“Having a top-secret clearance may no longer be the insignia of an intel worker, according to the intelligence community’s national counterintelligence chief.
“The IC’s [Intelligence Community] culture used to look at having a top-secret clearance as a “pass-fail” test to get in, [William] Evanina said, but that doesn’t mean employees can’t do their jobs from home — as long as it’s done securely.”
“We are just as successful, with some exceptions, with people working at home than we were before. And I think we have to be flexible and look at our private-sector model and maybe extrapolate that into our intelligence community,” National Counterintelligence and Security Center Director William Evanina said during a May 13 INSA virtual event.
Evanina said he could see not requiring clearances for some positions in the next few years due to teleworking abilities. “Just because you work in the IC, and just because you have a top-secret clearance, does that mean that everything you do is classified?”
“Right now, our communications from home to work is not safe, whether it’s in the private sector, especially not in the government,” he said. “We have to find effective security solutions to get to where we want to be.”
The government rolled out its much-criticized Trusted Workforce 2.0 framework in 2019, aiming to reduce the amount of time needed to clear new employees and re-investigate those moving across agencies.
The IC merged two hiring processes, for security clearances and employee suitability, into one earlier this year. The move was meant to clarify the role of human resource officers in ensuring candidates were right for job demands.
Evanina said the security clearance backlog has dropped to 180,000, with upwards of 50% more new applications coming in compared to 2019. That target beats the one set by the President’s Management Agenda at a 200,000 caseload of active investigations, and it is a significant dip from the reported 231,000 cases in January.”
“The RAND Corporation, which recently studied agencies’ continuous evaluation programs, estimated government could save as much as $30 billion over the next 25 years by phasing out the periodic reinvestigation process and moving more federal employees and contractors with security clearances into CE.
These costs would occur once as the Defense Department completes an initial investigation of a federal employee or contractor. But if enrolled in a continuous evaluation program, the costs of reinvestigating a clearance holder could be minimal, as much as $5 a month according to private sector estimates, RAND said.
Assuming a total population of 5.1 million secret and top secret clearance holders, RAND estimated agencies would spend about $2.16 billion over the next 25 years. Considering these costs of a CE program, RAND estimated agencies could save around $27.8 billion over the same time period.
“By augmenting the standard security clearance, investigation and adjudication process … with continuous evaluation, the organization can cut down on the cost of doing so many of those investigations and adjudications and have a near, real-time monitoring of the workforce,” David Luckey, a senior international and defense researcher with the RAND Corporation, said in an interview. “By cutting down on those periodic reviews of the population, we found that there [are] potential savings.”
RAND’s estimates, of course, are merely rough projections.
DoD, which sponsored RAND’s study on continuous evaluation, is already deploying this tactic as it prepares to assume responsibility for the governmentwide security clearance and vetting program from the Office of Personnel Management and National Background Investigations Bureau.
The Pentagon has been enrolling cleared individuals up for periodic reinvestigations into its continuous evaluation program, and defense officials have said that will continue.
It’s also unclear exactly how much agencies like DoD or the Office of the Director of National Intelligence have spent over the years to stand up continuous evaluation pilots and further capabilities and automation systems.
“These estimations assume some constants, such as reinvestigation costs, employees remaining at the same level of clearance and time between each reinvestigation,” the RAND report reads. “We used the liberal estimate of $5 per employee per month as a buffer for additional costs potentially incurred, but we did not account in our estimates for in-depth reviews of individuals who are identified by CE as needing additional attention. While these examples do not provide a true number of potential savings in leveraging CE as opposed to reinvestigations, they do suggest that the savings could be substantial.”
Continuous evaluation, as DoD and other administration officials have said in multiple arenas, will be a key part of the Pentagon’s plans to continue NBIB’s recent progress on the security clearance backlog.
CE, or continuous vetting, is also a signature feature of the Trump administration’s attempts to modernize the suitability, credentialing and security clearance process, which hasn’t gotten a serious update in several decades. Specific policies for this initiative, called Trusted Workforce 2.0, should begin to surface toward the end of the year.
Still, RAND sees room for DoD to clarify and improve public knowledge about continuous evaluation — what it is, what it isn’t and how it can help agencies protect their employees, resources and classified information.
