPAC members are eager and excited to represent cleared industry for the next year on a variety of NISP engages. Excuse me. Industry would like to extend our congratulations to Valerie Heil on her retirement. A thank you is just not enough to show our gratitude for all your years of service and partnership with industry. The industry NISPAC members cannot do it alone. The industry associations have also been working diligently on a variety of topics, both independently, collectively, with industry NISPAC members. This past year has moved industry one step closer to truly uniting and moving closer to our larger NISPs concerned for. The industry NISP partners are much stronger united than operating independently. Industry continues to increase their engagement and collaborations with a variety of government agencies in their quest to be more actively involved with our national security partners. Thank you to the DCSA director for recognizing the efforts of cleared industry with the release and implementation of 32 CFR Part 117, otherwise known as the NISPOM. Actually within DCSA over this past year, collaborative efforts overall continue to improve. Of note, Mr.
Keith Minard's efforts with producing and providing industry with a NISPOM cross-reference tool, offering several webinars, and providing clarification to many of industry's questions about the SEAD 3 industrial security letter has been a great source for industry success in implementing new requirements. We understand there's even more supported efforts from this office to further a better understanding of the NISPOM requirements. Also, of note, Mr. John Nasty has been instrumental in incorporating industry's inputs and foreseeing operational impediments to implementation of the contextual, controlled unclassified information with industry. His working group has been a great demonstration of the work that can be accomplished between industry and government or working collectively and coactively for a desired shared end state. And I would also be remiss if I did not talk about the exceptional work that has been done by DCSA on improving the personnel security mission over these past couple years. The background investigation mission, continuous vetting, and adjudication is a great example of process improvement. We've come a long way from the days where a day didn't go by where there were constant issues and complaints with the investigation timelines. While there's still some work to do on other portions of the personnel security reform, personnel security investigation and adjudication timelines should be a shared success story. The industry NISPAC has identified some other areas where timelines and process transparency could be improved to better national security. Lack of formal adjudication standards, process transparency, unrealistic process time and system workflow issues could create unintended risk. This is evident in the current facility clearance process. The industry NISPAC will be working with DCSA on a working group to discuss the issues we're experiencing, hopefully reducing the risk that we're currently seeing in the process.
Industry NISPAC members along with the MOU industry and association members will continue to work tirelessly, fostering those relationships and building trust to bridge those gaps between government and industry. The future looks bright with the enhanced collaboration, but we still need to work on proactive communication on any new processes, procedures and policies. Often industry finds out about new requirements after the fact or sometimes by accident in one of the NISP systems. Industry NISP priorities do evolve based on evolving threats, changes in the CSA's processes and other unforeseen reasons. Well, one thing's for sure is industry does adapt. Better communication could help resolve knee-jerk reactions and lead to better implementation. One success story is PAC PMO's continuous engagement with key strategic industry members and Trusted Workforce 2.0. I mentioned during our last public meeting that the efforts to understand potential impacts to industry proactively was key. And PAC PMO continues to engage industry to discuss this on a reoccurring basis. Those continued efforts are certainly needed and appreciated. The risk management framework process continues to be a challenge for many cleared companies. Inconsistency throughout DCSA on approvals and systems shutdowns prevent delivering customer products. The problems have been discussed for many years, but with a new NAO, Mr. Dave Scott at the helm, he's making great strides to develop process transparency, increasing his engagements with industry to hear their concerns, propose improvements and truly listen to industry's feedback. Industry is certainly looking forward for great results from Mr. Scott's efforts. One year ago, industry was preparing to make the transition from JPAS to DISS.
While the transition did not go well, there were a lot of valuable lessons learned and captured that we're hoping to use to prevent further occurrences within the industry having to populate, correct or validate data in future government systems. As the government is moving to roll out NBIS, industry is encouraged with increased engagement. Industry would like to extend its appreciation to Mr. Sheldon Soltz from DCSA for his efforts of truly partnering and listening to industry's concerns during the JPAS to DISS transition and continued efforts as we move forward with NBIS. Congratulations to Sheldon on the impending retirement. Best of luck in your future endeavors. We still have quite a bit of work to do in this, but we commend Mr. Jeff Smith from DCSA with working more closely with industry, listening to concerns and the recommendations, and developing a more realistic implementation strategy where cleared industry is not an afterthought. While we know this is not an easy, by any means, and many pain points towards this, there are glimmers of hope we have to fully operationalize the system to meet all stakeholders' and customers' needs. With continued engagements, with shared respect between government and industry partners, we can strengthen our NISP, protect our economy, and continue our war-fighting competitive advantage over our adversaries. With industry, we can help ourselves by continuing to unite, order industry priorities and government partners at the strategic level, understand we're better together than simply on our own and individual company interests. But most importantly, we need to stay informed, stay connected, and stay engaged. I thank you once again for an opportunity to speak on industry's behalf. Thank you, and have a great day.
Thank you. Does anyone have any questions for Heather before we can move on to our next speaker? All right. Next, we're going to turn to Mr.
Jeffrey Speninger, the Director for Critical Technology Protection for the Office of the Undersecretary of Defense for Intelligence and Security. He will give the update on behalf of DOD as a NISP executive agent. Jeffrey, floor is yours.
Thank you very much, Mr. Bradley, and good morning to everyone. In preparing for today's meeting, I re-read Executive Order 12829, mostly as a means of reminding myself of the NISP's purposes. If you'll indulge a brief quote, to safeguard federal government classified information that is released to contractors, licensees, and grantees of the United States government, and to do so, quote, as a single integrated cohesive industrial security program to protect classified information and to preserve our nation's economic and technological interests. Close quote. These meetings and their formal and public nature are very beneficial to the accomplishment of both of these purposes. They draw each of the CSAs and industry together, establishing both the opportunity and candidly the obligation to share and receive updates publicly. They are important. Last year we came together and all voting members, including me, voted to reduce the number of public meetings, deferring instead to work groups. Looking back at this past last year and thinking of the years ahead, it's worth considering revisiting our collective decision in order to assure we're on track in fulfillment of those enduring NISP purposes. Next, I'm sure by now you all are aware of the NISPOM as a federal rule that has been published and contractors had to comply by August 24th of this year. In its short time as a rule, we've experienced the need and exercise of the process to publish an amendment to the rule on August 19th in order to defer reporting and pre-approval of foreign travel associated with SEAD 3 for contractors under DOD security cognizance for a year to August of next year.
This amendment is to allow DCSA time to make adjustments to its IT system of record for receiving and processing from industry of those foreign travel reports. As the rule has gone into effect and the compliance date has passed, DOD has canceled the DOD 5220.22-M manual NISPOM. In fact, I'm pleased to announce the cancellation was officially signed yesterday, 26 October 21, and we should anticipate DOD's Washington Headquarters Service will shortly update its issuance website adding a note and link to the NISPOM federal rule in place of the DOD manual so that people know that the NISPOM hasn't gone away. They just need to access the link to find the rule at Part 117 of Title 32 CFR. DOD is presently working on the second amendment to the rule to address the public comments received when the rule was first published back in December of last year. Although we do not have a formal timeline, the second amendment will also go out for public comment to give those interested a chance to review and comment on resulting changes to the rule. I'm pleased to follow up on the brief overview of ARLIS provided during the last public meeting to let the NISPAC know that DOD sponsored a project with our University Affiliated Research Center. And I should have said earlier, Applied Research Laboratory for Intelligence and Security. ARLIS, for those who are not familiar, we asked ARLIS to undertake a pilot for cleared industry direct use of classified cloud services. Operating under the premise straight out from the DOD's cloud strategy, which states in part, quote, cloud is a fundamental component of the global infrastructure that will empower the warfighter with data and is critical to maintaining our military's technological advantage. We put that in terms of the NISP.
DOD and its cleared defense contractor supply chain needs to leverage and promote the use of cloud-based resources at all levels of classification in order to create efficiencies across the enterprise and to benefit from the power and security of collaborative and distributed computing. The adoption of cloud and eventual replacement of legacy classified systems, certainly an aspiration at this time, but something we should be thinking of nonetheless, in industry will provide immeasurable benefits with respect to oversight, security monitoring, and threat mitigation. Despite the department's general recognition of the benefits of cloud use, no contractor has yet been successful in establishing a classified cloud system from a cloud service provider directly with a cleared contractor. To address this challenge, we asked ARLIS to leverage its own subject matter expertise, working with cloud service providers and substantial support from participating contractors, DISA, excuse me, the Defense Information Systems Agency, Defense Counterintelligence and Security Agency, Office of the Chief Information Officer, and other government contracting activities to observe several pilots that set out to demonstrate how a NISP contractor can, under current policy, leverage classified cloud services. I'm pleased to report that ARLIS has developed a vendor-neutral playbook describing a process to connect DISA's and DCSA's current process guides, including Widering Network Connection Process, Security Requirements Guides, and Security Technical Implementation Guides, Accreditation, and Authorizations to Operate, and architectural considerations. Through this process, we've also uncovered a number of challenges that make the process possible, although arduous.
With this in mind, ARLIS has made a series of recommendations on requirements, authorities, process and policy guidance, and framed critical questions for legal interpretation to assist DOD in developing a repeatable process that allows for broad use of classified cloud by NISP contractors under DOD cognizance. There is a lot more work to be done on different cloud-based scenarios, contractor solutions, and mission requirements, but this project clearly demonstrates how we can use research to work and solve tough security problems, which is one of the value propositions under which we sponsor ARLIS. We look forward to continuing to pursue this and future challenges that bring us right back to those two NISP purposes I mentioned in my opening. Next, with an eye on the importance of implementing controlled unclassified information in the DOD's program throughout the department, I would like to provide a snapshot of DOD's current implementation efforts. With continuing thanks to the outstanding team at the Center for Development of Security Excellence, DCSA made DOD's CUI training available in October 2020 via DOD's CUI public site, which is dodcui.mil, if you haven't been there. To date, just shy of 2 million personnel have successfully completed CUI training. DOD components are in the process of implementing DOD policy requirements to safeguard CUI, and as a function of that, we anticipate the requirements will flow down to the NISP through contract requirements. Additionally, we are pleased to note the open lines of communication between DOD and the Office of the Director of National Intelligence and look forward to working collaboratively with ODNI on how the IC undertakes to implement the CUI program.
Pivoting to efforts underway to enable supply chain resiliency, DOD, specifically DCSA, will be required to expand its FOCI, foreign ownership, control and influence, assessments to companies that do business with DOD via contract or subcontract worth more than $5 million in accordance with language in the FY20 National Defense Authorization Act. Section 847 of that act requires a FOCI assessment and mitigation of risk of covered contractors doing business with DOD. The draft DOD instruction provides procedures for DOD to implement this requirement and is currently in coordination. Once the instruction is promulgated, the Office of the Under Secretary of Defense for Acquisition and Sustainment will develop and publish a DFARS clause in collaboration with OUSD(I&S) and DCSA addressing Section 847 requirements. Mr. Bradley, I have two more points. Echoing your remarks and also those of Heather's, I'd like to take a moment to acknowledge the outstanding career and accomplishments of Valerie Heil. Her official biography states in part, quote, she develops and oversees industrial security policy and its implementation in the Department of Defense. In that role, she serves as the subject matter expert for the National Industrial Security Program as well as DOD's issuance and maintenance of the NISP operating manual, now 32 CFR Part 117, for the proper protection of classified information by contractors. Close quote. I think all in attendance today know Valerie does so much more than that. For more than 40 years, Valerie has cultivated knowledge and expertise of the NISP, the likes of which I don't think any one or some of many in attendance today could hope to match.
Her outstanding efforts, initiatives, expertise and guidance drove the development and approval by OPM of an exception to the President's direction that federal regulations issued between 6 November 2020 and 20 January 2021 be rescinded, almost single-handedly validating years of personal and collaborative efforts to revise and issue the now-issued federal regulation for the NISP. And directly contributing to strategic and operational successes supporting U.S. national security, the warfighter and the nation's industrial base for a lasting influence on this transformation in continuing support of those enduring purposes I mentioned previously. Since 2009, Ms. Heil's collaborative acumen and initiative and unmatched expertise crossed organizational boundaries and leverage also when needed and overcame administrative challenges to meet the objective requirements of the NISP and uniform exercise of NISPOM authority granted to the Department of Defense by Executive Order 12829. Her professionalism and steadfast commitment to foster an environment of trust and teamwork with peers in the department, across the executive branch and with industry leaders to accomplish the important mission of industrial security has created an atmosphere of cohesive partnership to strengthen the NISP for many years to come. Mr. Chair, public recognition at a virtual conference can be a challenge, but I'd ask all in attendance to offer a round of virtual applause. We can all envision an NCAA football game-sized crowd applauding Valerie for her outstanding career, mentorship, and friendship. Yes. Finally, as our last topic, we would like to discuss an issue that's been on our radar for a while regarding joint venture companies and facility clearance requirements. There is a provision in the FY20 NDAA section 1629 that states that if both entities that form the JV are cleared, the JV company itself does not need a facility clearance.
There is also similar language in a Small Business Administration federal rule published late last year. We are working on updating DOD internal policy to reflect the legislation and address the conflicts it poses with current NISP policy. But in the meantime, Air Force has encountered a couple of challenges surrounding solicitations for classified contracts, which Ms. Jennifer Aquinas from the Air Force will now address in more detail.
Thank you, Jeff. I appreciate the opportunity to comment on this issue. This is something that impacts all of us in DOD, although the Air Force seems to be feeling the effects most significantly so far. The Air Force recently released a solicitation for a classified contract, and one of the bidders was an unpopulated joint venture whose member companies hold facility clearances at the level of contract performance. In accordance with NISP policy requirements, we indicated a need for the joint venture itself to be cleared in order to access classified information in support of our contract. But due to NDAA language, the joint venture protested and GAO sustained it in favor of the joint venture. In other words, the GAO stated that since both members of the joint venture are cleared, requiring the joint venture to hold its own facility clearance is inconsistent with statutory and regulatory provisions. The Air Force must now find a way to comply with the NDAA until the policy and regulatory issues are resolved. Doing so directly conflicts with the NISP requirements, and there's no precedent for this. We're working against the cost of finding a solution that mitigates the security risks, ensures classified information is adequately protected, and supports uninterrupted mission performance. It's been quite an effort, and we wanted to bring this up in the public forum since we anticipate it impacting not just the Air Force solicitation of contracts, but those across the department.
I'm also interested in hearing from ISOO how they propose to resolve the regulatory conflict between the Small Business Administration and the NISP rule.
Mr. Chair, Mark, this is Greg Pinoni. If you'd like, I can address this a little bit at this point. So thank you both, Jeff and Air Force, for bringing this matter up. As you know, we are aware of it. We've been actively working with both DOD and the SBA. We acknowledge that the SBA rule appears to eliminate the requirement for a joint venture to have an entity eligibility determination, EED, if the entities making up the joint venture already have EEDs themselves. However, this interpretation of the regulation's language is not actually what the regulation intends, and it would, as noted, contradict NISP requirements. We will be issuing an ISOO notice. It's taken a little longer than I would like, certainly, but, you know, we're having to coordinate it with SBA as well as with DOD to clarify the joint venture EED requirements. So work in progress, not quite there. I hope to have it out very soon. Over.
Thank you, Greg. Jeff, is there anything else from the near side? No, sir, that concludes my remarks today. Thank you very much for the opportunity. Sure, Jeff. Just one question for me. Are you suggesting that we should go back to three NISPAC meetings a year? Well, you know, sir, taking advantage of the fact that we're virtual and Keith Minard can't throw anything at me. I do think it's something beyond a consider. Yes, sir. I know it puts a lot on your staff to do, but the public nature of this, you know, kind of repeating everything I said before. I think really empowers us for many of the changes that we need and also becomes that framework for that communications that Heather mentioned also in her remarks. So I think it's definitely worth considering, sir. Okay. No, I mean, I agree with you. And Greg, how should we go about that? I mean, the last time we took a vote, I mean, this is just information today.
So I mean, I don't want to vote right now, but how should we...

