NISPPAC Meeting 4/14/2021
Apr 29, 2021 15:04 · 17884 words · 84 minute read
- [Producer] Welcome and thank you for joining today’s NISPPAC meeting.
00:03 - To receive all pertinent information about upcoming NISPPAC meetings, please subscribe to ISOO Overview at isoo-overview. blog. archives. gov or by going to the Federal Register.
00:19 - All available meeting materials including today’s agenda, slides and biographies for NISPPAC members and speakers have been posted to the ISOO website at archives. gov/isoo/oversight-groups/nisppac/committee. html and have also been emailed to all registrants.
00:43 - Please note, not all NISPPAC members and speakers have biographies or slides.
00:49 - While connecting by phone is necessary to attend today’s meeting, there is no requirement to log on to WebEx.
00:55 - However, you are welcome to join WebEx with the link provided with your registration as all available materials will be shared during the meeting on that platform.
01:04 - If you have connected through WebEx, please ensure you have opened the participant and check panels by using the associated icons located at the bottom of your screen.
01:14 - If you require technical assistance, please send a private chat message to the event producer.
01:20 - All links will also be shared periodically through WebEx chat.
01:24 - Please note all audio connections will be muted for the duration of the meetings with the exception of NISPPAC members, speakers and ISO, ISOO, excuse me.
01:34 - We are expecting a fairly large audience today, because of this we will not be taking questions from the public.
01:40 - Please email your questions and comments to nisppac@nara. gov and someone will get with you offline.
01:47 - Only ISOO and NISPPAC members will be authorized to ask questions throughout the meeting.
01:54 - At the conclusion, a survey will be sent for your feedback.
01:57 - If you would like to be contacted regarding your survey responses, please include your email in the comments block, so the NISPPAC team can get back to you personally.
02:07 - With that, let me turn things over to Mr. Mark Bradley, the director of the Information Security Oversight Office as well as the chairman of the NISPPAC.
02:17 - - [Mark] Thank you very much, madam producer.
02:19 - I appreciate that. Thank you for your kind introduction.
02:22 - Morning everybody, welcome to the 66th meeting for the National Industrial Security Program Policy Advisory Committee, commonly known as the NISPPAC.
02:32 - This is the third NISPPAC meeting has been conducted 100% virtually.
02:37 - Although, we now understand some people are home.
02:39 - Like we are on and some people want work. They’re actually in the office.
02:43 - This is a public meeting, like our previous NISPPAC meetings, this one will be recorded.
02:49 - The recording along with the transcript and minutes should be available in 90 days on the NISPPAC reports on committee activities webpage mentioned earlier by our event producer.
03:00 - We’re planning on a five minute break in the middle of the meeting, so I’ll flag it as we move closer to that.
03:06 - I will now begin attendance with the government members of the state.
03:09 - The name of the agency and the agency members will reply by identifying himself or herself.
03:14 - Once I’ve gone through the government members, I will then proceed with the industry members.
03:18 - After the industry members, we will easily move into speakers.
03:22 - Let me start with the ODNI. - [Woman] Good morning, Mr. Chair.
03:29 - - [Mark] Morning. - [Woman] And how are you coping? (indistinct) - [Mark] Department of Defense.
03:35 - - [Jeff] Good morning, Mark, this is Jeff Spinnanger.
03:38 - - [Mark] Morning, Jeff. Department of Energy.
03:43 - - Good morning, Mark. (indistinct) - [Mark] Morning, Mark.
03:50 - NRC. - [Dennis] Yes, good morning everybody.
03:54 - This is Dennis Brady with the NRC. - [Mark] Morning, Dennis.
03:59 - DHS. - [Rob] Morning, Mark, this is Rob McCray and Rich DeJausserand.
04:07 - - [Mark] Morning, gentleman. DCSA. - [Keith] Good morning, Keith Minard, DCSA.
04:13 - - [Mark] Morning, Keith. CIA. We’re missing a rep from the agency.
04:24 - Department of Commerce. - [Man] They sent an email, they’re not gonna be able to make it.
04:34 - - [Mark] Okay. Department of Commerce, again.
04:43 - I’m sorry, somebody’s gonna speak? All right, Department of Justice.
04:53 - - [Christine] Hi, Christine Gunning, (indistinct) talking for Christine Gunn.
04:57 - - [Mark] Hi, good morning, NASA. - [Kenneth] Good morning, Kenneth Jones with NASA.
05:06 - - [Mark] Morning, Kenneth. National Security Agency.
05:10 - - [Brad] Good morning, this is Brad Wetherby from the National Security Agency.
05:14 - - [Mark] Morning, Brad. Department of State.
05:18 - - Good morning, this is Kim Baugher from State Department.
05:21 - - [Mark] Morning, Kim. Department of Air Force.
05:25 - - [Jennifer] Good morning, Jennifer Aquinas here from Department of Air Force.
05:28 - - [Moderator] Morning, Department of the Navy.
05:31 - - [Jennifer] Good morning, this is Jennifer Obernier.
05:33 - with Department of Navy. - [Mark] Good morning to you.
05:36 - Department of the Army. - [Jim] Good morning, everybody.
05:39 - This is Jim Anderson from Department of the Army.
05:42 - - [Mark] Morning, Jim. Right now I’m going to turn to our industry members.
05:46 - Heather Sims, are you present? - [Heather] Heather Sims is present.
05:50 - - [Mark] Okay, Dan McGarvey, are you present? - [Dan] Dan McGarvey is present, good morning, Mark.
05:56 - - [Mark] All right, morning, Dan. Dennis Arriaga.
06:00 - - [Dennis] Hi, Dennis Arriaga is present, good morning.
06:02 - - [Mark] Morning, Dennis, morning to you. Rosie Borrero.
06:07 - - [Rosie] Good morning, Rosie Borrero is present.
06:09 - - [Mark] Okay, morning, Rosie. Cheryl Stone.
06:13 - - [Cheryl] Cheryl Stone is present. - [Mark] Okay, April Abbott.
06:18 - - [April] Good morning, present. - [Mark] Morning, April.
06:22 - Derek Jones. - [Derek] Derek Jones is present.
06:27 - - [Mark] Tracy Durkin. - [Tracy] Good morning, Tracy Durkin’s present.
06:31 - - [Mark] Good morning, Tracy. Right now I’m gonna do just a very quick roll call for our speakers.
06:35 - Make sure everybody’s here. Stacy Bostjanick.
06:40 - - [Stacy] I’m here. - [Mark] Perry Russell-Hunter.
06:44 - - [Perry] I’m here. - [Mark] Great, Roy Jusino.
06:49 - - [Roy] Yes, I’m here. - [Mark] Great, Chris Pollock.
06:53 - - [Chris] Good morning, I’m here too. - [Mark] Great, Marianna Martineau.
06:58 - - [Marianna] Good morning, I’m here as well.
07:00 - - [Mark] Okay, Heather Green. - [Heather] Good morning.
07:06 - - [Mark] Morning to you. Heather Murdocca.
07:10 - - [Heather] Good morning. - [Mark] Morning, Sheldon Solstice.
07:14 - - [Sheldon] Good morning. - [Mark] Morning.
07:22 - Charles Tench, Matt Ross. - [Matt] Good morning.
07:30 - - [Mark] Morning, Matt, Jason Terrio. - [Jason] Good morning.
07:37 - - [Mark] Morning to you, Booker Bland. - [Booker] Good morning.
07:41 - - [Mark] Morning, Booker. David Scott.
07:44 - - [David] Yes, good morning. - [Mark] Morning to you.
07:47 - Selena Hutchison. - [Selena] Good morning everyone.
07:51 - - [Mark] Morning to you. Evan Corn - [Evan] Morning.
07:56 - - [Mark] All right, Rich DeJausserand. - [Rich] I’m with DHS, but yes, I’m here.
08:03 - - [Mark] Great, morning. All right, is anyone else speaking at the NISPPAC that I have not heard from or I did not know about? If so, please speak now.
08:16 - All right, we request that everyone identify themselves by name and agency before speaking each time for the record, because again, what this is, as you all know all too well, this is recorded and we have a transcript.
08:30 - So, it’s much, much easier on us transcribing if we can actually match a name with the spoken words.
08:39 - With that we get just a couple of updates. We’ve had a few changes to the NISPPAC membership.
08:46 - We’d like to welcome alternate Natasha Sumpter from the Department of Energy.
08:51 - Tracy Kindle also remains an alternate. Additionally, we’d like to welcome Elizabeth O’Kane representing the army and Robin Nickel alternate with the Navy.
09:02 - For two of our industry members, this is their last NISPPAC meeting as members, Dan McGarvey and Dennis Arriaga.
09:11 - Anyway, gentlemen, thank you for your service.
09:14 - You’ve really made some really nice contributions and we are most grateful for your service.
09:22 - All right, with that, I’m gonna turn it over to Greg Pannoni who is my deputy who will address the status of action items on the November 18th, 2020 meeting.
09:30 - Greg. - [Greg] Thank you, Mark. Good morning, everyone.
09:35 - We just had a couple of items, but before that, I wanna mention that the NISPPAC minutes from the last meeting were finalized on January 26 and were posted to the ISOO website on February 2nd.
09:51 - As far as the two action items, they both with DCSA.
09:56 - The first one that’s outstanding from the last meeting was the Industrial Security Letter.
10:03 - We refer to them as ISLs. And this one was on Insider Threat and it will replace ISL 2016-02.
10:12 - It’s in a bit of a holding pattern due to the release of the NISPOM Rule, but DCSA will continue processing the ISL for issuance and begin engagement with cleared industry through the NISPPAC to update tools, resources and required training with respect to Insider Threat ISL.
10:34 - The second action item still open, has to do with DCSA providing an update on their responsibility for accreditation of sensitive department and information facilities, otherwise known as SCIFs.
10:53 - And DCSA will be responsible for the accreditation of military department SCIFs, for SCIFs estates and contractors SCIFs that fall under DCSA.
11:07 - So, do any of the NISPPAC members have any questions about the action item status? Okay, thank you.
11:19 - Back to you, Mr. Chair. - [Mark] Sure, thank you, Greg.
11:22 - Now this time we’ll go to our speakers. My first one is Ms. Heather Sims.
11:29 - NISPPAC spokesperson will provide the industry update.
11:31 - Heather, all yours. - [Heather] Good morning, it’s a pleasure to provide industry’s collective perspective today on a variety of NISP topics and priorities for 2021.
11:43 - Even though it’s only April, it’s not too early for industry members that are interested in serving as a NISPPAC…
11:50 - Industry members to start thinking about whether you want to throw your name in the hat.
11:56 - We have September elections coming up very fast.
12:00 - If any industry partners are interested, contact current our NISPPAC industry member or an MOU member.
12:09 - Industry continues to increase their engagement and collaboration with a variety of government agencies in order to be more actively involved in our national security role.
12:20 - (indistinct) Industry to not, we have sometimes stakeholder partner.
