
ThreatSwitch Blog

Learn about security best practices, software updates, industry news, and more

Every month ThreatSwitch hosts a webinar on a topic of interest to the security and compliance community. Thousands of security leaders and practitioners have attended these webinars, but not everyone has an hour to spare. That's why we'll be sharing our CEO's lessons-learned each month right here on the ThreatSwitch blog. 

If the industrial security community learned anything at all from 2020, it's to be nimble enough to dodge the fastballs aimed at our heads. But what about 2021? In a terrific and varied conversation with Heather Sims, industry spokesperson for the NISPPAC, we explored trends for 2021, with a teaser of our own 2021 Industrial Security Benchmark Study. Read on for my 3 key takeaways.


1. NISPOM is becoming part of the CFR, and there are changes you need to know about

While NISPOM becoming part of the Code of Federal Regulations (CFR), as 32 CFR Part 117, may look like a purely administrative change, the rule carries substantive revisions to NISPOM that we all need to be tracking. The rule is effective February 24, 2021, and industry will have six months from that date to comply with all of its provisions. Important changes include:

  • The incorporation of SEAD 3, which significantly expands industry reporting requirements, including reporting of cleared employees' foreign travel, personal as well as professional
  • Implementation of section 842 of the 2019 NDAA, which eliminates the national interest determination (NID) requirement for covered National Technology and Industrial Base entities
  • Adjustments to FOCI and to the requirements for national interest determinations

2. Strategic industry NISP priorities give hints on future regulatory direction

Heather didn't just cover the regulatory changes happening now, but also the priorities for industrial security that will shape policy for years to come. 

  • Personnel Security Reform and Trusted Workforce 2.0 are the pillars of near-term personnel security priorities, focused on transfer of trust (what many of us still call reciprocity), information sharing, and continuous evaluation and continuous vetting.
  • Supply chain management and "Delivering Uncompromised" are even more important after the supply chain attacks of late 2020. The specific focus on NDAA sections 889, 847, and 842 demonstrates the community's concern over every tier of the supply chain.
  • CMMC, COVID, remote work, changing oversight, the new NISPOM rule, and system changes like JPAS to DISS, NCCS, and NBIS all add weight to an already heavy load for the industrial security community.

3. NISPPAC is a crucial community for shaping trends and policy

Heather is in a crucial role at a crucial time for the NISPPAC. You can learn more about the group at https://classmgmt.com/nisppac.php or contact Heather and her team directly at nisppacindustry@gmail.com.

If you missed Heather's webinar you can always head to our resources page to view the recording, along with many other great speakers and tools to help you succeed. 

ThreatSwitch puts employees at the center of your security and insider threat program.
Schedule a demo to find out just how different we are.



Full Transcript:

SPEAKERS

John Dillard, Heather Sims

John Dillard 00:00

Okay, hello, everyone, I think we're ready to get started. Welcome to the next running in the ThreatSwitch webinar series. We are going to be talking today about 2021 industrial security trends with Heather Sims, who many of you know, and who I've gotten to know a little bit in our community. Certainly Heather's name is familiar to many of us. She is currently with the NISPPAC and is the industry spokesperson for that group, in addition to her role in industrial security strategy, planning and collaboration at General Dynamics. So we're pretty excited to have Heather. I'm John Dillard. As many of you know, since you're seeing a lot of familiar names in the list, I'm the founder and CEO of ThreatSwitch, and you guys know a little bit about what we do. We're providing compliance management software for NISPOM, and CMMC, and NIST, and all the other things that we'll probably talk a little bit about today. So before we get started, I want to offer a couple of housekeeping items that should be familiar to all of us, since we live in Zoom all the time these days. You can submit questions using the Q&A function in the tool, so you see a little Q&A bubble; you should be able to ask any of the questions that might come to mind throughout the webinar. We'll be watching those as we go, and we're gonna get to as many as we can. If we don't get to your questions, we're gonna do our best to respond afterward to make sure we get those answered, whether they're for Heather or for us. We have a lot of ground to cover, so, you know, we will do our best. We usually have a few hanging chads at the end, but we'll get through a lot of them. I think we've allocated a good bit of Q&A time, since Heather, I'm sure, is the perfect person that many of us want to ask questions to. This is being recorded, so we will get you the slides and the recording and the transcript so that we have all of it available to everybody once we're done. And that's pretty much it.
With that, I want to introduce Heather. And as I mentioned, she's with General Dynamics now in industrial security strategy, planning and collaboration. Prior to that, she served as Assistant Deputy Director for Industrial Security Field Operations at what we used to call DSS, now DCSA. And before that, she was St. Louis Field Office Chief, responsible for supporting 700 facilities across the Midwest. So she, again, is industry spokesperson for the NISPPAC, so she is in the middle of all of this stuff. I had the pleasure of listening to Heather give an update to the INSA Security Policy Reform Council, I guess about a month or so ago, Heather. Fantastic content. I mean, we had a heck of a year last year, we know, and we're in for another interesting one this year. So I think we've got a lot to talk about. So before we get started with Heather, I want to set the stage a little bit by teasing some of the things that we researched in December. Many of you participated in the survey, and it's very connected to what Heather is going to be talking about today, and that's what we're seeing our peers say about what they're worried about. We conducted a survey over the course of about six weeks, with the usual kinds of companies you expect to see in our community: heavy aerospace and defense, consulting, information technology, lots of members from INSA and NCMS in particular. So we're really talking to people who live this all the time. We asked them about top risks, and, you know, this is in the report, but I thought I'd tease a little bit of it. It's interesting to see how cyber threats kind of bubbled up to the top of the things that people were concerned about. And there are a few things that they're not concerned about that I kind of thought they would be, like supply chain security. So it was a really interesting set of findings.
The thing that I think is striking, and maybe good news for us, is that it seems to be across the board, across many different company sizes, people expect to be spending more money on managing security this year. So they expect a bigger budget. So Heather, that's probably good news for us trying to deal with all of this stuff. And that's even with folks knowing that we'd have a new administration and maybe a little bit of a tighter defense budget in general, but maybe not for security. So we'll see what happens. So with that context, just to kind of get our minds going on this a little bit, and I'll send this link out to everybody, so you'll be able to see all the details of the results of that survey. I'm going to hand it over to Heather and let her jump into the updates that she's providing for NISPPAC. I'll stop sharing so that you can take over. And we would love to hear how what you guys are planning aligns to what we've seen in the survey and what's next. So with that, Heather, please take it away and tell us what's coming.