So, Greg here, Pannoni, ISOO again. You know, the option is really, I suppose you could take a vote or you as the chair could, you know, unilaterally declare that we need to go back to three meetings. That's, I believe, in the past, how it was done by a former chair, because as you may know, there was a time where we only had, like now, two meetings a year and somewhere along the line in 2007 or eight, we started to go to three. I frankly agree with Jeff. I think there's so much going on that three meetings is necessary. Well, it would be better. It would be more efficient to allow the public dialogue and exchange among all parties involved.

Well, let me ask this question. Is there anybody who objects to moving to three a year? And I throw that out, you know, to the audience itself. I mean, the industry members and government people.

Mark, this is Heather Sims from Industry. While we don't object, I think the intent was to have more working groups so we could actually get to resolution to some of the issues that we bring up. So, I'd like to see that happen as well so we can actually get to resolution to some of the issues.

Tell you what I'm going to do. I'm not going to rule on it today, but I will rule soon. I mean, you're absolutely right, Heather. I mean, we need to make sure that I've got two concerns to address. I think Jeff is spot on, you know, a lot's going on and these meetings are very helpful. But you do too in the sense that I want these working groups to continue as well. So let's just defer this for just a short bit of time and then I'll make a decision on it. Okay. With that, let's hear from Mr. Keith Minard, Senior Policy Advisor, Critical Technology Protection, of the Defense Counterintelligence and Security Agency, DCSA. Keith.