12:28 - NISPPAC industry members along with MOU industry association members continue to work tirelessly fostering relationships and trust in order to bridge the gaps between government and industry.
12:43 - Adapting the change have become industry’s middle names.
13:00 - - [Mark] Did we lose Heather? - [Man] Heather, are you there? - [Mark] Hello? - [Producer] Yeah, I don’t see her line at the moment.
13:12 - I think it may have… - [Mark] It just fell, I guess.
13:16 - - [Producer] Yeah, I think it may have dropped off.
13:22 - - [Man] Maybe go to Jeff and come back. - [Mark] All right, Jeff, I’m gonna bring you out of the bullpen.
13:32 - - [Mark] All right, coach. - [Mark] Alright, so we’re gonna…
13:36 - As we try to resurface Heather, I’m gonna to Jeffrey Spinnanger, director for Critical Technology Protection for the Office of the Under Secretary of Defense for Intelligence and Security who will give the update on behalf of DoD as the NISP executive agent.
13:51 - Jeffrey, all yours. - [Jeffrey] Well, Mark, thank you very much for that.
13:54 - And should Heather come back on, I’m more than happy to go back into mute mode and let her continue.
14:01 - But thanks for that. And thanks for the opportunity as ever today.
14:07 - It’s pretty remarkable how we’ve been able to adapt and execute in this remote environment.
14:15 - I’m pretty sure I said the last time and I’ll continue to say, however, I look forward to the opportunity for us to get back in a room together, both for the sum and substance of the official portion of the meeting, but frankly, for the candid conversations that happened in and amongst the women and men who participate in these meetings.
14:37 - I think they’re very, very important and something I’m looking very forward to being on the receiving end in the future.
14:46 - So, with that, our update today. I have a number of things to go over.
14:50 - Some I’ll hit the wave tops on differing much more so to some detail that’ll come later in the brief in the meeting today, principally from Keith Minard and others at DCSA.
15:03 - But the alligator that’s been nearest our boat or in our boat here for a good long while is now or shortly to become, I don’t know, mounted or at a zoo someplace or something, but the NISPOM Federal Rule became effective on February 24th.
15:22 - And as many of you know, that is a year’s long undertaking that our office and principally Valerie Heil and many others have been patiently and persistently.
15:39 - I think the technical term is slogging through for what amounts to several years.
15:46 - It’s a big deal. I know I said in the prior meeting when we were forecasting this, I’ll continue to say it.
15:53 - Much of the sum and substance of the NISPOM remains unchanged.
15:58 - There are a number of elements that many of you are becoming aware of now that have, but the biggest single takeaway, our single sentence that we continue to champion here within the building is that it creates more accountability on government.
16:15 - And we think that that’s really critical. It’s the key to consistency where the industry, where the program itself is intended to be and that is in industry.
16:24 - So, it’s not a hard sentence to get through.
16:28 - It’s gonna be very hard and challenging in execution, but we’re very excited at the prospects of actually getting to that execution layer here later in the year.
16:40 - We are adjudicating a number of comments that did come through in the public period.
16:46 - I think in total, we received 84 comments. And just because we’re metrics driven around here, just wanted to give some context to our leadership.
16:56 - About 60% of those came in as a collective submission from our NISPPAC industry partners.
17:02 - And honestly, I cannot thank you enough for that.
17:04 - So, the due diligence that we undertake to be able to go through each comment, is a very deliberate process.
17:14 - And our accountability is frankly to people who don’t know a whole lot about the NISPOM.
17:18 - Their expertise is in policy, federal regulatory policy.
17:23 - And being able to make it through what amounts to an audit by them, it’s not an easy undertaking.
17:32 - And so, the work that was done by Heather and the other industry folks to consolidate inputs before they ever got to us through the formal process will absolutely save us a tremendous amount of time.
17:46 - And it really speaks to the collaborative nature of the NISPPAC, I think in its intent, but more than that, in its execution.
17:53 - And I really do thank you a lot for that. We’re an army of about three and one of those is me and I just sort of nod up and down like a bobble head when we get into much of the details.
18:04 - And so, it’s very, very important to have that partnership and to really call it out.
18:11 - Bringing down those 84 comments a little bit, the key issues that we’re presently adjudicating.
18:16 - I’ll reasonably summarize this focused on C3.
18:19 - Certainly, gonna hear more about that. I anticipate that when Heather rejoins this, that she’ll have some comments and I know that Keith will as well.
18:28 - Further guidance with respect to Trusted Workforce continue spreading.
18:33 - NID in section 842 made a small resurgence in the discussion and clarification with respect to safeguarding.
18:44 - So, we’re preparing the proposed amendments to the rule to address each of these comments and resulting changes.
18:50 - This will go through a DoD internal coordination and an onset OMB review for about 90 days.
18:57 - There’s some fudge factors in those timelines.
19:00 - The OMB collects these sorts of issues and processes from across the federal government.
19:06 - And so, while it’s hard for us to imagine any more importantly Industrial Security Program, I think it’s fair to say that there’s more than one thing going on and that’s where inner agency review comes in.
19:17 - So, all that in mind, we can’t really give a specific timeline to how that will unfold.
19:23 - We probably put ourselves on a spring glide path.
19:27 - I think we’d have some pretty firm timelines to be able to provide where we to meet in July, but in as much as we’re not gonna do that, we will provide update through the Working Groups as they continue to happen.
19:43 - So, I mentioned of the C3 ISL that went out for NISPPAC comments, we’ve gotten those back.
19:52 - They are extensive. We thank you for those many comments that came in from industry and government alike.
19:59 - There’s a lot in there. There’s a lot to unpack.
20:03 - A lot of focus on the implementation timelines that are getting a lot of attention right now.
20:10 - We’ll keep you updated on those. I think, like I said, Keith may have a few more comments on, I’m not sure.
20:16 - But we’re trying to continue a steady drumbeat that we can all maintain.
20:22 - I say, it’s not new, so as we start to make progress and come to common understanding with respect to implementation, that is a team sport.
20:31 - And one that we’ll continue to follow that going forward.
20:37 - A word on the ISL. And again, you’ll hear more about ISL processes generally, but one of the changes by virtue of the issuance as a federal rule is that OMB…
20:50 - So, our issuance of Industrial Security Letters, although, ultimately approved by and will be issued as has been our practice by the Under Secretary, we need an OMB coordination before that happens.
21:03 - And so, that’s another step in the process.
21:07 - And so, the first one will be a bit of an experiment and that should inform what our recurring processes will look like for subsequently security letters.
21:16 - There’s been quite a bit of discussion, with respect to Federal Information Systems and the specific term.
21:24 - A lot of questions regarding the policy in Federal Information Systems as it’s described and defined within Volume 2 of the DoD Manual.
21:35 - We believe the term Federal Information System itself is a source of some confusion.
21:42 - In the past, Federal Information Systems were previously referred to as Guests Systems, which meant a system approved by another government organization.
21:51 - DCSA has authorized federal systems in the hands of cleared industry for many years.
21:55 - However, some government customers are reading the Volume 2 Federal Information System paragraph as the only way to adhere to policy for their systems, which we think is not really the case.
22:08 - So, we’re kind of sifting through that. Folks who are trying to be as deliberate as possible, but with the heavy and increasing reliance on extensions of systems of this type.
22:23 - We’re looking to work through and come to common understanding, policy clarification where necessary.
22:31 - At this time, however, at the industry or government customers told the disconnect, they previously proved system.
22:37 - Please raise the issue with the regional authorizing officials who will engage this directly.
22:43 - So, happy to take questions on that and address concerns either here today or of course, through the Working Group, as it goes forward.
22:55 - Discussions regarding Solid State Device Standardization Destruction Policy, largely differing at this point to NSA for any further guidance in future NISA Working Group meetings on the topic.
23:08 - For industry, they don’t need us to speak for them, but I think it bears mentioning that DCSA follows the Volume 2 guidance, which does allow some flexibility for the government information owner to accept a risk of sanitization risk rather than destruction.
23:23 - We recommend, however, if the industry has specific sanitization products or questions that you would like to address or utilize, either submit them directly to NSA for evaluation or speak to your government customer for further guidance.
23:39 - Couple more topics that are kind of growing near and dear to us here.
23:44 - I mentioned last time, Section 847 and FY20 NDAA, includes a requirement for assessment of beneficial ownership pertaining to foreign ownership control and influence for DoD prime and sub-contracts that are more than $5 million in value.
24:01 - It will require a DFARS clause that will go through the rule-making process.
24:06 - However, in advance of that process, DoD right now is in the nascent stages of a draft DoD instruction.
24:14 - It is presently in the internal coordination phases within the DoD components, excuse me, under OUSD A&S.
24:25 - From there, it will make its way out through and into the formal issuance process.
24:30 - There’s a lot of congressional attention on this particular issue, FOCI and supply chain risk management, which Stacy Bostajanick is gonna go into quite a bit more detail on, I think in her briefing here later.
24:44 - These are near synonymous terms and a source of tremendous amounts of interest.
24:51 - And so, this particular one, the expansion of FOCI, pretty comprehensively is something that is garnering the interest as you would imagine.
25:05 - For our purposes, like I said, this begins through the issuance process to define kind how we would get after the provisions that are within the NDAA.
25:14 - And left, right whether guidance as it were for the DCSA as the executing agency.
25:20 - And honestly, that’s where the real work begins.
25:22 - And so, as it continues to unfold, we’ll certainly be looking for government and industry inputs on this very, very important topic.
25:31 - Last two things I’d like to get into. One is a little bit…
25:34 - I’ll try to do a whole lot of forecasting, but one thing I’d like to put out there.
25:38 - So, our office within OUSD A&S is the sponsor of the university-affiliated research center called the Applied Research Laboratory for Intelligence and Security So, at some point, some of you may have some familiarity with this.
25:52 - I don’t wanna spend a lot of time. I’m just about out of time myself, but I wanted to put out there, kind of a nod back to the discussion on information systems earlier, but we’re sponsoring a project up at ARLIS right now that I wanna put out here for just public awareness and that’ll tee us up for more substantive reporting on this project when we’re next together in the fall.
26:18 - But in short, we’re exploring the use of commercial classified cloud in the NISP.
26:25 - ARLIS is gonna conduct a pilot working with a small number of NISP companies to independently evaluate the connections and approvals process.
26:33 - Project builds on observable improvements to interoperability, cyber security and core requirements for Information Security Insider Threat, user activity monitoring for highly classified IT and DoD requirements pertaining to compartment it programs that are already in work today and similar application and exploring how those can meet similar application and requirements that are presently executed under the NISP.
27:02 - And so, we think there’s basically cloud in the most highly compartment aspects of work done in industry and there’s certainly cloud within the unclassified space.
27:16 - And the opportunity to explore the same options kind of in the expanse of the industrial security program is something that we think there’s quite a bit of potential there.
