if you would please take your seats, we aregoing to get started. So, first we are going to start with an announcement. All attendees are invited to go to the Archivesgift shop after the presentations in the session, you get a 15% discount today. It’s located a floor up from the theater. And we also I’ll echo the archivist’s statement that we invite all of the attendees to visit the archives exhibits and the museum and the rotunda following the presentations. Three speakers for this session. The first is Mark Riddle. He is a senior program analyst on the controlled unclassified information staff. He co-authored the National Institute forstandards and technology special publication 800-171 protecting controlled informationin non-federal systems and organizations serves as lead for implementation and oversight within the CUI program and is responsible for monitoring and evaluating agency efforts related to implementation.efforts for implementation. And a substitution in the program following Mark’s presentation will be Bill Cira our acting director speaking up on the inter-agency security classification appeals panel. Known as ice cap. And finally we will hear from Ellen Knight,a senior program analyst working for the information security oversight in the classification management directorate. And she assists in the development of security classification policies for classifying or declassifying and safeguarding national security information generated in government and industry. Her main duty consists of assisting the Public Interest Declassification Board,an advisory committee to the president established by congress in order to promote the fullest possible public accessto a thorough, accurate and reliable documentary record of significant US national security decisions and activities. And prior to coming to ISOO she worked atthe Richard Nixon presidential library and join before joining staff at the NationalArchives Ellen was an archivist at the national security agency at Fort Meade let me inviteMark up — let me invite Mark up on the stage. >> Thank you, very much. Okay. I got a wireless mic on so hopefully everybodycan hear me if I am I will try to talk louder. I like to pace around so I can get the lookof everybody’s faces and I can point out anybody sleeping in my presentation. I don’t like that it’s in the — not the afternoonthere is no excuse. I apologize up front, there is a good chanceI won’t get to your questions here today, the presentation generates more questionsthan it answers. What I want you to do is take note of theE-mail address the last line of the presentation or find me on the website. Send me an E-mail with the question set upa Q and A session so we can increase your understanding of the CUI program. The goal is for you to walk away with a betterunderstanding of what the CUI is about. So you can speak with a level of authoritywhat it takes to implement the program and the key features. These are some of the things we are goingto cover today the Executive Order. Some of you are familiar with the ExecutiveOrder. We are going to kick this thing off with this. We will go into the 32 CFR 2002 more importantlyit’s how we got the program we have today it’s important when you think about implementingthe program where we get the information that makes up the 32 CFR 2002. Then the contractor environment which is nota big mystery we use contracts and agreements to get there. I will speak to guidance documents that wehave listed in the 32 CFR 2002 that will kind of shed light about how we are trying to to protect CUI and why we have certain things in place. And phased implementation. It’s a fancy term what do you have to do andwhen do you have to do it. It’s nuts and bolts about why you are here. If you went to our booth and website you willnotice we issue a CUI notice 201601 this document is entitled implementation of the CUI programit highlights what you need to implement the program but I will connect the dots. I encourage all of you to go to the websiteor out to the table to grab a copy of this things it’s a nice place to start when itcomes to implementation. Lastly, I will go over the nuts and boltsand key features. Some of the things that you are going to seethat I will talk about today are things that you probably already have seen at your agency.
you probably already have seen at your agency. It’s going to be very familiar to you. There is a reason for that. I can’t say this enough, and I will say ita bunch of time, if it’s important you are going to hear it a couple of times. But keep in mind that the CUI program is basedoff existing agency practices. This isn’t something that we just made upin a dark room somewhere. We consulted with agencies and took the bestpractices and incorporated them into a regulation that hopefully everybody can live with. We aren’t going to say everybody is happywith it. There are folks in the room are not happywith the way the CUI program fell out. I apologize to those folks, this is what wehave here today. Keep in mind with any information securityprogram they are all subject to change. We are getting ready to have a new presidenttake office, right? With every new president there is reevaluationof a policy and reform that comes into play. Unlikely the CUI will be reformed when itcomes out of the box, but likely the next president the changes we see there are necessarythrough implementation we will pursue those. We are going to get right to it. Why is the CUI program necessary. Real quick who got a letter from OPM sayingthe government handles your privacy information poorly? All right. Real quick, that information that they mishandledwas CUI privacy information is CUI that’s one of the biggest questions we get. What is CUI I will cover it, why it the programnecessary? That incident is exactly why it’s necessary. Everybody wants to know what is the governmentdoing to protect our information, are we going to bomb somebody or do cyber attacks on themmaybe? I can’t speak to that but I can speak to theCUI program. That’s what we are doing to protect our information,to prevent incidents like the OPM breach and keep that stuff happening again or lessenthe impact so it doesn’t hit everybody with an active security clearance. Also, let’s look at the existing practices in the government today. You have Department of Defense, I am surethey are here somewhere, they call sensitive information FOUO and the Department of State the call it sensitive but unclassified information. The department of Agriculture calls it sensitive security information. FAA and Department of Transportation callsit sensitive unclassified information it’s alphabet soup out there. Not only agencies are calling sensitive informationdifferent things they are protecting it in different ways also. What happens when agencies protect informationthat’s pretty much the same in different ways? I want to highlight impediments to authorizedinformation sharing. What happens when agencies start protectinginformation in different ways? When one agency let’s say protecting informationlaw enforcement information, they know how to protect it. They are putting it up on the ciper net Iassume you know what that is. This agency is putting all of their law enforcementinformation up on ciper net and protecting it. They are meeting the standard of what it takesto protect that information. Let’s suppose that that agency needed to sendthat information to another agency. One that didn’t have a ciper net. Like Social Security Administration. They got it but they don’t have as much ofit. One agency who has the information needs tosend it to the other one there is a conversation that takes place. The agency has it asks the one that doesn’thave it do you have ciper net. The agency doesn’t have it, no we don’t. The other agency says: Good luck, then youaren’t getting it because you can’t protect it the way we protect it.
it the way we protect it. So information stops flowing when agenciesprotect information not classified at different ways at different levels the CUI program was meant to address that. Of course everybody is calling it somethingdifferent. Now, it’s an issue. Because all of those definitions don’t actuallyall mean the same thing. Everybody knows what privacy information is,but if I said what is sensitive unclassified information, I would get five different answers. The CUI program is necessary we are tryingto define the scope of what we are try to go protect in the government. We are trying to establish a standard howto protect the information and also develop methods and acceptable standards for sharingit among other agencies. So that brings us to Executive Order 13556. The Executive Order you can think of it asa line in the sand, acknowledgment by the Executive Branch or the President that theExecutive Branch handles sensitive information badly. We don’t do a good job. This is an acknowledgment of that issued in November 2010 it was a great document. Only two and a half pages long but it saysa couple of things. I am going to highlight this on the page startfrom the bottom work my way up. So, if you notice this last bullet herethe bottom bullet it says key term we say a lot in the CUI law and government-wide policy. That’s the definition of what CUI is it gaveus the definition of what we were supposed to protect in the government. Why was that important? Right now in every agency every major componentin the Executive Branch it’s the wild west for information security. We have agency heads operational