Thanks, Mr. Bradley. Good morning, Keith Minard.
Today I have a few updates on the COVID mission operations, the NISPOM implementation, the new security review model. And we also have an update from our DCSA Chief Strategy Office on the regional realignment that just recently came out. Some of you may have seen this article on the website addressing the realignment. Just as a note for awareness, October 1st was the two-year mark since the Defense Security Service, the National Background Investigations Bureau, and the DOD Consolidated Adjudications Facility were consolidated into the Defense Counterintelligence and Security Agency. And I would like to note, as you mentioned, and Mr. Spinnanger mentioned, before I go on, the staff at DCSA would like to thank Valerie Heil for career service to the NISP. And on behalf of the staff at DCSA, thanks Valerie and enjoy retirement.

So the first thing we'll actually address is COVID operations. This will be brief. It continues the way we've been doing the last 18 months. As with our previous NISPAC updates on COVID operations, DCSA industrial security field personnel continue to manage employee work locations based on COVID levels. This includes planning and conducting on-site assessments. Later on you'll hear from David Scott, who will address COVID-specific operations related to our ISSPs and ATOs during the DCSA update for the NISP working group later on the agenda.

What I would like to start off though with is the NISPOM rule implementation. There's been a lot of discussion already on this in this session of the NISPAC, but the NISPOM, in regards to the NISPOM rule, the last eight months have been a very busy time for both cleared industry and DCSA critical technology protection directorate. I would like to start by mentioning that our industry partners, as Ms. Heather Sims said, under DOD cognizance were sent a letter from Mr. Lietzau, the director of DCSA. The letter addresses industry's significant efforts and teamwork that occurred this year in implementing the rule.
As the director stated in his letter, industry's collaborative approach towards meeting implementation deadlines has set the stage for success. And the results will be strengthening of our ability to protect classified information and technology under the National Industrial Security Program.

So a few notes on how we got there. In addition to the work that industry has accomplished in implementing the NISPOM rule, several actions were taken by DCSA and in many cases in partnership with industry to enable implementation of the NISPOM rule. The first was the establishment of a NISPOM rule webpage to provide a central source of information. The production of the Get Ready for the Rule video, which provided cleared industry with a brief overview of what to expect and how to prepare. The deployment of a cross-reference tool that allowed those familiar with the DOD NISPOM manual to more easily find similar portions in the NISPOM rule. As a note, the tool has been revised to address some minor changes and reposted on the CDSE website. Planned and executed seven NISPOM rule related webinars, three hosted by NCMS and four hosted by DCSA, with a total of 8,400 attendees. This gets a little bit better. The SEAD 3 webinar alone had 2,781 industry attendees. The seventh is being hosted by NCMS this afternoon, and it's a repeat of the SEAD 3 webinar we hosted this summer. With this afternoon's webinar, we'll be getting close to the 10,000 mark of industry attendees at the NISPOM rule related webinars this year alone. So we'd like to reach out to industry members out there and partners about their attendees' events. It really showed a lot of emphasis and importance of us, these things that we have going on.

The Senior Management Official Webinar was another success with many of your SMOs in addition to FSOs and security staff in attendance. The Senior Management Official Webinar served to advise senior management officials of their responsibilities.
It was short and focused, around 19 minutes, because we wanted to take into account executive time. And the product was recorded and is available like many of our other products on the NISPOM rule webpage.

One thing we did do differently this time around, lessons learned from 2016 with Insider Threat, is we started to utilize new formats for information. This time around, we have three audio shorts and accompanying slides for communicating specific NISPOM requirements. We are looking, as we move forward, at learning from this communications strategy we had during the NISPOM rule to begin what we'd like to call maybe a NISPOM talk, short host-guest style recordings to address key industry issues and information for industry. To date, our audio short recordings for the NISPOM rule included SMO responsibilities, a short overview of the rule, and most recently, we released UL 2050 IDS certification changes. It's about six minutes long and it talks about the changes to the NISPOM rule.

Our most recent event webinar was actually held jointly with NISPAC industry members and addressed SEAD 3 with questions and answers. Stay tuned. We're updating our FAQs on SEAD 3 and the recorded webinar we posted to our webpage. The last thing related to SEAD 3 is we created a desktop tool to help industry better find the sections of the ISL, the tables, and also the reportable sections of the SEAD 3 itself to better enable reporting activities. It serves as a quick reference guide and can be kept on your desktop.

One of the things I would like to ask, Mr. Chair, in regards to SEAD 3 as well, while the NISPOM is newly implementing the SEAD 3 requirements as the federal executive branch has done over many years since 2017, it might be wise that we ask ODNI in an upcoming event for the NISPAC to talk about challenges, best practices, and outcomes of SEAD 3 implementation in the federal executive branch so that we can make sure we can use lessons learned as we move forward for those things. As Mr.
Spinnanger noted, there's an amendment to the NISPOM rule which extended the foreign travel. We're monitoring that and we'll keep industry informed as we move through the process. But I would note that DCSA will not begin oversight of SEAD 3 requirements in our assessments until March 1st of 2022. That's actually addressed in the NISPOM ISL. If there are any other CSAs that would like to discuss lessons learned on the SEAD 3 implementation under DOD cognizance, please let us know. We can also share our products with you.

We know that we need to continue to address industry's needs for tools and resources to continue this effort on the NISPOM rule. We look forward to working with industry later this fall to identify those needs. We've already had engagements with Ms. Heather Sims on planning that effort. Again, I would like to acknowledge the efforts of cleared industry under DOD cognizance on their implementation of the rule, and special thanks to those NISPAC industry members who played a crucial role in the coordination efforts. I would be remiss if I didn't acknowledge the DCSA team and my own staff in the CTP policy division for the work they did in supporting this effort. Without them, we would not have gotten where we're at now.

So my next update is on the security review model. The DCSA website has a posting on the new security review model. It became effective September 1st. DCSA is following that model now in the conduct of our reviews. We would like to offer, while there's been several webinars for industry, we would like to offer to NISPAC MOUs and members, if they'd like to schedule specific updates on an additional webinar, please let us know. We can help with coordination on that.

I've got two more topics and I'll turn it over to Dusty on our regional realignment. But on the National Background Investigation Services, or NBIS, DCSA will be onboarding industry over the course of FY22.
We are updating our DCSA website with additional NBIS information to keep industry informed. And we'll make sure we push additional information as we have it ready for the DCSA website to the NISPAC industry members for future effective communication.

I know one of the questions we had during the clearance working group was about the key leadership in DCSA. I would point people to the DCSA website. The page now under About Us and Leadership has well-rounded, updated pictures and areas of responsibilities of our key leaders in DCSA. You can find that on our website. Later, you'll receive an update from Ms. Heather Green on background investigations, adjudication and VRO updates, and Mr. David Scott on DCSA's classified system authorization during the working group update.

One of our last updates is that DCSA has recently undertaken a regional realignment of its field operations. I would like to pass you over to Ms. Sarah Coonan who will talk about this with you. And we'll take any questions on our portion of this after Ms. Coonan provides the update on regional realignments. Ms. Coonan?

Thank you, Keith. Good morning, everyone. My name is Sarah Coonan and I'm from DCSA, and I'm going to discuss DCSA's new field structure. You should either see on the screen or you should have been provided slides regarding the DCSA regional realignment, titled Field Transformation. So, effective October 1, DCSA implemented new regional boundaries for its background investigation, critical technology protection and counterintelligence missions. The new structure merges the existing field mission areas into a consistent four-region structure that includes western, central, eastern and mid-Atlantic regions. Legacy NBIB and DSS agencies operated with different regional boundaries, and this change once again creates consistency across the DCSA enterprise. And on this slide you should be seeing the map with a legend of the various regions that were referenced.
This new structure balances each mission's regional workload and supports information sharing, coordination and cultural integration across the DCSA enterprise.

Moving to the next slide. We want to emphasize that these changes will not change the mission requirements and business practices. Those standards are all the same. Stakeholders, federal and industry alike, will not experience an interruption. The only real impact for stakeholders involves some point of contact updates. For example, if a DCSA point of contact was changed for a cleared contractor, your relevant ISR, CISA or ISSP should have contacted you earlier this month or last month to facilitate a seamless transition to your new point of contact. And just a note from this change for industry, only about 5% of our cleared contractor facilities will experience a change in their field office as a result of this realignment.