Heather Sims 04:36

I had to find that unmute button. Well, thank you, John, thanks for the great introduction. It's a pleasure to be here today. Just when I think I have the most current update to what's happening in the cleared community, we have some changes. So what I'm going to give you today is the most current changes as of today. And we know with all the new legislation that's being proposed out there, there's always going to be changes that I can't catch in real time, but my hope is for most of the audience, if you're familiar with the National Industrial Security Program, and that is pretty much, you know, all the cleared companies working on behalf of the federal government. I will touch on a few things that are going to cover our uncleared defense industry partners as well, simply because we'll talk a little bit about supply chain today. So every briefing I do on behalf of industry NISPPAC, I start with NISPPAC 101, just to kind of give a clarifying idea of what we do for the NISPPAC on the industry side. So Executive Order 12829 talks about the NISP functions, and it was created in 1993 by executive order. So that's what creates the NISPPAC. NISPPAC is comprised of 16 government members and eight industry members. And what we do is we advise the chair of the committee, who is also the ISOO director, on all national industrial security policy matters; we recommend changes to the policy. And also it serves as a forum to discuss any policy issues that are currently in dispute, or ones that we want to bring into dispute. So those eight industry NISPPAC members, there's eight of us, we're elected every two years. So we always have two new members coming on board. But what we really want to do is make sure that we are representing the community at large, and what I mean by that is not just large companies, which I work for General Dynamics, but we are representing the community.
So we want to make sure we have small companies represented, mediums, large, the FFRDC community and those companies under FOCI. So we want to make sure that we're representing the community at large. This right here is the current NISPPAC membership. I have the government listed there on the left-hand side, the current industry members in the middle. And then what you see off to the right are the memorandum of understanding associations that feed into the industry NISPPAC members. We want to make sure that not only are we representing the individual company sizes, but also the associations. So there's usually, typically, a monthly meeting between the industry members and the association members just to make sure that we're speaking with the same voice, we understand what the issues are for industry at large, and that we're working as a united industry body and not in conflict with each other. Now, we don't always agree, and the associations are more than able to go out and work those issues independently. But what we're finding is, when we unite, we can move our platforms a little bit easier if we're united with our voices. Now, this list is continuously changing, especially on the government side. So if you want the most updated list of the NISPPAC members, I put the link down there at the Archives under ISOO, just in case you want to find out who the members are currently. Now, we meet on a recurring basis, and what we do is two public meetings per year. And when we say public meeting, that means we have the government members and we have the industry members, and then we meet and we discuss a bunch of topics, but those are recorded and open to the public. But those happen two times a year. Where we try to get the real work done is through NISPPAC working groups. This is a representation of the current NISPPAC working groups.
At the very top we have the policy group, and that's where we discuss, for example, right now, the new NISPOM rule that was just released. We talk also about any other policies that may be affecting the NISP. You move on to the next one, NISP systems. That is anything related to the National Industrial Security Program systems, and if you think JPAS, DISS, NISS and SWFT, we have groups that work on each of those systems with the government partners. Next we have insider threat. That's where we discuss effectiveness of the insider threat programs, how we are going to move forward with the new ISLs that we're anticipating. Next is the foreign ownership, control and influence working group. Then we have the clearance group. This is probably one of our largest groups, and that's because it encompasses both personnel security as well as facility clearance groups. And last we have the NISP working group, and if you think about the classified systems risk management framework, that's the working group who works predominantly on that function right there. And this chart kind of represents that no group can work independently; they have to work in a cohesive group, because some of the issues fall in more categories than just that one particular group. So here's the real meat and potatoes of my presentation. Today we're going to talk about national-level policy updates. The NISPOM rule, 32 CFR Part 117, was published December 21, 2020. I did put a note in there that SEAD 3 is incorporated in that, and I'll talk a little bit more about that. But this is huge, because this has been a project that has been in the works close to 10 to 15 years; a lot of partnership between industry and government took place to get this actually published and out there. The public comment period ends February 21, 2021. That is really important, because anybody can comment on this rule at the moment. But for cleared industry in particular, it's important to take a look at it.
If you don't understand something, need clarifying guidance, or something is just not right, you want to make sure that you put your comments in there. You can do that one of three ways: you can go into the Federal Register and actually put your comments, or you can email or call the point of contact on the Federal Register with your comments. But if you want to be part of the process, please make sure that you put your comments in there before the deadline. Now, where people get a little bit confused, not only industry but some of our government partners, is when does the rule actually take effect. The rule takes effect February 24, 2020. Some people get a little confused, because we're still making public comments. Now it's effective, but cleared industry does not have to comply until six months after the effective date of the rule. Now, I'm already hearing from industry that some of our government partners are forcing them to comply with the new NISPOM rule now, but really it's six months after the rule is effective, which is February 24, 2021. And DCSA just recently put out a great cross-reference tool that takes you to the references listed in the rule. Pretty easy to use; it's actually on the DCSA website. If you search "cross reference tool", it'll take you right to it. I recommend you go out there and take a look at it, because it does very easily take you to different documents that are referenced in the NISPOM. I'm sure I'm gonna get a lot of questions about the new NISPOM rule, but I'll wait until the question phase. Now, many people ask me what happened to all of those previously routed draft industrial security letters, ISLs. What's next? What's going to happen to them? I listed the ones there on the slide that were currently routed and that industry had an opportunity to take a look at. Some were already rolled into the new NISPOM rule, while for others we're waiting on a new ISL to the new federal rule.
So SEAD 3, we're waiting on new adverse information reporting clarifying guidance to the NISPOM rule to come out; no timeline on that, but we're anxiously waiting, and hopefully we'll get it before we're supposed to be in compliance with the new NISPOM. Some of the updates on the FAR and the DFARS clauses: everybody should have heard by now, because it was released August 2, 2020, that the NCCS FAR clause was issued and effective. Now, that doesn't mean automatically, right away, all of industry is going to be using NCCS. What that means is the DoD will start using that, and many companies will start to see their DD 254 flow down in that NCCS system. It's going to take a few years to get everybody on board. But once all of government is on, with DoD issuing contracts, more of industry can get on board with using the NCCS system. The anticipated interim rule for CMMC, the framework, was effective November 30, 2020. Many of us are getting lots of emails, lots of notifications about CMMC. I will say CMMC works off of the CUI, which is not necessarily part of the NISP, so I'll talk a little bit about it, but I won't go into too far of a detail. But this is the year of CMMC. Many of the cleared companies and uncleared companies working on DoD contracts will get an assessment and will get a CMMC score. It's a hell of a cyber score of that particular company. So I'll talk a little bit more about that in a couple slides. Newly released was a GSA announcement about the black label phase-out of the GSA containers, basically meaning if it has a black or silver label, it will be phased out. It's a phase-out of GSA-approved security containers and vault doors manufactured prior to 1989. Yes, there are some out there that are from the 50s. So we're looking at years 1954 to 1989, over a period of four years, starting October 1, 2024, excuse me. So what that means is, industry at large:
If you have classified information at your site and you have GSA containers or vault doors, you're going to be really looking at the safes, taking an inventory: does it fall under those categories? Does it have to be removed or replaced? Budget for it, and then get the new safes and vault doors in there. This is really largely going to affect the majority of the large contractors who have large holdings of classified. Now, for that one, I did ask for GSA, during the next scheduled NISPPAC public meeting, to provide an oversight briefing to the NISPPAC members. And this will be a public meeting, so anybody can call in and listen to GSA's announcement and what the phase-out plan will mean. This is the Security Executive Agent Directives, SEADs. Many of you have heard of the SEADs; there are currently eight. I put on there what the effective dates of each of these are. Most of the time, we don't work off of the SEADs; we work off of ISLs, the clarifying guidance to cleared industry. But most importantly, SEAD 3, reporting requirements for personnel with access to classified, this is what we're talking about: the industrial security letter, or clarifying guidance to industry, for the NISPOM rule. It's going to require industry to report foreign travel for not only your clearance holders' personal or professional travel, but also their personal travel. And that's a departure from what we've done in the past. So really, it means you have to have a plan to reach your personnel that are traveling overseas, debrief them when they come back, but then also report it to the government as well. I'm not going to go in depth about the SEADs, considering our timelines, but all SEADs can be found at the website link provided. So not only do we have some policy updates, but how does that affect cleared industry at large? I would like to say that the industry NISPPAC members can keep up with all of the priorities that are happening within the industry.
But unfortunately, there's only eight of us, we are volunteers, and we do have full-time jobs. So we do the best we can to represent industry at large. But the only way we can really do that is if we think strategically, look at NISPPAC priorities and align with our MOU partners. So I have a few on here. It's not an all-encompassing list of industry's concerns, but again, those strategic industry priorities. Hopefully you've heard by now, Trusted Workforce 2.0, personnel security reform, is really gonna revamp and reshape personnel security as we know it for the federal government. You see off to the side there, Trusted Workforce 1.25, 1.5, 2.0. 2.0 is the end state, the desired end state, and the only way to get there is through incremental accomplishments. And that's why you see the 1.25 and 1.5; it takes us out to that 2.0 through different phases. But really what we're looking at is that transfer of trust. Many of us still know that as reciprocity, but the new terminology is transfer of trust. It makes no sense for somebody who has already been cleared by the federal government, simply because they left one... Say for me, as an example, I left government service and moved over to industry. And then I want to go back to government. Do I have to go through a whole new process to get a whole new clearance, even though I maintain the same clearance level, simply because I went to industry and am coming back to government? So taking a look at how we transfer people and people's clearances to new positions, if it's the same access level. I personally have seen a lot of improvement, even though we're not at Trusted Workforce 2.0. So the government is really doing their due diligence with improving that transfer of trust; a lot more room for improvement, but I'm already seeing it.
Information sharing: I think all of us suffer from times when information sharing, whether it be government to government, government to industry, or industry to industry, has affected our companies. And what we're working on with the government is how they can better share with us derogatory, adverse information when it comes to personnel security, insider threat information, or even critical asset protection, threats against things that we're making for the government. So how do we improve that information sharing? And a lot of people only think from government to industry, but we really need the government to be able to share a little bit more freely with other government agencies. And we need industry to be able to share with industry without the fear of reprisal from lawsuits from employees. Many times we know of individuals who have problems; we don't call that next company that we know they're going to, for fear of reprisal from lawsuits. So how do we improve them? And last in this section is continuous vetting. Many of us know this as continuous evaluation. How do we continuously work with the government to vet individuals, to make sure that things aren't happening between periodic investigations, to make sure we can get real-time information that could potentially save our intellectual property and help our ability to protect that classified information we're entrusted with? A lot to do there with that personnel security reform, but I believe we're moving in the right direction. And the good news is government is really reaching out and asking what the effects are for industry and how they can do better. So a lot of partnership in this area right here specifically. The next section I'll move on to is supply chain risk management. A lot of what you hear is "Delivering Uncompromised", and really, that's what we're trying to do.
We're trying to deliver the products that we were contracted with the federal government for, and to make sure they're not compromised when we give them back. Now, I'll start with NDAA section 889, and that's barring the agencies from procuring, obtaining, extending or renewing a contract for certain Chinese entities. And many of our companies have already submitted an attestation saying that we are not using certain Chinese products, or utilizing certain Chinese entities in our businesses. But really, that's what it's getting to, is making sure we have a secure supply chain. And NDAA section 847, mitigating risk related to foreign ownership, control and influence for Department of Defense contractors and subcontractors. Really what DCSA and DoD are doing right now is they're taking a look at the supply chain and vetting process of companies that are already doing business with DoD. The concentration in the past has always been on foreign ownership and control, and that's pretty easy to identify. But that influence part is a little bit less tangible: really taking a look at, you know, what foreign nationals you have working in your company, where your uncleared supply chain is coming from, taking a total holistic look at the company, of what kind of foreign involvement they have. And then lastly, I'll put on here NDAA section 842, elimination of the NID requirement for covered National Technology and Industrial Base. That was effective the first of October 2020. This was a huge win. If you're already working with the federal government, you already have a contract, what was really the risk of getting a national interest determination for proscribed information when you're already awarded that contract? So this was a huge win, I believe, for industry to keep companies moving forward. Now, what I put under the supply chain risk management is just three NDAA sections that occur under the current 2020 and 2021 NDAAs.