commandersreaching out and touching a data set or piece of information and saying hey guys we aregoing to protect this as for official use only or whatever they call it. They do not have a basis in law regulationor government-wide policy to do so. So the President, you know wise guy, he actuallycomes out says okay you know what we are going to do? Limit protection to only information typescalled for protection, in law regulation or government-wide policy. So the high-level lawyer definition of whatit takes to be CUI is you have information type, it says please protect it or share it in thisparticular way. Or it just means protect it, that’s kind of the world of CUI. I will talk more about that when — what thatmeans. Every good security information program needs somebody to lead the charge especially at the government-wide level here at the National Archives we werecalled out inside of the Executive Order as the executive agent for the program whatdoes an executive agent do we oversee agency actions to implement. Eventually we come out to inspect you. You know from the archivist presentation thismorning like everything in the government it kind of flows down here it gets down toISOO here we are today right? The top bullet is really important. This Executive Order established the CUI programand then a sub-bullet in consultation with affected agencies. What does that really mean in government-speak? It means we needed to have a conversation. This directed ISOO is the executive agentnot to just close the door and come up with something. Information security is our business we couldhave came up with the regulation but we needed to work with you. We asked agencies two questions, the answerto these two questions formed the basis of the CUI program. We asked what are you protecting and why. I am going to talk to that in a minute whatthe answer to that looked like. We asked agencies how are you protecting thatinformation?
brain teasers riddles We asked agencies how are you protecting thatinformation?
We asked agencies how are you protecting thatinformation? The answer to these two questions give usthe CUI program. That leads us to right here. CUI registry. The first question we asked is hey guys whatare you currently protecting the President and Executive Order gives us a kind of a broaddefinition. He says whatever we are protecting needs tobe linked back to a law regulation or government?wide policy. I am going to call that authorities. Occasionally I let it slip out again, andI apologize. So, the CUI registry is the world. It’s the answer to that question of what weshould be protecting. It gets down to the very detail of what CUIactually is. Nobody is going it read the Executive Orderand figure out what it means for information to be referenced in one of these authorities. If you go to the CUI registry you know exactlywhat CUI is. It comes down to 23 categories of informationand 84 subcategories of information, all of which can be linked back to a law, regulationand government-wide policy. Now, of course this data call everybody submittedstuff it was 2200 submissions from every agency of course ISOO rack and stacked these things and formed this registry in 2011. So, this is the world of what we should beprotecting. I want to say a couple of notes on the CUIregistry before I push on. A lot of folks see the registry as somethingthat you use once you implemented the program, this is a valuable tool when it comes to planningfor implementation. Because this tells you exactly what the governmentshould be protecting right now. In accordance to law regulation and government-widepolicy. From implementation standpoint you can usethe registry to identify what you should be protecting. Bounce that off the agency policies they aren’t goingto go away we need them. Ensure that your agency policies align towhat we have in the CUI registry. This brings us over to 32 CFR 2002 this isthe answer to the second question. Agencies how are you protecting this information? ISOO loves to do data call. If you have been in contact with ISOO we havedone a number of data calls saying here is a bit of policy what do you think. You provide feedback shaping what the CUIprogram is going to be. After six years, you notice the ExecutiveOrder was issued in November of 2010 we have this issued in September of 2016, six yearslater, we have us an implementing directive. How did we get this thing? We formed a CUI advisory council. Have you seen the movie Twelve Angry Men? It’s a jury story about 12 dudes coming intoa room try to go find out who is guilty or innocent. The CUI program was formed like that. Imagine 50 angry people in the room arguingover every aspect of what the program should look like what color should the cover sheetbe where should a comma go in this particular paragraph. It’s a fun process I like to highlight AdamHuddleson up there everybody take a look at him. This is a changed man. Six years ago he was a completely differentindividual. (LAUGHTER)>> This process changed him immensely. He used to be a very positive guy. (LAUGHTER)>> Anyway, but so what we have with the Executive Order of course due to a large effort by Adamand the folks here in the CUI staff is a regulation. Now it’s a regulation that not everybody is completelyhappy with but a regulation that establishes the baseline for protecting information throughoutthe government. Really, you know the CUI program is basedoff law regulation and government-wide policy. Laws and regulations are those authoritiesnot necessarily not created equal.
Laws and regulations are those authoritiesnot necessarily not created equal. I want to call your attention to the bottombullet here, emphasize the unique protection described in law regulation and government-widepolicy. Why is it important? Certain laws regulations got it right. You have certain laws that just say, pleaseprotect this information. Right? You say here is an information type pleaseprotect it and agencies try to define what protection means. For the most part the 32 CFR will define protectionsso agencies don’t have to. When a law, regulation government-wide policyis prescriptive in nature meaning this information needs to be destroyed like this or markedlike this or only shared with these people, those unique protections need to be honored. Because they are prescribed in law. The program put a magnifying glass over theauthorities and says you must follow these too. We call that CUI-specified. I will go into that in the back half of thepresentation. What you have in the CUI regulation is a lifecycle of information type. You have designation of it all the way downto its destruction. And handling is in between. How do you mark this information and shareit with others. Of course how do you de-control it that’swhat we call declassification in the CUI program. I will going to push on, again, hopefullythis is answering a lot of your questions, to give you a nice overview. Our E-mail address is at the end I encourageyou to contact me. Oftentimes people do. You know, and I will be happy to answer anyquestions that you have off line. At the end of this I will take some questions. Now, in this special publication 800171 thisdocument some of you may know was issued in June of 2015. Now keep in mind our CFR was issued in Septemberof 2016. A year later. This is a key policy document in the CUI programit actually referenced in the 32 CFR 2002. Why did you issue this a year after the CFRcame out? Want to guess? Government doesn’t do anything unless it hasto unless somebody puts feet to the fire and says you must do this about this. This is the NISP when the 171 was issued inJune of 2015 in direct response to incident involving information entrusted to contractorsbased off of guidance that agencies were giving them on how to protect the information inconsistentguidance not satisfactory to protect the information incidents happened in 2013 and 2014. Of course incidents any time something hitsthe news and the White House is aware the CUI program is pursuing something to strengthenthe protections around sensitive information. The White House said we can’t have this happenagain and again. We said, we are working with NISP we havethe idea they loved the idea give it a name put it out for public comment we want thatthing on the street. We are trying to prevent recurrence. We don’t want to be hit again with informationsecurity incident involving sensitive information and what will be CUI. Of course the 171 there is highlights here. I don’t want to go too deep I suspected wedon’t have a lot of I.T. folks in the room there are certain instances you use this documentto protect CUI. There are some instances of course when youwouldn’t use this document. Some of them are of course if somebody isoperating a system meaning industry folks, are operating a system on your behalf or theyare performing a function for the government, that’s when you would use your own. Technical standards. If we are only concerned about the confidentialityof the information conducting a study we are asking the university to do some kind of analyticalwork or produce a product for the government. That may include some sensitive informationor CUI this 800171 will take hold. These slides will be made available to youafter the presentation shoot me E-mail I will send it out to you. There are instances where It’s appropriate to push your agency policieson to a contractor when they are basically acting as you. So, the federal acquisition regulation thisis a nice recap slide on