In terms of next steps for field transformation, we are currently working through regional headquarters locations and organizational structure updates. You can find the updated regional structure alignment on the website, as was previously mentioned, the DCSA.mil website. And we will share more about field transformation as future changes occur. With that, Keith, I'll turn it back over to you to open it up for further discussion. Thank you.

Thanks, Sarah. That's all we have at this time, subject to your questions.

Just a quick question, Greg Pannoni, ISOO. I see there's an absence of any international coverage in terms of the regional structure. Is there any intention of DCSA to establish any sort of international presence or is it already being done through this existing integrated DCSA field structure?

I'd have to turn over to Sarah Coonan, but from an operational perspective, we're managing international requirements right now out of our regions and out of CTP headquarters for those types of things. In CTP, we haven't discussed any change related to that from an operational perspective.
I can't speak to the long-range intent of DCSA. Sarah, is there anything related to that?

Yeah, thank you, Keith. So you covered CTP accurately. Thank you for that. In the background investigation mission, it is similar. The international group still works with these regions as they will be aligned, but is a BI headquarters function and is remaining that way. So at this time, the international presence will sort of remain how it is based on those headquarters functions. And in the future, we may assess if there is a more logical organization for that. Thank you.

Mr. Pannoni, anything else?

No, thank you. Appreciate it.

Not a problem. Thanks.

Anyone else have any questions for Keith? Okay, hearing none. Thank you so much, Keith, and DCSA for the thorough briefing. All right, next we'll hear from Ms. Valerie Kerben, Senior Security Advisor, Special Security Directorate, National Counterintelligence and Security Center, Office of the Director of National Intelligence. Okay, Valerie, the floor is yours.

Hi, good morning. Thank you, Mr. Chair. It is always a pleasure to be here with you all today, and I also hope that soon we could do this in person. It's always nice seeing everybody out there. I'm just going to give you some updates from the ODNI perspective, our COVID operations, Trusted Workforce updates, and what is happening in our space.

So from the COVID perspective, ODNI has totally reconstituted its workforce. We are operational. We are following all the new federal rules for safety, and mask mandates in the building, temperature checks, and the like, are in all of our spaces. And we are holding most meetings virtually, but there are some visits to our building. But otherwise, we are fully operational.

I believe that since the last time we met in April, we've had a new Principal Deputy Director of National Intelligence. Dr. Stacey Dixon was nominated and confirmed. She has been briefed on Trusted Workforce, is behind the effort with the DNI, and will be the PAC champion.
She's quickly taken an interest in all of our work, especially the work we are doing with industry. And is very interested in personnel vetting clearance reforms and looking forward to championing these efforts to improve timeliness and mobility.

So also, there's been a little shift in organization within the National Counterintelligence and Security Center. Our Scattered Castles program and our continuous evaluation systems have been moved to a new directorate. We created a Mission Capabilities Directorate. So all of the kind of shared services that we are providing to the community have been organized into a new directorate for more focus and efficiency. Also, the National Insider Threat Mission, which, as you all know, has its own existing authorities. They were kind of a solo office within NCSC. But because their connections with the community, as you know, have morphed with helping industry and state and local, there's a large presence to help our CI and federal partners, and coordinating with the Trusted Workforce vetting missions. So this new directorate is called the Enterprise Threat Mitigation.

So let me give you some more updates on Trusted Workforce and where we are. And I know you'll be hearing a lot from DCSA on enrollment and Trusted Workforce. And I do want to say there's been great success from DCSA with helping agencies get enrolled in Trusted Workforce. As you know, the executive agents are diligently working on all this policy within Trusted Workforce. And it is wonderful to see how DCSA and other ISPs are implementing those policies that have been so far put into place. But NCSC, along with OPM and the PMO, is tracking agency implementation of Trusted Workforce, the transitional states that we've put into place. We sent out an advisory to our departments and agencies council, the SAC, with a reminder of all the milestones.
And most agencies have done very well with their implementation of either coming to DCSA for the Trusted Workforce 1.25, or coming to DNI for those data categories for 1.5. All this was explained in the January 15, 2021 joint executive agent correspondence, explaining how we shifted into Phase 2 of Trusted Workforce, the whole policy development of implementation for the new government-wide approach. The ultimate goal of transitioning now is getting the national security population into a continuous vetting capability, which will satisfy that traditional periodic re-investigation process.

The timelines that we had set up: September 30, which we just passed, departments and agencies must enroll at least their national security population in at least a 1.25 capability. As we know, this service was created for DCSA's customers. And as far as we know, recent numbers are showing that a lot of people are enrolled, a lot of agencies are enrolled, and it's good progress. The next date we are moving towards is September 30, 2022, where departments and agencies must enroll their full national security population in the 1.5 capability. So we're moving towards that, and all working together.

There are continual updates within the government agencies. We have the Trusted Workforce agency group meetings. And also the executive steering group continues to meet regularly to ensure decisions are being made as we move towards the rest of the level of policy documents.

But the next level I'd like to discuss is the federal personnel vetting guidelines. These guidelines will be for departments and agencies and showing them how to implement some of the outcomes that we're looking towards. So as you recall, the federal core vetting, the federal vetting core doctrine was put into the Federal Register, and that was published in February, where it was the overarching philosophy and the guiding principles. So if you haven't reviewed that, I do encourage you to see it and understand our direction.
So the guidelines have been vetted informally with departments and agencies, and I believe the PMO has also shared it with some of the NISPAC members. So that is currently in coordination with DNI and OPM for signature and issuance.

We've also been working very hard the past couple of months on the development of the investigative standards. I believe you all have heard that we will be realigning the five tiers into three tiers. And the standards and their tendencies are being reviewed now by departments and agencies, and they'll be back and forth adjudication with them, as well as, of course, the ISPs. We're also working on an implementation strategy for departments and agencies, and that is also being coordinated for the community. So agencies will understand what they need to do to change some of their policies and procedures, and also there will be some milestones in there for us to be tracking.

As we mentioned, as I mentioned in April, NCSC has released that statement regarding COVID-19 and how mental health stressors should not impact national security eligibility and determination. Counseling and undergoing treatment as a result of COVID or the associated stressors should not in itself be considered negative or disqualifying when rendering an eligibility or access determination.

As Heather said, there are ongoing discussions with the PAC PMO and also NCSC. We continue to have those discussions too with industry. We're engaged and out there with our industry partners. I know our director has been to several industry forums. So has our director, Mark Soundfelter, and we continue to work on this outreach of sharing.

I also want to thank working with Valerie Heil over the years. I know it's been a long journey with SEAD 3, but I do admire her expertise and experience, and I thank her for her friendship and work relationship on behalf of SSD and wish her very well. And also kudos to DCSA for all the wonderful things you've put together for the implementation of SEAD 3.
The toolkit is wonderful, and it's a great resource for industry. That is all that I have planned to speak today, Mr. Bradley. And if there's anything, any questions, I'd be happy to address.

Okay. Valerie, just one, going back to Keith's request. Do you have any objections to briefing at some point down the line on SEAD 3?

No, that's no objection, and I think it's a good idea. We know that we want to also host our security executive agent council meeting. But as you know, it's a COVID restriction. So we will work with you all and DCSA. We could plan something in the near future.

All right. Thank you so much for that.

Sure.

Okay, anybody? No, absolutely. Anybody have any questions for Valerie? All right. Thank you so much, Valerie, for that briefing.

Thank you.

You're welcome. Up next is Mr. Rob McRae, director of the National Security Services Division, and Mr. Rich DeJocerant, deputy director for industrial security, the Department of Homeland Security, for their update. Gentlemen, please.

Good morning, Greg. Good morning, everyone. And Mark, George, take a quick minute to provide an update. This is Rich DeJocerant. Regarding our COVID, DHS still remains largely in a posture, and we are planning on remaining in that posture for the foreseeable future, with the exception of law enforcement, border operations, and port operations.

Regarding our implementation of the NISPOM new rule, we are continuing our work with DCSA and primarily working with their personnel security team. We are continuing to implement SEAD 3 via policy development and technological resources. We are in the staffing process right now of our draft directive and associated instruction, which we hope to anticipate being promulgated by the end of FY22. We are finalizing an IT-based tool that will provide a user interface that will allow covered individuals to comply with personnel reporting requirements.
We anticipate piloting this tool at the headquarters within the first quarter of FY22, and depending on the success rate, hopefully have it implemented department-wide by the end of FY22.

I would also like to take a moment to congratulate Valerie. I wish her well in her retirement. Valerie, we never actually met, but we've had several phone calls, and you and your team have been absolutely wonderful. I came into this industrial deputy director position two years ago, and I didn't have much industrial experience, but you and your team definitely brought me along the way, and I just wanted to say congratulations and wish you well. Depending on other questions, that's all DHS has today.