There are a lot more out there when it comes to supply chain risk management. What you're going to see is a lot of correlation between a lot of different new legislation, where the government's moving, and the different vetting processes that the government is developing to look at cleared industry, just to make sure that our supply chains are mitigating the risks that are known and being able to detect those risks that are unknown. Our biggest business impacts to industry, continued, is, I think, near and dear to my heart, the new and emerging processes and guidance changes that we're seeing. We've been working under COVID now for just about a year, and many of us are operating remotely. And this is going to be our new reality in the future. Many of us will not go back to office space, and how do we operate in the future, not only amongst ourselves, but with our industry partners? So what we're looking at is what's going to be the next iteration of government oversight, and that's whether it's DoD or the four other CSAs. What does it look like? How are we going to implement the new NISPOM rule? And what do those changes mean? What new processes are we going to have to develop along the way? And lastly, the NISP systems: what's the strategic plan of communication when the government rolls out any new systems that affect cleared industry? Often it's not understood what the impacts to the industry base are going to be, you know, when it comes to data entry, or systems that simply just don't work, and being able to convey those impacts back to the government. And I put in a few examples. Many of us are dealing with the JPAS to DISS transition right now, and what we didn't understand when we were working on that initially is the monetary and resource impact it was going to have on industry as they roll those out.
And then how industry is going to implement NCCS, and then the NBIS rollout. So a lot of things to consider this coming year, of what the impacts are and how we're going to roll these things out; we got a lot of things going on at once. I mentioned at the beginning of that section of the policy updates that industry NISPPAC is focusing on those strategic things. That doesn't mean we're not helping, or assisting, or trying to understand what are some of the other industry issues or topics, or even just plain concerns that are affecting industry at large. The administration change: we're seeing a lot of new executive orders, and we're trying to work through what that means to the cleared industry base as well as the uncleared defense industry base out there. Monitoring legislation for NISP impacts, and we're doing this as best as we can. There's a lot of movement on the Hill now with personnel security, clearance reform and other things. So we're monitoring that and engaging when we need to, when we think something might not be going down the right direction. And again, we're trying to do this in a non-political way, but what is the benefit to the federal government and cleared industry as a whole? We're closely watching SEAD 3 foreign travel implementation. How are we going to do this? How's it going to work? And then lastly, how is the government going to oversee industry's implementation of this at the company level? We're well aware of the risk management framework timelines and some of the inconsistencies. So we've been engaging with DCSA and DoD specifically on identifying the issues, and then how can we fix this? How can we move forward and get this working a little bit better? Everybody's seen the messages: the government is taking a look at how do we keep things moving and potentially process classified at home.
Right now, this is not a blanket agreement where industry and everybody can work on classified at home; it is really contract-specific and driven by the government customer. So this is not a whole, you know, everybody can work on classified at home. To me that would be a nightmare. But no doubt, it may have to happen in certain circumstances, but that's going to be dictated, again, by the government customer. We are very closely watching controlled unclassified information, CUI, and CMMC. You can't have CMMC if you don't have CUI, so really taking a look at how that's going to impact us. I will say some of the main concerns right now are: are we spending more time on CUI than we're actually spending on protection of classified information? CUI being over-classified, and really just, do the people who are marking the material understand what CUI is? I'm already hearing concerns that some of the government at the base level are just marking things randomly without any sense of understanding. CUI's increased mandate of training outside contractual requirements: there is a cost, resource and monetary, associated with that. So understanding what is required by contract, what's required by NIST, and then who is actually requiring that training, not understanding that contractual agreement. One of the MOUs is actually working on co-utilization of SCIF and SAPF locations. So I won't talk too much about that, but they are making some good headway on that. It may take another few years to get where we need to, but it only makes sense to start, you know, utilizing those locations. And then lastly, on this one, the FedEx/United States Postal Service classified deliveries. I think everybody who actually processes classified or handles classified saw that message that the FedEx drivers and the UPS truck or United States Postal Service drivers were not requiring signature for classified delivery.
So they put a message out saying that we could only use them if they're following the requirements. That had a huge impact to industry. And so we're trying to work with the ISOO attorneys to make sure that we can find some kind of middle ground where we can still send deliveries if need be. Now, this is not an all-encompassing list. We understand that a lot of times FSOs, at a more local level, have issues. And we do ask that they work at the lowest level possible: work with their DCSA industrial security rep, work with their field office chief, and then work their way up the chain. But if help is needed, please reach out, and I have an email address where people can contact us directly. So really, the National Industrial Security Program is evolving. What we're trying to do is be more proactive on the industry side, instead of something coming out and then we constantly complain. Understanding the impact to what industry's operation is, is really my main goal: working with the government, if we hear of a proposal to develop a new process or a new system, being able to understand what that process is, but more importantly, being able to convey what the impact to industry is. And we can only do that if we're aligned and we're united as an industry as a whole on what the basics are: understanding changes in advance and how those changes will affect security operations and that of our supply chain; understanding what we can expect in the future from an oversight perspective. Simply, right now, we're kind of not sure how a government agency is going to come over and provide that oversight. It's almost like a guessing game. So just better understanding that. And probably the most important thing that I constantly say to the government is, anytime a new process or procedure is asked of industry, it adds additional administrative and resource burdens on us.
So it should be something important, not simply because a new person wants to add something, because it really takes us away from our real NISP risk management and security responsibilities. We're asked to do risk-based model security, but if we're constantly in a data entry mode, where do we draw the line? You know, it has to be really impactful to the mission if we're asked to do it. And then industry needs to be united in voice. It makes no sense for me, as the industry spokesperson, to say one thing, and then another government, or excuse me, industry MOU, or another NISPPAC member says something that's contradictory. We need to be aligned in our voices and actions, and we need to be engaged at all levels, and often. And one thing I hear, and it's so disheartening to me considering I did come from a government agency: identify issues quickly and partner with the government. Don't be afraid to bring up issues. That relationship should be fostered to ensure that you have open communication, that you can convey, here's the issue, and either I need help solving it, or here's how I'm going to mitigate that. So I hear often that, you know, people are afraid of their industrial security reps, and it should never be like that. And so please, please just try to work out those relationships; if you need help, reach out. That's a lot of updates, and I put it in just a little bit of time. But besides that, you know, really, how are things going? And that's a question that I think we'll answer during our Q&A. I'm almost finished here. We can be found, we industry NISPPAC, on the NCMS website. We do host the members; we have a couple MOU groups, some resources, timelines, and a link to the official site for industry NISPPAC. And then lastly, we developed an email address where you can reach the industry members of NISPPAC. It can be just, how do I get more involved?
Here's the issues I'm dealing with; can you point me in the right direction? We're open; I try to respond within 24 hours. But we put that out there because we want to hear from the industry base, just how things are going or if you need help. So that's two places where you can actually find us. That concludes my formal briefing. I will stop sharing, and then take as many questions as I possibly can. I left plenty of room, because I know I'm gonna get lots of questions. So I wanted to make sure that we left plenty of time for Q&A. So thank you.