27:30 - And we look forward to leveraging what we have up there and a pretty powerful tool in ARLIS to showcase kind of the…
27:38 - I’ll it the good, the bad and the ugly. And then finally, the last thing I think you’ll hear a lot more about, operating within a COVID environment Mark Brett mentioned that some folks…
27:51 - There is a slow returning to work. God help me, but I’m happy to be saying and I’m sitting in the Pentagon on the call today.
28:00 - Nevermind me, I said that maybe in November, but it is nice to be back to work with some regularity.
28:06 - The work didn’t go away. And that’s true for everyone out here.
28:10 - But one of the things that we continue to look at and continue to capitalize, is this environment has forced us to find ways to get work done.
28:18 - And in some ways really confront some of the kind of longstanding processes that we’ve undertaken and evaluate whether or not those are the right ways to do business.
28:28 - There’s certainly the way that they’re defined, but are there the right and best way to manage risk as it pertains to general security, but with an eye for industrial securities.
28:40 - And I think we’re looking to capitalize on what lessons we are learning to make revisions in policy and get better at really defining what our requirements are and then executing those requirements in the future.
28:55 - So, that’s kinda my mind or soapbox moment, but I am right at my 15-minute mark.
29:00 - So, I’m gonna stop right there and turn it back to you, Mark.
29:03 - Thank you very much. - [Mark] Anyone have any questions for Jeff before we let him off the hook here? Okay, hearing none, is Heather Sims back? - [Man] Yeah, she’s back, Mark.
29:18 - - [Mark] Heather, would you like to pick up where you left off? - [Heather] I’m back in, I think I was talking about adapting to change and I have to continue to do that as technically challenged.
29:28 - So, I am back in and thanks for that update, Jeff.
29:33 - That was great. I was wondering how DoD would take industry having so many comments on the IFL.
29:39 - So, I was pleasantly surprised when you mentioned that.
29:42 - We appreciated the feedback. So, thank you for that.
29:45 - So, I’m briefly going to talk about our current top three industry priorities and some of our watch list items as they’re listed on the slide, but I’m not gonna talk in any particular order.
29:55 - The long-awaited new 32 CFR, Part 117, the new NISPOM, is currently a major focus of industry while we move to implement and also adjust to the new changes.
30:07 - I wouldn’t like to say thank you to DoD and DCSA for your early and meaningful industry engagements.
30:14 - The more industry engagements are the better in our mind.
30:18 - We look forward to hearing from the other CSA’s today, how they plan to implement oversight of the new NISPOM to the cleared industry.
30:26 - And I would also encourage my industry partners to actually read the new NISPOM yourself and don’t make assumptions of what’s there and what’s not there.
30:34 - We also look for more engagement with PAC PMO, ODNI and OPM as Trusted Workforce continues to (indistinct).
30:44 - Information sharing continues to be a challenging item for industry.
30:49 - While some of my industry members focused specifically at improvements within the intelligence community, it’s a much wider impact on all of industry.
30:58 - Industry often has to manage the security program blindly.
31:02 - Industry is challenged with sharing of adverse information of our clear employees.
31:07 - Potential Insider Threats identified by the government targets threats against our companies and our products and services we provide to the government.
31:15 - That industry is charged with protecting against threats.
31:20 - So, we would like to have engagements with our government partners to talk about how we can increase information sharing.
31:27 - Industry’s also challenged with being able to share known threats between companies without fear of reprisal and lawsuits.
31:34 - Information sharing with industry holistically is a challenge and improvements when we strengthen our ability to provide better security mitigation strategies with cleared industries.
31:43 - I’ll touch a little bit on supply chain. It’s been a hot topic for many years, but we’re seeing a lot of action in the implementation of many statutory and regulatory requirements embedded into the acquisition process.
31:54 - It’s not necessarily NISP focus, but there’s a direct impact to the NISP at large and the supply chain of the NISP.
32:03 - As government begins to get back to normal, industry understands there will be fundamental changes to how we operate.
32:08 - Many industry partners will continue to operate virtually for the foreseeable future while others begin the process of bringing remote workers back to the office and some variations in between.
32:18 - Industry does look forward to hearing from the five CSA today on the return work to work cut plans and how industry can be prepared as we anticipated return to in-person oversight visits.
32:30 - Now, I would be remiss if I didn’t mention the recent JPAS to DIS transition.
32:34 - While this wasn’t easy by any means, I will say we have a lot of pain points and a lot still exists.
32:39 - There’s still quite a few lessons learned. Thanks to Sheldon Solstice for truly listening and working on fixes for industry’s concerns, with the continued issues with functionality of the system and data integrity with a sense of urgency.
32:52 - We’ve heard a lot of excuses of why the process went so poorly, but the bottom line is we can’t allow this to happen again.
32:58 - One, if not the largest government system utilized to verify and validate eligibility and access level is still not where it should be operationally.
33:07 - And we’re already talking about it’s replacements.
33:10 - While industry has started NDIS engagements with government partners, industry will not let up the quest for a strategic rollout plan, increased communications, training and understanding of how industry will utilize the system.
33:23 - Industry understands we’re not alone with exerting an enormous amount of resources and correcting disinformation, but we have to do better.
33:33 - Industry is preparing for the implementation of new NISPOM, managing and validating and correcting data in DIS anticipating Trusted Workforce 2. 0, preparing for CMMC assessments and trying to manage the role of Controlled Unclassified Information, CUI.
33:50 - While we are often reminded that CUI is not the NISP, there is no doubt an impact to cleared industry will continue to be impacted by CUI implementation oversight.
34:02 - We’re already experiencing a bifurcation of the programs.
34:06 - Each federal agency have been charged with developing a program, but what industry is dealing with is interpretation of implementation strategies that vary by government agencies.
34:17 - Each program, each base is coming up with their own set of rules leaving industry in the middle of managing expectations.
34:23 - Industry only has so much time and resources to manage their programs.
34:28 - We need better oversight of government agencies to ensure consistent approaches (indistinct) the industry.
34:33 - With continued engagement, a shared respect between government and industry partners, we can strengthen our NISP, protecting our government…
34:40 - Oh, excuse me, our economic prosperity and continue our work by the competitive edge over our adversaries.
34:46 - With industry, we can help ourselves by continuing to be united in our industry priorities with the government partners at a strategic level.
34:55 - Understand we can be better together than simply our own in individual company is.
35:01 - Most important, with stay informed, stay connected and stay engaged.
35:06 - As I conclude, I’d like to thank the industry partners and the government partners for increasing our engagement this past year.
35:13 - Thanks for your time today. And I look forward to us strengthen relationship and most importantly, I look forward to in-person meetings again.
35:20 - So, I don’t continually drop calls. Thank you.
35:23 - - [Mark] Okay, thank you. Anyone have any questions for Heather? Thank you, Heather, I’m glad we got you back.
35:32 - All right, we’ll now hear from Mr. Keith Minard, senior policy advisor with the Critical Technology Protection of the Defense Counterintelligence and Security Agency.
35:41 - Keith, yours. - [Keith] So, thanks, good morning, Keith Minard, DCSA.
35:45 - Today, I’ll be providing an update on DCSA planning efforts for industry and our internal implementation of 32 CFR, Part 117 in NISPOM Rule.
35:53 - Then I’ll provide a short update on COVID and post-COVID NISPOM operations planning.
35:59 - As Mr. Spinnager already mentioned from DoD, 32 CFR, Part 117 NISPOM Rule is now effective.
36:05 - Since he already addressed some key changes, I will focus on the activities to support implementation of the NISPOM Rule by cleared industry.
36:13 - What I would like to note first though is I believe the other CFA’s may be providing some information.
36:16 - So, I’d like to note that the planning by DCSA is for cleared contractors under DoD cognizance only.
36:22 - If you fall under another new CFA, please contact them for additional guidance.
36:26 - So, as Jeff mentioned, thanks to the NISPPAC members for the review of the NISP rule, implementation Industrial Security Letters and the C3 ISL.
36:33 - As noted, the C3 ISL has a wide range of comments.
36:36 - Comments from industry do help us understand industrial implementation guidance, requirements and questions they have as put these together and draft them, coordinate them and issue ISLs.
36:47 - Really the ISL is there to help clarify, interpret and provide guidance for industry to better implement portions of the NISPOM requirements.
36:55 - So, in addition to development coordination of the C3 ISLs and the implementation of NSL, DCSA, a policy in late January developed a field in NISPOM Rule cross-reference tool that enables readers to select known sections of the current NISPOM.
37:10 - And it takes the user to the portion of the rule that aligns.
37:13 - You can find the tool on the CDSE website. The cross-reference tool is really a great place to start when you’re viewing the rule.
37:19 - And these as much the transition do the formatting changes of the NISPOM from a DoD manual, the federal regulation.
37:25 - As Heather already mentioned, I think one of the important things that we have to do is, is people need to read the rule.
37:32 - I think it helps bring clarity and understanding of what changes there are and what things actually convey from the existing DoD manual to the federal regulation.
37:40 - I’d just like to note that over a few weeks ago, the tools have been downloaded over 2,500 times.
37:45 - I wasn’t able to get an accurate update for today’s meeting, but I’m sure we’re probably closer to 3000.
37:50 - So, it’s important to engage industry as we move through this process.
37:54 - And I kind of think this is very similar 2016 when NISPOM Change 2 came out about Insider Threat.
38:02 - Our first event was held on March 25th and was hosted by CDSE.
38:05 - This was the kickoff webinar focused in the NISPOM Rule.
38:09 - The webinar had over 800 attendees and provided an overview of the rule for attendees and include the panel members not only from DCSA, but also from the Office of the Secretary of Defense, for Intelligence and Industrial Security Policy.
38:21 - Thanks to them for this joint participation.
38:25 - We are currently working with the NISPPAC industry lead and NCMS to plan in late April two additional webinars, the first webinar from CDSE, I will call it a fire hose.
38:33 - Now we need to turn the flow down and begin to discuss more in details, get to meet more like a sprinkler.
38:38 - So, the next webinar will be focused on key changes in NISPOM Rule and other key elements that we are either hearing from industry that needs clarification or where DCSA sees an opportunity to help provide guidance and clarification.
38:52 - A follow on webinar will be focused on safeguarding.
38:55 - One of the other key changes. This session is in part to better educate on the changes in NISPOM Rule referral to National Information Security Policy in 32 CFR, Part 2001 and to provide an update on the changes for certification of Intrusion Detection Systems, referenced ISO 2015 to use of other nationally-recognized tech laboratories.
39:17 - More follow on scheduling. And additionally, the next planning for webinars to engage industry on C3 reporting requirements.
39:24 - As you can kind of see, we’re kind of thinking that we started off with the broad scope of talking about the NISPOM Rule.
39:29 - We’ll break it down to key changes. And as we move to its implementation period, we’ll identify those key areas that we can use and help industry leveraging understanding through webinars and other communication capabilities.
39:42 - So, to ensure effective communication, DCSA has added an external facing webpage that is now live.
39:49 - It’s intended to be a single source of NISPOM Rule information, key changes, events, links to tools and policy.
