NARA NISPPAC meeting from November 18, 2020
Dec 16, 2020 15:53 · 20223 words · 95 minute read
- [Woman] Welcome and thank you for joining today’s NISPPAC meeting. Let me now turn things over to Mr. Mark Bradley, the director of the Information Security Oversight Office, as well as the chairman of NISPPAC. - [Mark] Thank you very much for your time and introduction. Morning, everybody, welcome to the 65th meeting of the National Industrial Security Program Policy Advisory Committee, commonly known as the NISPPAC. We appreciate your patience as we navigate through these difficult times, this is the second NISPPAC meeting that’s being conducted 100% virtually.
00:31 - At the conclusion, we will provide a survey to find out how this worked for everyone as we did for the last meeting. We’ve incorporated the comments you were kind enough to send along last time. So again, if you have anything else we can do to improve, please let us know. If you’d like to be contacted regarding survey responses, please include your email in the comments box, so we can get back to you personally. If you’d like to receive information on future NISPPAC meetings, my staff is no longer sending calendar invitations; you’ll be able to get all the pertinent information about the upcoming NISPPAC meetings by signing up for the ISOO Overview blog or going to the Federal Register.
01:10 - Please send an email to NISPPAC at nisppac@nara.gov if there are any questions, any problems about accessing that. Might be available, agenda, slides, and biographies can be retrieved by doing a Google search on NISPPAC records on committee activities and clicking the first link. Again, do a Google search for NISPPAC records on committee activities and click the first link and all speakers have slides or biographies. This meeting will be through the phone line only.
01:42 - This is a public meeting just like all of our NISPPAC meetings are that will be recorded. Recording along with the transcript and minutes will be available in 90 days on the NISPPAC reports on committee activities page I just mentioned. We’re planning on a five-minute break during the middle of the meeting, so I will flag that as we move closer to that. But again, by taking attendance for the meeting, the government members first, I’ll state the name of the agency, your agency member will reply by identifying themselves. Once I’ve gone through the government members, I would then proceed with the industry members.
02:23 - After the industry members, I will then proceed to the speakers. Please keep your phone on mute until I have stated your agency. If you do not have a mute button, please hit star six on your phone to mute and unmute. As a reminder, NISPPAC members, speakers, and ISOO should have called on the speaker line not the participant line. We’re also gonna start with a roll call. I’ll start with the ODNI, who is present for the ODNI? - [Kyla] Hi, this is Kyla Power. - [Mark] All right, welcome.
02:57 - You’re replacing Valerie Kerben today, right? - [Kyla] Yeah, unfortunately Valerie wasn’t able to make it today. - [Mark] Not a problem, okay, thank you. DoD, who’s representing you today? - [Jeff] Good morning, this is Jeff Spinnanger. - [Mark] Hey Jeff, how are you doing? - [Jeff] Very well, sir, and you? - [Mark] Good, just like you, okay. The Department of Energy, who is representing you? - [Tracy] Good morning, this is Tracy Kendall. - [Mark] Morning, Tracy, all right, NRC? - [Chris] Good morning, this is Chris Heilig. - [Mark] Hey, Chris, DHS? - [Rob] Hey, good morning, this is Rob McCray here. I am replacing Mike Scott.
03:45 - - [Mark] Okay, hi, Rob, welcome, DCSA? - [Keith] Keith Minard, good morning. - [Mark] Hey, Keith. CIA, okay. Again, please, CIA? Anyone from CIA on the phone call? All right, there are not, all right. Department of Commerce. All right, Department of Justice. - [Christine] Good morning, it’s Christine Gunning and Kathleen Barry. - [Mark] Hi, Christine, Kathleen, NASA? - [Ken] Good morning, Ken Jones here. - [Mark] Good morning, NSA, National Security Agency. - [Shirley] Good morning, Shirley Brown.
04:38 - - [Mark] Hi, Shirley, I’m gonna slip over here, hold on a second. Department of State? - [Kim] Kim Baugher, good morning. - [Mark] Morning, Department of Air Force? - [Jennifer] Jennifer Aquinas here from Air Force. - [Mark] Morning, Department of Navy? - [Randy] Good morning, Randy Acre from department of Navy. - [Mark] Hi, Randy, Department of the Army? - [Jim] Good morning, Jim Anderson Department of the Army. - [Mark] Morning, Jim. I’m gonna turn to the industry members.
05:17 - Heather Sims, are you present? - [Heather] Good morning, Heather Sims. - [Mark] All right, Dan McGarvey. - [Dan] Good morning, I’m here. - [Mark] Dennis Arriaga, are you here? - [Dennis] Good morning, sir, Dennis Arriaga, here. - [Mark] Good to hear from you, Dennis. Rosie Borrero? - [Rosie] Good morning, Rosie Borrero here. - [Mark] Okay, Cheryl Stone? - [Cheryl] Yes, this is Cheryl Stone. - [Mark] Great, hi, Cheryl, Aprille Abbott? - [Aprille] Yes, good morning, Aprille Abbott here. - [Mark] All right, Derek Jones. - [Derek] Good morning, Derek Jones is present.
05:55 - - [Mark] Ah, great, Tracy Durkin? - [Durkin] Hi, good morning, Tracy Durkin present. - [Mark] Hi, now I’ll do a quick roll call for our speakers, all right. William Spitzau, are you here? Well, let’s hope he shows up, all right. Stacy Bostjanick, are you here? All right, Gary Russell Hunter? That’s just an inauspicious start for our speakers. All right, Devin Casey? - [Devin] Good morning, Mark. - [Mark] Hey, Devin, thank God.
06:35 - You kept me from going 0 for 4, Donna McCloud? - [Donna] Good morning, Donna’s here. - [Mark] Right, all right, Selena Hutchison. - [Selena] Good morning, everyone, I’m here. - [Mark] Great, lovely. All right, is anyone else speaking during the NISPPAC that we have not heard from or I don’t know about? Please speak now. - [Keith] Mark, this is Keith, missed the retrial. - [Mark] Yeah. All right, thank you. All right, we’ll keep our fingers crossed as we continue on here. All right, we’re expecting this to be a fairly large audience, I think last time we had over 800. Because of this, we will not be taking questions, please email NISPPAC@nara.gov with your question or questions, and someone will get with you offline. Somebody from my staff. Only ISOO and NISPPAC members will be authorized to ask questions through the meeting.
07:41 - We request that everyone identify themselves by name and agency, as applicable, before speaking each time for the record. As I said, this meeting is recorded, so it’s important that we’re able to match the speakers up with the questions or comments. Again, as I always do, I want to remind government membership of the requirement to annually file a financial disclosure report with the National Archives and Records Administration’s Office of General Counsel, the same form for financial disclosure used throughout the federal government. So, if you need Form 450 satisfies reporting the quorums. You’re not being has to do this twice. We have several changes to the NISPPAC membership I want to bring to your attention.
08:19 - Now, we’d like to welcome Matt Lows as we go. As the new alternate representative from the Defense Counterintelligence and Security Agency, he’s replacing Carl Hellman. We’d also like to welcome Felicia Gess along with her alternates, Michelle, Caroline and John Kiesling from the Central Intelligence Agency. Mike Scott, the primary with the Department of Homeland Security has left us. He’s been replaced by Robert McCray. Mandy Acres, the alternate with the Navy will be leaving us in about a week.
08:48 - Replacement for him has not yet been named. We are also welcoming our two new industry representatives to the NISPPAC whose terms started October 1st, 2020. Derek Jones and Tracy Durkin replacing Bob Harney and Brian Mackey. For those departed members, thank you all for your contribution over the years, we look forward to continuing the work you’ve done with the new representatives who I’ve just named. As a reminder, the agenda, slides, and biographies for speakers are located on the NISPPAC reports on committee activities webpage, all right, Greg, I’m gonna turn this over to you, you’re gonna address status of action items from the July 15th, 2020 meeting. - [Greg] Okay, thank you, Mr. Chair.
09:31 - This is Greg Pannoni, good morning, everyone. First, the NISPPAC minutes from the last meeting, those were finalized on October the 10th and they’re posted on the ISOO website and then we had four action items, so the first was for industry to provide instances of delayed processing of National Interest Determinations, otherwise known as NIDs by Cognizant Security Agencies and Offices also known as CSAs and CSOs. This is considered closed due to the elimination of the NID requirement for a substantial majority of otherwise affected NISP contractors, this was fomented by section 842 of the National Defense Authorization Act of fiscal year 2019 that removed this requirement for entities that were under the National Technology Industrial Base. If their FOCI emanated foreign ownership control or influence emanated. (indistinct) - [Mark] please mute your phone, whatever that is. - [Greg] Sorry about that, folks.
10:52 - So anyway, that was action item number one. Action item number two was that ISOO would convene a NISPPAC NID working group with industry representatives. A government-only meeting occurred on September the 16th, the next working group is scheduled for December 9th and it will include industry representation. We’ve also decided to rename the group to the Foreign Ownership Control or Influence group or FOCI working group to be more representative of the issues that we’re discussing, it’s not just about NIDs. Action item number three concerned DCSA’s Industrial Security Letter, also known as an ISL, on insider threat.
11:40 - The ISL is in the process of internal formal coordination at DCSA with their Office of General Counsel. Once promulgated, that will replace ISL 2016-02 and DCSA will engage with cleared industry through the NISPPAC to update tools, resources, and required training. And then action item four was to schedule another insider threat working group meeting. This action is considered closed as the meeting was held on September the second. Do any NISPPAC members have any questions about the status of action items? Okay, well hearing none, back to you, Mr. Chair.
12:28 - - [Mark] Thank you, Greg, for that summary, at this time, I’m pleased to introduce, we’re gonna go to our speakers and give an update. First on the block is Jeffrey Spinnanger, the director for critical technology protection for the Office of the Under Secretary of Defense for Intelligence and Security. He will give us an update on behalf of DoD as a NISP executive agent, Jeffrey. - [Jeff] Thanks very much, Mark. Good morning everyone out there. Happy to be joining you today. Honestly, I’m not sure when it happened in my life that I’ve ever wished to make the trek up to Washington DC, but I wish I was there right now for sure. The importance of this forum and frankly, the opportunity for the candid discussions that happen before and during the breaks, and after, I miss tremendously.
13:23 - Basically, it’s an opportunity for people to help me be better at my job, and I look forward to getting that kind of guidance again here in the future God-willing. So with that, thank you again for the opportunity, we’ve adapted pretty well in the department, I think, and across the Federal Government to this operating environment that we find ourselves in. And since we were all last together, there’s been quite a bit that’s happened that I think is notable. First and foremost, I’m just gonna read a short excerpt from a Department of Defense policy document. So, if you’re students from this, I know pretty much everyone on this call largely is that our acquisition partners under the direction of Ms. Moore,
14:13 - the Under Secretary of Defense for Acquisition and Sustainment undertook just a Herculean effort to address the way acquisitions happens in the Department of Defense and to be more agile in those endeavors, and out of that was born something called the adaptive acquisition framework. And if you’re not familiar with it, I highly recommend that you become familiar with it, because it’s frankly, the anchor point on which much of certainly what we think about here within the Industrial Security Program. The capstone document within all the myriad policy that relates to acquisitions, and by myriad, I mean myriad, is the guiding directive, what we’re gonna refer to as the 5000.01. And so, very brief excerpt from there within the 5000.01 is under the subheading of develop and deliver secure capabilities.