 

John Dillard 33:16

I couldn't find the mute button. Thank you, Heather. Awesome stuff. Really good information, chock full. We've already got a bunch of questions teed up, and really appreciate that. We're gonna pause for one second, as we usually do in our webinars, one, to give everybody the chance again to click that Q&A button and type your question in the Q&A screen. And we will go through those and make sure they get asked. While we're doing that, we always ask a poll at this point, and you'll see a screen pop up that you can answer very quickly. If you'd like to hear from the fine folks at ThreatSwitch and talk about how we help solve some of the problems that we're talking about with our software, then just indicate there. No pressure to do so, and we'd be happy to reach out. They're very friendly, they don't like. And we'll give that about 25 or 30 seconds so that everybody has a chance to click the button. And then we'll jump into questions. So if anybody has heard, you're welcome to sing the Jeopardy music while we wait for people to respond. I'm not going to do it. I tried once, it went badly, a lot of boos, a lot of people hung up, so I'm not going to. Alright, so it looks like just about everybody has answered. So we'll end the poll and jump into questions. So lots of really good ones here. And you know, I could start all over the place, but I'll jump in with a couple. This one's from John. Lots of discussion about the shift from NISPOM to CFR. And the question is, does the fact that it's CFR mean anything for us? Right? Is that distinction important, or does it only matter as much as the NISPOM has changed a little bit and those are the things we need to worry about? Does the CFR itself

 

Heather Sims 35:00

give it more teeth? Does it change anything about how we manage our programs? Well, I will say I get that question almost every single day. So one of my comments for the public feedback on the Federal Register was for government to provide a clarifying response to that: what is the difference between the NISPOM manual and the CFR now? So I won't give the official answer; I'll give you what we know. Currently, the format is totally different, and it reads very differently. So what I did is I requested a Word copy of the CFR so companies can do a side-by-side comparison, so they see where the differences are. But really, when it comes to the national security program, there is not much of a difference for us on a day-to-day basis. But I'm going to hold on that one and allow DoD to provide a formal response of what that means between manual and CFR in terms of government regulation.