Thank you, Rich. Does anybody have any questions for DHS? All right, hearing none. Next update we will hear is from Mr. Mark Hynoski, director, Office of Security, Department of Energy. Mark, George.

Thank you, Mr. Bradley, and good morning, everyone. I'll start with a COVID update. Nothing has really changed in DOE's status. We're still following the OPM guidance on maximum telework for non-essential and mission critical personnel and the associated COVID safety precautions. And that's not only here in the D.C. area, but also throughout the DOE complex.

As far as the NISPOM rule implementation, I'd just like to start with a little background specific to DOE that's a little unique. The DOE acquisition rule known as the DEAR establishes our policies and procedures for implementing and supplementing the FAR. And the DEAR requires compliance with DOE's safeguard and security directives rather than referencing compliance with the NISPOM. So DOE implements the NISPOM through a series of departmental security directives, including InfoSec, personnel security, physical security, safeguard and security planning, and our protective forces.
This arrangement allows DOE to establish security requirements for all of the assets within the department, particularly where, in addition to classified materials, our special nuclear materials that are under our control.

As the NISPOM CFR was being developed, we conducted a review of all of our relevant security directives to identify any gaps that would need to be addressed. This review actually identified the references that need to be updated to reflect the CFR instead of the manual and to include the SEAD 3 language in our directives, specifically the requirements for reporting and training. So those SEAD 3 requirements will be included in our personnel security directive, which is currently under revision right now. It's near the end of that revision, so we hope to see that published soon.

It's being developed using our directives program integrated project team approach, which is led by an Office of Primary Interest, in this case the Office of Departmental Personnel Security. But the makeup of that IPT actually includes other stakeholders, including our program offices, our site offices, and our site industry partners. They can all be members of that integrated project team. Our directives process includes a review and comment component, which makes that proposed directive available to all stakeholders, including our industry partners, to have the opportunity to comment on that draft directive. We find this approach very beneficial. It's a relatively new approach in the department. This is the third security directive that's being developed using that approach, and I think our directives are better for it.

And also in closing, we'd like to follow suit with everyone else so far and congratulate Valerie on her retirement, and thank her for outstanding collaboration with DOE over the years. I've never met Valerie. I've only worked with her for probably the last two years, and her support and collaboration with our office has been tremendous.
I'd also like to thank her for her service to the NISPAC and to the country overall. Thank you. And unless anyone has questions, that's all we have.

Thank you, Mark. Anybody have any questions for DOE? Okay, hearing none, next we'll hear from Mr. Chris Heilig, Chief of the Personnel Security Branch, and Mr. Dennis Brady, Chief of the Security Management and Operations Branch, giving the Nuclear Regulatory Commission's update. Gentlemen?

Yeah, hi. Thank you very much. This is Dennis Brady from the NRC. I'll give an update for the NRC, and then I think Chris is going to deliver the metrics for the sector.

Sure.

So the Nuclear Regulatory Commission has established a reentry date of November 7 for staff to return to the office. The NRC is committed to addressing essential work and requirements consistent with best public health practices. The health and safety of all employees, onsite contractors and visitors to our facilities remains the agency's highest priority. The NRC follows the latest guidance from the CDC for employers and fully vaccinated people based on the evolving understanding of the pandemic. The principles will be reassessed over time as conditions warrant and as CDC guidelines are updated.

For SEAD 3, the NRC has implemented all reporting requirements for Security Executive Agent Directive 3 with the exception of personal foreign travel approval. The agency has a foreign travel approval tool in development and has plans to launch the tool in mid-January of 2022. The NRC's industrial security program continues to be fully implemented with no limitations as a result of COVID-19.

I, too, want to thank Valerie for her years of service and her years of guidance of, you know, me personally and for the industrial security program in general. Congratulations, and we wish you well in your retirement. Thank you for the opportunity to present the NRC status. Are there any questions? Thank you.

Thank you, Dennis. Chris.
Did you want me to cover the metric now or later on during the working group update?

Greg, what do we want to do?

Yes, we're going to wait and do them collectively with each of the agencies.

Yep. It makes perfect sense. Okay. Chris, we'll hear from you in a bit. Thanks. We'll hear from Ms. Felicia Guest, Chief, Office of Security Policy, giving the CIA's update. And after that, we're going to take a five-minute break. All right. Felicia, please. It's yours.

Good morning. Thank you for this opportunity. Let me just say first, due to the sensitive relationships we have with industry, our comments will be brief, but we are making strides in implementation of new guidelines. And so first, I want to speak to the agency's COVID-19 status and then the NISPOM compliance as well as the SEAD 3 reporting requirements.

So regarding COVID-19 and the agency's latest status, we are following the appropriate protocols as directed by all officials. And so we are doing everything possible to ensure operational status and safety of the workforce. Regarding the status of the agency's NISPOM compliance, the changes will be rolled out shortly. We are in the process of engaging with the industry. And we will be highlighting our future industry events, such as conferences and workshops. And then finally, regarding SEAD 3 reporting requirements, we already have reporting requirements in place. And to clarify that, the information that we receive or is reported directly to the company's security officer is forwarded to us and we review those on a case-by-case basis.

Now also, we would like to take this opportunity to, although we have not had a working relationship with Valerie, wish her well in her retirement and also all good things in the next journey of her life. Thank you.

Oh, thank you. Anyone have any questions for the CIA before we take our break? Okay. Hearing none, I'm going to take a five-minute break. So let me look at my watch here. What is it, 11:18 or so?
So please, five minutes and then we can go ahead and go through the last part of our meeting and wrap things up. So I'll talk to you all again in about five minutes. Thank you so much.

Okay. We are resuming our meeting. We're now moving into the portion of the meeting where we get reports from the NISPAC working groups. However, we will not be discussing all the working groups, but we have provided slides of highlights of all of them. We'll only be discussing the clearance and NISP Information Systems Authorization, also known as NISA, working groups at this time. Greg, I'm going to turn it over to you for this.