15:11 - Cybersecurity and protection of critical technologies at all phases of acquisition are the foundation of uncompromised delivery and sustainment of war fighting capability. Now, that’s not new, some of that lexicon, some of the verbiage there is not new to this audience, this idea of uncompromised delivery has been something that grew out of what was VSS in my former boss, Mr. Stevens, as we give him credit, I’m gonna decide whether he’s Ben Franklin or Thomas Jefferson in that scenario, maybe both, but the concept has grown into a thing, and the importance of the partnership that we see emerging here with this kind of renewed partnership that I should say that we see with our acquisition partners here, putting that in a directive, making that official Department of Defense policy really reinforces maybe what most in on the call today know, and that is that the protection of critical technologies, the development of those technologies, the delivery and sustainment of those technologies is a team sport. And for everyone here, again, kind of obvious, but I still think there’s repeating the center of how that all happens and begins is the Industrial Security Program. And so it’s interesting for all of the focus on kind of the challenges that we see here and this idea of the rise of great power competition that we need that reminder, but I think it’s very, very important, and I thought it was definitely worth calling out.
16:53 - A policy was issued in September of this year, if any of you who were former government officials know what it’s like to issue par policy within any agency, it’s a super fun time, like going to the dentist without the benefit of Novocaine. So, all that to say that the importance of the NISP has never been greater because when we get to this idea that security, cybersecurity and protection are the foundation of that, right? So, well, the most important component of that foundation, of course, is the Industrial Security Program, and I think that that’s gonna be I think further exemplified has spent some time since we’ve had a senior acquisition official from the department that brief and NISPPAC us. I was thinking back, Mark, and I think, maybe I’ll be wrong here, but I’m pretty sure Brett Lambert, I remember him coming once or twice back a long, long time ago, but, I think just as a forecast of things to coming to progress rest of the briefing. So, if the Industrial Security Program is as important as we all think it is, then that brings us kind of center stage to the NISPOM. And so for those of you who, as I’m sure all of you know, that we’ve been working the rewrite and reissuance of the NISPOM for quite some time, and we are in sight of our goal, that’s really the bottom line up front to get to what’s called an interim federal rule.
18:24 - And so, I described earlier the joys of issuing policy within a defense agency, that is now second to the real joy, which is issuing federal policy for the Federal Government. And so, I hear a little bit of chuckling, I think that might be you, Mark, and so we’re doing this the first time, I got nothing. It is a challenging, challenging endeavor, I think that would be the way to describe it. We went into the 60-day comment period back in the latter part of September, and we’ve been back and forth kind of receiving comments from many folks and agencies that are represented here today. And presently, the NISPOM is back with the Office of Management and Budget.
19:19 - It would be foolish of me to forecast that success is imminent, but all I can say is that all of the things that need to happen to get to success are continuing to happen. And so I will say that we remain cautiously optimistic. However, timelines would be if an interim federal rule is ultimately granted, that will happen sometime, we believe before the end of the calendar year, if an interim federal rule does not happen, then at some point, rulemaking will kind of go into abeyance, and sometime in the springtime of ’21 of the process, we’ll reset some and we’ll move forward again from there. And so, we’ve got rabbits’ feet and all kinds of trinkets and good luck charms out there to try to think that we’re still on the glide path to get the interim out, and we’ll see where that leads us. So, that’s that. Couple other things I wanted to push out. So again, since we were last together, the department of Law is a very public, what we called an OPSEC campaign.
20:35 - The secretary just leaks and just all kinds of things that had occurred that had frankly frustrated the secretary and think of many of his predecessors, and he had sort of a watershed moment and said, okay, enough is enough, we need to kind of get back to basics, and that’s exactly what this campaign in its essence was, it was a reminder of things that, again, most of folks who are security professionals, which is probably the vast majority of folks on this call. There wasn’t anything, any cosmic revelations there except one and that was at the highest level of the Department of Defense, there was a call to action to kind of tighten our seals and get it together. And so, again, just in keeping with, as I mentioned before on the acquisition side from the 5000, the department in its issuances, if you hadn’t seen it and I hope that you did, right? But the department put out a very short notice and the DoD remains committed to transparency to promote accountability and public trust, however, it is important to emphasize that unclassified information is not publicly releasable until it is approved, or at least by an appropriate authorizing official. And as an exemplar of that, those of you who have visibility on our slide can see that we went through and we have the clear for open publications. These are processes that existed, I’m sure there are variations on these processes across all agencies, but not hard to do, but speaking with a uniform, and so that we’re level set we’re accurate in what it is that we’re intending to put forward and put out there, and we do so through the official processes, that’s something that we really wanted to be able to say as being very, very important.
22:34 - And mostly, with kind of an eye for this, the concept of accountability here, right? And that accountability, I didn’t realize that the vast majority of folks on this call are not government officials, but it was a reminder to government officials that accountability begins with the person that you’re looking at in the mirror. So, it begins within the government and then makes its way out, and that that is basic hygiene things, marking, obtaining release, all those internal hygiene components that the secretary expects to see. And so, with a nod to the folks on the CUI into this agenda later in the day, you’ll be pleased to know that the executive secretary of the Department of Defense will not process a package for signature by the secretary or the deputy secretary that is not properly marked in accordance with the DoD issuance on controlled and classified information. So, that’s pretty good from March ’til now, that took place in about the beginning of October of this year, and that’s been really great. So, everybody know I named Michael Russo who runs the CUI program for us.
23:50 - And so, there’s a lot of learning by doing going on. And finally, then I really wanted to kind of talk a little bit about where our priorities lie for this year. I know 842 will probably come up again. Greg mentioned it this morning, 842 nests with 847, we couldn’t say enough about how much we appreciate the importance of the NISPPAC to get us to where we are today. The patience of industry, the persistence of industry, the facts and data that came from industry and frankly, the open-mindedness of our partners, particularly in DOE and DNI to get us to where we are today with 842, I think it’s really quite good, I mean, it’s incumbent on us to kind of examine what it took to get where we are and then we’ll use that as a springboard as we start to think about and move forward on 847 and the broader concept of folk guide, which again, I think you’ll hear about among later speakers in which we cannot underscore the importance of the working group process and the transparency that the NISPPAC affords us to get to where we need to be on this. And frankly, that’s a nod to the last bullet on my slide there where you have SCIFs and setbacks, and so, again, the staff enterprise folks, the director of DoD Safco, are undertaking kind of a broad initiative for which a number of attendant security processes are a part.
25:29 - And so, it’s not for mine to speak on those elements of the broader objectives of that. Those of you who do a lot of work with the DoD special programs are probably becoming aware of that. But for us, I put SCIFs and setbacks out there, that has definitely been something that has risen up in the era of COVID, it’s been out there for a long time, a couple of jobs ago, I remember this being an issue, and it continues to be one today, but with an eye for how we got to where we needed to be with respect to National Interest Determinations, I wanted to put that out there, one, it’s a priority for us to kind of work across and two, to say that getting the right data, getting data in cooperation, collaboration with industry will help us to make the right decisions, and both with those for which we have control within the department and those for which frankly, we’re gonna need assistance in collaboration, cooperation across the other CFAs. And so, we look forward to that moving forward as the year progresses. And with that, Mark, I’ll stop right there and thank you very much for the time.
26:39 - - [Mark] Anybody have any questions for Jeffrey? Any questions for Jeffrey? All right, thank you, Jeffrey. All right (indistinct) Yeah, sure, it was very comprehensive. I’m pleased to introduce now, William Lietzau, director of the Defense Counterintelligence and Security Agency. After Bill is done, we’ll have some questions I’m sure, hi, Bill, please. - [William] Hey, thanks very much, Mark, and I appreciate the invitation to talk.
27:36 - I think this is my first opportunity to address the NISPPAC certainly as a director of DCSA. I can’t remember what the conflict was during the July meeting, but I am certainly pleased to be able to be here today, talk about some of the things going on at the CSA, I think I’ve got a couple slides. So, if you have access to ‘em, if you just turn to the one that’s at least in my deck, I got my name on one that’s probably not worth pausing on, but if you go to the next one, it’s just a graphic depiction of what’s happened in the last year or so. I know I’ve had a chance to speak to a number of the MOU groups that are part of the NISPPAC, but so there could be a little bit of repetition for some of you, but for the NISPPAC in general, I think it’s worth just pausing to reflect on the fact that DCSA has been undergoing a lot of change any way you look at it, we all have, everyone who’s dealing with COVID right now, this will be a special year on anyone’s calendar, changes the way we do business in lots of different ways, but it kinda got piled on top of pretty massive changes. You could say changes to DCSA, but really it’s changes that created DCSA as this slide kind of depicts in the two bottom corners, left and right, you have the two October 1 transfers, one a year ago, and one just a couple of weeks ago.
29:16 - A year ago was the big numbers of people and dollars where if you were to technically look at it as a lawyer might, really what happened is Defense Security Service acquired other components and changed its name into DCSA, and in that regard, it went from an 800-man, $800 million organization, into a 12,000-man, two and a half billion dollar organization. And then there’s other metrics that you can see there, 167 field offices around the country and things like that that were added to it a year ago, and there’s been a lot of transition, as you can imagine, whenever you do that. More mission sets were added just a few weeks ago. The NBIS program came over from DISA. DIS came over from DMDC. You see the polygraph school from DIA, you just talked about it, well, Jeff just mentioned the SCIF accreditation. Well, actually, I don’t know if he did mention SCIF accreditation, but he did mention SCIFs, and in fact, just days ago, the Under Secretary of Defense for Intelligence and Security, Joe Kernan, just before he left, signed out a memo shifting that mission over to us and several other IT systems.
30:46 - Some people don’t realize for instance that yes, we took NBIB from OPM a year ago, but a few weeks ago, a legacy IT system that goes back to 1984 when it was first put in place and yet this was the one that was hacked into by the Chinese a few years back. That also came under DCSA’s cognizance in the last few weeks. So, if you just look at the transfers themselves, all of those different organizations and offices that are kind of depicted graphically on that slide have come together to form what’s really a new agency DCSA, really just kind of finishing up its first year of existence in only the first few weeks with all of these mission sets together. So, even if there wasn’t COVID, we would be undergoing a lot of change. And if you go to the next slide at least on my deck, it says slide three, you see a fairly common representation we use just kind of a way of graphically depicting the transformation that DCSA is going through.
32:00 - We kinda have it separated into phases, a transfer phase where we’re bringing in the different components, a transition phase, which is the same kind of integration that every company goes through when it has mergers or acquisitions, government agencies do the same thing. And then kind of a larger, more profound transformation phase, which is designed to make DCSA be the implementer that everyone on this call would want it to be if we were gonna have the kind of personnel vetting that you would want the United States government to have if you were gonna have the kind of industrial security that we would want the US government to have, basically, that’s bringing us solidly into the 21st century with the appropriate innovation and optimization of the different components to what DCSA does so that we’re putting it all together in a way that best protects our security. And that’s kind of so I guess my main point would be, we are in a timeline where we have completed most of the transfers, there’s a few more things that are happening a year from now. We’re in transition, I think we can go one more slide, I’ve asked them to put out there my transitional organization chart. And then we’re in the thick of transformational efforts right now as a new organization.