 

John Dillard 35:59

So that's the answer to that. Got it, understand. Another one here, just in general, and you listed a lot of really good stuff that we should be concerned about. I'm interested in this in part because, you know, we saw in our survey results, and things that you mentioned like SEAD 3, that companies didn't seem to be that worried about some things that line up. What do you think most companies are overlooking of the stuff that you've talked about? I mean, obviously, everybody's freaking out about CMMC right now, because they have advertised the heck out of it. But what is under the radar that's going to catch us off guard this year?

 

Heather Sims 36:34

Well, I'm glad you asked that. Right now, companies are so concerned with compliance, or making their compliance overseers happy, that it does not always translate to a secure and well-rounded security program. What I find, and I found this very interesting when I came out from old DSS, now DCSA, is companies, really my company the same, shape their program based on how they were going to be inspected. And there were a lot of gaps. So really taking a look not just at the self-inspection checklist, but really taking a look at how are we protecting things that are important to our company. And that's the first thing: understand what is important to your company. There might be a difference between what the government regulators think is important to your company, which should be protecting classified information, but leaving those gaps that are vulnerable when it comes to your intellectual property. To me, that's what a lot of companies are overlooking. But also supply chain, looking at that supply chain. And again, that's what's important to your company. And sometimes it has to do with

 

John Dillard 37:46

understanding who you're buying things from, who you're hiring, what are your communication efforts outside of your organization? So making sure you're shoring those up. That's where I think a lot of the companies are missing, maybe some of the gaps right there. Excellent. Another one here, also from John. What's a security, right, if you were talking to a senior management official at one of these companies, and you know, most of us are in sort of the day to day, but if we get a chance to make that recommendation to the senior person in the company who has the ability to pull the trigger on spending, what's the recommendation you would make for a company? Oh, that's a great question. I actually had that kind of written down for the last question, is,

 

Heather Sims 38:31

you have to be able to sell what you're doing, understanding. And that means you have to really have a good understanding of what the company does, what you're trying to protect, what are the threats against what you're trying to protect, and then being able to convey that to the senior management officials. Many times I see security people that are running security, the company doesn't have any interaction with senior management officials, or they are so low on the totem pole that they can never tell their story. And that really affects their budget. They only have the contact when something goes wrong. So I recommend security professionals be more proactive and be able to tell your story: here's the threat, here's what I'm doing to protect it, here's how I'm going to keep our company alive. So being confident that you know your business and being able to convey that story to your senior management officials. Make yourself invaluable. That's what you really need to do. Excellent. Good advice will always be better. It's definitely

 

John Dillard 39:30

lots of, as you might expect, several questions on SEAD 3, so specifically the foreign travel reporting requirement. And I think I'll repeat back what I think I heard you saying; I just wanna make sure I have it right. One is that we have six months from the time it's released in late February, was finalized late February. You, from whatever you expected at some point us to get that clarification, hopefully before the end of that six-month period. Could you possibly start from the top a little bit on SEAD 3.

 

Heather Sims 40:00

For folks who haven't really taken the time to study that foreign travel requirement, could you explain exactly what that obligation is? Whether it's all people, only cleared people, only some cleared people, only criteria countries, all countries? Because all of it gets reported to the government? Can we keep some of that reporting local to our company? Could you just kind of give us the overview of the foreign travel piece? Absolutely, I'll give you the main intent. So for SEAD 3, it used to be you only had to report foreign travel if an individual had Top Secret or SCI. And an individual had an obligation to report to certain personnel as well. What this changes is now it's all your cleared personnel: your Secret, your Top Secret and your SCI cleared people have to report. The other difference is it used to be professional travel; now it has to be your personal and your professional travel, if you're a cleared individual. What the ISL is going to do for cleared industry, it's going to tell us how we're going to report that, into what system, what's the frequency. And then also it's going to talk about, some of the companies have individuals who travel on a weekly basis; do you also have to provide the security briefing, the foreign travel briefing, to that person every single time they travel? Or can you brief them once per year? And so it's going to give that little clarity on the guidance on how often, when and how we're going to report. But if you haven't read through the SEAD, and I provided the SEAD, a website where you can go actually start reading SEAD 3, then read the new NISPOM rule where it has it in there. And what the ISL is going to provide is clarifying guidance on what's in there right now, because it is still a little bit gray actually in this NISPOM rule.

 

John Dillard 41:44

Got it, very helpful. Sounds like almost no matter what it's gonna be a little bit more work, maybe a lot more work, and we're just gonna have to find out what it looks like.

 

Heather Sims 41:52

Maybe a little bit easier, but for those larger companies that have thousands of employees, now you're going to have to start that process working with your employees so they actually know. It starts with training, advising them that they have to report.

 

John Dillard 42:04

Yep. A couple questions on the containers and the requirements.

