In a wide-ranging talk, Information Security Oversight Office (ISOO) Director Michael Thomas connects America’s archival past to the realities of today’s data-driven security environment.
Speaking about ISOO’s newly released FY24 Annual Report, Thomas explains that the office reframed its public mission around four clear lines of effort (Oversight & Compliance, Guidance & Implementation, Data Collection & Analysis, and Administration & Engagement) to make its work more intelligible to both practitioners and the public.
He details a revamped inspection rubric designed to reveal systemic weaknesses across the “security pancakes”—his memorable metaphor for layered protections. The objective: reduce over-classification, overcome infrastructure fragmentation, and improve the movement of information “at the speed of mission.” Thomas singles out Controlled Unclassified Information (CUI) as a space ripe for immediate improvements, arguing that consistent markings tied to security baselines beat legacy labels that were “just vibes.” Because CUI lives in the unclassified world, he sees it as an ideal testbed for automation and AI that can later inform practices in classified environments.
Weaving in history—from the National Archives’ stone guardians to Washington’s Culper Ring and Federalist No. 64—Thomas underscores a timeless mandate: protect what must be protected and share what should be shared. That balance, he says, builds public trust and strengthens national security. Looking ahead, ISOO aims to shift from reporting activities to providing a strategic picture of how information systems actually function—arming agencies and industry with the tools and insight they need to modernize.