33:50 - I guess, before I get into how specifically we’re transforming, I would like to just pause for a minute to reflect on the last year, a little bit of bragging on behalf of my agency and the people who work at DCSA, because I would say that it’s difficult to change, everyone knows that, change management is one of the most complex leadership challenges that people have. In this case, we’ve got all this change happening while going through COVID, I think for those who were around my change of directorship with Charlie Fallon took place here in the conference room at DCSA in Quantico where I am now. And there was maybe three or four people in the room, and we didn’t even shake hands, I think we touched elbows ‘cause COVID had just started. So, it was already difficult on the agency, it became more difficult, but during this period, the way I often describe it, and probably some of you were on a call yesterday with our stakeholders where I did it that way, where it’s like we’re in charge of changing the engines in this airplane while it’s flying, we’ve got to keep our missions going, our industrial security mission continues, our personnel vetting mission continues, we’ve gotta continue flying the plane, but we need to change it from a turboprop into a jet while we’re flying it and make sure we don’t lose altitude while it’s happening. So, that’s what this team has been doing, and that’s kind of what I mean by wanting to brag about the work they’ve done, because during this year of pretty substantial transition that’s been going on, our background investigation team has further reduced its inventory from what you all know at one point was a 725,000 case inventory and is now hovering around a steady state, 200,000 cases.
36:02 - You know we were looking, I’m sure everyone on this call is familiar with the amount of time it took to complete an investigation to get a top secret clearance or a secret clearance, nowhere near our up to timelines yet in the fourth quarter of FY 20. During COVID, we actually, for the first time in I think about eight years, hit the T5 80-day opti goal for a top secret clearance, we’re hovering around 55 days right now for a secret clearance and our adjudication facility, the consolidated adjudication facility, which handles about 89% of all of the adjudications in the US government, they had a fairly significant back log a year ago as well. They’ve reduced it to a steady state and they’ve fallen well within all the optid timelines of under 20 days in some cases hitting 10, 11 days for a top secret clearance. So basically, while the transformation’s been taking place, the guys who were actually doing the work out there at the pointy end of the spear have been keeping the mission going in a way that I couldn’t be prouder of ‘em. That’s just the background investigation when I mentioned, obviously you’re familiar, the kind of heart of the agency, our industrial security mission that reaches out into all the others has also been making massive improvements during the same timeframe.
37:40 - You know, our FOCI mitigation assessments are being done in about a 40% shorter timeframe than they were, same is true with our facility security clearances, of course we’ve had challenges with COVID and everything, but at the same time, we kept up that processing and are improving also the kind of the level of sophistication of the vulnerabilities that we’re looking at. Part of that as I think a lot of you know, as you’ve heard in the past, things like DSS in Transition and Rizzo and things like that that have not always, from my understanding, been received with enthusiasm for good reason, but our attempts to change for good reason too, because we’re moving from a vulnerability system that was kind of checklist-based where we’re simply looking at vulnerabilities, we call ourselves the gatekeepers, we’re essentially looking at whether the walls in the gator and on a firm footing, and we’ve moved into a 21st century where we’ve got a much more sophisticated threat and we cannot just simply look at a checklist vulnerability kind of assessment, we’ve got to look more specifically at the threats, ‘cause they’re already inside the walls if you will. They’re behind the gate already, and in that regard, we have a counterintelligence capability that has been blossoming in recent years. I could get similar performance metrics for them if we wanna do, they’re about three and a half percent of DoD’s counterintelligence assets, but we’re producing about 40% of the IIRs associated with emerging and disruptive technologies. They’ll probably produce about 6,000 IIRs today, about 20,000 raw industry reports, that’s something that wasn’t even really happening a decade ago.
39:45 - And then our training mission, CDSE, we also have a national training center and of course the polygraph school we just adopted. Similar situation there, during transition, during COVID, they didn’t really ratchet back the work they were doing. In fact, we’ve probably this year tripled the number of course completions as you can imagine during COVID, one of the things you can do is take online courses. So, there was a much bigger demand signal put out to our CDSE team and they responded by stretching all of our IT systems to the limit as they move forward. So anyway, a lot of great work has been done by the agency, my goal will be to keep all of those trajectories for our mission areas while also transforming the agency into what you want it to be, and there I have a new office called the chief strategy officer or chief strategy office.
40:53 - It absorbed what was previously, some of you heard of a personnel vetting transformation office, I was involved in that before I came in as the director here and that office, we have a number of objectives that we’re using to move forward and basically having a greater customer focus, coming up with an operating model that’s more efficient, that makes sense, continuing kind of better optimizing or leveraging of technology in innovation and then kind of optimizing the organizational efficiencies we ought to be able to get by coming together. That team is working through the transformation initiatives that are gonna take us to where we need to be, and there’s another component to it, I should just pause for a second ‘cause I know it is an area of concern across the organizations represented in this meeting and that is some of the IT architectures, you’re familiar with the legacy IT, probably doesn’t give a lot of heartburn to most of the people on this call. That’s because you don’t know what I know about the vulnerabilities of that architecture, and it’s probably the one that gives me the greatest heartburn. OPM was the plan originally a year ago was that OPM would continue to run the legacy IT architecture, PIPS, it’s sometimes called that’s just one of 80 some components to it, but your taxes are paying about $150 million a year to keep that thing up and running. And OPM recently told us they weren’t going to, they just weren’t staffed to be able to keep it running in spite of the original agreement. So, DoD had to adopt it on October 1st.
42:56 - Now ideally, we wouldn’t need it anymore, because I think what you’re all familiar with is NBIS, we’d probably need a new name for that. National Background Investigation System was supposed to be up and running to replace the legacy IT system. It’s not, it won’t be able to replace that legacy IT system in the immediate future, so right now we’ve gotta keep both of them running. We also just adopted the whole NBIS program management office on October 1st of this year, some of you have heard about that program. I think in some ways, some of the advertised capabilities that it was gonna provide were based on the kind of technological development as opposed to an operationally relevant capability, and in that regard, some of the promises, some of the expectations were more sanguine than they should have been.
43:55 - One of the first things we did and it was taking place as I was taking over as director was a re-baselining of the NBIS program, trying to get some realistic expectations on the street, and a more thorough coordinated, integrated master schedule that would be capabilities based so that we could actually start sunsetting the legacy IT structures while we were building NBIS. And then also building it in such a way that we could factor in the new Trusted Workforce 2.0 requirements of continuous vetting that included some high side capabilities that weren’t originally factored into NBIS. So, that’s kind of one of the big moving parts, and then the one that I think has a lot of people understandably concerned, it was brought to my attention. I think, Mark, you might have signed that letter from ISOO, I’m not even sure, but I certainly got a wake-up call soon after coming in as director when there was concern expressed from our industry partners that the DISS capabilities weren’t quite up to where they should be before we’re ready to sunset JPAS.
45:05 - And so, we took a hard look at that, and in fact, I came to the conclusion that the concerns were well-placed and we’ve recently just adopted the DISS program from DMDC and other DoD components a few weeks ago, and we have done a pretty hard look at that and come up with a gap analysis and a kind of set of criteria that we’re gonna use before we sunset JPAS. Right now, I think technically it is still scheduled to sunset on December 31st of this year. I am pretty certain that it will not be sunsetting there, we’re going to probably be extending that. In fact, I have a meeting with the new undersecretary of defense for intelligence and security tomorrow, and probably will raise that issue with something, we’re just gonna have to change that target date so that the chalk line that we were snapping at one point was a date based kind of a calendar chalk line, it was originally gonna be October 1st, I think, and then it moved to December. It’ll now be a capabilities based chalk line, but we are gonna have to move forward fairly soon as we try to get our IT architecture up and running to support the new DCSA submissions. Now I’m getting to the end of the time.
46:32 - So, let me ask you to just turn to that last slide, the fourth slide. This was just recently done. What this is, is the transitional organizational chart, you had org charts for many of the different components and NBIB had its own org chart within OPM, DSS had an org chart, the CAF had an org chart, we have various offices that have joined. Like every major organization, we will undoubtedly be reorganizing again in the future. What I have here though, is kind of a transitional org chart. On day one a year ago, Charlie Fallon and I agreed that the thing that made the most sense was to put together an organization that caused the least disruption and change to the ongoing missions at that time.
47:26 - At some point where now the transformational organization that kind of integrates the missions better, this is what I’m calling the transitional organization chart. The bottom row is what’s most significant, these are our mission areas. Obviously, the pointy end of the spear are regions and field offices, they don’t dwell on those very much here, they’ve stayed the same, we have not merged them yet. We have slightly different regions and office locations in the personnel vetting space that we have in the industrial security space and in counterintelligence space, I broke out counterintel so then you move one line up and you see that what I’m calling the seven kind of major mission areas of DCSA. These would be the assistant director level leads, and I broke out counterintelligence from what was then seen as a larger critical technology protection.
48:21 - Next one over, it’s called critical technology protection, that’s really where your industrial security sits, and I will admit that I almost changed its name to industrial security when we came up with this transitional org chart, but I got enough internal pushback that will let it ride for a while, but that is where a broader, what I conceive of is a broader industrial security set of missions resides primarily. Background investigations you’re familiar with, but for a brief period, it was a much even a bigger organization called personnel vetting, but we’ve broken it out to be product offerings. Background investigations is probably manpower wise is the largest part of DCSA. Adjudications is about 600 people, adjudicating mostly for DoD, and most of the people on this call should be familiar with the VROC, which is also why we left that name in place, but the VROC is kind of mixing the industrial security component of personnel vetting, but it’s also where we’re doing the most change right now with respect to continuous evaluation, continued vetting, and new products on the street that can be used by the 120 odd agencies that we support as well as industry as we’re looking at moving into a continuous vetting framework, DMDC you’re familiar with in looking at a clock, training I’ve already spoken of a little bit. These are our major mission areas as you look up, these are the support elements are up above, I will say the program executive office, which is what houses NBIS right now.
50:05 - That’s a little bit more than a support element in that if you really look at the mandate for NBIS, it provides an architecture that can be used by other investigative branches within the US government, not just by DCSA and the agencies that we support, so it’s got a little bit of an outward facing component too. That’s the big picture of where we sit today, we’re in the process of continuing to transform this organization, but to try to keep the missions going as we are. And I’ll pause there, Mark, because I do wanna leave room for any questions that someone might have. - [Mark] Sure, thank you. So please, anyone have any questions for Bill? I can’t imagine that they don’t. Bill, you just did such a superb job, I guess you answered all the questions.
51:06 - (indistinct cross talk) - [Greg] it’s more just for future planning, looking at the DIS and by the way, fantastic, kudos to all of you, Bill and everyone at DCSA for what you’re doing. - [William] Absolutely. - [Greg] The transitional organizational chart, can’t help but notice the rest of the world is overlaid there or underlaid, and forgive me if it’s already in existence, there was a time when DSS, DIS had a presence in European and Asian theaters. And today, of course, global is more than ever, and many of the folks on this call are with companies that have global presence. So, the question is simply is there a plan in the future for DCSA to establish a presence, either Europe, Middle East, or virtually anywhere in the world? - [William] Hey, thanks, Greg, that’s a great question, and that’s actually one of the things we are looking at now. The presence that I think you’re describing from the past, the history that I’ve learned upon coming here is accurate, to some degree that’s been pulled back and it’s supported from headquarters here.