Thank you. Good morning again, everyone. Greg Pannoni, ISOO. You've heard from some CSAs on the high-level points of what was discussed during the clearance working group that was held on September 15th of this year, things such as the SEAD 3, the EED timelines. And so I just want to mention one item that hasn't been mentioned so far. And this concerns NISP entity cost collections. This, as we mentioned at the last NISPAC meeting, is part of an overall reform effort within ISOO. As you may know, there's a multitude of reporting requirements that agencies in particular have to provide on an annual basis to ISOO. And ISOO, we embarked on a reform initiative to simplify the cost collection and other data requirements and also to try and improve upon the data that we collect as it relates to things such as self-inspection reporting data, classification activity type data. And so with respect to the NISP and its cost, everyone, I believe, is probably aware that the executive orders both for the NISP and for the classified program mention a requirement for cost collection, as well as the two applicable directives to those two orders. And so we've had a number of meetings most recently within this calendar year.
We've met with just DOD as an executive agent to come up with a consensus position about the costs that are required on behalf of contractors to implement the requirements of the NISP. We are close to then being able to reconvene with the other CSAs because we certainly don't want the application of cost requirements that contractors incur under if they're, in fact, dealing with more than one NISP Cognizant Security Agency. So that's where things stand. And then we will bring industry in NISPAC industry for input before finally advising the NISPAC chair on the way forward for collecting these data relative to cost in this case that are incurred for implementing the requirements of the NISP by contractors. One other item I want to mention before we move into some of the metric data. We also heard from the Underwriters Laboratory, also known as UL, as you know, during the working group meeting on updates that they are working on for the UL 2050 standard, intrusion detection standard for supplemental controls for safeguarded classified. Fortunately, they were unable to brief today, but we expect to ask them and InterTech, which is another nationally recognized testing laboratory that can certify you under UL 2050 to brief at our next NISPAC meeting or perhaps at our next clearance working group meeting. So with that, we'll hold questions until all of the briefers get through their metric data. So let's move on to Heather Green from, I'm sorry, we're going to start with David Scott, who will give us an update on information systems. So David, are you there? Yeah, thank you and welcome everybody. So just a couple of updates here from the NISA working group. First off, I want to, along with Valerie, congratulations on your retirement. I want to announce that the deputy NAO here for the past 11 years, Ms. Selena Hutchinson will also be retiring in December. So we wanted to make that announcement for her. 
I also wanted to give you a quick update with the region realignment, the regional AOs and where they stand. So just for clarity, the Eastern Region AO is acting still Michelle Fonville. We're still aggressively trying to fill that back fill that position for Jeff Blood, who left. Central Region AO is William Vaughn. Western Region Stacey Omo and Mid-Atlantic Region Ezekiel Marshall. So just wanted to provide that quick update for everybody. High level of metrics, which is on the slide number three, if you're following on the NISA working group slide, is we've seen an uptick in registered systems within our database of record around 6400. For the fiscal year, we've crossed just over 3,400 authorizations for FY21. And we've seen an uptick on eMASS users, a few hundred were up to about 4,000 users that we are managing within the eMASS application. Along with focusing on our inventory on our spew to assess and authorize our plan review and on-site validations, we're also putting a lot of attention on our expired systems or soon-to-be expired systems. And we're utilizing some contractors' support for that, not only with the triage, but we're going to look to the eMASS gives an automatic record at 180 days, 90 days, 60 days, et cetera, to the contractor ISSM on when systems expire. But we're also going to come up with a process improvement where we'll send an automatic message, a personal message from a contractor staff to the ISSM as an additional warning to kind of give, make sure that if there's a reauthorization activity, there's still a contractor requirement to process classified, that they get that plan as soon as possible so we can eliminate any potential downhorns. We're also going to take a look at closing out a lot of disestablished systems that are coming in and closing it on that cycle. So we look forward to this process improvement. On the next slide, COVID operational adjustments. 
Really what we're doing now is per HPCON levels and health condition levels across the country, we are going on and doing our deferred on-site validations. We have been executing those over the past few months and we're getting out there more and more. Really appreciate the industry with opening the doors and letting us come in there and partnering with us to do those on-site validations. We've been doing a lot of those over the past few months. We can still continue to have the flexibility to issue authorizations of deferring on-site as workload areas across the country. And we look forward to that. From a CCRI perspective, we are planning. We've deferred all of those CCRIs over the course of the last 18 months. And we are in talks right now with JFHQ to start getting on the books, some CCRIs in the late second quarter, third and fourth quarters of FY22. Right now, our certified CCRI reviewers are going through some virtual training and preparation for us going on-site and conducting CCRIs on behalf of JFHQ and Cyber Command. And of course, we are continuing our industry stakeholder engagement as much as possible to information share with industry and our government partners. Next slide. The triage process that I talked about at the last NISPAC is definitely improving. We had a few hiccups when we first kicked it off. We knew that we were going to have a few hiccups. This is where we have contractor staff at headquarters review the packages when they first come in from industry, try to eliminate any of those quick administrative items and make sure that the ISSP, they receive a complete package for their initial risk assessment. We've seen a down kick in the common errors, but there still are some significant issues missing artifacts and test results, et cetera. But we have seen an improvement over the past six months and look forward to continued improvement as we get used to this process improvement. Next slide. NAO, what is next? 
We're looking, what we're really focused on here, tried to implement a package workflow enhancement a few weeks ago. We're working with this, it's probably going to look in that second quarter January timeframe coordinated with industry on this process improvement. Very excited about it because it gets full accountability across the board. What I mean by that is that industry, the ISSM will see exactly where their package is sitting as soon as we make this update within the eMASS instance. Basically, the ISSM would have their own role within a package workflow. We're going into too many details here, but bottom line is it's going to give industry a lot more granular detail into where their package is and so they've got questions or concerns. They can reach out to us and we can provide that. We're also looking to provide additional job aid, some enhancements in eMASS that we've learned over the past couple of years. We've got some process improvements there. We're looking to get out to include additional guidance on security classification and how to address that using the NISP eMASS unclassified instance. We've got some guidance. We're coordinating right now internally. We'll be sharing with the NISP working group prior to publishing. The DAAPM 3.0, we are at its initial stages of trying to get an internal working group together and we know that we've got to update certain sections based on some of the things we've learned over the past year. We're looking forward to kickstarting that effort. It will be a long-term project because we want to get it right. We will be partnering with the NISP working group and look forward to what they see, what they need, any gaps within our processes and how we can provide improvements there. The NISP connection process guide is near completion. I'd say about 98% internally. 
We're finalizing one piece and hope to have that to the NISP working group for its initial coordination over the next couple of weeks and look forward to comments prior to going for official comments and publishing to industry. This is the guide that I briefed at the last NISPAC that will provide clarity and a detailed, easy how-to guide for industry and their government stakeholders if they have to have an interconnect or with contractual requirements to interconnect within the NISP. E-WAN, there is still currently a pause on new E-WAN as we are still providing additional, looking to provide additional clarity on our basic CONOPS for this program. We've got six current operating E-WAN and we've done some process improvements over the course of the last three or four months. We had a NISP E-WAN participant meeting where every industry E-WAN owner got to kind of meet with NAO and we had about a four or five-hour meeting where we just kind of talked into some information sharing. It was very beneficial for all parties and we look forward to those future engagements over the next three or four months. And then, of course, we're going to continue to collaborate. We're continuing collaboration with all NISP government and industry stakeholders and look forward to future program and process improvements. And that's all I have pending any questions. Yeah, let's do an audible and if there's questions, take them now since each of these topics are quite different. So any questions for David? Hearing none, thank you, David. We will now move on and hear from Heather Green on DCSA and their vetting statistics. Heather, who is yours? Thank you. Good morning. It is my pleasure to give you the DCSA personnel vetting update. The first slide provides an update on our background investigation activity. Regarding the investigative inventory, we are managing to stay under 200,000. We're at 177,000 currently and of this number, 28,000 are industry investigations. 
So compared to 218,000 a year ago and 291,000 two years ago, we are doing really well. Our inventory is fluctuating due to a number of variables, including COVID impacts on record providers and other data source providers and also case submissions from agencies. But the inventory is an internal metric to manage the business. What really matters is we are producing a quality product in a timely manner. If you look at the bottom of the slide, you will see a breakdown of the timeliness for industry. So T5 initials for fiscal year 21 quarter 4. The end-to-end timeliness is 181 days. And you can see the initiation and investigation and adjudication timelines broken out there as well. T3 initials for fiscal year 21 quarter 2. I'm sorry, quarter 4. The end-to-end is 112 days. And again, you can see the breakdown of the initiation and investigation and adjudication timelines there. This is an improvement from where we were two years ago, two years ago. We are at 295 end-to-end for T5 and 181 days for T3 initials end-to-ends. So the fluctuation in inventory. As with all prior years, our timeliness and case inventories fluctuate due to multiple reasons, including seasonal onboarding and hiring. However, this year has been a little more unpredictable due to some of the COVID impacts, impacting agencies. As a result of COVID unpredictable surges and occasional IT hiccups, we are seeing a gradual increase in the timeliness to close some of the impacted cases. As COVID continues, DCSA continues to maximize telework since most of our staff already works remotely and the continued use of the EA-approved alternative processes to include video interviews and telephonic interviews. Updated IT has enabled us to be 100% to do 100% online reviews, which is eliminating the need for paper files, which is also helping DCSA and our customer agencies. 
