The Archivist of the United States, Dr. Colleen Shogan, has appointed William P. Fischer, to serve as Acting Director of the Information Security Oversight Office (ISOO), until a permanent hire is made following the retirement of ISOO Director Mark Bradley on June 30, 2023. Mr. Bradley had served as ISOO Director since his appointment by the President in 2016.
Mr. Fischer will continue to serve as the Director of the National Declassification Center (NDC) at the National Archives and Records Administration, the position to which he was appointed in February 2019. Prior to his appointment as the NDC Director, Mr. Fischer served in a number of positions at the Department of State involving records management, declassification, and other information access programs, including the Deputy Director of the Office of Information Programs and Services. Prior to joining the Department of State in 2008, Mr. Fischer served in a variety of archival roles at NARA from 1998 to 2008.
ISOO is responsible to the President for policy and oversight of the government-wide security classification system under Executive Order 13526, the National Industrial Security Program under Executive Order 12829, as amended, and the Controlled Unclassified Information Program under Executive Order 13556. As the Acting Director of ISOO, Mr. Fischer serves as the Executive Secretary of the Interagency Security Classification Appeals Panel and the Public Interest Declassification Board, and as the Chairman of the National Industrial Security Program Policy Advisory Committee, the State, Local, Tribal, and Private Sector Policy Advisory Committee, and the Controlled Unclassified Information Advisory Council.
Today, ISOO published its FY 2022 Annual Report to the President. Each year, ISOO reports to the President on the implementation of the Classified National Security Information (CNSI) and Controlled Unclassified Information (CUI) programs, following requirements in Executive Orders 13526 and 13556. These Reports summarize ISOO’s oversight activities and make key recommendations that seek to improve the effectiveness of how our Government manages and protects this information.
On September 7, 2022, ISOO issued CUI Notice 2022-01. This notice provides Executive Agent guidance with respect to the White House National Security Council (NSC) Memorandum, “Initiating a Process to ReviewInformation Management and Classification Policies, dated June 2, 2022.
We will be offering a CUI Marking fundamentals webex on
July 29, 2021 from 11:00 am to 1:00 pm (EDT).
Participants will receive a completion certificate for attending the webex. In addition to providing an overview of the principles of marking in the unclassified environment, this class will provide an update on the CUI Program and its implementation among Executive Branch agencies.
During this class we will discuss the CUI Notices 2020-01 (CUI Program Implementation Deadlines) and CUI Notice 2020-02 (Alternate Marking Methods)
Follow the prompts to connect audio by computer or telephone.
We will be offering a CUI Marking fundamentals webex on
April 30, 2021 from 11:00 am to 1:00 pm (EST)
Participants will receive a completion certificate for attending the webex. In addition to providing an overview of the principles of marking in the unclassified environment, this class will provide an update on the CUI Program and its implementation among Executive Branch agencies.
During this class we will discuss the CUI Notices 2020-01 (CUI Program Implementation Deadlines) and CUI Notice 2020-02 (Alternate Marking Methods)
The conference begins at 11:00 AM Eastern Time on April 30, 2021; you may join the conference 10 minutes prior.
When you access the entry link above, you will be provided a choice – to install the WebEx plug-in for your preferred browser or to join the web conference using a temporary path. Either option is acceptable.
Need technical assistance? Audio Connection: 1-888-796-6118 WebEx Connection: 1-888-793-6118
We will be offering a CUI Marking fundamentals webex on
October 22, 2020 from 11 am – 1 pm (EDT).
Participants will receive a completion certificate for attending the webex. In addition to providing an overview of the principles of marking in the unclassified environment, this class will provide an update on the CUI Program and its implementation among Executive Branch agencies.
During this class we will discuss the new CUI Notices 2020-01 (CUI Program Implementation Deadlines) and CUI Notice 2020-02 (Alternative Marking Methods)
The conference begins at 11:00 AM Eastern Time on October 22, 2020; you may join the conference 10 minutes prior.
The conference begins at 11:00 AM Eastern Time on October 22, 2020; you may join the conference 10 minutes prior.
Step 1: Dial into the conference.
Dial-in: 888-251-2949 or 215-861-0694
Access Code: 7280179# Step 2: Join the conference on your computer.
When you access the entry link above, you will be provided a choice – to install the WebEx plug-in for your preferred browser or to join the web conference using a temporary path. Either option is acceptable.
Need technical assistance? Audio Connection: 1-888-796-6118 or 1-847-562-7015 Web Connection: 1-888-793-6118
The conference is from 1:00 – 3:00 PM Eastern Time on August 19, 2020. Step 1: Dial into the conference. Dial-in: 888-251-2949 or 215-861-0694 Access Code: 2563977# Step 2: Join the conference on your computer. Entry Link: https://ems8.intellor.com/login/830824
On June 3, 2020, ISOO issued CUI Notice 2020-03. This notice provides an optional Controlled Unclassified Information (CUI) non-disclosure agreement (NDA) template for executive branch agency use. Executive branch agencies may use the template when they determine that a CUI NDA is appropriate. The template is optional, and agencies can modify it if needed. A list of all CUI Notices can be found here
When working with CUI, it is required you establish a controlled environment that will safeguard CUI.
This means not just using information systems that have the necessary safeguards in place, it also means being aware of the other potential risks to CUI such as the presence of microphones and cameras in our homes. The microphones and cameras on our computers and mobile devices (phones and tablets) could place CUI at risk. If it is an electronic device it can be hacked, if it connects to the internet it can be hacked remotely. What level of safeguarding do you have on your devices with microphones and cameras?
Take a moment to think about how many internet connected microphones and cameras you have in your house.
Of course, we have our phones and computers, but what else are around?
Is the remote control to your TV voice controlled? What about your thermostat?
Do you have a voice activated personal assistant service?
How about devices other than your phone and computer that are voice activated and you can use WiFi to stream music on?
Some people even have appliances that are voice activated and connected to home WiFi, like refrigerators.
There are often more of these in our homes these days than we might realize at first glance.
Cyber criminals and foreign intelligence services know that with everyone at home they have rich and often less secured targets.
And it isn’t just these threats. If you read many application user agreements, they allow the application to collect data from device cameras and microphones even when the application isn’t in use.
These vary in how anonymized they are. Even if the user agreements say they are anonymized, there is a long history of business intelligence gathering to gain business advantage and contracts that were violated to obtain advantage.
To achieve a controlled environment it is important to be aware of your surroundings. If you have microphones in internet connected devices around, then take action to protect CUI. Keep conversations containing CUI to emails or other written communication on information systems that your agency approved to meet the requirements to handle CUI.
Though internet connected cameras are rare on anything other than phones, computers, baby monitors, and doorbells, if you have CUI on your computer screen or desk then make sure it isn’t visible to cameras on unsecured devices.
Some quick things you can do to make your home and devices more secure are:
Make sure to change the default username and passwords for all internet connected devices .
Make sure you update the firmware on your router, modem, and all connected devices regularly. Many of these updates are pushed out to address known security vulnerabilities. If you don’t know how, check the device website or call customer service.
Turn off and unplug unused devices, consider disabling or covering cameras when not in use.
Keep any security software or firewalls updated to the latest version.
There is a lot more you can do and some great information about how to do it found in the additional resources below:
FTC’s Online Security website: including information on Mobile Apps (applications) and IP Cameras, such as the ones used in baby monitors, toys, and door bells
FTC’s Video and Media website: including videos and games to help educate your family about a wide variety of topics including cybersecurity
GAO’s report in Information Security: including a look at mobile device security threats and vulnerabilities