where we have gone so far. So you have the Executive Order which is ourline in the sand what we need to do with acknowledgment we need to fix something. CUI registry is what we are trying to protect. The 32 CFR 2002 is how we protect that information. And the 32 CFR 2002 will call for agenciesto modify their agreement to align with the standard of the CUI program. So, once you implement the CUI program youtarget these agreements and contracts and real them in. There is one concept I will hit on the backhalf of this presentation that is common in the Executive Order and also the 32 CFR, itis the limitations on the applicability of agency power. Agency policies pretty much right now arethe reason why we have inconsistent safeguarding practices across the Executive Branch it isn’tyour fault you have done the best you could. Meaning you had a law protect something youwent out and developed a policy that said this is how we are going to protect. The problem with protection and defining itif you went around the room or asked five people how do you protect sensitive informationyou get five different answers. Imagine that multiplied by hundreds of thousandsof organizations and suborganizations throughout the Executive Branch? So, back to the federal acquisition regulation this speaks how we are to convey safe-guarding guidanceI to industry. into contact with them. So, you already are going to be required tomodify your agreement especially when it comes to contractors some of you will take stepsto modify the agreements the federal acquisition regulation is the last step of implementationbecause it’s going to standardize the way in which you convey guidance. Let me give you a much tighter frame of thesecurity requirements. It can speak to oversight methodalogies. I am not going to talk about the ISOO methodologybecause that’s another briefing I am more than happy to engage in other discussion howwe evaluate and monitor your effectiveness with implementation. We are going to have it in one year. If the White House fast tracks it sooner youcan expect the clause to be issued November of next year. So, this slide here is the attachment to theCUI notice 201601 speaking to the implementation of the CUI program what agencies need to doand when they do it. We use this fancy term day 0, this is thejumping off point thats November 14 2016 for agencies to begin implementation. Coming out of the box is policy. Policy is why we have this problem that wehave here today. Inconsistent safeguarding practices involvingsensitive information. In order to make the change happen we haveto change our agency policies. We have to narrow the scope in those policiesand limit what we are protecting to only those information types that can be linked backto law, regulation and government?wide policy that’s step one. Don’t panic when I say this from Novemberwe are going to give you 180 days to develop and publish agency level policy that’s exciting,huh? (LAUGHTER)>> Does anybody in the room think it’s actually possible to develop an agency level policyin six months I want to shake that guys hand. Nobody can do it, right? 180 days is extremely aggressive to developa policy the CFR took us six years. How do we ask you to do something in six months. Let me tell you how we get the numbers weask agencies not what are you protecting and how, but we ask the question how long is itgoing to take you to implement this. Agencies gave us back a response oh, yeah,probably a year, year and a half maybe two depending on the climate and interagency commentperiod. That’s great. What we did we submitted those responses fromagencies to OMB it says we have to consult with agencies and of course OMB. We sent these realistic timeframes to OMBthey came back and said you know what tell them six months. (LAUGHTER)>> So, I didn’t just say that this isn’t being recorded thank God. (LAUGHTER)>> No, but really that’s how it works. One thing you keep in mind when we say producepolicy in 180 days, we mean we want you to take aggressive steps to implement the programas soon as possible. We need to shore up our protections around sensitive information. 180 days is aggressive. If you have agency 10,000 people or less youhave a shot. Year, year and a half is more realistic. What ISOO’s job is in the Executive Branchin regard to the CUI program we are monitoring steps to implement the program. So at the 180 day mark, that’s Around May you will see a data call I knowyou will I will be sending it. Agencies, how are you doing on implementingthe policy or implementing the CUI program you are going to counter where you are inthe process with draft internal coordination, you aren’t even close, but we are going toask another question. (LAUGHTER)>> The other question that we are going is ask of course is: Give me a date. When do you expect you have the policy inplace that’s what we are going to report to the White House. We are going to have a realistic expectationof what and when it’s going to take to implement the program after the May timeframe. Somebody tackle me when I get close to theend of the time, I will keep going. All right. When it comes to policy you will notice somethingunique on the chart here we have policy and then component policy. What is the reach of ISOO’s oversight armwhen it comes to the CUI program? We are only concerned with parent agencies. Right? So, let’s say the Department of Justice orDepartment of Transportation for example. We want the Department of Transportation asa parent agency to develop and publish a policy to implement the program. Major components that exist under that agencyhave to implement a program a CUI program based off of that parent agency. There is a good reason for this. Think about information types. Think about the mission that you have. Social Security Administration has a uniquemission so does the IRS compared to Department of Justice and defense we are talking aboutdifferent information types and different unique handling associated with them. So, every agency’s policies should be a reflectionof those information types. And if it isn’t in the parent policy, youwill see those information types reflected down in the components. Let’s move on down to training. Training is dependent on your agency policy. The reason why? You can’t develop training until you knowwhat your agency policy is. So, once you have a policy in place, it doesn’thave to be six months but once you have it in place you are going to kick off trainingefforts within our agency to develop training that speaks to the information types thatyour folks handle. I don’t want anybody to panic when it comesto CUI training the CUI program is based off of existing agency practices. I have been to a number of Executive Branchagencies I found you already have policies. You already are training, your workforce howto protected sensitive information. That’s what you need to target for implementationpurposes. Those training courses need to be modifiedregardless. You don’t want to give you conflicting information. Why reinvent the wheel. Take the courses inject CUI concepts trainingshould be complete. I summed up an effort that will take you abouta year to do. But keep in mind, you have some things thatyou can lean on at your agency. CUI training is going to take thee distinctflavors throughout phased implementation three to five years to get everybody on board. Agencies will implement it at their own paceif you have a small agency inside of two years other agencies five. Throughout the implementation of the programfrom November you are going to see things marked as CUI. They will come into your agency. Your employees need to know how to react to the information. Prior to your implementation of the CUI programwhat you need to do is you are going to educate your workforce oh, my gosh this transportationis coming and here is what you do if you see information marked as this. That’s a key thing. As soon as we publish these markings to thewebsite people are going to start using them. It’s not based off of agency policy necessarily. The second level of training of course asidefrom general awareness before you actually implement is your basic CUI training. Now, we see CUI training for the agency tobe an all hands type of event. So, everybody in your agency is going to needto receive some level of CUI training it doesn’t need to be in-depth. Think about privacy 101 training everybodyhas to take that that is training for CUI. CUI specified you are trained on it. Now, this general awareness that you provideto your employees is going to tell them here is CUI this is basically how you identifyit and report an incident and this is who you go to for questions. This is basically how you protect. It can be high level stuff. To help you on the task you will have trainingmodules or tools you can download from the website and hopefully inject them into thelearning platform to help you on the way it’s not going to give you the answers but do agood portion of the work for you. The last element of training of course isspecified CUI training. What I call if you have super users in theagency everybody has them. You have folks in the agencies who handlea unique set of data it requires specialized handling. Remember the CUI program recognizes theseneed protections need to continue that are prescribed in law regulation government-widepolicy. You are training these people on how to dothat. Privacy 101 is an example of specified trainingso is the training of the HR folks and special agents your physical