ISOO Update. William J. Bosanko, Director, Information Security Oversight Office. Dallas – Fort Worth JSAC, April 15, 2009. Agenda: Information Security Oversight Office (ISOO); National Industrial Security Program (NISP); Recent and Upcoming NISPPAC Efforts.
ISOO Update
William J. Bosanko, Director, Information Security Oversight Office
Dallas – Fort Worth JSAC
April 15, 2009
Agenda
• Information Security Oversight Office (ISOO)
• National Industrial Security Program (NISP)
• Recent and Upcoming NISPPAC Efforts
• Controlled Unclassified Information
What is ISOO?
• Oversight and reporting entity for the Security Classification System and the National Industrial Security Program.
• Created in 1978.
• Director appointed by the Archivist of the U.S. with the approval of the President.
• Policy guidance from the NSC.
• Recent changes.
ISOO Functions (E.O. 12958, as amended)
• Implementing Directives and Instructions
• Liaison, Inspections, and General Oversight
• Security Education and Training
• Complaints, Appeals, and Suggestions
• Statistical Collection, Analysis, and Reporting
• Spokesperson to Congress, Media, and Public
• Executive Secretary for:
  • Interagency Security Classification Appeals Panel
  • Public Interest Declassification Board
NISP Overview
• Background
  • E.O. 12829, as amended, of January 8, 1993
• Policy Oversight
• Operational Oversight
• NISPOM
• NISPPAC
• Current Situation
National Industrial Security Program Policy Advisory Committee (“NISPPAC”)
• Advises the Chairman (ISOO) on all matters concerning NISP policies.
• Includes changes to those policies reflected in the Order, its implementing directives, or the NISPOM.
• Serves as a forum to discuss policy issues in dispute.
• Members include representatives of those agencies most affected by the NISP: AF, Army, CIA, Commerce, DoD, DNI, DSS, DOE, DHS, Justice, NASA, NSA, Navy, NRC, NSC, OPM (observer), and State.
• Includes non-Government representatives of contractors, licensees, or grantees involved with classified contracts.
• Industry members represent industry as a whole rather than their own company.
NISPPAC Industry Membership

Member            Company             Term Expires
Tim McQuiggan     Boeing              2009
Doug Hudson       JHU/APL             2009
“Lee” Engel       BAH                 2010
Vince Jarvie      L-3                 2010
Sheri Escobar     Sierra Nevada       2011
Chris Beals       Fluor Corporation   2011
Scott Conway      Northrop Grumman    2012
Marshall Sanders  SRA                 2012

Contact your representative via nisp@nara.gov.
Recent and Upcoming NISPPAC Efforts
• Personnel Security Clearances
• Foreign Ownership, Control, or Influence (FOCI)
• Information Systems Security Issues
(Slide: a tiled background of the repeated SBU paragraph below, with current SBU marking labels overlaid.)

Inconsistency in SBU policies greatly increases the likelihood of erroneous handling and sharing of information.

Sensitive but unclassified (SBU) information is shared today according to an ungoverned and diverse body of policies and practices that confuse both its producers and users. Current sharing practices not only impede the timeliness, accuracy, and ready flow of terrorism information that should be shared, but often fail to control the flow of information that should not be shared.

Across the Federal government there are at least 107 unique markings and over 130 different labeling or handling processes and procedures for SBU information.

Current SBU sharing practices not only impede the timeliness, accuracy, and ready flow of information that should be shared, but often fail to protect information in a consistent and transparent manner.

Markings shown on the slide: Contractual Sensitive Information, LOU, SSI, OUO, AIUO, Trade Sensitive, Sensitive But Unclassified, FOUO, Law Enforcement Sensitive (LES).
The Presidential Memorandum on the Designation and Sharing of Controlled Unclassified Information was released on May 9, 2008. This Memorandum:
• Adopts, defines, and institutes “Controlled Unclassified Information” (CUI) as the single categorical designation for all information referred to as “Sensitive But Unclassified” (SBU) in the Information Sharing Environment (ISE);
• Establishes a corresponding new CUI Framework for designating, marking, safeguarding, and disseminating information designated as CUI; and
• Designates the National Archives and Records Administration (NARA) as the Executive Agent, to oversee and implement the new CUI Framework.
The purpose of the CUI Framework is to standardize practices and thereby improve the sharing of information.
The Memorandum articulates what CAN and CANNOT be designated as controlled unclassified information.