39:56 - And we’re looking at adding frequently asked questions for postings related NISPOM Rule to better enable it’s implementation.
40:02 - This is similar to the webpage that supported NISPOM Change 2 and Insider Threat in 2016.
40:09 - We’ll share with ISOO the link to that page so they can post on their blog, but the page can be found on the DCSA website.
40:15 - Go to Mission, then CTP and you’ll find a link at the bottom of the page for the NISPOM Rule.
40:21 - You’ll also find that there’s a link to the cross-reference tool on the NISPOM Rule page also as it is also on CDSE, tools under FSO toolbox.
40:29 - I would like to note that we’re working with our public affairs to make sure that we’re also using social media to communicate updates on the NISPOM Rule.
40:37 - And one of the things we worked with, so at the bottom of the NISPOM Rule page, please take that opportunity to view the video at the bottom in that page called “Get Ready for the Rule”.
40:44 - It kind of gets the key points and outlines some of the key changes in the NISPOM Rule.
40:51 - During the implementation period, we’ll be working to address input challenges identified by cleared industry and to work to address what tools and job aids, webinars or communications or guidance in the form of additional ISLs would address those challenges.
41:05 - So, in addition to the implementation of C3 ISL, we completed scrub of our existing ISLs, identified some that have to be reissued.
41:13 - And I would say expect to see those re-issued ISLs for coordination sometime in the near term through the NISPPAC for industry comment and coordination.
41:21 - Again, not all existing ISLs remain, but we did identify those that need to be reissued.
41:27 - And this’ll be a re-issue of existing guidance.
41:30 - So, I wouldn’t be too much concerned about major changes.
41:33 - They’re being revised to align with the NISPOM Rule formatting, citations and other areas like that.
41:40 - One of the key focus areas that Jeff already mentioned, we know we’ll need to be working with industry on.
41:45 - As I mentioned already, an extra webinar, is Security Executive Agent Directive 3 Reporting Requirements.
41:52 - That’s very important to ensure there’s communication guides and any tools that are needed to support that implementation.
41:57 - I would note that while it’s now included in the NISPOM Rule, everyone must keep in mind that this is a national policy requirement on the reporting for those that personnel with access classified information hold a sensitive position.
42:13 - As with industry, DCSA, CTP and CDSE are reviewing our products and tools to align the NISPOM Rule.
42:19 - This includes oversight procedures for changes, aligning citations in NISPOM Rule and updating our systems as well as CDSE revising tools, training and resources.
42:29 - So, what should industry do? First, download the cross-reference tool and the NISPOM Rule.
42:36 - Begin by clicking on sections in the current NISPOM you are very familiar with, then read the corresponding rule language.
42:42 - Get familiar, this will help you understand that while now a federal regulation, there are some key changes for industry to implement, but much of the NISPOM remain the same or had very minor changes or revisions.
42:54 - Finally, DCSA is working to ensure our field personnel are consistent message on the rule.
42:59 - DCSA field personnel will not begin overseeing the new NISPOM Rule until its implementation date.
43:05 - So, close on this topic, I would be remiss if I didn’t mention a couple of my staff members, they’ve been leading efforts in our office to support this implementation by DCSA and had an impact on many of the topics that I’ve already discussed with the webinars, the webpage, the tool and the ISLs.
43:24 - This includes Booker Gland, Larry Piles and Jason Terrio.
43:28 - So, that’s kind of my closure on the NISPOM information.
43:32 - I’ll go ahead and hit some COVID talking points here and then I’ll open up for any questions.
43:36 - With the onset of COVID-19 travel restrictions last March, CTP shifted from (indistinct) operations to remote only activities.
43:43 - Our first priority was the health and safety of workforce and yours.
43:46 - Secondarily, we focus on maintaining our support to your facilities and continue to conduct oversight responsibilities.
43:53 - COVID limited our ability to physically conduct onsite actions.
43:57 - For example, ATS were issued without the necessary onsite review, virtual closed area approvals and administration requires were conducted virtually.
44:06 - The CMs involved telephonic discussions with cleared contractors and their facility security officers to ascertain the overall status of the security program.
44:15 - And the CM is really a touchpoint, not an assessment, therefore no security ratings results in the Cms.
44:21 - To date DCSA has conducted over 7,000 CMs in the past year.
44:26 - So, the first priority when we can move safely begin scheduling onsite contractor visits, will be actions that have been delayed over the past year.
44:33 - This would include final assessments and approvals of stories that have been done without on-site validation, review of information systems that need verifications and review of corrective actions from our CMs.
44:43 - So, that kind of gives you an update of where in the CMs.
44:46 - And I would note that additionally, today, later on at the updates the Working Groups, you’ll hear from Mr. David Scott, who is now serving as the DCSA CTP accrediting authority and Ms. Marianna Martineau, the assistant director for the CAF, will provide an update on DCSA vetting stats during the Working Group updates.
45:03 - Subject to your questions, this is all I have for you, thank you.
45:08 - - [Mark] Anyone have any questions for Keith? Thank you, Keith.
45:15 - Next, we’re going to hear from Ms. Valerie Kerben, Senior Security Advisor, Special Security Directorate, National Counterintelligence and Security Center Office of the Director of National Intelligence.
45:25 - Valerie, yours. - [Valerie] Hi, good morning.
45:28 - Thank you, Mr. Chair. And I also echo what Jeff and Heather said, it would be great when we can all get together again and work together in person by this virtual environment.
45:44 - So, I’m going to provide you all an update since we spoke at the last November NISPPAC public meeting.
45:52 - So, I’m sure you’ve all heard the news, you’re pleased to say that the new director of National Intelligence was the first confirmation of the Biden administration, Ms. Avril Haines.
46:05 - And during her confirmation, she stated security clearance reform will be a high priority for her.
46:12 - And she will come up to speed to understand the progress made thus far and extent the nature of the problems with the existing process.
46:20 - So, we’re thrilled to have her in our lane and helping us move forward on Trusted Workforce and everything else we have our hands on.
46:31 - So, to give you a little update on Trusted Workforce.
46:35 - In January, exactly January 15th, OPM and ODNI as the executive agent, signed a joint executive correspondence.
46:46 - This EC really shifted from the prior phase of Trusted Workforce where we work to reduce the DCSA inventory.
46:55 - And I’m sure you’ll hear from DCSA where they are, their steady state of producing background investigations, but we shifted to phase two of Trusted Workforce 2. 0.
47:08 - And the phase 2 really focuses on policy development for the implementation of the new government-wide approach, the policy levels and how we’re gonna get through the personal vetting process from beginning to end.
47:25 - So, the EC, one of the main topics in this was guidance for the executive branch, departments and agencies.
47:33 - And explains the differences between our Trusted Workforce 1. 25 and Trusted Workforce 1. 5 transitional state.
47:45 - So, we’re doing this process iteratively versus one big change at once.
47:51 - So, working on the continuous vetting, we’re working to ensure agencies are capable and ready to enroll in one of these transitional state.
48:04 - The ultimate goal for transitioning now is that continued vetting will satisfy the traditional PR process.
48:14 - So, we’re not going to be doing the periodic re-investigation every 5, 10 years.
48:21 - All employees in the national security population and those contractors or missed contracts will be enrolled in a CV capability where (indistinct) will be done ongoing.
48:36 - So, we also included some milestones. By September 30, 2021, all departments and agencies must enroll their full national security population in at least the Trusted Workforce 1. 25 capability.
48:54 - And DCSA will talk about that, I’m sure in their update, but it’s a capability they are able to offer to their customer agencies.
49:07 - And then by September 30, 2022, all departments and agencies must enroll their full national security population in the 1. 5 capability.
49:19 - So, there’s just some differences in the capabilities regarding which record checks are being done and certain things the agencies are also responsible for doing.
49:29 - So, we are helping our agencies enroll and ensuring to address any of their concerns during the implementation phase.
49:41 - And I also believe some of our NISPPAC members have seen a copy of this correspondence and that was part of the information sharing with some of the high-level policies that come out of our office to share with the NISPPAC members.
49:58 - Additionally, in regards to personnel vetting, in December prior NCSC director, Mr. Evanina released a statement regarding COVID-19 and how mental health should not impact national security eligibility.
50:19 - And really stating that counseling and undergoing treatment as a result of COVID or the associated stress, should not in itself be considered a negative or disqualifying factor for rendering eligibility or access to classified.
50:38 - And also, in January, our new acting director for NCSC Mr. Michael Orlando signed another memo reiterating Mr. Evanina’s statement that there are the COVID impacts on the cleared workforce.
50:55 - And we’re just concerned and wanna ensure that the wellbeing and seeking counseling to address these concerns are being taken care of.
51:06 - And it is definitely a positive step and not a disqualifier.
51:11 - Let’s see one other area I do want to talk about and we’ve gotten some questions.
51:18 - And I know it’s been in the news. OPM did issue their clarifying guidance on marijuana use and reiterating the federal drug-free work place.
51:31 - But just wanted to state and remind that there was a 2014 memo that came out from DNI stating that the adherence to the federal laws of using marijuana is illegal it is a controlled substance.
51:48 - So, we’re still following that guidance. It’s still valid.
51:52 - However, we are considering putting together clarifying guidance and also monitoring legislation.
52:02 - And I know you all, ISOO has asked us to give a background on the impacts of COVID.
52:08 - ODNI continues to operate with limited staff.
52:12 - Even though we’re not back to business as usual, we still have lots of staff working on team type of schedules.
52:22 - We are operational and we’re ready and able to respond to questions and concerns from our partner agencies in industry.
52:30 - We just ask you to be patient, our response times may be a little longer.
52:35 - However, important for you all is that the Scattered Castles program and our continuous evaluation systems, help desk personnel are still available and they are fully operational.
52:49 - And we continue to attend and brief at industry-related conferences and panels virtually.
52:59 - We are available and do want to continue our partnership with our stakeholders here.
53:07 - Regarding the NISPOM Rule implementation, DNI and CIA are working together to implement the NISPOM Rule and retract any references to the prior NISPOM manual.
53:20 - I know they are working on making changes internally to new acquisitions.
53:26 - And I’m not sure if CIA came on the line or if they’re available if they wanna provide any more detail.
53:38 - If not, otherwise, I am finished. And thank you very much.
53:43 - Are there any questions? - [Mark] Okay, well, thank you, Valerie.
53:52 - That was very helpful. - [Valerie] Thank you.
53:55 - - [Mark] Sure. Next is Mr. Rob McCray, director of the National Security Services Division and Mr. Rich DeJausserand, deputy director for Industrial Security, the Department of Homeland Security for their updates.
54:08 - Gentlemen. - [Rob] Hey, good morning.
54:12 - Thank you for an opportunity here to update everyone.
54:15 - So, the department continues its important mission of protecting the Homeland through counter-terrorism efforts, mitigating Homeland security threats, securing cyberspace and critical infrastructure, securing the country’s air land and sea borders and strengthening the preparedness posture.