 

Heather Sims 42:12

Number one, is there gonna be any waiver given for the new rule? It sounds like no. Fortunately, no, there's not going to be, and we'll definitely make sure, if this is the first time you're hearing about it, well, I'll provide Mr. Dillard the memo, but it's also going to be at the next NISPPAC public meeting where GSA is going to speak about that. Got it. Excellent. And continuous evaluation. Is there anything that, you know, the community needs to be doing to know whether or not their people are covered under CE? And making sure that we're doing what we're supposed to be on our side to make sure it doesn't hold? How does that work? Oh, great question. Under JPAS, the previous system, you won't see it in there; you have to look into DISS. And you will be able to go in there and see if an individual has a different investigation as well as if they're under continuous evaluation. That's going to be the way. Now we are identifying some discrepancies currently in DISS. So if you notice some discrepancies, I recommend you do a CSR in DISS and notify DCSA that there is a discrepancy there. We are identifying a lot of issues right now with some of the data. But that's the only way right now to verify that somebody is in continuous evaluation. Got it. Speaking of DISS, as I'm sure you might expect, there's always a DISS question or two. Is it really the program of record? If not, when is it going to be the program of record? There's lots of associated questions; I'm sure you know what they are. Your thoughts? Well, if you haven't seen, I just recently saw something on the DCSA site that identified that JPAS will be going away at the end of March. I know that was a surprise to a lot of people in the community, considering that some things are not working. And what we're finding is it's just a lot of time and resources managing two systems that aren't talking to each other.
So I think what the government is trying to do is get us all to one system and then try to fix that system, that data integrity within the system itself. So I do not understand; the DCSA director's memo was not very clear on what the system of record is. But right now you have to almost use both systems. DISS is considered to be the system of record, but a lot of the information in JPAS is still being utilized. So right now you're having to use two different systems, but figuring out which is the correct information sometimes is a challenge. So I will say if you're having issues, call the help desk, or send a CSR.

 

John Dillard 44:45

Got it. And while we're on that topic, another question from Richard. Any sense of the whole of government switching to DISS and NCCS, and whether that's on the table, or is it gonna happen? What's your thinking on that?

 

Heather Sims 45:00

One more time: the whole government, all of us, using DISS and NCCS. Various things that some other agencies use; I'm not necessarily sure about the whole of government. It's taken a big lift just to get DoD to use it at the moment. But the intent is DoD, and then anybody that is a signatory of the NISPOM, those government agencies that are under the DoD oversight, will be rolling up into that. Our hopes are eventually everybody will be using it, because it'll be a good supply chain tracker to figure out where subcontracts are being flowed to. So I can't say for certain, but it's going to take a few years just to get all of DoD to utilize the system. Got it. And got another follow-up question on the DISS topic we were on a couple of questions ago: can you give us some examples of what discrepancies we might be looking for, so we understand the kinds of stuff that we're saying to keep an eye out for? Absolutely. And for those who don't know, industry was so concerned about the JPAS to DISS transition, moving one system to the other, that I did send a formal memo through ISO to the DCSA Director identifying a lot of issues. Primarily, some of the eligibility information is incorrect. People are missing completely out of DISS. And then you may find that people that you out-processed years ago are showing up in DISS. So there's some data discrepancies between what you had in JPAS and what you're seeing in DISS. There's also some functionality issues that are just not working. Unfortunately, when the government creates a new system, and they're working through, you know, testing it, they don't always see what the interface is on the industry side; they see what they see, but they don't necessarily see what industry sees. So some of the functionality we identified; any time they do a new patch, we may find something wrong with the system. And there's not a report function that's working currently in DISS. So being able to run a report.
So it's really an administrative burden right now for a lot of companies to be able to identify who's missing, who's there that shouldn't be there, what eligibility is wrong.

 

John Dillard 47:15

A lot of information that's still not working very well. Yeah. No problem. So I'll stop asking questions about DISS after this one. But there's a question about this topic I've heard before, so I got asked. Occasionally you hear this rumor that they're already working on the next thing.

 

Heather Sims 47:35

And, you know, I don't want to put you on the spot. Feel free to no comment on that one if you want to. But what are your thoughts on that particular rumor? Well, I will tell you the goal for industry and government at large for many, many years is to get to one system. We used to have FCL, and then ISFD, and this and this and JPAS; the goal is to really get to one system, or at least have them all interfacing into one system. So many of you have heard of NBIS. And so that is supposed to be the system that will be replacing many of the existing systems that we currently have. But how nice would our world be when we can have one system where we can go and check clearances, we can check to ORS, we can check many other things in there, information about our companies. And so, yes, things are already underway for new systems. And for those who are worried about that particular topic, I mean, I'm in the software business; we're always looking to build the next thing. Oh, I don't know that that's necessarily wildly unusual. And if the DISS timeline is any indication, it could be 10 years. So that's one of the things. I have a question from a previous webinar guest, whose donkey, and friend of the community.

 

John Dillard 48:51

I'll read it because she worded this beautifully. First of all, she says, nice to see you, Heather. In light of violence directed at government facilities over the last few months, should we be working to reframe questions in forms like the SF-86 and SF-85 addressing participation or affiliation with anti-government activities? Currently, these questions are worded in a way that circles around rather than specifies engagement in those types of activities. What are your thoughts? That is a great question, and I will say some of the new legislation recommendations around that are a little bit scary.

 

Heather Sims 49:25

Partly because, and I'll use as an example, we all know that the riots up on the Hill a couple weeks ago, many people were criminally charged. What does that mean for the cleared people that were out on the yard, had no idea that there was criminal activity, they were there for peaceful protests, supposedly? So balancing those freedoms we enjoy as US citizens also with the adjudicative guidelines. While I think that there's going to be some changes made, we're trying to make sure that it's non-politicized, and that it also protects the freedoms of the US citizens involved. So I always recommend that people just, you know, use the adjudicative guidelines, but also use some common sense in those. And really, that's what we're asking, I would say, our FSOs to do when they are determining whether to report something or not: use the guidelines; they are guidelines, not all-encompassing. But really, if the individual is a threat or danger or not trustworthy, it should be reported. So being able to make those determinations of what should or shouldn't be reported. But when in doubt, report, and then let the government do their investigation.