No definitions of continuous evaluation exist in government statute, according to RAND, and agencies have differing definitions of “insider threat” as well.
Other opportunities exist for DoD and the intelligence community to improve existing continuous evaluation programs.
“Whatever potential or actual shortcomings exist in continuous evaluation, it is clearly a step forward in our opinion,” Luckey said. “With that being said, things aren’t perfect. Systems aren’t perfect. The world is still evolving, and the information systems and data held in those information systems continues to evolve.”
Most existing continuous evaluation programs tap into a variety of data streams to track changes in a person’s credit or status with law enforcement.
But few CE programs have a technical way to truly map personality or other behaviors, which could predispose a clearance holder to acts of violence, theft or destruction, RAND said.
Embedding a standard technical solution to track social media behavior, for example, could help agencies address potential insider threats.
“People are the most important aspect of any organization, and the vast majority of employees, 99.9% of employees, are well-intentioned, hardworking, thoughtful, caring people,” Luckey said. “The issue is that [for the] one of a million or one out of 1,000 employees who goes wrong, organizations must have an ability to monitor their workforce and, when necessary, have an ability to weed out those hopefully potential insiders, before they threaten the organization or its employees.”
Most CE programs don’t have an existing mechanism to anonymously collect reports or tips about cleared individuals, which could point agencies to more easily recognize disgruntled employees.”
“Government is losing talent, productivity and taxpayer dollars as agencies often take several months to complete their own investigations of individuals who have already been reviewed and cleared by another federal organization.”
“Ambiguous, layered and outdated policies and practices are preventing federal employees and contractors with security clearances from moving top talent in and around government.
The Intelligence and National Security Alliance [INSA] describes in a recent report the challenges with a concept known as “reciprocity.”
“Reciprocity” refers to the idea that if one agency places trust and grants a security clearance to a federal employee or contractor, most other agencies — generally — should too.
But members of industry have, on multiple occasions, said this isn’t standard practice at some departments, and contractors generally have little insight into where their employees are in an agency’s investigative and adjudication process, INSA said.
Industry leaders say 10% of their cleared contractor workforce within the intelligence community are idle at any given time, because their employees are waiting for an agency to grant, update or transfer a security clearance. INSA estimates these reciprocity delays could total as much as 1,000 lost contractor labor-years and $2 billion a year, assuming an average annual cost of $200,000 per top-secret cleared contractor to the government.
Reciprocity delays across government could amount to some 90,000 lost contractor labor-years, according to INSA’s estimates.
“Industry currently has many thousands of personnel who were cleared on one government contract but who must wait weeks or months before being allowed to work on a new contract,” INSA wrote. “One large firm alone reported that it currently had more than 700 employees waiting for clearance transfers, and that on average its employees wait 94 days for their clearances to be accepted by a new agency.”
The Office of the Director of National Intelligence has tried to provide more clarity. ODNI’s Security Executive Agent issued a directive back in November 2018, which said agencies should “accept” existing security clearances and national security eligibility adjudications and determinations already granted by another executive branch agency.
But directives like this most recent one, INSA argued, give agencies too much room to interpret their own meanings, and in fact, they have.
“Individual agencies created internal policies and procedures based on their own interpretations of [Security Executive Agent] directives,” INSA’s report reads. “At larger agencies like the DoD, sub-departments including the Army, Navy and Air Force have further promulgated their own interpretations of both ODNI and DoD policy. This practice of agency-specific policy interpretation creates a web of inconsistent rules that complicate reciprocal recognition of clearances.”
In addition, the directive doesn’t mention how agencies should handle previous policies on security clearance reciprocity, which have been equally ambiguous on the topic, INSA said.
INSA described 14 recommendations to improve security clearance reciprocity. Many suggestions are detailed and describe highly specific policies and interpretations INSA believes need an update. But taken more broadly, INSA’s recommendations point to several challenges and opportunities to shorten the adjudication process and standardize both longstanding and emerging investigative practices.
“Right now we have a lot of work to do in establishing common standards,” Charlie Allen, a senior intelligence adviser and chair of INSA’s security policy reform council, said in an interview. “On reciprocity, we have significant inconsistency when it comes to policies and standards. We have a lack of transparency and information sharing, which bothers me significantly. The lack of information sharing really creates distrust when we don’t share information as we bring these people on.”
