IC falling behind on plans for continuous evaluation of cleared personnel
The exact size of the security clearance re-check backlog is closely held by the government, but it could affect more than 1.1 million individuals.
The government is facing a backlog of required periodic rechecks of federal employees, military personnel and contractors with active security clearances. The current backlog was not disclosed by federal officials, but an interagency report ordered in the wake of the Navy Yard shooting indicated that in March the backlog affected about 22 percent of cleared personnel -- more than 1.1 million individuals.
Potentially making the backlog worse, the Office of Personnel Management recently cut loose contractor USIS, which was a key player in handing clearance investigations for the government, after revelations that the company had dumped incomplete investigations to meet performance targets and earn bonuses.
KeyPoint Government Solutions, which is picking up some of the work USIS used to do on behalf of OPM, is looking to hire more than 1,700 new investigators and other personnel in order to handle demand, according to a company spokesperson. This pool includes "some excellent candidates who were employed by USIS," the spokesperson told FCW, but also candidates from the technology sector, the military and law enforcement.
"We expect there will be impacts to timeliness until there is capacity to manage workload," said Lisa Loss, who heads external affairs for the Federal Investigative Services at OPM. She spoke at the Intelligence and National Security Summit in Washington, D.C., on Sept. 18.
Any time you have an enterprise-wide complex IT project, getting used to that and getting oriented and fine-tuning is going to take up time and resources.
The government is looking to a technical solution to automate part of the reinvestigation process, and detect potential insider threats arising from individuals who have already made it through initial clearance investigations. (Navy Yard shooter Aaron Alexis and former NSA contractor Edward Snowden fit that bill.) Continuous evaluation is just what it sounds like -- the use of technology to monitor in an ongoing way the activities of individuals who are cleared to work with the nation's secrets. Putting a system in place that allows for such real-time review forms a big part of the federal Cross Agency Priority Goal of mitigating insider threats and building a trusted workforce.
The Office of the Director of National Intelligence is falling behind on plans to put continuous evaluation in place, according to published progress reports. The interagency report put out 120 days after the Navy Yard shooting called for ODNI to have continuous evaluation in place for employees and contractors with the most sensitive TS/SCI (Top Secret and Secret Compartmented Information) clearances by September 2014, and for all TS/SCI personnel by 2016. A quarterly CAP goals update from the Office of Management and Budget rescheduled the goal for December 2014, to "accommodate servicing agency IT development," and cautioned that hitting even the delayed goal was "at risk."
"Any time you have an enterprise-wide complex IT project, getting used to that and getting oriented and fine-tuning is going to take up time and resources," said Brian Prioletti, assistant director of the Special Security Directorate, Office of the National Counterintelligence Executive in ODNI. Prioletti, who also appeared at the Sept. 18 event, cautioned that continuous evaluation was meant to "fill in the gaps between the periodic [reinvestigations]," not replace them.
Kirk McConnell, a staffer on the Senate Select Committee on Intelligence, told the same industry gathering that "there are some impediments to change that have been around for a long time, and there's no reason to think that magically those impediments are going to disappear because now people are really serious about reform."
Sen. Jon Tester (D-Mont.) is one of those people who are serious about reform. From his perch as chairman of the Homeland Security and Governmental Affairs Committee's Subcommittee on the Efficiency and Effectiveness of Federal Programs and the Federal Workforce, Tester backed legislation (now law) to allow the Office of the Inspector General at OPM access to funds to investigate background checks. His legislation, designed to prevent contractors from checking their own work on clearance investigations passed the Senate on Sept. 18. He's also backing a separate bill that would debar feds and contractors who have compromised background checks from working on such investigations in the future.
"The bottom line is that our nation must be secure. That means limiting clearances only to those folks who need access to classified information to do their jobs and having a process in place to make sure red flags are raised if any of these folks compromise the integrity of their clearances. The government is making progress, but I will continue to provide strong oversight to make sure candidates are properly and thoroughly vetted and that agencies keep better tabs on those who already have clearances," Tester told FCW in an emailed statement.
We tend to overestimate amount of change [that can take place] in a year, and underestimate what we can change in 10 years.
Ongoing pilots of an Army platform called ACES (for Automated Continuous Evaluation System) have shown some success in identifying relevant derogatory information about subjects between scheduled reinvestigations. The Department of Defense is on track with its goal to put 100,000 military and civilian personnel and civilian contractors in the ACES system in October, according to Stephen Lewis, deputy director for personnel, industrial and physical security policy in the Directorate of Security Policy and Oversight in the Office of the Undersecretary of Defense for Intelligence. Speaking at the Intelligence and National Security Alliance event, Lewis said, "this is the future of [continuous evaluation]; not just make a one-time query, but get updates as they occur."
The Defense Department shed some light on what kinds of records it will be checking in a July 30 notice in the Federal Register.
The ACES platform will have access to financial and credit databases with an eye to monitoring personnel for "unexplained affluence," as well as arrest and court records in state, local, and tribal governments. In addition, public-facing news media and social media will be included in the mix, whether it is "about or generated by the subject of continuous evaluation," per the notice. The system will also be looking for "information about and evidence of authorized use of information technology systems." This last piece may have been driven by revelations that Snowden was a regular commenter in online technology and hacking forums. The Defense Department plans to expand continuous evaluation to 225,000 by the end of 2015, scale up to 500,000 by the end of 2016, and 1 million by the end of 2017.
"This is going to be a long slog. I hope we're all prepared for that."
A Tester aide told FCW that ACES seems to be DOD's best option, but cautioned that the promised scalability has yet to be proven.
The people managing the interagency insider threat mitigation program, which includes the goal of reducing active security clearances by 10 percent by the end of 2014, are confident that they are on the right track. OMB's Carrie Wibben, who heads program management at the Performance Accountability Council, said, "We tend to overestimate amount of change [that can take place] in a year, and underestimate what we can change in 10 years."
McConnell was more pointed about the potential for ongoing problems.
"Law enforcement, counterintelligence, HR, physical security, cyber, network monitoring -- all these stovepipes you have to automate and connect up and link with personnel security systems at the same time," he said, making for an interagency, interdepartmental, multidisciplinary set of problems. "This is going to be a long slog. I hope we're all prepared for that."