52:29 - We do still have, now what’s interesting is as we merge the mission sets, I do have a background investigation presence that’s overseas, still overseas sitting there, but even that has ratcheted back a little bit during the COVID situation, so I didn’t talk too much about some of the changes that COVID brought about other than just bragging about the fact that we kept the mission going during COVID without too much of a hiccup, but you can imagine there were a number of hiccups, we did a lot of passing out of laptops and software that needed to replace some of the in-person things that were taking place, paper copies of things that we made more rapid, the shift from paper to if you were to visit Boyers, Pennsylvania, a year ago, you could’ve seen acres of file cabinets that looked like it was coming out of an Indiana Jones movie where the Ark of the Covenant was there. And those file cabinets are now gone and they’re replaced with electronic records. That’s a good thing, so all that’s a good thing, but part of it is the work we were doing in interviewing targets and the people we interview, I’ve lost the name for it, but those people over in Europe, a lot more of it was done by video conference and teleconference, and we’re looking at how we wanna go forward. I think all of us have learned things during COVID, we’ve learned about teleworking and where the limits are to what you can and can’t accomplish, but certainly our presence in Europe has reduced both on the industrial security side and on the personnel vetting side more recently, and we’re gonna look as we look at the operating model going forward, we’re gonna look at what makes sense for the future. - [Greg] Okay, thank you, appreciate it. - [Mark] Yeah, very good. All right, anyone else have any questions for Bill before we come to our next speaker? - [Dan] Oh, yes, I do, this is Dan McGarvey from NISPPAC industry and Bill, this is without a doubt, very impressive, and obviously very challenging.
54:54 - I would say that you’re not just rebuilding an airplane, you’re almost like rebuilding a city. One thought I had, as you go through your transformation process, it’s been noticed that it talks about an operating model implementation roadmap. It would be terrific if at some point in time, you could share that at least with NISPPAC industry as you move along so that we know where DCSA is going, and also where we could help in terms of supporting your different initiatives that take place, because you’ve got on your transition piece, transition for two and a half years, transformation two and a half years. And even though it doesn’t give a specific date, it looks like somewhere along the lines of maybe 2025 or something like that, so understanding where you’re going would really help us. But once again, it’s been a terrific presentation, thank you.
55:53 - - [William] No, thank you, Daniel, I appreciate the comment. And I also appreciate the request, I wanna pull back the 2025 to maybe 2024 and treat that first year as if it’s already gone by just ‘cause I keep, it’s funny, as you said, it would be good to see the implementation roadmaps. I’m sitting here in my office saying, yeah, I wanna see that out of my CSO office this afternoon too, ‘cause they wanted to delay the meeting yet again, and I said, no, we’re gonna do it today. So, obviously it’s not ready for prime time yet, it’s a work in progress, it’ll be iterative, it has been, but that’s a great point, we are getting close to having a more kind of a reticulated plan in place that we could share, and I will keep that in mind and we’ll find a way to, in the kind of public facing charts, like maybe this transitional org chart, we could also put a high level implementation plan in place, because that is the next step. But it is a one that right now, if you were to say, “Hey, could I look at that plan?” I’ve got several of them on my desk and none of them are quite right yet, but thank you, we will get there.
57:19 - - [Kim] Hi, this is Kim Baugher from State Department. I just wanna thank you for saying that you had thought about calling the program, keeping it industrial security ‘cause from someone who’s been at it for many, many years, I was a little disheartened when I saw the boxes yesterday and didn’t see the words industrial security, ‘cause it’s a program close to my heart. So, I’m glad that you struggled with that, and I know it encompasses a lot more than just industrial security, but I was just kind of glad to hear you say that, so thank you. - [William] Thank you, you’ve just encouraged me too, because depending on how you define industrial security, I personally think that’s broad enough that it could capture everything we do in critical technology protection, but there are people here who have different opinions on it. - [Kim] I would be on your side on that, okay? ‘Cause I’m an old person that doesn’t like change, but thank you though. - [William] All right, well good.
58:15 - What we’re obviously trying to do is because this is such a big, you know, the transformation as was just described, goes out a number of years, this isn’t one of those kinda changes where you can rip a bandaid off and just do it all at once, we’ve gotta phase it. And so really it was a question of all right, we’re gonna do so many changes on this kind of phase, but when we start implementing the op model, that’s when we probably will kind of nail down what our various organizational components are called. - [Kim] Thank you. - [Mark] Anyone else have a question for Bill? All right, Bill, that was an excellent presentation, and it’s good to know that you’re there during these tumultuous times and making some real progress and we couldn’t be happier the way that you run things, so keep it up, okay. All right, next speaker? Sure, no, no, my pleasure, next speaker will be Stacy Bostjanick, director of cybersecurity maturity model certification policy, Stacy. - [Stacy] Hi, good morning, how’s everybody this morning? I don’t know, did we send you guys a flight? I don’t think so, it doesn’t look like it, so I’m here to talk about the cybersecurity maturity model, I think everybody is fairly aware of why we’re doing the cybersecurity maturity model certification.
59:46 - And so, I was gonna give you an update as to where we stand. So currently, we have moved into from possible making into an interim rule, which will become effective 30 November. We are in the public comment period, I think we’ve had like 36,000 views. I think right now we’re up to about 35 or 40 comments. And so, come November 30th, the interim rule will be in effect, which means we will be in a position to include CMMC as a condition of award.
00:26 - Ah, here we go, okay, so we do have slides. All right, so if you looked at the slide that we’re on now, we’re talking about the interim rule. So, as of November 30th, we can include the CMMC in select acquisition programs as a condition of award. Now, the one thing that we wanted to talk about was there are several different parts to the interim rule that we’re working with. As you all are aware that till to date, been doing the DoD assessments, which is the DCMA group of assessors that go out and work with companies to either provide them a basic or medium or a high assessment.
01:08 - The basic assessment is in line with what the original 252.204-7012 clause said, which is you need to self attest to the fact that you have a system security plan and a POA&M to be in compliance with the 110 controls required by the NIST 800-171. The medium assessment is where you get on the phone and you talk through your system security plan and your POA&M with the DCMA rep, so they have confidence and comfort with where you are with your plan, and then a high assessment is where they come out and they either come to your facility and do an over the shoulder look. So, they will do an over the shoulder view of what your system looks like and be in a position to validate that the system securities that are in place that you say they are, and they will give you a score with regard to that. So, one of the parts of this interim rule with regard to the DoD assessment requires that by November 30th, all DoD contractors submit their basic assessment in the SPRS database. There’s been a lot of confusion with regard to that, a lot of people are associating that with the CMMC rule, so I’ve been fielding a lot of questions on the SPRS database.
02:36 - There’s a requirement to go into that database, fill out the basic information of your system security plan and your POA&M to get there, and then you have to self score yourself, evaluate yourself as to what score you think you would achieve on the NIST 800-171 and the current DoD assessment methodology and have that in the SPRS database before December 1st. And a lot of the primes are letting the subs know that they cannot have their options exercised on existing contracts unless that information is in the database. So, if you have anybody questioning where you have information sheets that are gonna be on the DPC toolbox website that will give explicit instructions on how to do that. On the CMMC rule, we are gonna have a rollout of about 10 to 15 acquisitions in the first year. We’re currently working hand in hand with the services and the service acquisition executives to identify three to four programs within each service and three or four out of the fourth estate to begin implementation of CMMC.
03:53 - Now, what will happen, can you go to the next slide? Let’s see what I have on the next slide. Okay, so I’ll cut to this in a second. What will happen is as we identify those programs, in fact, Miss Lord’s getting ready to issue a press release with the first three or four programs listed so people can prepare and get ready and an RFI will come out, we have model language that we’ve prepared and gone through in some of our tabletop exercises and our pathfinders that we’ve done, that will be sent out to the acquisition professionals for them to be able to put the proper language in their RFPs and RFQs for inclusion in those contracts. The contractor will be notified, they will be able to submit a proposal. The proposal will be evaluated, and if they are the apparent offeror they will have to have the requisite CMMC certification prior to contract award. Now, if you look at the second slide, this shows you the phasing of how the DoD assessments are gonna be phased over to the CMMC assessment essentially.
05:06 - And you can see it’s a very slow progression, okay? And that the number of contractors that we really anticipate at the CMMC level three is not that high. Okay, can you go to the next slide? Okay. So, I’ve already spoken to this, this is talking about the SPRS information that needs to go in that database and that every contractor needs to have that listed before December one to continue performance on their existing contracts and new contracts as well. Okay, can we go to the next slide? So, this is more explanation of that, I think, the scoring methodology is one thing that has got some people confused. So, this information is very important for different companies to have to make sure that they meet the need for that. We’ll go to the next slide.
06:16 - Okay, so again, these are our pilot programs where we’ve asked each service to provide us three to four programs. There will be managing CMMC level three, which is just basic CUI in the first year rollout, we will not address the higher critical technologies until 2022-23 timeframe. But currently, we’ve got provisional assessors being trained by the CMMC-AB, I think we have about 75 to 100 assessors ready to start working. We’re working on the C3PAOs. Now, those provisional assessors have yet to go through their background investigations, we’re gonna have for CMMC level one assessments, they will have to have a tier one suitability determination; for anything above that, they will have to have a tier three suitability determination, the process, and I’m hoping the gentleman from DCSA is still online, because what we’ve agreed upon is that the CMMC-AB will have an FSO that will work directly with DCSA to process and manage those suitability determinations for those individuals performing the assessment. Those assessors will work with C3PAOs, which are the CMMC third-party assessment organizations.
07:47 - Those C3PAOs will have to have their systems evaluated at CMMC level three, because it is our contention that the assessment information that they will gather when they go out to these companies to do these assessments would be needed to be safeguarded at a CMMC level three and be considered to be controlled unclassified information. Can you go to the next slide? Oh, I guess one thing I wanna make sure I’ve mentioned, that COTS products are excluded from CMMC. They do not require CMMC certification. So, the slide you see here is our rollout plan, we plan to have 15 acquisitions in FY 21, 75 in FY 22, 250 in FY 23, 479 in the last two years, and then after FY 26, all contracts will require CMMC other than the COTS products that are mentioned previously. Okay, can you go to the next slide? Okay, so you can see here on this slide what we talk about is the percentage of companies that we anticipate being level one through five. And it is our contention that about 60% of the DIB will only ever require CMMC level one, which is they’re in receipt of the federal contract information.
09:19 - One of the things that we’re working on with Mr. Spinnanger’s office is to come up with a guide for the acquisition community, because probably the toughest nut to crack is that when you have CUI at the CMMC level three, four, and five, how when you disaggregate that data and you start mapping it through the supply chain, where does it lose the requirement to be CMMC level three? Where is it no longer CUI? And I guess one of the best examples that I can give to illuminate what I’m talking about is the theory went out to TRANSCOM and had to meet with a welder. And he was quite frustrated ‘cause he didn’t realize why he needed to have cybersecurity, he said, “I’m just a plain welder” and when she went to visit him, she said, well, “How do you know what to weld?” And he said, “Oh, they send it to me.” And she said, he had his Apple Mac laptop up on the counter. And she could see his Facebook Messenger blinking and his Amazon delivery popped up while she was standing there, and she said it was an AutoCAD program.