security specialistsand general counsel they are getting information like federal grand jury information this ishow you specifically protect it. All of the things need to be on our radar. You need to track to ensure they happen froman oversight standpoint ensure that the concepts that are being conveyed in training can bemapped back to your agency policies and procedures. Physical safeguarding is something that weconsider to be a relatively low hanging fruit in the CUI program you will see a very broaddefinition in the CFR on how to protect CUI. We ask for it to be in a controlled environment. Unauthorized people not to be able to accessit and overhear conversations concerning CUI. How do you get there? You are already there. I went out and visited 30 or 40 differentagencies and components I found you have protection measures in place to prevent unauthorizedaccess to sensitive information sometimes the concepts are articulated in policy sometimesnot. From an implementation standpoint you needto identify how it’s protecting the information and in a policy somewhere make sure you aretraining to it and somebody evaluates against those standards that you articulated. Now, systems is a little interesting. It’s not based on agency policy it’s basedoff of the CFR. So what you can expect from the systems isthat 180 days from the issuance or the effective date of the CFR, agencies are expected todo an inventory. How many systems do you have. Do they contain CUI and how are they currentlyconfigured. Because I would say this: The CUI programis very strong in certain aspects it has some soft spots. When it comes to protecting CUI in the I.T.environment that’s the hard spot. We draw a line in the sand about how to protectinformation. Most lie laws are silent how to protect informationin the electronic environment. The 32 CFR 2002 says we will protect the information at the moderate confidentiality impact value for the I.T. folks in the room that means a set of security controlsthat are imposed to be able to assert that level of protection. I am going to talk about that a little bitlater on. That’s what you need to do. How many systems do you have do they containCUI how are they configured the next 180 days we want you to develop a plan. We need you to have a plan in place. You need the systems targeted and you needto say these systems are going to be transitioned to the standard if they are not there alreadyby this particular year. That’s what we are going to ask. Now, self inspection program. You need to evaluate yourselves. You need to monitor how well your trainingis being implemented, how many incidents you have and whether you are taking steps to preventthe current — that’s what we are looking for in the self-inspection program. But there is going to be a little bit moreinformation on that later on. Within 180 days of issuance of specific guidanceon what does it take to have compliant CUI program. That question is going to be answered foryou. So, within two years of the effective datewe are asking you to have the program in place in the interim you can expect ISOO will haveinterim data calls. Keep in mind November 1, 2017 is the firsttime that you will be required to report on the status of the CUI program to include theimplementation. It’s going to be standardized reporting whatwe have done for the classified program but a little bit different. The CUI program is (inaudible). Now, additional implementation concerns programmanage, when I say this from ISOO perspective, I need somebody to lead the large at youragency. It can’t just be you at headquarters level,you need to think about implementation concerns across your entire fabric. Major components probably need people to leadthe large too because you can’t be everywhere. So, we are asking every agency to designatea senior official and a program manager. The SAO is your SES – he is the guy who goes to jail if something goes wrong. the program manageris the dude, the boots on the ground, he is monitoring efforts for your agency and reportingthose efforts to ISOO. And then up to the president. The last bullet here for, underneath programmanagement is internal planning (inaudible). What does that mean? That means that you will to rally the troopsinside your agency you as program manager can’t do it alone. You don’t have the clout to reach across everyinternal line of business and bring people to the table that you need to start workingon it. Every agency handles different informationtypes different divisions they need to be sitting at the table. A lot of agencies, I could name a couple,have formed the groups to prepare for implementation it takes the entire agency to step in thatdirection. (inaudible) incident management of courseis a major element of implementation any time you tell people to protect information ina particular way. You have one guy that says I am going to doit this way. People are going to handle information wrongbecause you have drawn a line in the sand. What you need, from a CUI standpoint, youneed incident reporting mechanism within the agency. It needs to be highlighted in policy and conveyedin your training courses probably on posters everywhere too, right. Also this reporting system needs to be, oh,we have an incident, I reported it. There needs to be steps within the agencyto prevent recurrence. You can’t report we had 5,000 incidents anddidn’t do anything about it. I want to see that you modified policy, procedure,or training to address trends that occurred within our agency. That’s an information security program. The last bit here of course is contracts andagreements everybody has them, nobody does it all alone. You have to create this program with probablythe help of contractors in your handling information. HHS outsources a good portion of the claimsand process to industry. You need to look at the agreements you havein place and contracts see what safeguarding you are getting safeguarding guidance youconvey and target the agreements for modification. Once you implement the program don’t do itright now. Understanding the CUI program, I am actuallynot sure where I am at on time I will keep going. Understanding the program. What I am going to hit on now is of coursethe nuts and bolts I touched on these things I don’t want to spend too much time here hopefullythis will enhance your understanding. First, basic and specified these are key termsin the CUI program. They are not levels of protection they aredifferent. So basic CUI is where there is a law, regulationor government wide policy that says there is an information type protect it guys. The CFR defines protection when the law isvague. CUI based — specified is where the law, regulationor government wide policy is prescriptive in nature. That’s CUI specified that’s an important distinction. When something is CUI specified I have exampleson the slide here, you must call those information types out in document reform when you go tomark it share it you want to convey to somebody this is CUI it contains this specified too. Those are big concepts. Limitations on the applicability of agencypolicy, I hit on this before. Agency policies have conflicting information. So, what we want to do as implement the CUIprogram, we want to place strict limits on the policies if you come into agreement withsomebody and you are asking them to handle and protect CUI in some way you are not sayingdo it our way. Because you can always go above the base lane. Agencies can do that. But you can’t push at higher level of protectionout the door. You can’t do that anymore. We require systems to be protected at themoderate level. If you said we are going to go high. Go for it. But you can’t push that standard outside yourdoor. That’s limitation is only applicable to agencypolicy. There is a little bit more to it, it’s thegist of it. You are out there inspecting agencies ourown agencies look at those agreements. see if your pointing to an agency policy in how to protect it. now, general safeguarding CUImust be protected. Keep in mind the CUI specified thing floatingaround out there, there are certain categories and subcategories of information that requirespecialized handling of information. You have to look at the information typesto ensure you aren’t violating the law dropping it in a room somewhere with a locked door. Generally for protecting CUI you don’t needa true floor to ceiling room you need a space that’s going to control unauthorized accessand prevent people overhearing a conversation that contains CUI. There are a good reason people with HR shopthe HR people are located on a separate floor and suite. We don’t need to know what they are workingwith. Same thing with Department of Justice whenthey have forces on mission or working on cases that group is given a segregated worksite. Where they are kind of cornered off in onecorner of the office working on dedicated network drives. When you think about a controlled environmentextend your thoughts not just the physical environment but the electronic one. You want electronic segregation of the workforceaccording to mission and need to know what we call in the CUI program lawful government purpose. This graphic is meant to convey you can meetthe definition of a controlled environment in multiple ways some use PIV card or angryadministrative assistant controlling access. It’s completely up to you. I vote for the angry administrative assistantthey get it done. (LAUGHTER)>> That will inspire fear. That’s what we are going for. So systems requirement of