Allen previously served as the first undersecretary for intelligence and analysis at the Department of Homeland Security after a decades-long career at the CIA.
Federal adjudication facilities also need more resources to more quickly sign off on completed background investigations, INSA suggested.
Allen described the adjudication process in general as a “painful and slow process,” and the latest timeliness data from Performance.gov prove his point.
Initial secret and top secret cases on average took 30 and 42 days, respectively, to adjudicate in the second quarter of fiscal 2019, according to a June update on Performance.gov. Periodic re-investigations took 100 days to adjudicate, data which is likely skewed to reflect recent Defense Department policy to forego those reviews in favor of continuous vetting.
Though not new to the intelligence and defense communities, continuous vetting is still an emerging concept for other agencies, and INSA argued it could also open up more uncertainty for security clearance reciprocity.
Adjudications are supposed to be completed in an average of 20 days, according to methodology from the Performance Accountability Council.
The Defense Department’s Consolidated Adjudications Facility has, in part, recognized its challenges to keep up with the National Background Investigations Bureau. But as NBIB has cut the backlog of pending investigatory matters by nearly 40 percent within the last year or so, that pace creates more pressure for DoD’s CAF to adjudicate more cases.
Though INSA described several existing challenges and made more than a dozen recommendations to clear up existing policies and create new ones, the organization is optimistic government will eventually act.
The reform council hosts meetings with industry, congressional staffers and senior government leaders like Principal Deputy Director of National Intelligence Sue Gordon, who discuss these challenges and coming security clearance policy plans. These discussions show all the appropriate parties are interested and engaged in improving the security clearance process, Allen said.
ODNI and the Office of Personnel Management are working on a top-to-bottom overhaul of the suitability, credentialing and security clearance processes as part of a “Trusted Workforce 2.0” initiative.
New standards for denying, suspending and revoking federal credentials were due last summer but new deadlines have been set, according to the recent Performance.gov update.
These initiatives, as well as the administration’s plans to transfer the entire security clearance, suitability and credentialing enterprise from OPM and NBIB to the Pentagon, have industry feeling optimistic about the prospects for true modernization.
“I believe it can be done,” Allen said. “The White House has to stay engaged. It can’t be something the White House throws over the fence.”
Some members of Congress have also recognized the need for modernization.
Sen. Mark Warner (D-Va.) is the author of several provisions designed to ensure agencies are meeting reciprocity guidelines and more easily transfer cleared individuals in and around government.
These provisions are part of the 2020 defense authorization bill, which cleared the Senate late last month.”
“The cost of security clearances next year will hold steady at 2019 levels, as the Defense Department prepares to assume responsibility over the governmentwide security clearance portfolio at the start of the next fiscal year.
The plan to keep prices consistent is a change from previous years, as the costs of conducting a background investigation have bounced around in recent years due to organizational changes and past data breaches.
Costs, for example, went up in 2017 and 2018 as the National Background Investigations Bureau (NBIB) moved into initial and full operating capability at the Office of Personnel Management. OPM in July 2015 retroactively charged agencies more for security clearance processing to help offset costs of the massive data breach that impacted 21.5 million current and former federal employees, contractors and others. DoD alone paid more than $132 million more in 2015.
The Pentagon assumes the costs to run the DCSA will be slightly less in 2020 — $1.25 billion — than they were in 2019 under OPM and NBIB at $1.36 billion.
The Pentagon attributes the drop in security clearance revenue and operating costs to its ever-growing continuous evaluation/vetting program, which has already expanded over the past year to cover low risk periodic reinvestigations. A heavier reliance on continuous evaluation will cut back on the number of pending clearances in the inventory and will allow DCSA investigators to focus their time and attention on more complex cases, DoD said.
“While the 2020 budget submission assumes decreases in the overall budgetary requirements and workload due to CE/CV, DCSA will closely monitor the actual impacts,” DoD wrote in its budget request. “Conversely, agencies using CE/CV for non-issue cases in lieu of traditional reinvestigations may result in a higher percentage of more complex investigations in DCSA’s inventory, requiring contract modifications with vendors.”