10:33 - And she said, “Can you zoom out on that so I can see what the whole thing is?” She had the entire structural design of one of our tactical aircraft. And she said, well, “Don’t you think our adversaries would wanna get ahold of that? Or get in and change the tolerances or the specifications of your weld so now your quality goes down and you no longer can garner work and it erodes our industrial base? Or how about if he just wants to steal your cage code information so he can redirect your payment to his account and steal your money?” And one of the poignant parts about that is why did that welder have the entire tactical design? If the prime had only taken the time to cut out each weld and send him the necessary information that he only needed to do his job, could he not have been in receipt of CUI and that that would not necessarily have been CUI, those welds, some of the spot welds. So, that’s one thing we’ve gotta work with our program managers and our primes to identify at what point does that CUI when it’s disaggregated from other things no longer hold the trappings of CUI can only be CMMC level one, because it doesn’t make good business sense, we probably can ill afford to have every number of procurements of CUI, CMMC level three, be CMMC level three if I’m just producing a bolt, then I only need to be CMMC level one, and we don’t need to have that contractor go through the expense of being CMMC level three certified. Okay, can you go to the next slide? Okay, so… this again is just a breakdown of the CMMC rollout and where we expect it to be.
12:38 - Can you go to the next slide? And this is a breakdown by entity size, I know we’ve gotten a lot of consternation from the small businesses as to what does this mean to me, and they feel like they have a lot of a heavy lift and expense to become CMMC certified. But if you look at this, I’m not sure that many of the small businesses will ever have to be anything higher than the CMMC level one, and the cost for that is actually fairly minimal. We also have, go to the next slide, I’m not sure if we have it in here. We have a lot of programs right now with Project Spectrum and the NIST MEP organization and the PTACs that will be trained on CMMC so they can provide assistance to these small businesses as well to help guide them through the process, figure out where they need to be and what CMMC level they feel they need to have. There’s also language in the NDAA that talks about a grants program with funding to assist some of these small businesses, but as you all know, we haven’t gotten that approved yet, so we can’t hold our breath on that one quite yet.
13:52 - Can you go to the next slide, please? - [Woman] That looks to be the last slide. - [Stacy] Okay, well, so barring that, I will wait for any questions, I’m hoping I’m like the rest of the people, nobody has any, right? - [Mark] Yeah right. - [Greg] Well, I’ll break the ice again, it’s Greg Pannoni. Again, thank you very much, Stacy, great briefing. And I don’t wanna overplay this, but looking at that last slide that we see on the rollout by entity size, could you amplify a little bit on what the criteria is for what is a small entity versus another then small, or if that’s too much for right now, I guess, because I’m a little confused in terms of whether you’re small or not small, you still could be working on a very significant piece of technology.
14:51 - And I don’t know, I find it very interesting that none of them, as you pointed out, whatever go above a level three. - [Stacy] Yeah, well, so I think that I mischaracterized that if that’s the way you saw it, no. - [Greg] I’m sorry, very, very few would go above a level three, I see there are some in the out years. - [Stacy] And well, so in our rollout plan in the first year, we are only going to concentrate on things that are level three, because our training and our information to the level four and five with CMMC with those highly critical technologies is not mature enough yet. So, we’re only gonna roll out at level three for FY 21, and that was our decision right now.
15:43 - What we have to look at is when you start talking about those things that rise to the level of the CMMC four and five, and they’re associated with the level of criticality of that technology through our research and information where what we’ve determined is not that many companies are actually going to be participating at that high level. Now remember, that doesn’t mean that they can’t participate on the program, but we don’t anticipate that their participation would require them to have a certification at that higher level. The other mainly the primes are doing the work at the big primes on that really critical, highly technical area. Now, that’s not to say that you won’t have one or two, right? And those types of things are going to be levels four and five are gonna be extremely expensive. And we’re anticipating that the costs up to level three will be incorporated in the overhead G&A rates and the indirect rates of the company.
16:56 - When you get to levels four and five, those would most probably be a direct charge to the program just because it is such an expense for the company that they would probably have a very difficult time affording it. So, the program will probably bear the brunt of the uplift from they’ll have to pay on their own to CMMC level three but four and five will be a direct charge to the program. - [Greg] Okay, thanks for amplifying on those points, I appreciate and caught that, that’s where I was going too, thinking about the expense involved in level four and five for those small companies. - [Stacy] All right, now the one thing I did find interesting was there was a group of, and I’m gonna probably be a little politically incorrect, but I’m gonna call them cyber geeks on LinkedIn, and they were lobbying for the CMMC team to move some of the requirements from CMMC level four down the CMMC level three, and we were all snickering because we never expected anybody to say, “Hey, you need to make level three harder.” And I’m quite sure that once we get through the public comment phase, we’re gonna reassess CMMC level three, and it’s quite possible that those additional 20 controls over and above the NIST 110 are gonna get looked at pretty closely.
18:27 - - [Greg] Okay, again, thank you, appreciate it. - [Stacy] You’re welcome. - [Kim] This is Kim Baugher from State Department. At the risk of in front of having the people, throwing my ignorance, I’m just kind of confused by this whole thing, which is on me, but this all talks about DFARS clause, which is DoD, and it keeps talking about DoD. So, I mean, I’m not DoD I’m State Department, non DoD agency. - [Stacy] Yes ma’am. - [Kim] How does this get implemented? And in the contractors that have State Department contracts don’t fall under DFARS, again, I’m (indistinct) - [Stacy] No, no, you’re fine.
19:06 - No, and it makes total sense that you would ask this question. So, to begin with, this is gonna be a purely Department of Defense requirement, and that’s why it’s being implemented in the DFARS upfront. Now, what I will tell you though, is we have a lot of interest across all of the Federal Government and are you familiar with the Federal Acquisition Security Council? Have you heard of that? - [Kim] Yeah, I think that we’ve been involved with them with some other clauses with regards to– - [Stacy] Yes, yes, State Department definitely has a play in the Federal Acquisition Security Council, and that is a council set up to help improve our cybersecurity and our acquisition in supply chain risk management across the entire Federal Government. So, CMMC came into play because we instituted the 252.204-7012 clause, which is DoD only. That said, if you’re gonna handle controlled unclassified information, you have to meet this NIST 800-171, 110 controls in your network to be compliant to handle it, which says you have enough protections in your network, they keep people from stealing this information that we hold as important.
20:31 - So, that came into play at the end of December of 2017; there was an IG review and then a Navy cyber readiness review that went out and kind of said, hey, let’s see how contractors are doing with their self-attestation and the implementation of this clause that they were supposed to do. And they basically found out, sorry, no, they weren’t doing it, they were self-attesting that they were, and they weren’t because they just didn’t understand or they wanted the business and they figured it’s self-attestation, nobody’s ever gonna come look. So, we’ll just say we are when we aren’t. So, as a result of that, a couple of key companies were held to task under the False Claims Act, because they attested that they were compliant when they knowingly knew they weren’t. So, I think it was Aerojet Rocketdyne got hammered for that for about $14 million, and I think Cisco got in trouble for it for knowingly having a vulnerability in one of its products that they never bothered to fix. So, as a result of that, our Secretary of Defense said, “Hey, we need to figure out a plan to be able to get out and start checking that these companies are actually doing what they’re saying they’re doing.”
21:51 - So, the DCMA assessment group, they call themselves the DIBCAC. They began with all the major primes, going and doing these assessments on the basic NIST 800-171, but we quickly realized that they didn’t have the bandwidth or the infrastructure to do all 300,000 companies in the DIB. So, we got together with Johns Hopkins APL and Carnegie Mellon SEI, and we formulated the CMMC model, which is the five levels of CMMC from one to five, one being just federal contract information, which is a requirement in FAR 52.204-21 that everybody across the federal government is supposed to be in compliance with, up to CMMC level five, which is highly technical, critical requirements for highly technical, critical technology, and those requirements include things like a 24-hour SOC. So, it spans the spectrum of what kind of CUI and how sensitive it is that needs to be protected. Now, for State Department, right now it’s as big of a deal for you to pay attention to, but what I will tell you is that there is a lot of chatter across the entire federal government.
23:13 - DHS is closely watching what we’re doing, Treasury we’ve been in touch with, and they’re very interested in adopting CMMC, and then this Federal Acquisition Security Council is also watching, because a lot of people are looking at CMMC as maybe the foundational piece to help our nation’s industry become secure against a lot of these cyber attacks, because if you look across, I think around the world, it’s like $600 billion a year in intellectual property that is stolen, and in just the United States, $175 billion of intellectual property is taken by our adversaries. And I know you’re probably aware that the F-35 has had horrible problems, because we now have an airplane that looks just like it in China, right down to the fact that they have the same problems with the canopy on their cockpit that we do, right? So, they even copied the same flaws that we have. So, CMMC is a stepping stone to buying down the risk and stopping our adversaries from running away with all our data. So, you are correct at the onset, when we roll this out in the next several years, it’s not gonna apply to State Department contractors. Now, if some of your contractors have worked for both DoD and the State Department, then they will be required to become CMMC certified.
24:51 - So, that was a long-winded answer to your question, I hope I answered it correctly for you. - [Kim] Yeah, my technical mind’s a little tired today, but yeah, that’s helpful, because the term DoD sometimes, especially in the National Industrial Security Program, we’re a non-DoD agency, but we’re part of the NISP and our contractors. But like, if we have a contractor that only has State Department contracts, then that wouldn’t apply to them, but if they had State Department and DoD contracts, it would apply on their DoD contracts only then. - [Stacy] Yes, ma’am, yeah, I will- - [Kim] But there is a FAR clause that you gave, that if it’s DFARS, then if State Department ever did it, it would have to be in the State Department’s, which is the DOSAR as opposed to DFARS, okay, all right. - [Stacy] Go ahead. - [Ken] No, I’m good. - [Stacy] Oh, and there is a potential, and I think with the Federal Acquisition Security Council, that it will eventually become a FAR clause.
25:52 - I think everybody’s kind of watching to see how we do, if we fall flat on our face or we do a fairly good job of getting this implemented, then it will probably proliferate, and I will tell you, we’ve had a lot of international interest, we’ve got countries coming out of the woodwork that wanna implement it in their country as well. - [Kim] Okay, thanks a lot. - [Stacy] Oh, you’re welcome. - [Mark] Okay, well, thank you very much for that (indistinct) I think it answers a lot of questions. So again, thank you very much. - [Stacy] Oh, you’re quite welcome, anytime. - [Mark] Oh sure, no, no, no. At this time we’re going to take a very brief five-minute break and then we will resume with our next speaker, which will be from the ODNI, all right? Be back, it is 10:29, so we’ll set 10:34. Okay, and then we’ll resume, thank you. (tranquil music) I’m unmuted now, okay.
32:11 - All right, anyway, welcome back after that five-minute break. Quick admin note is apparently some of our slides and markers aren’t uploaded yet, but they will be, I guess, on our website within 90 days, and if you have any questions, please just reach out to us. All right, with that, I’m gonna turn to our next speaker, from ODNI, Kyla, you ready? - [Kyla] I’m here, thank you. - [Mark] You’re welcome. - [Kyla] Great, thanks, Mark. So my name’s Kyla Power, I’m filling in for Valerie Kerben today. I heard a couple of mentions regarding the National Center for Credibility Assessment, so I’ll go ahead and start with SEAD 2, just a quick update on Security Executive Agent Directive 2.