course keep in mindwhen we settled on the standard for protecting CUI in the I.T. environment we ask the questionwhat are you doing now to protect sensitive information. The overwhelming response is the moderate confidentiality impact value, somewhere high. The reason why most systems are at the moderatelevel is because think of privacy. OMB Office of Management and Budget issuesguidance on how to protect privacy information. They drew a line in the sand and say if youhave privacy on your systems PII we want you to configure your systems to the moderateor high level. Most systems in the government are alreadythere. When you think about implementing the CUIfrom a systems standpoint you may already be there. Most agencies that I visit can assert withgreat confidence they are protecting CUI at the standard prescribed in the regulation. You need to know as planners the truth youcan assert it to me but I what I wanted to see –I want to see the documentation thatsupports that assertion at that particular level. Now marking CUI. This is the really exciting part. When you think about marking CUI expand yourthoughts on marking and what it means it isn’t just marking human readable things it’s alsoabout identifying CUI. What is the purpose of marking. It’s to identify or convey the sensitivityof the information that you have to somebody else. Right? You want to say, oh, my gosh this is a littlebit sensitive, I want to tell you it is how am I going to do that I will put a markingon it this is an example of CUI document could look like. Of course, we are looking at something a header,it has to be a header. Not a footer. So when you mark CUI document it appears thetop center of the page, it needs to say: Controlled or CUI I will talk about that a little more. Real quick on portion marking. Portion marking is optional in the unclassifiedenvironment. We encourage you to do it there maybe operationalneed within the agencies or components to do so we encourage you to look at that. If you want to do it please go forth. If you do it you have to do it our way. I had a good question from the briefing thatI had on Tuesday I believe what does U stand for unclassified? Oh, no. We invented something new we call it uncontrolledunclassified information. It expanded more accurate definition. When you see “U” it means something it meansthere is no basis to protect it under the classified program or the CUI program. It does not mean that you can just releasethat information to the public. All information within an agency is goingto be subject to a Freedom of Information Act policy. Keep that in mind. That’s what we mean uncontrolled unclassified. So the banner. The banner marking is the basic performanceof the CUI program. At its core CUI must be marked. That marking must appear at the top centerof the page. The first thing is a controlled marking thisis declaration to the intended recipient it’s CUI it’s the world controlled or the acronymCUI at the top of the page. For CUI basic and specified we have two types. The basic requirement is just the controlmark so if you have basic CUI meaning that the law wasn’t prescriptive in nature theword at the top of the page gets it done. If you have CUI specified where the laws prescriptivein nature they want to alert the intended recipient it’s prescriptive in nature howdo we do that? We apply the category mark. All 23 categories and 84 subcategories havea unique marking associated with them. If it turns out it’s specified we want tocall that out to the audience or recipient of course and say how do we know it’s specified. Before the category marking SP dash beforethe mark. That’s the second element that’s requiredfor CUI specified that applies to the category marking and precede that. The third element the banner marking is somethingcalled limited dissemination control marking everybody has a clearance you know what noforeign is no foreign national that’s dissemination control marking to limit the disseminationof information keeping it from foreign nationals. That’s what we have for CUI. Keep in mind the markings that you used forclassified information cannot be used with the CUI. Very powerful statement. What can you use? Of course you go to the CUI registry you willfind a list of dissemination controls you can use with CUI. I think no foreigns is one of them the jury is still out on that. We are working aggressively with agenciesto come up with a nice list that meets your needs your business needs to control informationbeyond the general marking. So, of course every element of the markingis separated by a double slash very familiar to you in the classified community. So, of course is it possible to mark everythingin the — I have 54 seconds, oh, my gosh I am done. No. Real quick on both marking, both marking reallyquick we real lays you can’t mark everything in the agency your senior agency officialsmay elect to I guess waive internal marking you have to have a good reason to do thisit’s overly burden some to the workforce. You want to alert everybody you are accessinga portal with a lot of CUI I don’t have to mark everything but the portal that they areaccessing to say this database I am going into contains CUI here is my alert or usebanner marks or storing a box somewhere. You don’t need to mark everything in the boxyou can mark the box saying this is containing CUI. I am almost done just a little bit more specifiedthe registry will indicate the laws regulations and government wide policies that are in factspecified we wanted you to go to the authorities and extract the specified bits and piecesand put them in your policies. This is what it looks like. Marking handbook is a wonderful product attributedto Adam’s hard work. It gives me a little bit of credit. I can take credit for the cover sheet thisis what they are. They are available out there download fromGSA optional form. If you are use — if you are going to usethem, these are the ones you use. Q and A section I am almost at the tail end. This is working out great. So, a little bit more on the cover sheetshere. All of these of course can be used. Optional form 902 that looks like a tablein it is an opportunity to populate the categories in the pack. Remember for CUI specified it’s required if you identify the markings on the document. Why use a cover sheet. You filled out SSA86 in tax returns. The problem is there is not a whole lot ofreal estate on the forms to convey to somebody this is CUI. You can use the cover sheet to meet that requirement. Optional form 903 is a great form it has abig text box where you can convey categories contained in the information but also in alaw regulation government wide policy PII or law enforcement category requires thatbig juicy paragraph to appear on the cover of the document that gives you the real estateto do it. But it has to be required in accordance tolaw regulation government-wide policy. If you use them please use these. Legacy information and marking thenI think I got one more slide and we will go into questions. This briefing usually takes two hours, I amlike a speed talker today. Legacy information. This is information that was marked priorto the CUI program. This is our FOUO, SBU’s and all of that goodstuff. Some of that information may legitimatelybe CUI. When do you re-mark that information? The policy is if it is CUI you have to re-markit. It does mean that you have to re-mark allof your legacy information. We recognize it’s overly burden some we gaveyour agency the ability to waive that type of marking when it’s overly burdensome. Look at it, you see that in your policy. When are you going to re-mark legacy information? When you are reusing it derivative classificationwill help you out you are extracting information from a — from an existing document puttingit on a new document. Evaluate the information that you want touse see if it’s CUI if it is mark it. If it’s not one thing you don’t do when youre-use a document you don’t carry the FOUO and the marks you want to know when it diesit dies when you re-use the documents. You don’t carry it forward on the document. It will stick out like a big red thumb. I will see an FOUO marking. Discontinue all use when you re-use. Discontinue all use of legacy markings whenyou re-use that information. This is my last slide I will open it up forquestions. I was really worried about this destructionwe have taken you on the designation of information the life cycle handling of it a little bitand how do you destroy the information when you are done with it. Remember I said there are hard spots and softspots. We are hard protecting it in the electronicenvironment and strong when destroying it. That’s driver’s license numbers et-cetera. How do you destroy it across all types ofmedia. The overwhelming response is the NISP SP800-88 document. It tells you how to destroy everything onpaper hard drives to iPhones. Any standard that you use for the destructionof classified information is acceptable to the destruction of CUI. I will talk about shred people corner me aboutthe shredders they are I am bedded in our society. People buy them at Wal Mart and Office Maxand proud of them. When you look at our shredder or the shredstandards indicated here you will see something. You will see a destruction band cross cutshredding that produces a particle that is one millimeter by 5 what does it look like? A lot of you stopped by and picked up a baggieshowing what the thread standard looks like. The other with the big red X you see on theslide here was a bag from