Information shall be designated as CUI…
• a statute so requires or authorizes; or
• the head of the originating department or agency, through regulations, directives, or other specific guidance to the agency, determines that the information is CUI. Such determination should be based on mission requirements, business prudence, legal privilege, the protection of personal or commercial rights, or safety or security. Such department or agency directives, regulations, or guidance shall be provided to the Executive Agent for his review.

Information shall not be designated as CUI…
• To conceal violations of law, inefficiency, or administrative error;
• To prevent embarrassment to the U.S. Government, any U.S. official, organization, or agency;
• To improperly or unlawfully interfere with competition;
• To prevent or delay the release of information that does not require such protection;
• If it is required by statute or Executive Order to be made available to the public; or
• If it has been released to the public under proper authority.
Safeguarding and Dissemination Requirements
The Memorandum describes two levels of safeguarding and two levels of dissemination.
• Two levels of safeguarding: “Controlled” or “Controlled Enhanced”
• Two levels of dissemination: “Standard” or “Specified”
All CUI will carry one of the following three types of markings:
1) Controlled with Standard Dissemination
2) Controlled with Specified Dissemination
3) Controlled Enhanced with Specified Dissemination
Certain regimes, not fully accommodated under the Framework, will be considered Exceptions to the CUI Framework. The CUI Framework shall be used for such information to the maximum extent possible but shall not affect or interfere with specific regulatory requirements for marking, safeguarding, and disseminating.
• 6 CFR Pt. 29 – PCII (Protected Critical Infrastructure Information)
• 49 CFR Pts. 15 (DOT) & 1520 (DHS/Transportation Security Administration) – SSI (Sensitive Security Information)
• 6 CFR Pt. 27 – CVI (Chemical Vulnerability Information)
• 10 CFR Pt. 73 – SGI (Safeguards Information)
The affected department or agency is authorized to select the most applicable CUI safeguarding marking for the regulation. Any additional requirements for safeguarding beyond that specified under the CUI Framework shall be appropriately registered in the CUI Registry. Any regulatory marking shall follow the CUI marking, and a specified dissemination instruction shall articulate any additional regulatory requirements.
Governance: The CUI Council is assigned the following functions as directed in the May 9, 2008 Presidential Memorandum.

Roles and Responsibilities:
• Serves as the primary advisor to the Executive Agent on issues pertaining to the CUI Framework;
• Advises the Executive Agent in developing procedures, guidelines, and standards necessary to establish, implement, and maintain the CUI Framework;
• Ensures coordination among the depts. and agencies participating in the CUI Framework; and
• Will resolve complaints and disputes among departments and agencies about proper designation or marking of CUI.

Council Membership:
• National Archives and Records Administration (E.A. & Chair)
• Federal Bureau of Investigation
• Department of Justice
• Department of Commerce
• Department of Homeland Security
• Office of Management and Budget
• Office of the Director of National Intelligence
• Department of Interior
• Department of Energy
• Department of State
• Department of Defense
• Joint Chiefs of Staff
• Department of Health and Human Services
• Department of Transportation
• National Counter Intelligence Center
• Department of Treasury
• Program Manager for the Information Sharing Environment
• Central Intelligence Agency
• Environmental Protection Agency
• Nuclear Regulatory Commission
• Two State, Local, Tribal Representatives
• Two Private Sector Representatives
FY09 Goals
• Develop Implementation Plan
  • Implementation priorities intended to assist departments and agencies in budgetary planning
• Develop and populate CUI Registry to include markings and instructions regarding CUI
• Develop centralized CUI Training (“CUI 101”)
  • Establish training schedule
• Aid in the development of stakeholder-specific Implementation Plans
• CUI Training (“CUI 201”)
• Continue development of Implementation Policies
  • Develop detailed guidance on CUI Life Cycle
• Address Regulatory Change necessary for standardization throughout departments and agencies
CUI & Industry
• No change at this time.
• Policy being developed with Industry input.
  • NISPPAC Representative.
  • Additional input/comment planned.
  • Stakeholder-specific outreach and training.
• Serves as an opportunity for Industry.
• Questions, etc. – send to: cui@nara.gov
Contact Information
Information Security Oversight Office
National Archives and Records Administration
700 Pennsylvania Avenue, N.W., Room 100
Washington, DC 20408-0001
(202) 357-5250 (voice)
(202) 357-5907 (fax)
isoo@nara.gov; cui@nara.gov; nisp@nara.gov
www.archives.gov/isoo
www.archives.gov/cui