32:54 - Two, Use of Polygraph in Support of Personnel Security Determinations for Initial or Continued Eligibility for Access to Classified Information or Eligibility to Hold a Sensitive Position. This SEAD was previously issued in 2014, and it was recently revised in light of the transfer of the National Center for Credibility Assessment, NCCA, from the Defense Intelligence Agency to the Defense Counterintelligence and Security Agency. So, we just updated the authority section to reflect this transfer, and SEAD 2 was issued to departments and agencies via the Security Executive Agent mailbox. ISOO also distributed it to NISPPAC members, and in October, so just recently, we’ve published this SEAD to the NCSC website, so you can find it there. Just transitioning to Trusted Workforce 2.0.
33:54 - I know that was mentioned earlier as well. The executive steering group continues to meet virtually monthly and is committed to continuing to overhaul the security clearance process, and the executive agents’ staff, along with the PAC PMO staff, continue to meet regularly to work on policy constructs for the next set of documents in the policy framework for Trusted Workforce 2.0. Kind of along those lines, the Federal Personnel Vetting Core Doctrine went through interagency formal review with OMB and PAC PMO; in conjunction with PAC PMO, we provided a review with NISPPAC members to socialize this draft policy, and right now, we’re waiting for final signature by both executive agents, and then once that’s done, it’ll be published to the Federal Register. Also, we just kind of wanted to remind everyone that in February, ODNI and OPM jointly signed executive correspondence titled Transforming Federal Personnel Vetting, Measures to Expedite Reform and Further Reduce the Federal Government’s Background Investigation Inventory, and this EC introduced important Trusted Workforce 2.0 reform concepts and measures to drive early adoption, including compliance with periodic reinvestigation requirements through continuous vetting for individuals in national security positions enrolled in a CV program that meets minimum standards. Fact sheets describing and summarizing this EC were distributed to departments and agencies as well as the public, and we also provided a congressional notification sent to oversight committees along with the EC.
35:53 - We’re also working on an additional executive correspondence regarding Trusted Workforce and the transitional stages of Trusted Workforce, 1.25 and 1.5, as well as the future state of Trusted Workforce 2.0. This EC will provide policy and implementation guidance for moving towards continuous vetting, to include how agencies will do automated records checks and agency-specific checks. All right, so transitioning a little bit from personnel security and Trusted Workforce 2.0, I just wanna make a mention about a couple of things regarding national interest determinations.
36:33 - As Greg mentioned earlier, section 842 of the fiscal year 19 NDAA, just some additional requirements came into play as of October 1st. So, in light of section 842, ODNI will no longer process national interest determination concurrence requests for covered National Technology and Industrial Base, or NTIB, entities operating under a special security agreement as a condition for access to SCI. So, that’s happened, but I do wanna kinda just reiterate that ODNI is still continuing to process concurrence requests for those companies that are not affected by section 842. So, that’s pretty much all of our updates, we’re still not operating at full capacity due to COVID-19, but we promise to continue the dialogue and provide updates on industry forums like this one, as well as host meetings to share information with our partners as we move forward with things like Trusted Workforce 2.0. So with that, I’ll take any questions. - [Mark] Any questions for Kyla? Okay, well thank you very much, I appreciate it, good presentation. All right, next we have Heather Sims.
38:00 - Yeah, NISPPAC industry spokesperson will provide the industry updates. Heather? Heather? Listen to all your trouble here. Yeah. - [Greg] Mark, do you want me to go in the meantime? - [Mark] Yeah, Greg (indistinct) - [Greg] Okay, I’ll try to be brief to keep us on track and hopefully everyone will get back on. - [Mark] Okay, got it, yeah. - [Greg] So, I’m gonna do the part with the NISPPAC working groups and some of the discussions that took place there; you’ve heard from the DoD and ODNI on some of the high-level points that we discussed at the clearance working group. I’m just gonna say CWG from here on out. We had that meeting on October 28th, and we’ll also get some metric data on clearances and information systems in a few minutes here.
39:17 - We also discussed at the CWG an issue about the Small Business Administration joint venture final rule. This was a surprise to us at ISOO and NARA; I’m not really sure why NARA did not see that rule before it was promulgated, but in any event, the rule appears to eliminate the requirement for an entity eligibility determination, you know, what we’ve always called a facility security clearance, for a joint venture if the entities to the joint venture already have entity eligibility determinations. However, this contravenes the requirement in the NISP rule, the 32 CFR part 2004.
40:01 - Therefore, we in ISOO will put out a notice. We expect to have a forthcoming notice that emphasizes the continuance of the entity eligibility requirement for all legal entities, to include joint ventures, that enter into classified contracts with an agency of the Federal Government. Another item we discussed at the CWG was NISP entity cost collection methodology. This is a requirement for both the government agencies and NISP contractors, specified in both the NISP and the classified national security information executive orders and their companion directives. We are holding a government-only meeting on December 2nd to further discuss the cost methodology; totally transparent, we’ve had two prior meetings.
40:51 - The goal here is to have consensus within the government on this topic of cost expenditures. This, by the way, is part of a larger effort within ISOO in terms of data collection, to take advantage of technology and facilitate how we go about collecting various metric data that reveals how the CNSI, the classified programs, and the NISP program and the CUI programs are doing, as we report those to the President annually. So after we, the government, achieve consensus on the cost expenditures that industry spends to implement the requirements of the NISP, ISOO will then host a meeting of government and industry to garner industry’s input on this matter. And then finally, the NISPPAC will be provided a recommendation on the way forward for collecting these data cost elements for industry’s NISP implementation.
41:49 - Turning to metrics, we’ll hear from DCSA on their security clearance and information systems metrics, along with NRC and DOE on their security clearance metrics. Last, the NISA, the National Information Systems Authorization working group, had a discussion with a National Security Agency representative regarding sanitizing solid state drives, known as SSDs. This issue was initially surfaced by the NISA working group industry members in a white paper to ISOO on the use of cryptographic erase as a potential acceptable remediation method for SSDs involved in classified spillages. The NISA working group plans to continue the discussions with the CSAs on this topic. So let’s just say, we’re gonna hear now from DCSA for their NISA update.
42:42 - But first we’ll have, excuse me, NRC provide their clearance metrics followed by DOE and then DCSA. So, I’ll hold off on questions at this point. So, NRC, are you on the line? - [Chris] I am, can you hear me? - [Greg] Sure. - [Chris] Yes, okay, I will not go through the entire slide deck and I’ll just focus on that first overall, 90% of reported clearance decisions slide so I don’t take up too much time. In general, in terms of initiation, we’re doing quite well over the last fiscal year and in adjudications, we’ve had a piece for the folks, you can see that we’ve exceeded 20 days a couple of times over the fiscal year, primarily in quarter four.
43:26 - I don’t have a specific reason for that, I think it’s a couple of things, staff taking leave, cases just slipping through the cracks, but overall, we’re meeting or exceeding our adjudication timeliness, and despite all of the hurdles we’ve had to overcome over this past year of transitioning to basically 100% from home, I think we’ve done quite well. Again, quarter four of the fiscal year, we’ve experienced some blips, but I think having moved into fiscal year 21, we’ll get back on track where we’re hitting or exceeding our adjudication timeliness. That’s essentially it for the NRC; again, since we’ve done well over the last fiscal year, I don’t have really much information to provide or reasons why we aren’t meeting those goals. - [Greg] Okay, thanks, let’s move to DOE, we’ll do the questions at the end. - [Tracy] Hey, good morning, and thanks, Greg. So, if the slides are up, and we can just move to slide two, I’ll go through the slides and give everyone an update.
44:39 - So, as far as our initial T3 and T5, adjudication timeliness went up by two days, but we’re still exceeding the timeliness goals. As far as top secret adjudications, we also increased by 280, and again, we’re meeting the timeliness goals. As far as the secret investigations, we saw a two-day decrease in adjudication time on those for the quarter, and T5 reinvestigations, we have some substantial improvements in their adjudication, and we dropped from 40 to 14 days, and last, the initiation timeliness with T3s, ours decreased by six days, and we’re also meeting that timeliness goal. If we can go ahead and move to slide three. So, for the last year, we’ve exceeded the initiation goals and adjudication goals, and we expect those trends to continue. Slide four.
45:42 - On average, we met our adjudication goals as it relates to the initial T3 and T5 over the last year, but we did have some bumps in the road as it relates to adjudication for the months of June and July. We’ve been on a downward and steady trajectory since August for initiation timeliness and expect that downward trajectory to continue. Slide five, as far as T5 reinvestigations, we’re meeting the initiation goals, but again, as you saw on the second slide, we did have some challenges over the last year for adjudications, but since May, we’ve been meeting the initial adjudication timeliness goals, and we expect that trend to continue as well. Slide six, please. As far as the T3 reinvestigations, on average, adjudication decreased from 18 to 13 days. And overall, we’re right below the initiation timeliness goals at 13.5 days.
46:49 - This concludes our briefing for DOE, and I’m happy to answer questions. - [Greg] Okay, thank you, Tracy. We’ll do the questions, like I say, at the end; let’s move to the DCSA clearance metrics. I believe Donna McCloud, you’re gonna be doing– - [Donna] Yeah. - [Mark] Thank you, Donna. - [Donna] Good morning, Donna McCloud from DCSA. And actually, I’m just gonna touch on additional metrics that the director actually shared in his comments this morning. So, I’m gonna present information on behalf of the background investigations, adjudication, and the Vetting Risk Operations Center, VROC. For the background investigations, as the director shared, our timeliness and inventory remain stable for Q1 numbers for the T5 initials. Again, the director shared this out.
47:38 - Timeliness numbers are 81 days for T5 initials. If we would remove those cases that are impacted by COVID-19, that number would drop to 77. And cases impacted by COVID, what that is, in our inventory, we have some work that we can’t complete, because the sources or the information we need, we can’t get to it because the places may be closed down, or inability to contact subjects and sources. So, what we have done is we are holding those cases in our inventory, so in doing that, when the case is closed, that’s gonna impact the timeliness of our cases, and that’s primarily on our T5 population. Approximately 10% of our T5 cases completing Q1 were delayed due to COVID. The T3 cases are not impacted as much. Our T3 initial timeliness is at 55 days, and the goal is to be at 40.
48:38 - Again, we’re still working through the inventory, but we are impacted by some delays due to COVID. As the director shared earlier, our inventory right now is around 200,000, of which roughly 32,000 are industry investigations. Moving on to adjudication, the inventory for adjudication: the DoD CAF continues to apply portfolio management techniques to deliver national security, suitability, and credentialing adjudication. The two portfolios are divided into the readiness portfolio and the risk management portfolio. The readiness portfolio represents all the adjudication actions designed to get people to work, while the risk management portfolio manages risks within a trusted workforce. Currently, the total industry inventory is 27,000, 72% of which is within the readiness portfolio, and the remaining 28% is in the risk management portfolio.
49:39 - For adjudication timeliness in FY 20, the DoD CAF adjudicated tiered investigations for industry in an average of 14 days for initials and 34 days for the periodic reinvestigations. The DoD CAF is operating at full mission capability with modified operations to our customer service center due to COVID. We expect to continue to be fully mission capable throughout COVID-19 and to continue meeting adjudicative timeliness requirements for our investigations and products and services for the year. On to VROC. VROC is staying laser focused with all the VROC industry functions, to include investigation submission, interims, PR, CE deferments, processing incident reports, and customer service, and balancing all of the timeliness to support the mission readiness in identifying and mitigating cyber threat concerns. For the investigation submission and interim determination, the total industry FY 20 investigation request submission is 190,000.