While roughly 3% of the investigations in our inventory have been delayed or placed on hold due to COVID challenges, again, those challenges would include inability to conduct some of the interviews due to COVID, restricted access to some of the criminal history records or closed employment areas or record providers. Our team is constantly revisiting each case to continue to work in closed cases as they are available. We do, DCSA remains postured and committed to mitigate COVID related impacts to both timeliness and, obviously, without degradation to the quality of our products. Next slide. So we are also staying laser-focused on all of the vetting risk operation industry functions to include the investigation submissions, the interim determinations, all of our CV enrollments and processing those incident reports. And we are balancing the timeliness of those mission items to support mission readiness. If you look at the slide here, you see that we have approximately 1 million NISP contractors. And this fiscal year, fiscal year 21, we processed about 180,000 investigation requests. 90% of all investigation requests had an interim determination made on an average within 7 to 10 days, those that qualified for the interim determination. A quick update for our continuous vetting mission. As you are aware and was briefed earlier, DCSA is responsible for the implementation of the DoD CV program. The goal was to have the entire DoD cleared population enrolled and the trusted workforce CV compliant program by the end of 2021. This does include the NISP contractors. And success has occurred. We have reached that full enrollment and we will continue to work steady state of new enrollments or any outlying enrollments moving forward. So for your awareness, enrollments will continue as follows. We are currently enrolling all subjects, post-investigation and adjudication. 
So if there are any subjects that are pending investigations or adjudications, whether they're initial or some of the PRs, they will be enrolled post that adjudication process. What we need from industry is to be responsive if you have any overdue PRs or if we request any out-of-cycle SF-86s to be submitted, our enrollment does require a minimum of an SF-86 2010 version or sooner. We also ask that you follow the guidance posted on the DCSA website. It was posted on December 2nd, CV enrollment guide, and we're going to continue to keep that updated as things continue to evolve. So what happens once you're enrolled? Post-enrollment alerts are generated based on established thresholds, which align with federal investigative standards and adjudicative guidelines. Currently, we average about a 6% alert rate. Most of our alerts, we see that trends are criminal and financial and the most common valid actionable alerts. So in just the year 21, we received approximately 19,000 actionable alerts for industry, and that was of 16,000 unique industry subjects. It is really important that we emphasize the requirement to self-report because this information that was developed through the continuous vetting program with the automated record checks should have been self-reported information. That's one of the first things that we do is we look to see if that information had been self-reported. So we really are... Our goal moving forward is to move to that culture to self-report information as early as it occurs because that early detection truly is the key to a successful continuous vetting program. Next slide. We're going to provide an update on adjudications. Although our industry portfolio timeliness fluctuates more than military and civilian populations, as a whole, adjudications is meeting all timeliness goals as set by Congress. Office of Management and Budget and the Director of DNI. You can see our current timeliness on the left side of the chart. 
The timeliness performance for initial peer background investigations remain in compliance with congressional mandates. Periodic reinvestigations consistently remain above targets primarily due to the increasing derogatory nature of the periodic reinvestigations. In fiscal year 21, adjudications completed nearly 181,000 national security adjudications for industry, the details of which are provided in the upper right hand chart with secret plans as representing the bulk of our adjudicated outcomes this year. Moving to the lower right side of the chart, denial and revocations are largely driven by incident reports, customer service requests, and continuous vetting products. The top three reasons personnel are being denied or revoked remain financial considerations, personal conduct, and criminal conduct. Next slide. Current open industry investigation inventory, I'm sorry, current open industry adjudication inventory is under 20,000 cases, which further breaks down as shown on the chart with customer service requests. Incident reports and continuous evaluations alerts representing the majority of our open inventory and is indicative of our transition to the trusted workforce model. Inventory is trending downward for industry as reflected in the lower left-hand corner. I expect inventory to remain at approximately this level with the timeliness performance stabilizing in fiscal year 22. As we move into fiscal year 22, adjudications will maintain focus on improving processes, timeliness, implementing lean sigma improvements, and increasing efficiencies as we continue to work with our colleagues in the BI and VRO to implement the trusted workforce strategy. Additionally, we are preparing our workforce for these changes. All good news from the adjudicative front, background investigation front, and DRO front. 
We're working collaboratively together to continue to improve our timeliness from the end-to-end perspective, as well as to improve the efficiencies that we are bringing to bear here as we implement continuous vetting and trusted workforce strategies. Pending any questions? I am done with our PV update. Questions for Heather? Okay. Just real briefly, Heather, thank you. A lot of success going on there. I'd like to ask two things. One, you put a lot of emphasis on self-reporting. I certainly agree with that. Is there any value to be considered to... Of course, this is supposed to be stressed in refresher briefings with all clear people, but would it be worthwhile to add additional emphasis by DCSA perhaps putting something up on its website, like the top 10 list of self-reporting items that all of us as clearance holders should be reminded that you should be reporting? So that's one item. The other... On the slide on denied revoked source, as you pointed out, quite a few of them, it looks like about 46%, and are the result of continuous evaluation, incident reporting, or customer service request. Do we have an idea as to how many of that number, that 46% of the total that are denied revoked, are actually from the continuous evaluation wherein we actually learned of this, as you point out in another slide, at a more quickly time frame than we otherwise would because of continuous evaluation, continuous vetting. Greg, yes, we do internally keep those metrics. I see what you're referring to, that 13 out of the total were related to CE, incident report, and CSRs. I just as an emphasis here, continuous vetting as you move forward, it's going to move out of simply the automated record checks, but it's also going to encompass all vetting information sources, such as incident reports. So future state concept is continuous vetting, it's going to be inclusive of automated record checks, incident reports, agency-specific information, third-party information, and so forth. 
But absolutely, we do keep trend information on that, and I think the key here is to recognize that information should be self-reported, and we certainly will look at the communications that we have out there and the training. I know that there is training available on adverse information reporting, but we certainly will look to see if there's another additional training campaign that we might be able to continue to emphasize the importance of that self-reporting, and we can move forward from there. Yeah, thanks. Yeah, no, I completely agree. This is a success, and it just drives in the point of how successful it is by the early detection of these new ways of doing continuous evaluation. So thank you for that. Yeah, absolutely. And obviously, the entire community, and SecchiA and CDA, and with our C3 and other policy requirements are certainly trying to continue to emphasize that need for early detection of potential derogatory information. The key is to get ahead of the potential threat. We want to get our personnel the appropriate help to help mitigate any issues before they continue to fester and become a larger issue. So I appreciate everyone's support. Thanks. Okay, unless there's any other questions for Heather, we're going to move to DOE for their metrics, please. Good morning, Greg, and good morning, everyone. I'm Tracy Kendall, and thanks for the opportunity to provide the DOE personnel security IRTPA metrics update. If you're following along on the slides, if you can just go to slide two. For this particular slide, DOE is currently meeting IRTPA timeliness goals for all investigations from quarter four to quarter three, from quarter four 2020 to quarter three 2021 in the aggregate. Next slide, please. For T3 initial clearances, we met our IRTPA initiation goals from September 2020 to August 2021. We met our adjudication goals eight out of 12 months from September 2020 to August 21 with an average adjudication of 20 days over those 12 months. Slide four. 
For the T3 initial clearances, we met our IRTPA initiation goals from September 2020 to August 2021. We met our adjudication goals 11 out of 12 months from September 2020 to August 21 with an average adjudication of 16 days over those 12 months. Slide five. For the T5 reinvestigation clearances, we met both the initiation and adjudication goals from September 2020 to August 2021. And slide six. The same as slide five. We met our T3 reinvestigation clearance goals both for initiation and adjudication. Thank you for the opportunity to provide this briefing and this update. So I'll be giving questions. I have nothing further to add. Okay, thank you, Tracy. Any questions for Tracy and DOE? Okay. We'll move on to NRC and the update on their metrics, please. Good morning. This is Chris Highley with the NRC Personnel Security Branch. I'm not going to go slide by slide. I'll just give you the high level gist of what's going on. In terms of initial clearance adjudication timeliness, we have slipped a little bit due to COVID. Primarily our agency has a requirement for pre-employment drug tests and those have been very difficult to schedule during COVID. But as was mentioned earlier by Dennis, we will be reopening the agency in two weeks. So I anticipate that rectifying itself and us getting back under the adjudication timeliness performance goals for the initial clearances. Reinvestigations, we are within the goals and anticipate meeting or continuing to meet those requirements. I am happy to report that we are trusted workforce 1.25 compliant and actively working towards the 1.5 goal at the end of the fiscal year. That's really all I had, but I'm happy to take any questions if there are any. Thank you. Any questions for Chris? All right. Thanks, Chris. I'm sorry. I thought I heard something. Let's move on then. Now we're going to hear from Mr. Perry Russell Hunter from Defense Office of Hearings and Appeals, also known as DOHA. Thank you, Greg. You're welcome. 
I want to start out by joining the previous speakers in recognizing Valerie Heil for many years of exemplary public service. I'm a big fan of expertise and Valerie represents the very best of that. And so thank you, Valerie. DOHA is still making maximum use of telework, except for the personnel who are conducting and supporting the in-person hearings that are a core part of the DOHA mission. We are also fully masked at all times, including at all times in the hearings. In these ways, we're maximizing safety to all involved in the hearing process and at DOHA. But leveraging telework has not affected DOHA productivity, which is in large part thanks to the great partnership between DOHA and the Department of Defense Consolidated Adjudications Facility, or DOD CAF. The statements of reasons are still going out in typical numbers, and the reviews are timely, with just over 300 statement of reasons reviews currently pending. And that number is typical. It is the typical on-hand end of month number for calendar year 2021. DOHA reviewed 1,200 SORs during the first four months of calendar year 2021. And then in May, June, July, and August, DOHA reviewed 802 draft statements of reasons. And again, the monthly numbers vary slightly, but we're current, and most SOR reviews, as we call them, are completed within the month received. However, at any given time, there may be a group of SORs for which there are requests for additional information, requests for permission to use other agencies' documents or other good reasons why a serious issue case needs work. But year-to-date, we've reviewed over 2,000 draft statements of reasons, averaging about 225 per month. And at this pace, we're on track to review about 2,700 statements of reasons for calendar year 2021. And just for context, between 2017 and 2019, you know, pre-pandemic, we reviewed a typical average of about 2,600 statement of reasons per year. 
