CISAC 2018 Spring Conference Wrap-Up


The President, Ms. Journalia C. McCloud, gave opening remarks, thanked Executive Council members, reminded participants of the Fall CISAC Conference in October 2018 with a special guest from DSS, and introduced both guest speakers.

Mr. Devin Casey, a Program Analyst for the Information Security Oversight Office (ISOO), discussed the implementation and guidance of Controlled Unclassified Information (CUI) programs. Key points of his discussion were as follows:

  • Executive Order 13556 provides the following definition of Controlled Unclassified Information (CUI): it is any information which is required to be protected pursuant to law, regulation, or government-wide policy.
  • Impact: OPM Breach – cost the government $500 million (five-year cost). Lost an entire generation’s worth of privacy information.
  • 2 to 3 years for full implementation
    • Resource dependent
    • Policy, Training, Physical Safeguarding, Systems, Contracts
  • Protection Today: It’s an Information Security Reform
    • Clarifies and limits what to protect
    • Defines safeguarding
    • Reinforces existing legislation and regulations
    • Promotes authorized information sharing
  • CUI Registry: What we protect and why?
  • 32 CFR Part 2002 equals “how we protect”. It establishes the baseline and outlines how the government should implement the CUI program.
  • Other documents that support the program:
    • NIST Special Publication 800-171 (Revision 1), Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. Translates the requirements to be implemented on a nonfederal information system.
  • Working on a Federal Acquisition Regulation (FY19) that will standardize the way the Executive branch conveys safeguarding guidance.
  • Each Executive branch department and agency will be responsible for administering CUI policy.
  • Contract awards consist of three levels: Certification, Request of SSP and Validation
  • No agency has a CUI program yet…you (Industry) do not have legacy information.
  • What is the difference between SBU and CUI? SBU and FOUO programs will become part of CUI. FOUO will be gone. He doesn’t think SBU will still exist either. Industry will only be audited through contracts. ISOO will audit Agencies. Compliance is enforced through auditing the agencies: audits through annual reports and an annual cycle visit to conduct oversight and audit of their practices (policy, training and oversight).
  • Is there existing policy/guidance that contractors can take to their management to say they need to develop a program to support CUI?
  • See the ISOO website for all policies and information
  • Need a contract requirement for CUI
  • NIST SP 800-171A
  • Training: Agencies are responsible for ensuring that their personnel are properly trained in practices related to CUI.
  • Separate attachment to the contract to cover CUI – any plans to modify the DD254? ISOO couldn’t answer that. They do not have oversight of the DD254. DSS to have final say so…
    • Security requirements must be in the attachment (controlled unclassified information reporting requirements attachment).
  • Two types of CUI: Basic and Specified
    • CUI Basic: Laws, Regulations or Government-wide policies do not require specific protections.
    • CUI Specified: Laws, Regulations or Government-wide policies require specific protections (unique markings, enhanced physical safeguards and limits on who can access the information).
    • CUI must be stored or handled in controlled environments that prevent or detect unauthorized access: a controlled area and a locked barrier.
    • CUI must be destroyed to a degree that makes the information unreadable, indecipherable, and irrecoverable.
    • Marking CUI (for more detail see https://www.archives.gov/cui/).
    • A new version of the marking book will be out mid-2018.
  • Compilation of information will be marked CUI if it qualifies as CUI.
  • Security Classification Guide review: if SBU or FOUO markings exist, they will have to go back and fix them to reference the CUI category.

Ms. Journalia C. McCloud gave away three new memberships and informed the participants that there will be a Chew and Chat in July. She also thanked the Defense Security Service (DSS) for their support, followed by introducing the DSS attendees. DSS also briefed the group on the iShare mentorship program. Interested participants should inquire at dss.alexandria2@mail.mil.

Mr. Patrick M. Hogan from the Personnel Security Management Office for Industry (PSMO-I) gave an in-depth overview of the Defense Information System for Security (DISS) and its deployment schedule. Mr. Hogan also outlined the major differences in communication in DISS versus the Joint Personnel Adjudication System (JPAS).

  • DISS is basically a replacement of JPAS.
  • New Terms:
    • Request for Action (RFA)
    • Customer Service Requests (CSR)
  • The primary goal of the DISS program is to accelerate the security clearance process, reduce security clearance vulnerabilities and decrease back-end processing timelines.
  • Phases of DISS Deployment:
    • Phase One: Migrating to a single system and making the terminology the same for everyone (SCRS, SF312, etc.). Greater means of electronic communication.
    • Phase Two: The bulk of the functionality. Moving JPAS to DISS.
    • Phase Three: Clean up.
  • JPAS is still the System of Record for Clearance Eligibility
    • Submission of Incident Reports still in JPAS.
  • DISS Phase 1 deployment timeline is May/June 2018.
    • Phase 2 beginning in FY19.
  • Current preparatory activities:
    • SMO Clean Up
    • Ghost Clean Up
    • Set up your hierarchies 30 days in advance of deployment.
    • Opting out is not an option.
  • Guidance is on the DSS website. The Personnel Security Section will soon say DISS.
  • Phased deployment applies to both components:
    • Example: Visit Request – if you see it in JPAS it will be in DISS. Some tabs in DISS are grayed out.
  • Owning and servicing relationships: Everyone is an owner in DISS. Who initiates the PR? That will not change. Servicing is linked to access; access is Phase II.
    • One account in DISS with a list of all facilities you have the ability to manage.
    • The system is very flexible. You can be in multiple parts of the hierarchy.
  • CSR/RFA is strictly in DISS, but certain data fields will feed each other.
  • In DISS will we be able to see the Scattered Castles record, and can we get reciprocity? Answer: no to Scattered Castles; reciprocity is the same as in JPAS.
  • How often is the feed going to DISS? Near real-time updates (2 minutes). If it hasn’t happened within a 24-hour window, it should be manually updated.
  • Will there be a requirement to have 2 account managers? They are looking into rewording/revisiting the current policy, but it basically stays the same.
  • Regarding consultants managing your account: no change to this.
  • How long can an account go without a login before it is disabled?
    • 30 days suspension
    • 40 days deactivation
    • No particular training requirement that he knows of to reactivate an account, but you should establish a new User Agreement if deactivated.
    • Notices are given prior to suspension/deactivation.
  • RRUs are still accepted in JPAS for industry.

Ms. Journalia C. McCloud gave closing remarks.