50:50 - 90% of all initial investigations had an interim determination made on average within five to seven days, but we did have some system challenges in October, which have since been resolved, but they did result in a longer than usual lead time for interim determinations. So, we’re now averaging 25 days for interims, but we anticipate being back at our steady state within a few weeks. We appreciate your patience during this time. On to our PR deferments for industry, PRs deferred to CE: to date, over 100,000 have been deferred. VROC will send the FSO a JPAS message when the subject’s investigation has been stopped in JPAS and the subject is enrolled in CE. FSOs have shared the fact that the PR has been deferred into CE with the subject.
51:44 - All industry deferred PRs are enrolled in a fully compliant CE program. For CE, about 2.3 million subjects are enrolled in CE; to date, 2.3 million DoD subjects are enrolled in continuous evaluation data sources via the DoD system, meeting partial CE data category requirements, approximately 455,000 of which are industry subjects, which represents approximately 21% of the population. All industry deferred PRs are enrolled in all seven data categories and are compliant with SEAD 6 to further support reciprocity. You will see enrollment increase significantly in this FY as we work to achieve the goal of moving the entire cleared population into Trusted Workforce compliance. What we need from you is to be responsive if you have any overdue PRs, or if we request an out-of-cycle SF 86 to be submitted.
52:51 - Enrollment requires a minimum of the 2010 version of the SF 86, which we do have for most of them, but since the 2010 version was not deployed until the 2012 timeframe, we may have to come back and ask for an updated SF 86, a new SF 86. Industry and government customers can confirm CE enrollment in their history in DISS; government customers can email VROC for CE enrollment verification. CE industry FAQs are posted on the DCSA website under the FSO FAQ, see question numbers 35 through 46. And as a reminder, please remember to get provisioned in DISS; JPAS will be decommissioned and it’s imperative that everyone is provisioned. And that concludes my metrics update for DCSA. - [Greg] Okay, thank you very much, Donna.
53:56 - Again, we’ll roll right through to the NISA, National Information Systems Authorization working group, and then we’ll do the questions. So, Selena Hutchison, are you on the line, please? - [Selena] Yes, I am. - [Greg] Okay, please go ahead, thank you. - [Selena] Good morning, everyone. I wanna start by congratulating cleared industry for the hard work that we put in on eMASS. I wanna share a fun fact: the newest version of eMASS is the second largest instance in DoD.
54:29 - The largest instance is the Navy’s; it’s been in effect for over eight years and they have over 7,000 users. The one-year anniversary for the NISP eMASS was in May of this year. We have the second largest instance due to the number of containers. We have 6,300 systems, including approximately 3,400 users and 2,100 containers, and the containers are based on CAGE codes and the systems that are put there. This would not be possible without the hard work that’s been provided by cleared industry over the last year to make this possible.
55:05 - So, I wanna thank you for that, and clearly, most of you are not winging it, but for those of you who are, we ask that you really pay attention to the eMASS routes and help us keep this system where it should be. So, I just want to begin with that. Most of you know that Karl Hellmann left the agency in September; I’ve been acting for Karl since that time. The Southern region AO, Ron Donley, retired in March and David Scott has been acting there. Tyqueesha Somerville is acting in Capital right now. We have approximately 82 ISSPs on board; we are averaging about one ISSP for 75 systems. So, what you’ll find is that the ISSPs are also working AIs and ECPs and ESBAs and CM and all of it.
56:01 - Our average days to authorization is about 60, so we’re still within that timeframe. If you would go to slide two, please, the DAAPM released in September covered two specific things, primarily type authorizations. There were some inconsistencies in how it was being applied, so we wanted to clear that up. The Federal IS, that was also clarified in that version, has been a major issue for us. We continue to see a misinterpretation of what a Federal IS is; a Federal IS will lead to a government-to-government conversation.
56:40 - And any exception to that policy will be granted by USD(I). And keep in mind too, that a Federal IS exception to policy would be only a temporary measure to get you to compliance. But I wanted to stress that. Slide three, eMASS, we just talked about briefly; clearly, most of you are doing very good work here. We have a small staff, so in those instances where eMASS is not being used in the proper workflow, it creates problems for everyone. So, some of the common issues we see are incorrect registration, improper routing to the wrong field office, system descriptions improperly recorded, using the incorrect overlay, missing artifacts; all of these things just kinda add to a situation that we don’t need, so a little bit more care and rigor would be very helpful here.
57:34 - We ask that you visit the eMASS site and use those documents that we put out there for your internal training; that will help the consistency across the regions, and also help us to do a better job doing our reviews. On slide four, nothing much has changed for us during COVID except for the delay in getting to on-site activity. And keep in mind that when we do go back to work full time, we will have to adhere to state and local policies as well. We are working to continue to extend these systems, working to get the ISSPs to triage and give you guys an answer without waiting to the last day to turn these plans; all these things are being worked. You see some numbers here from each of the regions.
58:24 - And in summary, I just wanna say, we wanna continue to work with you identifying gaps, correcting those gaps and inconsistencies in policy. We are going to be focused on improving quality as the year goes forward and having all the leaders in the regions work towards these consistency issues that we’re seeing. We’re trying to reduce the impact of how work comes in, which is why we consistently ask that you submit a complete system security plan, because we’re not resourced to review 10 controls and send it back to you, and then have you send it back to us. Those types of processes just kind of eat the clock up. So, that’s all I have. Hope I didn’t rush through that too fast. - [Greg] Thank you, Selena. So, are there any questions about any of the working groups or their updates? Hearing none, I think we have another slight change.
59:32 - Heather has been emailing me, Heather Harris from our ISOO, indicating that Perry Russell-Hunter would like to go next. I defer to you, Mark, it– - [Mark] Yeah, let’s get Perry on, yeah, sure. - [Greg] Okay, let’s promise industry, next time you will be the first on the agenda. - [Mark] Yup, yup, yup. - [Greg] Okay. - [Perry] Well, I can return the favor by being very brief. So, my DOHA update is that we are finding ways to be productive in the age of COVID, and I have to give a very public shout-out and thanks to the leadership and the personnel at the DoD CAF, because thanks to Mariana’s leadership at the CAF and the professionalism of all the adjudicators there, we’ve been able to stay current in the legal reviews of the statements of reasons in industry cases.
00:40 - And that turns out to be really important, because when the statement of reasons is issued, it is the notice to the individual, the contractor employee rather, of what the government’s concerns are, and so we don’t want that to be a mystery, and so we didn’t want there to be any delays there. And just to give you an example, in fiscal year 2019, DOHA conducted over 2,500 legal reviews of statements of reasons for the DoD CAF, that was 2,571 to be exact, but in the current fiscal year, the fiscal year just ended, fiscal year 2020, DOHA was able to conduct 3,248 legal reviews, and we and the CAF are completely current in terms of issuing statements of reasons, and that’s really important for getting the word out to the employees as to what’s gonna happen next in administrative due process. Now, the other thing that’s going to happen next year, and we’ve been working diligently toward this, obviously COVID has been a factor in this, is that at some point next year, DOHA will start issuing the industry statements of reasons directly to industry contractor employees. Now, those of you who remember back before 2012 remember that DOHA used to do that in the past, where we will be returning to that mission with an agreed transition taking place between DOHA and the DoD CAF, and we are working out the details and the implementation on that right now. But the agreed implementation of the process, obviously, was delayed by the pandemic.
02:45 - The good news though, is that the pandemic did not stop us from returning to holding in-person hearings, which we did in June of this year. In addition to some rigorous health and safety protocols, which quite frankly, we took from the federal district courts that were in the highest COVID areas. So, we require masks, we have gloves available, we have plexiglass, and we also have a new amplification system in the hearing rooms, and of course, the reason for that is because we’ve discovered that it is important to keep people masked, even when they’re speaking and testifying, but the amplification system helps them be heard and understood, so that’s actually working very well and we’ve successfully continued to hold in-person hearings. We’re also developing and expanding on our existing remote video capability. The idea is that right now, many of you know that we’ve been using video teleconference technology for many years to reach out to remote places where contractors are located, but now we we’ve just procured a brand new video teleconference system that will work more effectively with the JSP firewalls and be able to go more places.
04:14 - We’re also working on the ability to conduct hearings remotely, where people will be able to be invited into a secure system from their remote computers. That has not yet been unveiled, but we’re working on deploying that in the very near future. And that’s all I have, thank you. - [Mark] Thank you, Perry. Greg, do you wanna go to Devin next? Just so we can finish this part of it and then go back to Heather? - [Greg] Sure, I mean, Heather, are you on the line now? Are you able– - [Heather] I am, yes, can you hear me? - [Greg] Why don’t you do your remarks, I would suggest, at this point? - [Mark] All right, Heather, let’s get you while we can, please go. - [Heather] I appreciate that, I was on the line, for some reason I couldn’t get unmuted. I’ll try to go as quickly as possible, but cover my material.
05:10 - It’s a pleasure to provide the industry perspective today on a variety of topics, many of which we already talked about, (indistinct) like to go ahead, and I know it was already mentioned before, but to thank the outgoing industry NISPPAC members, Robert Barb, Bob Forney, and Brian Mackey, for their years of support, and then also welcome Derek Jones and Tracy Durkin, and I do look forward to the next couple of years working with a dynamic team. I wanna say my perspective on industry has certainly changed over the past few years since moving from government to industry. I’m finding a balance, knowing firsthand government’s role in the NISP, with now having a glimpse of the demands and limitations put on cleared companies who truly wanna do the right thing. The past year, the NISPPAC industry members, along with the memorandum of understanding industry association members, have worked hard to bridge the gaps between government and industry. Industry has encountered an enormous amount of change, much of which was certainly needed, but nonetheless, the past few years have been pretty hectic on industry, and industry is encouraged, however, about the increased level of partnership and collaboration by the government at large.
06:18 - I do have the current top five NISP priority watch list items for industry on the slide that was provided, but they are in no particular order. And I’ve said it a few times already this year, but I also wanna offer our thanks again to the TAC Timo, ODNI and OPM for their willingness to proactively understand impacts to industry on personnel security reforms as it begins. Industry understands we have a long way to go until full implementation, but we’re sure that our voices will be heard throughout the process. Next, foreign ownership, control and influence was typically reserved as a concern to only a limited amount of cleared companies or new companies waiting to be cleared that were usually under foreign ownership. Industry has already begun to see a shifting in the government’s focus, FOCI, to the control and influence portion, where the Code of Federal Regulations, 32 CFR part 2004, clearly defines the ownership part of FOCI, it really doesn’t do justice in defining the influence and control.