In fiscal year 2021 just ended, DOHA legal reviewed and revised 3,021 industrial statements of reasons, which is a higher-than-average number. But the bottom line is that DOHA has kept up with all the draft statements of reasons sent by the DOD CAF for legal review, and we're working at a typical operating pace despite the pandemic. There has been some discussion in past meetings of DOHA providing statements of reasons directly to industry and tracking them. But the Memorandum of Agreement required to do this has been delayed by a number of external factors. I do not currently have a timeline for when this will be taking place. But while the pandemic was impacting the hearing process due to travel and because DOHA was having challenges with conventional video teleconferencing due to the fact that there would often not be operators available at the other end of the line where DOHA needed to reach, DOHA was able to make good use of the defense communication system or DCS throughout fiscal year 2021 to conduct remote online virtual hearings for clearance holders and clearance applicants in locations where travel would be unsafe or which could not be reached using conventional video teleconference equipment. But with the sunset of the defense communication system DOHA will be holding hearings using Microsoft Teams 365 in fiscal year 2022. DOHA has also continued to hold in-person hearings throughout the pandemic whenever and wherever possible and will continue to do so. And that's all I have for DOHA. Anybody have any questions for Perry? All right. Thank you, Perry. Appreciate it. Thank you. Up next is Mr. Evan Korn from my staff of ISOO. We'll provide an update on the Controlled Unclassified Information program also known as CUI. Evan, please. Thank you, Mark. So we're expecting the CUI FAR clause to come out for public comment in November. And this has been a major priority for both our office and now for the current administration. 
And when it comes out, we're going to be hosting a Q&A to allow those who are interested to ask us about the FAR and get any questions answered before they submit comments. So keep an eye out for that. In addition, we've been engaging with Microsoft regarding Microsoft 365. Their sensitivity labels for security sensitivity has been a major issue for a number of agencies. And we believe the industry as well when they have been trying to do metadata regarding CUI. And so they're aware of the problem and we believe that they are working on it. In the interim, we encourage both agencies and industry to type onto the document the banner markings that are required. And if they're only dealing with CUI basic, you have a tag for CUI basic versus trying to create a tag for every single category. And this has meant that also of getting personnel more trained in knowing how to mark CUI because they actually type it. We are also running now up to eight working groups, their agency working groups, every month, including the CUI advisory council and registry committee meetings. Also a working group on metadata and also one to point out for anyone who is working on it. And then there's CUI metadata. There is a new standard in publishers as well as for the intelligence community, ISM is working on a standard as well. There's, I should mention that many of these working groups are able to function because we get agency leadership in running them. And it is Department of Energy and the Air Force that have been running it and ODNI has been gracious enough to have a subject matter expert help that working group as well. We have a destruction working group dealing with the implementation of the destruction of CUI. That group is co-led by Air Force Department of Transportation and the Denali Commission up in Alaska, which is a federal agency focused on Native Alaska issues. 
We also have a tribal implementation working group that is focused on information that tribes and Native Hawaiian organizations share with the federal government in protecting these things can include things like ancestral burial sites among other very important information. And that group is being led by Department of Interior with a strong assist by the Advisory Council on Historic Preservation. In addition, we have the international agreements working group working on revising the international agreements we have with our foreign partners to make sure that CUI is implemented smoothly when interacting with foreign partners and that is being tri-led by ISOO, the Department of State and the Department of Defense. And then we also have working groups working on streamlining the registry where we're doing a major effort to streamline and reduce the number of categories on the registry. Now, an example is we started with the privacy categories and we're engaging with Federal Privacy Council on these privacy teams on that. And we're working right now at reducing the nine privacy categories to two or three categories. That's an ongoing effort. We'll also start working on law enforcement category grouping and there is a working group working on that and as well as the legal category grouping and there's a working group going on that. We will soon be starting another working group on the budget and financial categories. So, very busy working through those streamlined issues and hopefully producing a very user-friendly structure for the categories. We also have been working with the National Insider Threat Task Force and we'll be having a joint issuance with them in the near future on the intersection between Insider Threat and CUI. Related to this we also worked the first decontrol of a control document. It's an interesting case. It was actually NSPM 28 which is the National Security Council policy on OPSEC. 
The National Insider Threat Task Force came to us among other agencies and said that they thought it could be decontrolled and we worked with the National Security Council on the National Security Council to decontrol it as a good demonstration of how decontrol processes work and our support at the highest levels of our national security community. I also want to give a major kudos to Colleen Charlene Wallace. Over the last fiscal year we've conducted over 70 trainings of CUI. These have included the trainings that we offer publicly to both industry and government officials. They're announced on our blog. Generally she gets between 500 and 600 government industry personnel participating in each training. They're offered about once every month or two. I want everyone to sign up for updates from our blog. You can go sign up on the blog itself and on the right-hand side. There's a place in your email address so that you can find out about these trainings. We do know that the blog has a current glitch that we're working through our social media folks with a number of our recent posts not showing up but that should hopefully be corrected very soon. But please, if you're interested in these trainings go and add your email address so you can find out about it. In addition, we offer a number of training videos on our trainings website and these are available in MP4 format so that they can be uploaded directly into organizations' learning management tools. I also want to just give a strong thanks to the agencies that have been doing a lot of work on the implementation of the last year. Particularly the leadership by DOD, the Department of Commerce and the Nuclear Regulatory Commission major shout out to their personnel who have done a lot of heavy lifting and we deeply appreciate it. 
I want to highlight one of the things that the Nuclear Regulatory Commission has brought to our attention and that we are working through with them, which is an information sharing agreement structure that would allow multiple federal agencies to sign the same information sharing agreement with third party partners, basically industry or academia, to allow more common and less complicated ways to share information, so you only have to share it with a signed agreement once and you would be able to share with multiple agencies at the same time. And speaking of trying to get things streamlined, I just wanted to bring it back to the CUI FAR. When you see the CUI FAR, you will see that we are trying very hard to make this as easy and streamlined as possible for industry and for our government, so that everyone is on the exact same page about what is required, and it is hopefully a very clear way of communicating between the two. And then finally, I wish my congratulations to Valerie on her retirement. Though we haven't had the pleasure to work together directly, your reputation within ISOO is that of someone who's a joy to work for and top notch, and just wishing you well on your next adventure. Thank you, Mark. Thank you. Anybody have any questions for Evan on the ins and outs of CUI? Hearing none, we are now at the point of the meeting where we ask any NISPAC members to present any new business they may have. Does anyone have any new business? Hearing none, do any other committee members have any questions before we close out the meeting? Valerie, I know you do. Yes, Mr. Chairman, thanks. Earlier Jeff Spinninger had mentioned during the DoD update that there was section 847 of the fiscal year National Defense Authorization Act, that section 847, that requires the Department of Defense, the Secretary of Defense, to establish a program to assess foreign ownership, control and influence for all DoD contracts or subcontracts over $5 million, with certain limited exceptions for commercial items.
It is also section 847 of public law section 922. I understand there was a question about applicability outside of DoD? No, the legislation is specific to the Department of Defense, so when the Department of Defense establishes this effort, as we are working to do through a policy issuance and then a subsequent DFARS case, it will be outside the NISP, outside the National Security Program. It will be a DoD-specific program. I hope that helps folks who had some questions about that. I'd also like to thank Mark Bradley as the NISPAC Chairman and all my NISPAC colleagues for your kind words. I'm proud to have had the opportunity for many years, sometimes it seems more than I expected, to participate in NISPAC and public meetings. I'm really grateful to have worked with so many of you, and as you find through the years, security is really a small world. You're going to run into people all over the place throughout your careers. I want to say for the NISPAC, it demonstrates how effective collaboration can be, especially between government and industry, and while collaboration can be challenging, for those of us who've been around for a while, and there are a number of us on this call today, if we look at the strides that have been made by the NISPAC and its members on many areas of NISP policy and implementation, those strides are truly noteworthy. I especially want to thank the NISP Cognizant Security Agencies, my colleagues who we've worked with in those agencies, the Information Security Oversight Office, ISOO, and DCSA, as well as NISPAC industry, and all the coordination and collaboration which resulted in the NISPOM Federal Rule at Part 117 of Title 32, Code of Federal Regulations. I'm looking forward to retirement at the end of the calendar year, and all the very best to all. Thank you very much. Thank you. You are a professional's professional, and our country is safer and better off because of you, so we're the ones who owe you a great debt, and again, Godspeed.
All right, our next NISPAC is scheduled for April 27th, 2022. It's hard to believe we're already that close. We're hoping to have the next NISPAC be in person. We will also plan for having it be 100% virtual. As a reminder, all NISPAC meeting announcements are posted in the Federal Register approximately 30 days before the meeting, along with being posted to the ISOO blog. Again, we'll get back to you between the end of the year, as long as we can make sure that our working groups are still able to be functional. All right, with that I am going to adjourn this meeting. Everyone stay safe, and again, we can all meet in person sooner than later. Okay. Thanks a lot, and meeting adjourned. That concludes our conference. Thank you for using Event Services. You may now disconnect.