54:32 - Our workforce largely posture larger remains in a tele-work remote work environment with the exception of law enforcement, border operations, port operations.
54:43 - Obviously, they continue to operate in various areas throughout the country.
54:51 - One thing to note here is through the department’s operations, vaccinate our workforce or Operation Val.
54:57 - And through a partnership with the veterans administration, we have successfully vaccinated over 58,000 mission critical employees here in the department.
55:07 - So, we are continuing with that important program here and getting the population of our law enforcement personnel vaccinated here.
55:18 - And so, with an update of regard to industrial security, I have my deputy here, Rich DeJausserand.
55:24 - Rich. - [Rich] Thanks, Rob. Good morning, everyone.
55:29 - I’ll try to be pretty brief here. As everybody knows, I’m sure that DHS, we receive a majority of our Industrial Security Services from DSA through Special Service Agreement.
55:43 - Whoever we continue to work with DCSA, my team is continually working with them.
55:47 - The implementation of the new NISPOM final rule, specifically our person working with our personnel security team in regards to C3, we are developing and implementing communication plans.
56:02 - We’re developing policy documents and we are also developing reporting tools.
56:07 - We’re in the process of developing reporting tools for C3.
56:12 - And we continue working with DCSA for FOCI assessments regarding accepting NIDs.
56:20 - And while we will still conduct our own risk assessments with those NIDs, we will make a risk management decision, get with our DCSA to determine if we are going to accept those NIDs based on our risk assessments.
56:35 - So again, we are still in the process of the developing and working hand-in-hand with DCSA.
56:42 - That’s all I have, thank you. - [Mark] All right, thank you so much.
56:46 - Anybody have any questions for our colleagues at the DHS? Okay, thank you.
56:59 - So, the next update we’ll hear from is from Mr. Mark Hojnacke, director of Security Policy at the Department of Energy.
57:06 - Mark. - [Mark Hojnacke] Yes, good morning, everyone.
57:12 - Thank you for giving us the opportunity to give DOE’s update on the NISPOM implementation and our COVID return to work status.
57:27 - DOE has included a review of the NISP CFR requirements against the department’s current security requirements and has noted a number of areas that will be addressed either via page changes to the security directives or through a secretarial policy memoranda.
57:49 - The one that stands out obviously is the NISP language from the recent NDAA update.
58:00 - Our DEAR clause, that’s the DoE Acquisition Regulation Security clause references DOE security directives rather than the NISP to account for other security assets within the department.
58:14 - And because it does not specifically address the NISP, there is no need to update that security clause.
58:25 - Although, there will be other updates to the DEAR to address the NIDs and FCL processing.
58:34 - Our COVID return to work status in March of this year, DOE issued an updated COVID-19 workplace safety plan and held the department-wide safety pause, which included all federal and contractor employees.
58:51 - The safety pause was led by senior leaders within the organization via virtual town hall style meeting.
59:02 - The pause introduced the updated COVID workplace safety plan, reviewed and reinforced COVID safety protocols that the department provided in an open dialogue between employees and management about the challenges associated with the COVID-19 protocols.
59:25 - We have also shared vaccine information, including vaccine availability through the department and encourage the workforce to be vaccinated.
59:38 - Our current operating status is that we continue maximum telework throughout the department in compliance with the OMB goal to operate at 25% of normal building occupancy or lower for sites experienced high community prevalence or transmission of the virus.
59:59 - That 25% occupancy standard can be waived upon approval by the secretary.
60:11 - That’s our update for today and I’ll provide any answers to any questions anyone may have.
60:25 - - [Mark] Thank you, Mark, we appreciate that.
60:28 - Next we’re gonna hear from Mr. Chris Heilig to give the NRC update.
60:33 - And then after that, we’re gonna take a five minute break.
60:37 - Hi Chris, you’re up. - [Chris] Good morning, I’ll end up kicking it over to Dennis Brady for the NISPOM implementation and COVID information, but in terms of personnel security or updates, there aren’t really much of an update to provide.
60:53 - Our volume of cases and adjudication timeliness is stable.
60:57 - We were fortunate that our agency was able to continue processing cases as usual, even during the COVID restrictions.
61:04 - Our process is primarily electronics, things are getting a little easier that we could not do in person, for instance, drug tests and fingerprinting.
61:14 - As COVID restrictions are easing, we were able to take care of those steps at almost a normal pace again.
61:22 - And as things progress in the COVID world, we will obviously get back to normal a little quicker because we were not as impacted as some of the other agencies.
61:34 - That’s essentially all I have in terms of personnel security updates.
61:38 - I would ask Dennis to take over from there.
61:42 - - [Dennis] Okay, thank you, Chris. Good morning, everybody, Dennis Brady.
61:47 - From the NRC perspective, we continue to regulate the civilian use or commercial nuclear energy in the academic and medical use of as well.
62:04 - The NRC is continuing to implement the requirements of the NISPOM, although, like all other agencies, we’ve had to come up with alternative means for conducting that.
62:16 - But working with our industry stakeholder partners, we’ve been able to achieve those goals.
62:25 - As an agency in our COVID’s response, most of the agency is in…
62:31 - What we have is phase two for maximum telework, but some of our regional offices still are in our phase one or mandatory telework, but are still able to bring back our functions as the regulator for nuclear energy.
62:52 - That’s my report from NRC. - [Mark] Great.
62:59 - Anyone have any questions for our friends at the NRC? All right, with that, we’re gonna take a five minute break.
63:08 - I’ve got 11:04 here, so by 11:09, 11:10, we’ll start back up.
63:14 - Our first speaker when we come back will be Ms. Stacy Bostjanick.
63:19 - All right, five minute break. (upbeat music) - [Producer] Welcome back, let me turn things over again to Mr. Mark Bradley.
70:21 - - [Mark] All right, thank you so much, madam moderator.
70:24 - Next we’re gonna hear from Ms. Stacy Bostjanick, director of Cybersecurity Maturity Model Certification, also known as CMMC Policy.
70:34 - Stacy, all yours. - [Stacy] Thank you very much.
70:37 - Can everybody hear me? Can you hear me? - [Mark] Yes, ma’am.
70:45 - - [Stacy] Okay, good. So, as of Monday, I’m now the director of supply chain risk management for OUSD A&S.
70:54 - And so, today I’m gonna give you some updates on the whole enchilada that we’re working on.
71:00 - So, with CMMC we are continuing to work through the rule-making process.
71:05 - We have started the adjudication comments in earnest.
71:10 - And based on those comments, we’ve gone back and looked at the model and are considering some possible changes in response to those questions and comments, but we’re not ready to publicize definitely, what those are yet.
71:26 - We are moving forward with our pilots and getting the C3PAOs assessed at the CMMC Level 3 as we consider the information that they’re pulling together with those assessments as being sensitive information.
71:42 - So, each and every C3PAO that will be performing the assessments, will have to have a CMMC Level 3 assessment done on themselves first.
71:51 - Every assessment that they accumulate and review will be housed in the DISA GovCloud.
72:01 - And that information will then be ported over to the first system where contracting officers and program managers will have the opportunity to go in to validate the companies have the appropriate CMMC Level for the contracts that they’re competing on.
72:18 - We have had a couple of pilots that have canceled and waved off for various and sundry reasons.
72:26 - Some of them had award dates in due and our C3PAOs didn’t look like they were gonna be ready in time.
72:34 - And one of the main tenants of our pilots is we’re not gonna impact the timing of any of the award cycles for our acquisitions at this time.
72:43 - We’re also working very closely with an International Cooperation.
72:48 - They always confuse me ‘cause they call themselves VIC and coming from VIA I’m like, “Wait, who?” The International Cooperation is working very closely with us to make sure that we get the agreements in place with our partners because they’re very interested in participating in CMMC.
73:05 - We have had some countries indicate that they may want to wholesaley adopt the CMMC process.
73:14 - And then we have others that may wanna be there on (indistinct) or may set up their own accreditation body.
73:20 - We’ve also had other agencies within the federal government express interest in CMMC.
73:29 - BHS is looking to onboard. They’re planning some pilot activity and pathfinder activity here in the new stage future.
73:37 - And as well as GSA is gonna run some pilots for us as well.
73:43 - So, CMMC is rocking and rolling. There is a 30-day assessment being done internally by the new administration, just to look to make sure that implementation is going the way that they expect it to.
73:56 - And there’s also a GAO assessment going on for Congress.
74:01 - So, based on those two, I’m sure we may have some tweaks to the program, but wholesaley, we’ve seen a lot of support through the administration for CMMC.
74:11 - On the supply chain illuminates, supply chain risk management side, we’re working with a Trusted Capital in setting up avenues for companies to come in and hopefully get some investment to try to mitigate the interest from our adversaries and investing in some of our innovative companies.
74:32 - And we’re also working very closely with many of the supply chain illumination tools.
74:38 - We use some of them during Project Warp Speed to further our capabilities.
74:42 - And that seemed to be very successful. So, we’re looking at that across the board.
74:47 - And we also have set up a supply chain Working Group with members across OUSD and the services to come up with a lexicon and taxonomy and a standardization to look at supply chain risk and how to assess it and mitigate it.
75:05 - And then what are the tolerance levels that we can expect.
75:09 - And that’s pretty much my update. Barring any questions, I appreciate your time and the ability to speak with you.
75:18 - - [Mark] Great. Does anyone have any questions for Stacy? All right, Stacy, go back to the beach.
75:28 - - [Stacy] I’m on my way, thank you guys so much.
75:31 - - [Mark] Enjoy yourself. - [Stacy] Thank you.
75:34 - - [Mark] Sure. We have Roy Jusino and Chris Pollock with the General Services Administration here to brief us next on the GSA’s Black Label safe removal program.
75:44 - Gentlemen. - [Chris] Hey, good morning, Mr. Chairman.
75:46 - This is Chris Pollock with GSA and I appreciate the opportunity to speak to the NISPPAC today.
75:53 - As you mentioned, we also have voyages from the DoD lock program here to address some of the issues.
76:01 - By way of introduction, I’m the branch chief of the standardization and engineering branch at GSA.
76:06 - I’m also the program manager for the GSA-Approved Security Equipment.
76:11 - I’d like to talk today about a recent policy related issue that addresses the removal of some older GSA-Approved Containers and Vault Doors that are currently used for protection of classified information.
76:25 - Next slide, please. There we go. So, this one looks like…
76:33 - At least on my screen, it’s a little bit hard to see, but if you have a copy of the presentation, maybe you’re looking at it closer there.
76:43 - I’ll run through it real quickly. Back at the end of January of this year, we issued this letter to the GSA-Approved Security Training Schools and Equipment Manufacturers laying out the requirement for the removal of black label containers and vault doors.
77:00 - I understand ISOO was also working on a similar policy that should be issued shortly.
77:08 - If you could read the table, you would see that the black label containers are all at least 30 years old.
77:16 - Some of them as old as 70 years old. At the end of service, the removal date that’s listed in this letter is between 2024 and 2028.