The security clearance transfer and merge of NBIB with DSS will be made official with an executive order, which officials have said the President is supposed to sign “soon.” DSS is poised to take over the security clearance portfolio by Oct. 1, 2019 and has been making organizational changes to prepare for the move.
Interestingly enough, DoD assumes a smaller operating budget in 2020 than in 2019 but more personnel. The Pentagon projects 3,513 employees under DCSA’s personnel vetting directorate, about 300 more people than NBIB’s 3,216 federal workforce.
A phased transfer of security clearance work
The transfer of the governmentwide security clearance portfolio and merger of NBIB with the DSS will be made official with an executive order, which officials have said the President is supposed to sign “soon.” DSS is poised to take over the security clearance portfolio by Oct. 1, 2019.
According to DoD’s budget justification, the transfer of the security clearance program will occur in phases based on the ongoing development of the National Background Investigation Service (NBIS), the IT systems that the Defense Information Systems Agency had originally been charged to build for NBIB back in 2016.
The NBIS and the 40 people who manage it recently moved to the Defense Security Service in preparation for the security clearance transfer.
The new IT system will become operational in phases, with OPM continuing to secure, maintain and update the legacy systems necessary to the DCSA’s operations as new capabilities on NBIS become available. The first phase of NBIS will make Tier 1 investigation processing operational for a “select number of federal customers,” DoD said.
“During the transition phase, DCSA may utilize OPM’s existing processes and systems on a reimbursable basis and likewise OPM may utilize some of DCSA’s resources, also on a reimbursable basis, in order to complete the existing backlog inventory,” the Pentagon wrote. “As part of the transfer and transition from OPM to DoD, DCSA plans to increase its direct embedded staffing levels by up to 250 employees to replace support functions previously provided as part of OPM’s common services.”
Yet neither the DoD nor the OPM 2020 budget request includes an estimate for how much these reimbursable services may cost.
The costs of these reimbursable services may hold great consequence for OPM, which is expected to lose nearly $1 billion in revenue through the transfer of the security clearance business to the Pentagon in mere months’ time. The gradual loss of the security clearance business will also likely deliver a blow to other parts of OPM’s budget, namely the agency’s “common services.”
NBIB currently pays OPM to use the agency’s legal, IT and security services, for example, which funds other functions within the organization.
But based on the DCSA’s transition plan, OPM won’t lose its entire security clearance business all at once.
The security clearance backlog on Sept. 30, the day before the program’s transfer is expected to become operational, will be worth $546 million, according to OPM’s estimates in its joint budget request with the General Services Administration”
“DDS wants a security clearance system that accounts for subject information collection, background investigation with some automated processes, and adjudication, the team announced in a request for white papers Tuesday.
The team will use an “other transaction agreement,” or OTA, to acquire the prototype.”
“As the Pentagon assumes responsibility for the federal government’s security clearance functions, it has tasked its Defense Digital Service team with leading the acquisition of a modern and partially automated prototype system for clearances.
The decades-old congressional authority [Other Transaction Agreement (OTA)] allows federal agencies to craft prototype-development deals with nontraditional vendors at a much quicker pace, often less than 60 days. This specific contract will last nine months and be worth no more than $5 million.
“This prototype will require integration with a wide variety of U.S. Government and commercial databases to verify the Subject’s identity and background information,” the solicitation says. “Development of the prototype will be rapid and agile in nature, fielding new functionality to users for feedback every two weeks.”
The software prototype must be hosted in commercial cloud approved for DOD Impact Level 4, which accounts for the most sensitive unclassified information. The final product must be “capable of collecting Subject’s information for a specified population, executing a background investigation of a specified type (including automated record checks, deconfliction/entity resolution, and manual investigation notes entry), and recording an adjudication decision.”
Additionally, DDS wants the software to meet a few specific needs:
Place the subject at the center of the process
Enhance transparency of clearances, adding to the subject’s visibility into the process
Improve “user experience, workflow and information management, and productivity for additional non-Subject user communities”
Reduce the timeline of investigation and adjudication
Facilitate enrollment in continuous evaluation
Congress calls for such advancements in the 2018 National Defense Authorization Act: “Current practices are mired in outdated methods and non-digital, non-automated technology. Expensive human investigative resources are consumed with fact checking and data collection functions (ripe candidates for automation) as opposed to investigating substantive issues about the actions and circumstances of prospective and current employees. A better model has been clear to policymakers for at least a decade: a ‘continuous evaluation’ concept based on automated access to a wide array of digital sources and records.”
