OPM merges security investigation databases

The Office of Personnel Management hopes combining databases on those with access to clearance investigations will bolster security.

The Office of Personnel Management is streamlining a database with records on feds and contractors with access to security clearance investigative records, with the apparent goal of putting an additional layer of security over the actual contents of government background investigations.

The federal government is in the midst of an overhaul of the security clearance process, the result of reviews initiated in the wake of last year's deadly Navy Yard shooting, perpetrated by a cleared federal contractor with a record of mental health issues and violent behavior that did not show up in his security check.

A report to President Barack Obama released in February advised switching to an automated continuous evaluation method for updating clearances, rather than periodic reinvestigations, and using a risk-based approach to identify subjects for more intensive probes. The report also advised a coordinated, government-wide approach to managing the IT around clearance investigations and adjudications.

An OPM spokesperson told FCW that the planned changes put forth in a Feb. 27 Federal Register Notice were administrative in nature, and did not represent new policy. However, the planned changes mesh closely with the administration's goal of creating a collaborative, enterprise-wide, case-management tool for investigations. OPM plans to merge several internal databases – the Security Officer Control Files and the Adjudication Officer Control Files – with data on individuals with access to OPM facilities or systems, including OPM employees, contractors, and others who need access to OPM systems.

Notably, OPM plans to exclude records on employees and contractors working for outside agencies who were themselves the subject of investigations by OPM at the request of outside federal agencies. This would appear to constitute the meat of the OPM internal database – the case files containing information on suitability and security investigations conducted by OPM on behalf of federal agencies. The notice advises further that owing to these changes, "requests for background investigations maintained in the Adjudications Officer Control Files will be denied," presumably because they no longer reside in that system.

The changes to the records system were announced in the Federal Register as required by the Privacy Act of 1974.

It's not clear from the Federal Register notice how the investigation case files will be housed, or in whose custody. An OPM spokesperson did not shed light on the content of the notice in a brief conversation. However, isolating the investigative case files from OPM's internal employee and contractor files makes sense in the context of building an interoperable system that can support the analytics necessary to conduct the kind of ongoing automated evaluations sought by the administration. Still, there has been no public announcement of the creation of the kind of enterprise-wide case management system envisioned under the report to the president, so it's not clear whether the notice is part of a larger plan to prep clearance investigations records for an overhaul, or simple IT housekeeping.

OPM has also come under fire in recent months because its main investigative contractor, United States Investigative Services, is being sued for fraud over employee claims that it fast-tracked clearances without conducting the required investigations. The Justice Department joined the whistleblower suit, which is proceeding in the Washington, D.C., federal district court. USIS has until June 4 to respond to the charges. As a result of the controversy, OPM has put its own employees in charge of reviewing background checks before they are sent to the requesting agencies for adjudication.

OPM is also adding security checks to the merged system of records it is retaining. Employees will require a completed investigation or a grant of interim access before gaining access to the records contained in the unified database. Records themselves are to be stored as digital images on a secure, local network or in locked metal cabinets in a secure facility.