77:32 - This gives everyone at least three years and in most cases, seven years to identify the older equipment and get it replaced.
77:44 - Next slide, please. Yeah, that’s just the signature page.
77:49 - So, again, next slide. So, here are some examples of the containers that had the different labels.
77:59 - The containers that will need to be replaced are…
78:02 - The samples is on the right side, where you can see there’s a black label, a black lettering on a silver label.
78:08 - If you have the containers with that label, they will need to be replaced.
78:12 - Again, in sometime in the next three to seven years.
78:16 - Containers that have the red label red lettering on silver background is on the left hand.
78:23 - Therefore, do not need to be replaced. Next slide, please.
78:30 - So, why is this equipment being removed from service for protecting classified information? Again, as I mentioned, a couple of times, the containers are getting very old.
78:41 - This leads to problems that can be attributed to safety issues, security issues and repair issues.
78:49 - Under safety issues, a lot of the moving parts on containers that are over 30 years old tend to wear out.
78:55 - You get worn slides, you get drawer stops that break off and you also can get rusty interiors, which can affect the operation and security of the containers.
79:06 - Over the years, there’ve been a lot of different improvements to the containers, which were not incorporated in some of these older containers.
79:13 - Things like changes in the lockbox and also changes in the locks from mechanical to electrical mechanical locks.
79:22 - There’s also repair issues. Many of the manufacturers who originally produced the equipment are no longer business, the repair parts are no longer available.
79:31 - So, all of these factors add up to a situation where it’s time to start removing the older equipment from service.
79:39 - I will now throw it over to Roy Jusino to go over some of the industry requirements.
79:44 - Roy. - [Roy] Oh, thank you, Chris. My name is Roy Jusino.
79:49 - I am the chair of the active SEALS sub-committee that oversees these specifications for all of the different GSA security equipment.
79:58 - I’m also director of the DoD Lock Program for the Department of Defence.
80:03 - So basically, we put up this letter to all the GSA manufacturers and the training.
80:14 - We will be working with all the agencies to get the letter out to all the agencies so they can plan.
80:23 - And what we’re asking right now is everybody to start surveying your facilities for GSA-approved containers, determine number of black label containers that you have and vault doors that are in use.
80:36 - And that’ll be on the list for replacement.
80:39 - Determine your requirements, facility accreditation reviews, possible classified holding reductions.
80:47 - Work with the crediting authorities and contracting officers to formulate a company plan for replacement.
80:53 - And again, this is government-wide through all federal government.
80:59 - So, this is… Again, we put up these timeframes, we feel that will be plenty of time for everybody to start addressing this and looking at and surveying and making plans.
81:15 - And again, we put a date out there and of course, there’ll be flexible, but we have to start somewhere to replace these older containers.
81:26 - Next slide, please. And that’s really all we have.
81:32 - Please submit any questions that you have and we’ll be more than happy to answer.
81:36 - Thank you. - [Mark] Thank you. Any questions for our friends from GSA? All right, we’re now moving into the portion of the meeting where we get reports from the NISPPAC Working Groups.
81:50 - However, we’re not gonna be discussing all of them, but we have provided slides with highlights of all of them.
81:58 - We’ll be discussing today, the clearance costs and NISP Information Systems Authorization, also known as NISA Working Group at this time.
82:07 - All right, Greg, you wanna take back over? Greg? - [Producer] Looks like his line may have been disconnected.
82:28 - - [Mark] All right, do you think you can raise him or do you want me to…
82:31 - Greg? - [David] This is David Scott.
82:33 - I’m available to present. (indistinct) - [Mark] Yeah, yeah, yeah, yeah.
82:45 - I’ll take over for Greg here and then we’ll get right to it.
82:49 - All right, let’s see. You’ve heard from some of the (indistinct) on the SCA’s on the high level points of what we will discuss during the current Working Group and on March 3rd, 2021.
83:06 - Since the last NISPPAC, we also discussed the Small Business Administration, the SBA regulations combining their Mentor-Protege programs issued this past fall.
83:17 - The SBA rule appears to eliminate the requirement for a joint venture to have an Entity Eligibility Determination or EED.
83:26 - If the entity is making up the joint venture, already have EEDs themselves.
83:30 - However, this interpretation of the regulations language is not actually what the regulation intends and it was contradicting NISP requirements.
83:39 - Therefore, we will be issuing an ISOO notice soon and coordination rules.
83:44 - - Greg I’m sorry. - [Mark] All right Greg, let me just finish this paragraph.
83:47 - With SBA, Small Business Administration to clarify the joint venture EED requirements.
83:52 - All right, Greg, you can pick it up, but we have continued.
83:56 - - [Greg] Yeah, I apologize, everyone. In my case, it was simply a matter of my chin hitting the phone and I accidentally disconnected.
84:07 - So anyway, these things happen. So, you already covered some of the points.
84:16 - The Working Group did meet and lot of things that were discussed today, we discussed during the Working Group.
84:27 - Obviously, the Trusted Workforce ongoing transition to 2. 0 was discussed.
84:35 - The JPAS, the DISS transition, the NISPOM changing over to a rule and the implications of some of the changes, particularly C3, but also a little bit on a TS accountability, limited facility security clearances and the intrusion detection recognition that not just UL 2050, but other entities that meet nationally-recognized testing laboratory standards, which Intertek I believe is one such other entity that does qualify as certified under those nurdle and RTL standards.
85:24 - And there was a little bit of discussion about security vulnerability assessments, the ratings, how that’s evolving ratings for SVAs.
85:37 - So, we’re discussing about oversight in general in the post COVID environment.
85:47 - Now, did you cover the other issues that I was going to mention? I think you did cover joint ventures in Small Business Administrations.
85:54 - Is that the (indistinct)? - Yes. - [Greg] The cost, did you discuss the (indistinct) cost? - [Mark] No, we were just getting there when you got back on.
86:05 - - [Greg] And so, this is a continuation of…
86:09 - Let me just say, this is a broader sub-element to an initiative that ISOO has undertaken beginning about two or so years ago to refine and simplify, to support agencies in their efforts to provide overall data with respect to their classified National Security Information Programs as required by executive order and directive to ISOO on an annual basis.
86:44 - One probably that would always get the most attention was reporting on the estimated numbers of derivative and original classification activities, which in of itself was a highly suspect number.
86:58 - It was an estimate, but even with that, it was an extrapolation.
87:02 - And in any event, ISOO director suspended the collection of data while we worked on refining our collection efforts, consolidating them and taking advantage of technology in doing these things.
87:19 - And so, cost is one of those elements within the raw collection of data that is required.
87:27 - And in this case, in particular, we’re talking about costs incurred by contractors under CSA cognizance, under security agency cognizance.
87:39 - And so, that’s what we’ve been focused on in this area.
87:43 - And we, the government had met several times discussing this.
87:48 - And what we’re trying to do before we bring industry in to see what we’ve come up with, is for each CSA to bring their proposal for how they intend to gather costs that their contractors under the NISP, under their cognizance incur.
88:06 - That said, it could be that each CSA comes up with something that they all agree on.
88:13 - And we just have one mechanism. One of the keys of course, is we do not want to have duplication of cost collection.
88:22 - And keeping with the overall intent of the reform effort for data collection, we wanna keep it as simple as possible.
88:31 - So, once we get to that point where we have the CSCs way ahead and some degree of consensus, we would then bring NISP industry, NISPPAC industry, excuse me, in to take a look at what we have and to get their input.
88:52 - So, that’s what we have on that. Turning to the NISA Working Group, Information Systems Authorization Working Group.
89:06 - We also met and as also been stated during the updates that were given, one of the topics was sanitizing solid state devices drives also known as SSDs.
89:19 - And I appreciate the update that DoD gave. The one thing I would add to that is we ISOO, do intend to reach out…
89:29 - Actually, we started already to the Committee on National Security Systems, CNSS as they set the policy, national policy for utilizing National Security Information Systems that process classified.
89:44 - So, in this case, as it relates to remediation methods for drives involved in classified spillages, we want to at least ask them to examine the existing policy to see if there’s any need to make some adjustments.
90:02 - So, with that, what I wanna do before we collectively take questions in this part of the agenda is we wanna hear from first David Scott from DCSA to give an update on DCSA’s information systems.
90:21 - David. - [David] Yes, thank you, sir.
90:24 - I appreciate that. So, I started off this position at NISP last week.
90:30 - So, I appreciate the invite and I look forward to working with the NISPPAC members and the audience as a whole.
90:39 - Previous to this, I was no stranger to the NISP.
90:43 - The last four years, I served as a regional authorization official in the Capitol region and served as acting Southern region AO for the past year as well as a very extensive work in cleared industry myself.
90:55 - Couple of quick updates with the leadership changes in Capitol region.
91:01 - There is an acting Jamie Davis. She’s acting while we look to back fill my position in Capitol region.
91:07 - And in Southern region, we’ve selected and have onboard a permanent Southern region AO.
91:12 - His name is William Bond. He just started a few weeks ago and we’re looking forward to his contribution to the team.
91:23 - Next slide, please. So, from a metrics standpoint, these are pretty self-explanatory I’m not gonna run through all of them.
91:34 - What I wanna do is just kind of highlight a couple of points.
91:39 - The system registrations in eMASS are the systems that are authorized are staying at a steady state.
91:45 - Little increase but not too significant. But what I wanna inform everyone is we’ve implemented over the past, since about January, past few months, a triage process.
91:57 - What we identified within our agency as we move to RMS and we had some backlog in certain areas.
92:04 - We were getting to the point where we had some ISSPs.
92:09 - The queues were getting big and we had industry waiting for some sort of communication on whether or not what they submitted was actually in the process of being authorized.
92:19 - And we were having some timelines where they wouldn’t comment back up to like 80 days.
92:24 - And then the unfortunate case where industry would submit something in this, somewhat new process.
92:32 - We’ve been in a few years now where simple mistakes were made that we just could not move forward.
92:36 - So, what we did was we implemented over the past few months a triage process where within the first 10 to 14 days, we’ll take a look at what’s submitted by industry.
92:45 - We’ll make sure that it’s meeting the mark and then we’ll put it into our queue.
92:49 - If we find some simple mistakes throughout the initial triage, we’ll return that so that industry can immediately address those concerns, so industry is not waiting 60, 90 days before they hear something from us.
93:03 - So, we’ve already seen some very good return on investment with that process.
93:08 - And we’ll continue to do that. The other piece that I wanted to hit is the AO is a part of COVID.
93:16 - Initially, when we first started the pandemic, we were deferring the on-sites and doing roughly around six months authorizations.
93:23 - This is going back a year ago. And then once we realized that the pandemic was going to be a little bit longer term than what everybody expected, the AOs got together last fall.
93:33 - And we said we need to do better. So, we came up with a framework to where if the industry package it’s efficient, it’s solid, the controls are addressed there, the risk is clear and understood and acceptable, we would issue a three-year authorization deferring the on-site until we can get to a post pandemic or a regular business model.