07:21 - Industry would like ISOO’s assistance in having a better understanding and definition of control or influence, FOCI, and how it applies to the NISP. Without a clear, systematic objective of what we’re trying to mitigate from all size CFAs and with a better understanding for industry of what they may be subjecting themselves to, it leaves a lot to the imagination. Understanding the risk tolerance thresholds and safety for the risk will be one of the areas industry would like to focus on and discuss at the next scheduled NISPPAC FOCI working group meetings; transparency to cleared industry and the government customers in advancing the anticipated process changes only improves the ability to properly mitigate risk on the front end. Moving on to supply chain risk management, it’s been a hot topic for many years, but we’re seeing action to the implementation of the many statutory and regulatory requirements. DoD already mentioned the DoD adaptive acquisition framework, and industry realizes that many of the regulatory requirements are embedded in the acquisition process now, and not necessarily the NISP, but it does have a direct impact on the NISP at large, and the supply chain of the NISP contractors. One specific example is NDAA section 889, where cleared companies are making self-advocate a taste of expectations that they’re not utilizing their own products and services, where industry’s struggling with the government-provided all-encompassing list of products and companies to ensure we’re attesting to the same thing and being consistent with our understanding of what is banned; we do ask COB to provide some guidance on what products and companies we should be looking for in our supply chain.
09:01 - There is concern that industry may be missing a product or service and NISP will be putting our facility clearance and ability to bid on future contracts in jeopardy. There are other areas of focus on supply chain, but this is really at the forefront of industry’s mind today. And moving on, not only is our operating environment affected by the COVID pandemic, we’re also challenged by the changing security landscape; thanks to the government partners for quickly adapting many of their processes and procedures during this uncharted time. In particular, thanks to DCSA for enlisting, and adjusting to keep industry operations still viable. Additionally, thanks to the DCSA director for his transparency during the reporter’s meeting yesterday on how you’re continuing to evolve from a service to an agency and absorbing the missions.
09:49 - Industry does understand that it takes time for transformational changes in government; we do appreciate the updates. And I wanna add that traditional security and cybersecurity are no doubt shifting, and the ability to maintain and pay those highly technical required workforce employees to meet the emerging regulatory requirements will no doubt have an impact in the foreseeable future. As baby boomers are retiring, they are being replaced by a much younger workforce who enjoy the agility of working remotely, have expectations of higher salaries, and are not often wanting to work in a structured security environment. When we talk about implementing the correct security mitigation strategies to counter the threat, we also have to start having that conversation about properly funding contracts to account for the right workforce along with the best security posture to produce those products and services uncompromised for our customers. It also goes to the conversation of getting the support that security is not necessarily just an overhead within industry.
10:48 - One notable area that industry has been exerting an enormous amount of resources on is managing all the government systems developed, utilized and managed in the NISP. Thanks to ISOO and the NISPPAC members for forming the NISP system working group; it was enlightening to see actually all the NISP systems that were out there being used by industry. Whether it’s the increased partnerships on these systems being developed and tested, there’s still one standout concern for industry and government customers alike. The transition from JPAS to DISS is still a topic that requires much more conversation and a plan of action that includes functionality, corrections without integrity fixing, and training to be understood by all customers and government alike. And I’m looking pretty quickly here, but I’m doing over for my focus areas. Industry over the last year focused on efforts of mutual benefit and addressing our collective concerns for the benefit of the entire cleared industrial base through increased engagement.
11:47 - We’re finding together we’re stronger and have a bigger voice when we work together. I ask that NISPPAC industry members are utilized to the greatest extent possible to address industry concerns with the government to ensure the full complexity of the NISP is considered when devising new and improved processes. Also, the industry associations reach out to other associations and industry NISPPAC members when working on the NISP efforts that affect cleared industry to ensure we’re all on the same page. It is a consistent comment from government that I hear that often we have conflicting industry viewpoints, so being better aligned brings us closer to becoming the trusted and respected NISP partners. While industry’s making strides on collaboration with government, we’re still finding many industry partners are fearful of speaking up during assessments and of self-identifying vulnerabilities to government overseers, as some tend to be punitive in nature instead of working to the common goal of mitigation.
12:45 - Many times, we have very talented security staff within industry, many retired government senior leaders, senior-level executives that have many years of threat mitigation experience, but are often overlooked due to being in industry. We must work together to respect each other’s experiences and expertise. Industry is hopeful that in the future, as oversight models are evolving, we get to the point where we can partner, provide full transparency of our security concerns, have a better understanding of the threat and work toward a truly NISP mitigation model to preserve national security. Industry is continuously tracking new legislation and policy changes that would have an overarching impact on our operations. In spite of the deceased CFA’s are transparent to the greatest extent possible, and at the local level, there’s consideration for what the primary role of the contract is, which is to produce a product or service to the government, albeit uncompromised, but we have to find some balance.
13:41 - What really I’m trying to say is when a new policy is developed, or additional requirements are added, not only is the policy changing, but industry also encounters additional add-on non-contractual requirements, newly implemented training requirements and so forth. After a while, these items add up and could potentially lead to contract delays on deliverables, lead to unforeseen requirements that were not anticipated in the original contract award. While industry sometimes understands the importance of additional requirements, we ask for a well-thought-out plan that takes into consideration the impacts on the agency’s operations. With the additional requirements, industry has also experienced overlapping interaction, sometimes with oversight and possible fractioning of the NISP, and we ask that agencies try to deconflict and engage with each other before making contact with industry. Prior to COVID, some contractor sites were visited by multiple government agencies reviewing the same material processes.
14:39 - Now, we’re about to add CMMC and gearing up for CUI oversight, and we look to NISPPAC to work on a potential resolution to avoid any duplication of effort by Delta government and industry at large. And that was pretty quick, I cut some things out, but I also wanna thank everybody for their time today, and we look forward to a new year and looking forward to 2021 in strengthening our relationships with our government partners, so thank you for your time today. - [Mark] Thank you, Heather, for that presentation. Anybody have any questions for Heather? All right, thank you, Heather. All right, Devin, we’re gonna turn to you to give us a CUI update. - [Devin] Yeah, happy to. Good afternoon, everyone.
15:22 - My name’s Devin Casey for the CUI program. Just a quick update on where we are standing with the CUI program. Currently, our office is still receiving some of the CUI annual reports from agencies. The primary deadline has passed. However, there are some extensions that have been granted. Those should all be in by the end of the calendar year.
15:44 - We use those to get a better understanding of where agencies are in their implementation of the CUI program and provide a general update through our annual report to the president, the ISOO one, about the status of agency implementation for CUI for the government. We did have two notices, CUI notices, come out in October, CUI Notice 2020-06 and 2020-07. 2020-06 covers the marking practices for waivers, when waivers are in place, to alert users to the presence of CUI, and CUI Notice 2020-07 covers the use of alternate designation indicators, or ADI, with CUI when they’re authorized by policy. One of the big things that’s definitely been going on in the CUI world has been DoD’s implementation of CUI, and we’ve got a lot of questions into our inbox and on some of our blogs as well, specific questions about DoD CUI implementation.
16:53 - So, I’d like to point everyone to DoD’s website, dodcui.mil, where they have a contact-us there. There’s also a link on the top of that website where you can look for the points of contact for the different components at DoD and their CUI points of contact there, as well as a bunch of information about the DoD CUI program. It is generally where I’ll have to send you if you send us a question about DoD-specific implementation questions or concerns. Final update, the CUI FAR case is still a little bit delayed based off of the prediction on the unified agenda; we’re nearing the closing time of comment for that and it hasn’t come out yet as predicted. So, still delayed, GSA will have a new estimated timeframe coming out shortly, and you can always find an update or anything new about the CUI program on our CUI blog.
17:53 - We’ll also be scheduling shortly a CUI stakeholder meeting for December to go over updates to the CUI program as well, which is a great way to stay up to date on any development of the CUI program. That’s all I have. Thank you, anybody have any questions for Devin? - [Jeff] Hey, this is Jeff Spinnanger, I don’t have a question, but just a comment to echo and (indistinct) something that Devin said, and thank you for mentioning it. But for those of you who have questions pertaining to the DoD CUI program, I cannot emphasize enough the importance of heeding Devin’s outstanding advice, and going into the DoD CUI webpage for your information. For kind of a point of comparison, we’re like the beginning of our sophomore year of high school and the NARA page for CUI is grad school; we are working very full, we are focused very much on implementing and aiming at basically the full requirements, right? If you go to the NARA page with points pertaining to the DoD program, I think you’ll find yourself very confused, very quickly over. - [Greg] This is Greg Pannoni, I don’t wanna belabor it, but it is true, as Devin points out, we do get a fair amount of inquiries in ISOO to the electronic mailbox and we divert them back to DoD.
19:21 - So, it comes from government and industry alike, but if you could just get the word out, whether it be industry through your various MOU groups, just to start with, in most cases, it’s going to be DoD and/or the DCSA, but not make ISOO slash CUI office your first stop, because it doesn’t do anybody any good, ‘cause DoD needs to be aware of these issues, and we just pass to turn it around to them if we should receive it over, thanks. - [Mark] Okay, anything else on CUI? All right, I think we’ve got seven minutes left before we lose the bridge call. So, that said, let’s turn quickly to any new business; does anybody on the committee, the board, have any new business they’d like to bring up? All right, hearing none, just anybody, and I’m referring here specifically to DHS and on the CNDOE, who wanna update us on any of their doings during the COVID crisis here, I mean, how are you adjusting to it? Are you adjusting fine? Are there any glitches, any problems? - [Tracy] Sir, this is Tracy Kendall from DOE. We had initially given a COVID update at the last NISPPAC. And basically, the secretary authorized the fourth maximum telework flexibility, and he also had issued some guidance as it relates to COVID that went out for about six months, and some of those things that the secretary had issued were extended last month for another six months.
21:16 - So, we’re still continuing along with the things that we’re doing from a COVID perspective, and from a first perspective, we did adjust some of our reporting requirements, timelines, and due process actions for clearances. In addition, from a physical security and pacification perspective, we adjusted our required inventory, self-assessment and some of the framing timelines that we were having our contractor partners adhere to. So, that’s for DOE as it relates to COVID, so really, we’re pretty much in the same status we were as we started in March. - [Mark] You and everyone else, I’m afraid. Right, anybody else wish to chime in on that? - [Rob] Hey Mark, this is Rob (indistinct).
22:15 - So, similar to everyone else, we continue to be in a remote work environment; we really experienced no identifiable impact to our ability to continue supporting the industrial security side. And we don’t see any lag in processing 254s and then continuing to support our industry partners. So that’s about it from us. - [Mark] Okay, great. Okay, anybody else? All right, there’s no one else. Let me wrap this up. Our next NISPPAC is scheduled for April 14th, 2021. We’re gonna be dropping down to two NISPPAC meetings a year instead of three, as the jump to the last 10 years or so; we canvassed all the committee members, and that was the consensus that two would do it.
23:20 - If for some reason two are not sufficient, we’ll revisit that; that’s not set in stone, but that’s what we’re gonna aim for this coming year. The April meeting undoubtedly will be 100% virtual. I don’t see this COVID crisis ending until at least late spring or late summer, and that’s being optimistic. Let’s see. Well, obviously, once we get by the crisis, we will begin to hold meetings in person again at the McCallum Theater. As a reminder, all NISPPAC meeting announcements are posted in the federal register approximately 30 days before the meeting, along with our own ISOO blogs, so you can always log into our blogs, just probably get the latest information.
24:05 - All right, before I adjourn, is there anything anybody else would like to say, comment on or bring to our attention before I put the gavel down on a meeting with three minutes left? All right, hearing none, I’m going to adjourn this meeting and wish you all a happy holiday season, so thank you very much for your patience as we struggle with this technology that we’ve got, but again, I think that the meeting went very well, and I appreciate all your help and cooperation. Okay, that’s it, goodbye.