a shred company that was asserting that this shredder candestroy something in accordance with the CUI program it is not. It was a cross-cut shredder that produced particles 4 millimeters by 40 millimeters that’s not close. You see the font, we kind of mimicked theSocial Security number 5555555. Everything. You can see everything. So, be aware when you start to implement theCUI program you have to take inventory of how you are currently destroying sensitiveinformation across your agency, identify shredders and you probably need to go out with securityfolks and say with a little sticker and say not approved for CUI. Approved for CUI. This equipment is evaluated by the CUI programmanager or office. A little bit of be aware of that. That’s out there now we have contact withsome of the companies to try to steer them towards modifying the website because theyare going to cost the government a lot of money. With that happy note, I would like to thisis my E-mail address you can have a copy of the slides and of course this is my attorneyyou don’t like anything I said you can contact him. Brian Oakland is a key feature, key memberof the CUI staff. He is the guy who evaluates laws, regulationsand government wide policy to see if they meet the standard to see if they can be onthe CUI register. I encourage and he encourages everyone toreach out to him, if you want to talk about the regulations if you have a question noton the — he can tell you why the regulation is there or not there and how to get somethingon the register. I am the lead for implementation and oversight. Right now I go out to agencies and get theirarms around what does it mean to implement the CUI program. I am happy to come out to you. This is the short form. I usually rattle on for a couple of hourson this topic. And you know, engage folks with questionsas we go. I would like to open it up for anybody withquestions. Just kidding. I don’t want any questions. Please can you go to the mics? Okay.>> (inaudible) >> So, the question is: How is the unclassifiedportion marking going to affect the standard of when you co-mingle. The answer to that is going could be comingfrom ISOO we have to answer that question. The marking handbook is going to be addresshow information is going to be commingled with the classified document. Adam is leading the — we know how we aregoing to do it. I can speak to it from a high level and ofcourse engaged more off line. When CUI is commingled with a classified documentit must be identified in the document. In the classified document you are going tosee U uncontrolled unclassified information. You can actually see CUI// and a portion thatsays can possibly a category or subcategory of information so the U right now that yousee in classified documents as we implement the program is going to be expanded a littlebit. People will ask the question: Is this reallya “U” or is this in fact CUI. Once it is once you implement the programyou will start incorporating the markings you will look for the guidance coming fromISOO we will brief to it but available on the markings website and people engage indirect conversation if you want to see snapshots of what it looks like. Great question. Anybody else? I will repeat the question because I thinkI can hear everybody you don’t need to run to the mic.>> (inaudible) >> Yes, sir. >> (inaudible)>> Okay. The CUI program, we don’t declassify CUI. Right? We de-control CUI. What that really means in the CUI programwhen you de-control something it means it’s no longer going to be a CUI. Sometimes when you de-control something yougive it up to the originator, he can determine when you are going to de-control this informationby a date or event and sometimes that de-controlled date is required by statute. Meaning that those laws and regulations mayprescribe exactly when you de-control or when you can de-control this. That’s our fancy term. That is something you need to beef up insideyour policies to make sure you get your arms around the information types. Make sure you don’t violate any laws theyare prescriptive in nature when it comes to the control as far as when you can de-control information. That’s our fancy term. We love inventing new terms. De-controlled. Any other questions? Yes, ma’am. >> (inaudible)>> Oh, that’s a great question. It’s about NATO. How do other countries come around to ourway of thinking. If you look at the registry it’s interestingthe categories and subcategories that can be referenced to laws and regulations whenyou look at NATO it’s different you have to go by the USAN it’s based on internationalagreements and understanding how this information can be marked and conveyed. Of course we have to — we have to respectthat CUI markings you don’t remark it to be CUI//NATO, NATO takes precedent to that. Keep in mind that there are some specifiedauthorities out there that prescribe safe or markings for information what do you doin the case of SSI or federal tax information examples of categories where the authoritysays hey mark it this way. We can’t tell you to violate law. If the law says mark it that way you mustmark it that way. However, you must also apply the universalCUI marking on top a declaration this is in fact CUI. It may be burden some but pretty much if theregulation says mark it that way that marking has to appear in addition to CUI with theexception of NATO any other questions? Yes, sir, you have one? >> (inaudible)>> Yes, sir. Were there any at categories of informationunder review for addition. The registry is a living thing. As agencies and government entities can pursuelaws and regulations as soon as they think they are going to create something that isgoing to prescribe protective measures for information they usually reach out sometimesthey don’t but these do. Right now we have what we call provisionalcategories. Meaning that an agency has asserted they aregoing to pursue a regulation to protect a certain information type there is a processassociated with it if you go to the website you will see a little bit of that processthere. But I think DoD has a couple of categoriesDepartment of Justice has a couple as well. We don’t advertise them we don’t wanted peopleto mark them yet there are provisional categories. Yes, sir? You have one? Okay. Anybody else? Yes, ma’am. >> (inaudible)>> Oh, that’s a great question. — question. How is it CUI going to be displayed what areyou leaning towards right now. You have the classified banner CUI bannera big juicy thing at the top classified. CUI is a little bit different remember whenI said limited dissemination controls cannot be used with CUI and vice-versa. What we are doing to protect CUI in a commingleddocument there are two banners you can find it this is CNSI banner at the top andI banner at the top CUI banner underneath I am dead serious you are going to love itI tell you what. (LAUGHTER)>> There is actually a very good reason for this. When you go to de-classify a document, howare you going to protect that information? So, when you de-classify that document andit no longer is going to be classified that information in there is still CUI. It needs to be protected in accordance withlaw. So you take a black marker and cross out the de-classification lline. CUI controls will take hold and ensure protections of that information. >> Let me throw in one thing. He just gave a very good answer as to whywhen you de-classify the CUI banner is already set up. Here is the deal it has to be marked CUI two ways to do it. Integrate with the banner you know and love screwing up the way you do everything. (LAUGHTER)>> or add a new banner. And that’s what — for a very long time whatwe are going to do is make you integrate the banners, hate us yell at us you don’t havea choice you have to mark this stuff because the laws say you do the regulations say youdo we can’t tell you, you don’t have to. So we brainstormed a bit and came up withwhat he just said which is okay fine, we will leave your banner alone the I used to be DNIguy I know it too. Leave that alone and ask the CUI below itand then they don’t roll up together they don’t combine they roll up to the one CUIand just the one that’s classified. >> (inaudible)>> All right, no, no. We want to keep ourselves on schedule I encourageeverybody to contact us after this meeting I have 30 seconds>> on that note see you. (LAUGHTER)>> We have to turn it over to another presenter. Take down my E-mail address contact me withyour questions and concerns involving the CUI program. Keep in mind the CUI comment period is passed. The CUI regulations are out there that’s it. We have to find a way to make this thing work? It isn’t the perfect solution it is a solution. It will make information security better. We had nowhere to go but up. Remember everybody got a fancy letter sayingthe government did a no-no. Hopefully I ask that question ten years fromnow half the people will raise their hand or maybe two people because we did our jobimplementing the CUI program I would like to turn it over to Bill Cira thank you verymuch. (APPLAUSE)>> Thank you Mark that really was a great overview. I am glad that we came up with something thateverybody could find exciting there at the end. (LAUGHTER)>> Get things stirred up but good. So, I am — I want to note Bill Carpenterhe is our team leader for the ice cap team he does the job superbly marvelous at it heloves what he does enthusiastic about it. But unfortunately yesterday he had a deathin the family, so I am going to be pinch hitting for him today. Using