93:53 - We’re just now starting to see some benefits of that.
93:57 - We still have the tool of a conditional authorization if in fact, we’re still missing a few pieces that we could do a six month authorization.
94:05 - However, we are moving more towards a model of a three-year authorization, deferring onsite and that is actually starting to reap benefits.
94:15 - Next slide, please. This is a slide that we just started recently putting together.
94:24 - It’s our top 10 missed compliance controls, non-compliant controls within eMASS.
94:29 - This is new. We’re still digesting this information as an agency, but we’re hopefully going to use this tool internally and externally to help address some consistency concerns.
94:40 - I won’t go into too much detail, but you’ll see the top one right there, RA-5 Vulnerability Scanning.
94:45 - And I can tell you coming from this field over the past few years, there is a misinterpretation of that control.
94:51 - For example, Vulnerability Scanning, we have a lot of industry team members who will arise the sense would state that they’re using a certain tool like a scout compliance checker.
95:04 - That is not the intent of that control. It is a scanning tool, but the control itself is Vulnerability Scanning.
95:11 - What is the process for finding weaknesses in the application or the system? For example, your Microsoft patches.
95:17 - So, it is just a misunderstanding of the actual control.
95:21 - So, what we’re gonna do is take this metric and start identifying some trends and start education internally and externally for consistency across the country.
95:32 - Next slide, please. So, DAAPM. We are in the early process of a planning for a DAAPM upgrade.
95:41 - What I wanna call to your attention is we are well aware of the NIST Rev files, 800-53 controls.
95:47 - We are well aware we’ll have to do an update for that.
95:50 - We’re also have been working since last August, internally on a NISP connection process guide, is the first of our kind for an agency.
95:59 - Over the past many years, other agencies, DISA, et cetera, they actually have a connection process guide on how to do business with them for interconnected networks.
96:10 - And what we saw there was great benefits with those types of documents.
96:13 - So, we actually are starting to draft our own and expand upon the requirements, processes and guidance on how to have an interconnection with the NISP.
96:25 - So, some of the highlights are a process flow map.
96:29 - If you’re gonna interconnect with a government network, here’s what you would do.
96:35 - And it would follow a process flows, we’ll provide templates and easy to read guidance.
96:39 - So, it will be available. It should be easy to read for any government or industry stakeholders.
96:44 - So, we’re looking forward to that. We’re in the early stages of developing.
96:49 - We understand we’ve got some coordination aspects to do.
96:51 - We’ll definitely share it with the NISPPAC as well.
96:54 - But we’re very excited about that document, we look forward to sharing that with you guys.
96:59 - And next slide. So, NISP common eMASS issues, no changes here.
97:09 - One thing I do wanna kind of call out too, is if we make for everybody’s awareness, especially industry ISSN, is ensuring that we’re checking the security classification guidance before we input to eMASS.
97:24 - Just making sure that we’re double checking any classification guidance at all.
97:27 - We have a process if we have an SEG that states certain controls are at a classification level.
97:33 - We have a process for handling that in our job aids, but just wanna make sure that that word is spread and that we’re adhering to that.
97:41 - But other than that, eMASS common issue to pretty much straightforward.
97:45 - We’re getting the questions into our group mailbox and we’re addressing them on the regular.
97:50 - And next slide is just questions and some available resources.
97:54 - And that’s all I have, unless there’s a questions from the group.
97:57 - Thank you. - [Greg] Does anyone have any before we turn back to vetting statistics for that process? Anyone have any questions on Information Systems Authorization? - [Rosie] Hi, this is Rosie Borrero, industry NISPPAC.
98:15 - I just want to ask a quick question and thank you, Dave for that.
98:20 - So, just wanted to ask for the top non-compliant controls.
98:24 - Would you be willing to post examples of compliance in the frequently asked questions online for industry? - [David] That is the goal.
98:35 - I’ve got to work through the coordination and publication process, but that is the main goal of this tool.
98:42 - We’ve been wanting to put now that we have enough data in eMASS collected over the last year, year and a half, we’re able to provide some trends, but the goal is absolutely to share some of this information with industry for common understanding and consistency across the board.
98:58 - But yeah, that is the goal. No promises on timelines.
99:01 - I’m still a little new to this position and understanding the coordination aspect of it, but we definitely do as much as we can to get that out to you guys.
99:08 - - [Rosie] Great, thank you, I appreciate that.
99:14 - - [Greg] Thank you. Unless there’s no other questions for that.
99:17 - And we’ll now look at some vetting statistics and I’ll ask Marianna Martineau, please to start looking at the background investigations, adjudications embedding data.
99:34 - Please, Marianna. - [Marianna] Yes, thank you.
99:37 - Good morning, everyone. I’ll be covering background investigations, Continuous vetting and adjudication mission updates for DCSA today.
99:46 - Regarding background investigations, our total inventory is currently just slightly over 205,000 cases of which 34,000 are industry investigations, which is consistent with inventory from about a year ago and less than half of the inventory from two years ago.
00:06 - Timeliness statistics for end-to-end processing for industry cases including initiation, investigation and adjudication and FY21 second quarter improved significantly as compared to one to two years ago.
00:21 - Specifically, our tier fives were running end-to-end about 159 days and tier three is 127 days.
00:29 - Timeliness inventory do continue to fluctuate due to seasonal onboarding and hiring.
00:34 - However, of course, in the past year, as we’ve all talked about here, we’ve had a few unpredictable impacts related to COVID-19 and specifically surges and occasional IT hiccups, so we are seeing a gradual increase in timeliness as a result of some of these challenges that we’ve experienced over the past year.
00:55 - For background investigation group as COVID continues, we are maximizing telework as most staff are already working remotely and we are continuing to use the executive agent approved alternative processes, including telephone interview.
01:10 - While roughly about 5% of the background investigations in our inventory has been delayed or placed on hold due to COVID challenges.
01:18 - Our team is constantly revisiting each case to continue to work and close these cases as quickly as possible.
01:26 - DCSA remains postured and committed to mitigating COVID related impacts, but timeliness and our overall inventory without degrading quality.
01:37 - I’ll talk a little bit farther and in the bed on the adjudications timeline.
01:41 - So, let’s go ahead and switch over to the next slide and talk about the Vetting Risk Operations Center.
01:47 - The VROC is staying laser-focused on all industry functions.
01:51 - And as you know, that includes investigation visions, interim, periodical re-investigations and continue with setting deferments, processing incident reports and other Defense Information System for security customer service requests and balancing timeliness to support mission readiness and identifying and mitigating Insider Threat concerns.
02:14 - To date FY21, the VROC has submitted a broad place, 62,000 background investigation requests.
02:21 - 90% of those have had an interim determination made on average within five to seven business days.
02:27 - Effective, April the 1st, as I’m sure everybody here knows, investigation requests can no longer be submitted in JPAS and industry must use the Defense Information System for security for all security management functions to include investigations submissions.
02:43 - So, as a reminder, please submit your fingerprints for initial clearances prior to submitting an investigation requests.
02:50 - The VROC cannot open a background investigation or answer or issue an interim determination without first the required fingerprint results when applicable.
03:01 - Regarding continuous settings, DCSA is responsible for implementing the DoD Continuous Vetting program and has begun offering the Trusted Workforce 1. 25 service to non-federal agencies.
03:14 - Our goal is to have the entire DoD cleared population enrolled in the Trusted Workforce Continuance Vetting compliance program by the end of 2021.
03:24 - So, you’ll see a significant increase in enrollment this FY as we are working to achieve this goal.
03:31 - A few items to note here is enrollment do include in NISP contractor population, currently about 675,000 industry subjects are enrolled in Continuous Vetting and all industry periodic re-investigations deferred subjects are about 121,000 are also enrolled in Trusted Workforce 1. 5 automated records checks.
03:55 - An additional 350,000 industry subjects are pending enrollment.
04:00 - The VROC is currently enrolling all subjects post adjudication and is also working to extract SF 86 on file within the Defense Information System for Security and other programs.
04:12 - I’m sorry, excuse me, other systems of record.
04:15 - What we need from industry is to be responsive for any overdue periodic investigations or if an out of cycle SF 86 is requested for submission.
04:25 - Continuous Vetting enrollment does require adding minimum, the 2010 version of the SF 86 of which we have most of them, but not all since the 2010 version wasn’t deployed.
04:37 - And so, the 2012 timeframe. If needed, the VROC will be sending specific instructions to individual companies in this spring.
04:47 - So, please be on the lookout. For Continuous Vetting alert management, hosts enrollment alerts are generated based on established thresholds, which align to the federal investigators standards and adjudicative guidelines.
05:01 - We’re currently seeing an average of a 6% alert rate.
05:04 - Although, we are baselining a large volume of population.
05:08 - Criminal and financial indicators are still the most common, valid, actionable alerts.
05:14 - And so far in FY21, we received 19,000 industry alerts on 14,000 unique industry subjects of which 8,000…
05:25 - Wow, this is a lot of numbers or 48% were not previously known.
05:30 - So, what does that mean? It means that these alerts represent information that should have been self-reported.
05:37 - And our goal moving forward is to encourage self-reporting of information as early as it is known as it will avoid future Continuous Vetting alert.
05:50 - Moving on to the next slide about the CAF. Today, the CAF continues to apply portfolio management techniques to deliver national security suitability and credentialing adjudication.
06:02 - Our readiness portfolio represents those adjudicated actions designed to get people to work where the risk management portfolio manages risk within the Trusted Workforce.
06:14 - So, in FY21 through the second quarter, the CAF adjudicated to your background investigation product in an average of 16 days for initials or 92 days for periodic re-investigation.
06:26 - For the industry population, we did the same work and adjudicated initials in an average of 17 days or 119 days for periodic re-investigations.
06:36 - We do expect that adjudicative timeliness performance for PRs will continue to be higher than historical averages due in large part to the changing derogatory nature of the periodic re-investigations we’re receiving for adjudication.
06:50 - Coupled with delays related to COVID-19 and obtaining additional information from subjects.
06:56 - Our current total industry inventory is about 30,000 cases.
07:01 - 59% of which are within our readiness portfolio and the remaining 41% in risk management.
07:08 - The CAF is continuing to focus on processes on improving processes, timeliness, implementing Lean Six Sigma improvements and increasing efficiencies as we continue to work with our colleagues in the background investigation and the vetting risk operation group to implement the Trusted Workforce strategy.
07:27 - We will also continue to focus on preparing our workforce for these challenges while also striving to continuously improve our services and support to your mission operations and needs.
07:38 - Some of our focus here is for the remainder of this fiscal year include reciprocity as an update because I know this is a sensitive subject for those on this call.
07:48 - Last year, the CAF and VROC executed a joint Lean Six Sigma project focusing on improving the end-to-end reciprocity process.
07:57 - Last month, DCSA deployed a change in the Defense Information Security that allows industry reciprocity customer service requests to go directly to the CAF.