Interested companies have until March 19 to submit questions and until March 26 to submit completed white papers.
This OTA comes as the Pentagon consolidates the security clearance and background check functions from across government into the Defense Security Service. As the solicitation explains, the current process, led by the Office of Personnel Management, “is spread across multiple federal agencies and has led to a series of overburdened queues, opaque and disjointed processing, and an on average 13-month turnaround for cases.”
“According to OMB, between February and September 2016, the backlog grew more than 22 percent from 464,000 to 569,000.
In a congressional hearing on Feb. 2, officials said the backlog was “more than half a million investigations.” All signs indicate it is still going up.
Processing times are also too long, nearly triple the goal of 40 days for secret-level investigations (averaging 105 days) and 80 days for top secret-level investigations (214 days).
For years, there have been too few people processing clearances and too little money to meet the demand. This affects agencies across the government, particularly those with the greatest demand. For example, when OPM raised the prepayment rate for a clearance request in 2015, Department of Defense funds to meet its pre-planned demand fell short by more than $60 million. The fiscal 2017 DOD budget request would have fixed that, but continuing resolutions made the funding shortfall worse. Civilian agencies also face funding shortfalls, though there is no readily available reliable information on their size.
Much of the backlog problem comes from using an antiquated, time-consuming background investigations process. Investigators ask basically the same questions they did 40 years ago, often going door-to-door and relying on face-to-face meetings with neighbors and friends. The government still relies too much on paper records and closed systems for collecting and sharing information.
Dozens of agencies require their personnel and supporting contractors to obtain and maintain security clearances, yet these agencies fail to accept clearances from one another. At a Professional Services Council event last fall, the Justice Department alone cited at least five different required sets of background information, with DOJ agencies failing to recognize the validity of similar investigations even from within the same agency. This only exacerbates backlog problems.
The OPM Data Breach
About the only area of the security clearance problem that has received plenty of attention has been the 2014 hacking of 22 million Office of Personnel Management data records. The records were so vulnerable to hacking, and government defenses so inadequate, that former Defense Policy Under Secretary Dr. Jim Miller described them as the equivalent of “leaving boxes of money on the front porch.”
However, while there has been little reporting on the OPM data breach impacts on security clearance backlogs, it is likely that government agencies have slowed their pace of activity in order to reduce their own vulnerability.
The biggest problem of all is that the federal government simply won’t acknowledge the depth and vectors of the problems. Current data on the backlog are hard to find and harder to validate. Public statements by senior officials ignore both the magnitude of the problem and its impact on government workload and workforce. Congress has devoted little attention to the backlog, and hearings have focused more on OPM actions rather than on the backlog and its impact. Comprehensive solutions are hard to find.
Impact on the Government
New government personnel (military and civilian) cannot perform their full duties without the necessary clearances. Supporting contractors cannot fill positions requiring clearances even if they are funded under existing contracts. Essential work goes unperformed, and contractors can even be penalized for contractual non-performance by the very agencies that are holding up the clearances.
Fixing the Problems
The National Background Investigations Bureau became operational last October, and it offers some hope. NBIB aligns OPM with the Defense Information Systems Agency for a new database and more system security. NBIB also promises additional consolidation in federal investigations management and additional investigators.
But NBIB alone won’t bring the backlog down. Fixing the problems will take a serious infusion of additional people and funds, and the longer we wait, the greater the backlog will become. Most importantly, Congress must address DOD’s $60 million funding shortfall (as well as any shortfall in the civilian agencies) when the current CR expires on April 28. Congress should also raise this issue with every nominee in the affected agencies.
In the longer term, we need to make serious changes in investigations processes, including developing and applying digital tools for conducting background checks, performing ongoing updates instead of periodic reinvestigations, reducing the over-classification of material and the number of positions that require clearances, and focusing adjudication attention based on risk to the government rather than on rote application of rules.”