a good sports analogy the day afterthe World Series. I will go through it quickly we have only30 minutes let. But just overview on ice cap. And there is some details in the end I mighthave to skip over. But the ice cap was created by the ExecutiveOrder 12958 in 1995. The purpose of it is to provide the usersof the classification system with a forum or further review of classification decisions. Now, in Executive Order 13526, added anotherfunction so there is now a total of four. The first function to decide on classificationchallenges that might possibly reach the level of ice cap. Approve exemptions to de-classification as20, 50, 75-year marks and decide on mandatory de-classification of the appeals which isthe big thing that they do. And in 2009 the thing that was added was toinform senior agency officials and the public of its decisions. These are the members of the ice cap. As you can see here John Fitzpatrick who isthe former director of ISOO is now at National Security Council. He is the chairman. You can see the other members there, in 2009there was a little the big change that happened is that the DNI was in worked the DNI in there. What was worked out was that the CIA, whichwas — used to always be a standing member is now still a member, but only in situationswhere the discussions involve documents that have CIA equity. So if there are CIA equities in the documentthe CIA participates and they can vote on those particular decisions just like theyalways did in the past. So, it ended up not being a very big changebecause there is so many documents that come to the ice cap there is so many documentseverywhere with CIA equities they have to show up at every meeting and they still haveto participate almost all of the time. So, the members are senior agency people withinthe — the government. They appoint liaisons to come to the meetings. We are the executive secretary. We have six people all together who work onsupporting ice cap pull time in a mum couple of minutes you will see why. And the ice cap makes its decisions utilizingthe President’s authority to de-classify so at the end of every administration all ofthe ice caps records become presidential records. They are bundled up, boxed up and shippedto the new presidential library along with all of the other presidential materials. Classification challenges is one of the thingsthat can come to ice cap. It doesn’t happen very often, as a matterof fact the last one we had was in 2014. But it’s there for people to utilize, nevertheless. De-classification guides your order requiresde-classification guides to be updated every five years. And so, the de-classification guide is thevehicle by which an agency requests authority to exempt information from automatic declassificationand they request that authority to the ice cap. So, we are approaching that cycle once again,they are all due to be re-reviewed and re-approved in 2017. So that will be a large project for the icecap next year. Last time we went through this, there were23 agencies that received approval to exempt at the 25-year point. Twenty agencies this is the first time the50 and 75 years increments had been defined in the Executive Order. So, that was all new and it took a lot ofwork because it was new. But what came out of that was the 20 agenciesreceived authority to exempt some pieces of information some categories of informationat 50 years. And three actually came up with compellingjustification to receive exemptions at for a couple of topics at 75 years. So, and at the point of interest. The big thing of course that comes to icecap are the mandatory declassification review appeals, and they come to us, they can cometo the ice cap if the requester did not get a response from the agency within one year,or did not get a response to the appeal that they sent to that agency’s first decisionwithin 180 days. Now, Bill likes to stress the point that wedid put out a requirement there that even though the appellant has appealed to ice capit doesn’t mean that the work that’s going on in the agency on that particular MDR shouldstop. It should continue. And the reason why it should continue willbecome obvious in a couple more slides. And that’s because of the growing popularityof MDR and the number of MDR’s being appealed to ice cap. So, in 2015, we received I think so somethinglike 140 new MDR appeals and we thought that was a lot. Two years before that there was 167. We thought maybe it leveled off. Then we were really shocked when during thecourse of FY2016 we got 320. Why had it doubled — more than doubled inone year? We really don’t know. I guess it’s because — I think it’s becausethings have gotten to the point where it’s just too hard for agencies to get that oneyear, you know, response done. And so, if the requesters are using theirappeal preserving their appeal rights to appeal to ice cap when they don’t get it within ayear. And then the same time during the course of2016, only 31 were cleared by the ice cap. That came to 190 documents over 5,000 pages,which was a new record. It seems like every year for the past fouror five years we have set some sort of new record within the productivity of ice cap. To include this year there was a fair amountof motion picture film for the first time. And so what happens when an appeal comes inwe send letters to the agency saying we have this appeal we need your materials that youhave on it so that we can build the case. And then after the case is resolved we senddecision letters out to the senior agency officials. And they have within 60 days to appeal thatdecision. If they want to. They have to have the right to appeal icecap’s decision to the president. Very rare thing that’s only happened oncein — since 1995. Here is the — here is the reason why we likeour agencies to continue working on their MDR’s after they have been appealed to theice cap. As you can see here, a bottom line there isthe number of appeals that were succeeded in closing out every year. So, we are down to around 31. We received 320 this fiscal year. That top purple line is the growing amountof backlog that’s building up. So, how are we going to get through all ofthat still remains to be seen. And this is just another graph that showsthe levels of productivity as you can see here the production in terms of the numberof pages is still going up even though the number of appeals might not be. The appeals being closed out might not be. So, you know, one good question is: How areyou going to deal with this situation? We don’t have a lot of good reasons rightnow. But fortunately, the order does not requirethe ice cap to use a first in first out basis. We were able to pick and choose to a certaindegree. We leave that up pretty much with Bill carpenter. He has got very good sense of what is valuableinformation, what is valuable historical information. You know, he himself is a very strong backgroundin history. And even has a Ph.D. And so he does — ishe does a very good job of making these decisions. Of course the age of the appeal is a big factor. And then, we look at, you know, where do theappeals come from sometimes. We have super users of course like the nationalsecurity archive. And sometimes we get a person who has neversubmitted an appeal before. So, we have to give that special consideration. We look to see whether the topic is somethingnew, something that might create some sort of a break through in de-classification. And so the example that he has here is NATOexpansion in the 1990’s versus the Soviet space program which comes from one of oursuper users to the point where we are sick of seeing them. (LAUGHTER)>> Sick of seeing the documents. (LAUGHTER)>> Soviet space program. It’s the bane of all ice cap’s staff existence. In any case, of course looking for size andcomplexity of the case. And sometimes we allow the appellant themselvesto provide a self prioritization within the large body of appeals that they may have submittedto ice cap. And if a classification challenge comes inwe tend to move that to the top of the stack. So, just a little bit about how the ice capworks. It’s kind of like any other declassificationreview it’s done by a committee. And every case is discussed. And you know redactions are pro toed — areproposed or not proposed. And the discussions can become very detailed. One of the reasons why you know the productionis as low as it is it is because the ice cap liaisons like to focus on quality versus quantity. You cannot convince them that they need tomove faster. They just — they are overriding concern isgetting it right. So, if they — if we have to spend 15 minutesarguing about one word, then they will argue for 15 minutes about one word. And we have tried to stop them. And we just can’t do it. (LAUGHTER)>> Okay. So then we prepare the documents for release. There might be redactions for exempted material. Exempted from automatic declassification. If the agency has a statutory requirementto redact it. We can react those. And then the documents are released the appellantand originating agency. And they are also posted on the ice cap website. So, that’s something that we started justa couple of years ago. And it was our way of meeting that fourthrequirement that was added in 2009 to inform the public and the senior agency officials. So, you go there and you look and see whatcame out of the process. Just a couple of significant things that havehappened recently in ice cap. There was a big project on the U2 and A-12 Oxcartreconnaissance act. Aircraft 16 volume