08:08 - This update of process is functioning without any technical issues and it’s already improving the end-to-end timeliness.
08:15 - Over the next month, the CAF anticipate further process improvements as we implement the remaining Lean Six Sigma efficiencies and we will be bringing DCSA to full compliance with the DNI five-day end-to-end processing requirements.
08:30 - We are also looking to deploy an adjudicative assistance tool, which is designed to implement machine learning, focused on enhancing adjudicative quality assessments and training programs.
08:42 - And as you heard Valerie talk about earlier, today, we are continuing to focus on mental health care and de-stigmatizing seeking mental health care treatment for cleared personnel with losing a security clearance.
08:56 - We started that process in FY20 and we’ll continue to do so through FY21.
09:01 - We’re expanding our messaging through the DCSA web portals, social media outlets, frequently asked questions and other information located in the DCSA CAF resources webpage.
09:15 - Our mental health campaign efforts also include external outreach engagements with clinicians, psychologists, security managers and defense organizations.
09:24 - And again, we’re trying to get our message out.
09:26 - It’s simply seeking mental healthcare treatment, is not in and of itself, a reason why people lose security clearances.
09:34 - I would like to call to your attention some amended COVID-19 extension processing at the CAF.
09:40 - Last year at the beginning of COVID-19, we evaluated our processes and implemented basically hold, if you would where we were not receiving responses to our requests for additional information or other actions related to COVID-19.
10:01 - We recently re-evaluated our current operating procedures and are reinstating our pre-COVID business processes and procedures regarding correspondence requirements for responses.
10:12 - We will no longer be issuing indefinite automatic extensions related to the COVID-19 pandemic.
10:18 - And subjects through their security managers and facility security officers will have 30 days from the date of our requests for an action in the Defense Information System for Security to comply with that official request for information.
10:31 - If you have any questions, please send those to us through the DIS portal.
10:35 - We’ll be happy to answer any questions that you may have, although you can find some additional information on the DCSA website regarding this announcement.
10:44 - Lastly, I’d just like to call your attention to the bottom of the slide, where I’m proud to share with you the DoD CAF’s first annual report hovering FY20.
10:54 - It highlights many of our accomplishments and continuous efforts to improve the DoD assigned adjudications and related personal security eligibility determinations.
11:03 - Our adoption of streamline business processes for security clearance processing timelines and a return to healthy and stable inventories.
11:12 - We are committed to working with you, our customers and continuing to build strong partnerships to increase information sharing and to support your operations and mission readiness.
11:22 - So, if you can, take a moment to share and read our annual report in the link at the bottom of the slide.
11:28 - And pending your questions, that’s all I have for this morning.
11:33 - - [Greg] Well, thank you Marianna for that excellent comprehensive overview of…
11:38 - Does anyone have any questions? Next, we’re going to hear from Tracy Kendall to provide some DOE update metric data.
11:52 - Tracy. - [Tracy] Good afternoon, Greg and everyone.
12:02 - I’m Tracy Kendall and thanks for the opportunity to provide the DOE personnel security update.
12:09 - I know Mark spoke earlier, but just for those who didn’t know that we do have a new secretary and her name is secretary Jennifer Granholm.
12:20 - The next thing I’ll talk about is that DOE personnel security statistics.
12:25 - And currently we’re meeting the ERPTA. Timeline is go for all investigators tiers based on the February, 2021 statistic.
12:35 - For our initial, our T5 initial, we met out our goals, 11 out of the last 12 months and we expect that trend to continue.
12:45 - For the T3 initials, we’ve met our goals over the last six months and we expect that trend also continue.
12:54 - For T5Rs, we met those goals over the last nine months and again, we expect that to continue.
13:02 - For T3, we had one hiccup in June of 2020 with our initiation process.
13:10 - But since that time we’ve been meeting our goals and again, we expect that trend to continue.
13:15 - That’s really all I have right now, Greg, for the personnel security statistics pending anyone’s questions.
13:25 - This will conclude my briefing, pretty short.
13:30 - - [Greg] Thank you, Tracy. Anyone have any questions? Okay, next we have NRC.
13:38 - Now, I believe Dennis Brady already gave some data on the personnel security metrics, but we have Chris.
13:45 - Heilig, do you have anything additional to add? - [Chris] I spoke early.
13:51 - I don’t have anything additional to add. I would clarify, we are meeting our ERPTA guidelines for adjudications.
13:58 - And as I mentioned earlier, we didn’t experience any slowdowns during COVID.
14:02 - So, we would assume everything goes back to normal sooner than later as the COVID restrictions are lifted.
14:08 - That’s really all I have. - [Greg] Thank you, Chris.
14:12 - So, unless there’s questions for Chris or any questions overall, with respect to the Working Groups, from what you’ve heard this morning, I’ll turn it back over to the chair.
14:26 - - [Mark] Thanks Greg. All right, now we’re gonna hear from Mr. Perry Russell-Hunter from the Defense Office of Hearings and Appeals, known as DOHA.
14:34 - Perry. - [Perry] Thank you. Thank you, Mr. Chairman.
14:37 - Thank you, NISPPAC members. DOHA is continuing to make maximum use of telework, except for the personnel who are conducting and supporting the in-person administrative hearings, the DOHA administrative judges, department council and support personnel.
14:58 - Obviously, the hearings are a core part of the DOHA mission.
15:03 - So, by total, having everybody else telework, we’re maximizing the safety to everyone who’s involved in those in-person hearings.
15:14 - But leveraging telework, has not affected DOHA’s productivity.
15:18 - And that’s in large part, thanks to the great partnership between DOHA and the consolidated adjudications facility, the leadership of Marianna Martineau, who you just heard from and the excellence and expertise of her staff and the adjudicators of the CAF.
15:40 - Calendar year 2020 was actually the highest average year for total numbers of statements of reasons reviewed and issued since 2016.
15:52 - And statements of reasons are still going out in typical numbers and are timely.
15:57 - We currently have 330. And so, our reviews pending, which is a atypical number.
16:05 - At the end of January, we had 390 pending. Considering that DOHA reviewed and the CAF issued over 3,100 draft statements of reasons during the period between March of 2020 and March of 2021, we’re in great shape and we’re current.
16:26 - The first four months of fiscal year 2021, we reviewed and the CAF issued 1200 statements of reasons.
16:36 - So, there’s gonna be a shift later this year where DOHA will begin providing the SORs directly to industry employees and also tracking them.
16:48 - So, that’s something that we’ve mentioned before, but that’s gonna be happening over the course of the next year.
16:57 - And while the pandemic was impacting the hearing process because DOHA was having challenges with conventional video teleconferencing due to the simple fact that there would often be no operators available at the other end of the line where DOHA needed to reach.
17:17 - DOHA has now tested and is making a good and effective use of something called the Defense Communication System or DCS to conduct remote online virtual hearings for clearance holders and clearance applicants in locations where travel would still be unsafe or where we could not reach the individual using conventional video teleconference technology.
17:47 - And that is all I have pending any questions from the group.
17:52 - Thank you. - [Mark] Are there any questions for Perry? Thank you, Perry.
17:59 - All right, up next is Mr. Evan Coren from my staff of ISOO who will provide an update on the Controlled Unclassified Information program known as CUI, Evan.
18:11 - - Thanks Mark. As Mark said, I’m Evan Coren.
18:14 - I’m the team lead for CUI ISOO and I support the director of ISOO, who is the CUI executive agent.
18:21 - First one to start with a update for the CUI annual report.
18:26 - And I will first start with some data we wanna share with you, it’s the initial analysis.
18:31 - So, 90% agencies that have their CUI policy done by the end of 2021.
18:39 - And this includes 65% of the agencies who report that they had their policy done or would have it done by December of 2020.
18:50 - In addition, 80% of agencies have already began disseminating awareness products or training their workforce on the upcoming CUI implementation.
19:01 - In addition, 90% of agencies are reporting that they will meet the fiscal and cybersecurity safeguarding requirements by the December 31st, 2021 deadline.
19:11 - In addition and other good news, the National Information Exchange Model or NIEM has released NIEM 5. 0, which for the first time, includes a CUI metadata standard.
19:23 - For those not familiar, NIEM is one of the common metadata standards.
19:28 - So, this will significantly improve the (indistinct) consistency that occurs.
19:35 - Metadata is used in association with CUI. And CUI registry committee and ISOO will serve as the mechanism to update, and review changes to the CUI domain within…
19:48 - In another good news, NIST SP 800-172 has been published.
19:54 - This was formerly known as the draft NIST SP 800-171B.
20:02 - So, 172 establishes recognized security protections for non-federal information systems that processed or transmit CUI.
20:13 - It was released in final form, Feburary second of this year.
20:17 - It mainly evolves changes the narrative and boundaries and does not change the controls that are in place.
20:24 - The controls within the 172 are often used in the CMC…
20:32 - Sorry, CMMC Level 4 and Level 5 determined the contractors have the necessary controls in place.
20:43 - A lot of people have been following the issuance of the CUI FAR case.
20:48 - And right now it was projected to go out to public comment from March to May of this year, but since we’re already in mid-April, we are currently expecting to see a pushback for comment later.
21:01 - Once it is out for comment, we will hold an ad hoc stakeholders meeting that we’ll schedule at the beginning of the public comment period to address concerns and discuss the draft version that will be up for comment.
21:18 - Also, want to encourage everyone to take a CUI marketing trainings that we are offering at ISOO.
21:26 - My colleague, Charlie Wallace, who is CUI trainee to the (indistinct) training every a month or two.
21:33 - And we have announced that on our blog and I’d recommend following the blog for updates on when those are going to be.
21:41 - ISOO issues a training certificate. And to date she’s getting about 5 to 600 industry personnel attending each training as she has been doing that for now over a year.
21:54 - In addition on training resources that ISOO CUI website on this training page has a lot of training videos that the upload easily MP4 format right into learning management tools.
22:08 - And we highly encourage both agencies and industry to take advantage of that resource.
22:12 - That concludes the CUI portion of the update.
22:17 - - [Mark] Thank you. Does anyone have any questions for Evan on CUI? All right, we’re now at the point of the meeting where we ask for NISPPAC members to present any new business they may have.
22:32 - Anyone have any new business to discuss? All right, hearing none, do any other committee members have any questions or remarks before we close out this meeting today? All right, hearing none.
22:55 - Our next NISPPAC is scheduled for October 27th, 2021.
23:02 - I’m hoping to have the next NISPPAC in person, but we will also plan to have it 100% virtual if needed.
23:11 - As a reminder all NISPPAC meeting announcements are posted in the Federal Register approximately 30 days before the meeting, along with being posted to the ISOO blog.
23:26 - All right, with that, I’m going to wish you all a good day.
23:32 - Please stay healthy. And this meeting is now adjourned.
23:36 - Thank you so much, bye. - [Producer] That concludes our conference.
23:42 - Once again, if you have any questions, please forward them to the NISPPAC email address.
23:50 - And thank you so much for using Events Services.
23:53 - You may now disconnect. .