 

John Dillard 50:40

Got it. Good question and great answer. Question on the NDAA section 842, on the NID. The question is from Christian: does this only apply to companies under a quarter in the UK, Australia and Canada? Or maybe that's all Five Eyes? What is the scope of the application of that? I'll tell you what I can do: I can send you out the full scope of that NDAA 842. I'll send it so you can share with the audience exactly what it is, because it's a little bit more detailed. And then we're also waiting for the federal government to issue the letters for the companies that it applies to. So I don't want to get too far out ahead of them when they're working through who it applies to. It doesn't apply to what our hopes are; one day hoping to get rid of the NIDs altogether.

 

Heather Sims 51:24

Got it. And another, well, I won't say the system name out loud. There was a question about submitting VARs and whether we're going to use the old system and the new system and how that's going to work. For the ones that have already been put into the old system, do we need to reenter them? What's the thinking on that? Well, just when I think I have it down, it changes. So to be honest, I don't know if it's going to pass from one system to the next system right now, when JPAS totally shuts down. So I'm going to wait for more government guidance on that. But I will say one of the things that we're going to look at here in the future, I'd say this year, at least for the industry side, the MOUs and then industry NISPPAC members, is taking a look at: do we even need to do VALs anymore, or VARs anymore? You know, potentially doing away with that altogether?

 

John Dillard 52:14

Excellent. I'm sure nobody will be very upset.

 

Heather Sims 52:19

So particularly those of us who would like to throw the fax machines away.

 

John Dillard 52:26

This is kind of a nice question to wrap up on before we close things out. And it's from Richard. He noticed that the salary baselines for FSOs in this NISPOM are really low; it seems like they don't really value the role very much. And yet, you know, this is, um, that was Richard's question. I'm going to editorialize to sort of set you up for some closing comments. This community, especially FSOs, but not just FSOs, right, there's really everybody who's even touching any of this, and even some of the other folks in legal and HR, who are a little adjacent to this program, are getting a lot of new jobs, a whole lot of new jobs, expensive jobs that are very time consuming, lots of administrative burden, but also a lot more analytical stuff that we haven't done before. And yet the value of that position, at least, you know, as Richard pointed out, doesn't seem to be escalating with the expectations of the role. So in sort of closing, if you could talk a little bit about, from where you sit and talking to folks in government, industry, and NISPPAC, and obviously the career you've had, how do you see the role evolving? Do you think that the perception of the role is becoming more valuable? And if not, what can we as a community do to elevate how our leadership and the government perceive the industrial security community as more valuable? Well, this is an excellent question. And I touched on this at my last NISPPAC public meeting: traditional security seems to be going by the wayside. And that is a big fear of mine. When I think about many of the companies, when their chief security officer leaves, the role seems to be rolled up under the cyber position or the computer side of the house. And that lets me know that more and more it is happening where traditional security is being viewed as an extra and not the priority focus. So it's definitely a concern. And Richard, you're exactly right.

 

Heather Sims 54:24

The government pushes us in a direction when they set new policies and procedures, and many of that is data entry or an administrative role. At the same time, they wish us to take a more risk-based approach. And the only way you're going to get that is get the right people in the right positions. And if you pay somebody too high to understand the risk management role, they're not going to want to do the data entry. I'm in that one right now. I got to tell you, you probably couldn't pay me enough to be an FSO at the moment, just simply because the data entry would drive me crazy, because I would want to get to the real role, risk management: understanding what I'm trying to protect, what the threat is, and then how do I mitigate those threats. And I can't do that by sitting there hand-jamming information into JPAS or DISS, unfortunately. So what we're trying to do is trying to get it to where it's more of an active role, and trying to get security properly funded on the front end of a contract, making sure we have the right person to do it. And the only way to do that is, again, to be able to make sure you're talking to your senior management officials, having them understand what the importance of your role is, and if you're not there, how it could affect their company; and then also being able to understand how contracts are awarded, and making sure you're embedded there during the acquisition process is the only way to do it. Oftentimes, FSOs are cut short when the contract is already awarded, and they don't understand all the security requirements that go into that particular contract. So making sure you understand what's expected of you, being able to front-load that cost for security in the acquisition process early on.

 

John Dillard 56:03

Outstanding. Well, Heather, I mean, fantastic closing to a great session. It has been absolutely wonderful having you, just chock full of stuff; we've covered a lot of ground. So really, really appreciate the time you took. And we are unfortunately out of time; we could keep talking for two hours if we wanted to. But as I mentioned at the beginning, we will be sending out the full audio recording and video, as well as a transcript and the slides. And I think, you know, Heather is also going to toss over a couple of additional pieces of information that we'll include, including contact info and, you know, the public meeting info for NISPPAC and how to find that information, as well as a few other links that will be helpful for everybody that we asked about during the Q&A. So I've listed the information here that you can use to contact us if you have questions; please come check the other resources out. We do this once a month. As I also mentioned, our research report, which I teased in the beginning, will be released sometime in the next two weeks; it's going through final QA. So look for that as well. When you come download Heather's slides, you can download the research report at the same time. And we will have, of course, another webinar in the first week or so of March that will again get into 2021 trends in a little bit more detail. So look for the details on that soon. And I thank everybody, especially Heather, for attending. Everybody have a fantastic week and get to work on this stuff. Have a good day.

 

Heather Sims 57:29

Thanks!

 

John Dillard

John is the Founder and CEO of ThreatSwitch, and has worn many hats including CIA Analyst, Navy Officer, and Facility Security Officer. He is an author and speaker on security subjects nationwide.