history of office of specialactivities the CIA, and all of these require close coordination with the agencies. You know, the liaisons, they don’t work ina vacuum to begin with. They represent agencies themselves. A lot of questions and ideas are taken backto their agencies. And so, there is a lot of agency input thatgoes into these things. And it’s very carefully done. Another thing that we did recently was weestablished an appeals log on the Internet. In which an appellant or actually anybodycan go up to the log and see where the status of their appeal is. So, we did that and — in an attempt to bea little bit more transparent on the process. And here is all of the contact informationthat you might need (indicating). And I think I am right on schedule I willturn it over to Ellen who will talk about the Public Interest Declassification Board. PIDB. (APPLAUSE)>> Hello again everyone, I realize you all had a lot of information thrown at you thismorning. I also realize I am the last briefing beforelunch, I promise to end on time. I am going to move at a pace probably throughthe first few slides to explain what the PIDB is and talk about why you should care andalso to plug our the next public meeting of the PIDB which will be December 8 from 9 to11 you can take out your phones and put that in right now here at the National Archives. And we are hoping to have a lot of agencyrepresentation and participation at that meeting. So, what is the Public Interest DeclassificationBoard? The board is an advisory group that is consistsof senior former senior leaders from government and outside industry and the group reallyadvises the President and other Executive Branch officials on high level policy mattersthat relate to classification and declassification. A little bit about legislation I will movethrough that. So the board assists of nine individuals,five appointed from the President and four from congressional leadership these individualsare preeminent in fields such as history national security foreign policy law, et-cetera. A lot of our members and former members havebeen heads of IC agencies. Ambassador ships and things of that natureformer congressional members. High level individuals familiar with a lotof the subject matter that we discuss and talk about when it comes to classificationand declassification policy. The reason why ISOO involved with the PIDB the director serves as the executive secretary. So, these are our current members we have7 members on the board two vacancies waiting to hear from congressional leadership. Our new newest are Trevor Morrison and James Bakerthe President appointed those individuals lasted June and Trevor is our new chair. The members of the board have been workingon high level policy initiatives, as I mentioned. They published three major reports, the firstis in 2007. On improving declassification report. This report has a lot of issues that it, itaddressed and also recommendations to the President and a lot of the recommendationsdirectly influence the last writing of the Executive Order 13526 including the recommendationsto establish the national declassification center. So, a lot of the policies recommendationsthat come out of the board are listened to by the Executive Branch and the president. Out of this report came a task from the Presidentand implementing memorandum of the order. Asking for the board to work with the nationalsecurity advisor on designing a fundamental transformation of the security classificationsystem. That’s just — that’s what the board has beenworking on since then. And the policy decisions and recommendationsthat the board put forth will have an effect on all of your agencies as it has up untilthis point. So in 2012 the board issued its report ontransforming the security classification system. In that report there are 14 recommendationsthat have to deal with classification and declass fix and use of technology at youragencies the first recommendation of the report was asking for the President to establisha White House-led steering committee to drive reform and change in this area that was adopted. The classification reform with John Fitzpatrick,he chairs that committee and it has been spending time recommendations from the PIDB and othersto figure out what types of changes perhaps need to be made to the next Executive Order. I want to point out two recommendations fromthat report also made it into the President’s open government national action plan includingreforming FRD information. And also, the pilot technology project inorder to find technologies to help reform and modernize declassification processes. In 2014 the board published latest reporton studying priorities. The idea was in the recommendations are reallythat the classification programs at your agencies there should be a focus on prioritizing therecords more historical significance and the records people care about. One of the most important recommendationsfrom this report was not only to prioritize records but also that your agencies need relieffrom automatic declassification with those that are familiar with that 25-year programand the resources that it consumes. So, what is the PIDB working on now? If you come to the meeting in December, wellthe board continues to study transformation recommendations and continues to engage withthe public in civil society and agencies through its laws and classifications which I encourageall of you to take a look at. And a lot of the push of the board right nowhas been on integrating and using technology and figuring out ways that agencies can haveleadership and resources devoted to pushing forward these reforms so that you all cando your jobs in more efficient and effective way. — there is a lot of informationout there as you know securing it making sure it’s protected but also making sure you candeclassify it and get it out the door so you no longer have to manage it when appropriate. That is that technology going to be the answerto help reforming the classification in those areas. As I mentioned before, the board is focusedon helping John and the classification reform committee sort of vet ideas and figure outwhat recommendations it will have for the new administration concerning the ExecutiveOrder we know traditionally the orders are reformed and there are edits and changes madethe board wants to focus the next six months or so in figuring out what it wants to pushforward in terms of recommendations to the new president. And so, the December 8 public meeting is anopportunity for the board to ask the public, ask the civil society, ask agencies who willbe represented there what would you like the next administration to focus on in the opengovernment transparency space in the declassification space and what recommendations for the order. The civil society groups will be there. They always are vocal and they have strongdialogue with the board. We want to encourage a balanced conversationthere which is why we are hoping for more agency representation and people to standup and speak and give their ideas and thoughts about what they would like to see in the neworder, what they would like changed or react — maybe some of the ideas put forward bythe civil society group. December 8 is a good opportunity to do that. As well as, you know, paying attention towhat the board will be working on in the next six months including taking a look at theblog and what kind of ideas and recommendations we are vetting for the public and for agenciesto look at when it comes to the next order. So, with that, I told you I would be brief,here is some of our contact information for the website as well as for the blog. And I am happy to answer any questions offline on your way out. I appreciate you taking the time to listenand hear about the board. I know it’s sort of a niche separate fromthe rest of the information security space that ISOO usually encompassed if you could consider coming to the December 8 that would be great we would like a lot of agency representationthere. And there are ways how to register and allof the logistics for the meeting is on our website. So, thank you. (APPLAUSE)>> I would just like to thank our presenters for their wonderful presentations, and justbriefly invite up I think we have probably time for two or three questions. Ellen, Mark and Bill feel free to shout themout, we can try to repeat them for or use the microphones on the side of the room. But folks a lot of staff will be stick — stickingaround the open house to answer questions as always feel free to E-mail and give usa call if anything arises. Any questions with that? No? All right. Well then, I will invite our acting directorBill back up for some closing remarks. >> All right. I just want to wrap things up today by — Ithought there was one more slide, I’m sorry. Thanking everybody for coming. And thanking the ISOO staff who almost allof them were involved in helping run this today. Especially Alegra Woodard our main coordinatorand all of the presenters. We hope that you found it all to be worthwhile. We are going to be — I am told that you areall going to be getting a survey, probably in a couple of weeks. And so, you can use that to let us know whatyou thought of this event and how would you like us to see do it next time. And we have already set a date for next timeas November 9th of 2017 you might want to make a note of that. And don’t forget about your discount in thegift shop. And thank you again for coming. And have a great rest of your day. (APPLAUSE)>> Thank you. (APPLAUSE)