Increasing trust in how government determines who can access sensitive information is a critical success factor for security clearance reform.
Experience from industry practices and industry research regarding personnel security provide interesting insights and lessons learned for government to consider. These findings emerged from a recent roundtable discussion held in November and co-hosted by the IBM Center for The Business of Government and the National Academy of Public Administration. The roundtable intended to help identify commercial benchmarks that can inform government choices.
This non-attribution roundtable was designed to offer information for government to improve the management of the security clearance process. This mission is now a paramount goal for the new National Background Investigation Bureau (NBIB) at the Office of Personnel Management (OPM), working closely with the Department of Defense (DoD), Office of Management and Budget (OMB) and other key stakeholders.
The roundtable was designed to provide information that can help NBIB and other agencies to continue to make progress toward addressing key challenges in the background investigation process see discussion of first Roundtable). In this second session, security experts from the private sector and academia shared lessons learned, leading practices, and actionable recommendations in areas ranging from increasing capacity to process background investigations (BIs), improving timeliness, and leveraging technology to transform related processes.
In January 2016, the Obama administration announced a series of changes to streamline the background investigations process. This included the development of a revamped background investigations bureau to be housed within OPM that would improve how the federal government conducts and delivers high-quality BIs and addresses key challenges in the BI process. On Oct. 1, NBIB was established as the primary service provider of background investigations for the federal government. NBIB is handling the massive task of supporting the integrity and trustworthiness of the federal workforce and contractors through provision of timely and effective BIs that are needed by the government to deliver on its mission.
Industry can play an important role in supporting the government’s ability to complete BIs effectively and efficiently, and to supply cleared personnel and contractors to support agency missions. Industry experience with screening, clearing, and continuously connecting with employees and contractors can help enhance and augment government strategies to transform and modernize the ways it establishes and manages trust. Perspectives on commercial best practices can serve as an important touchpoint, given the connections across the public and private sectors, which are necessary to build trust in the process for security clearance, suitability, and credentialing.
Key points from the roundtable
Take a holistic approach and partner for success. No single solution or approach will solve all challenges. To successfully mitigate risks, incorporate people, process, and technology elements and invite key stakeholders — including federal employees, business partners, academia and law enforcement officials — to collaborate. A combination of policies, technologies, analytics, and human interaction can collectively help to address issues in personnel/trust assurance.
Leverage emerging analytics approaches to drive improvements, building on identity management techniques. Effective management of role-based access, while important, cannot by itself enable success in sharing vast amounts of data. Additional capabilities to consider include:
Additional technical algorithms, such as OPAL (Open Algorithm), which allows for a better aggregation of and access to data, and “tokenized identity,” through which sensitive information is replaced with a token or symbol that is randomly generated.
Understanding patterns of behavior can help predict anomalies and focus efforts on individuals of interest, using tools like graph technologies and vectors; however, models must be trained and outputs analyzed by human analysts.
The new technology of blockchain, which enables the trusted information exchange among multiple parties through a shared and secure information “ledger,” and also brings significant benefits to support secure and traceable data analysis.
Also, consider a data loss protection (DLP) program that includes an investigative backbone to ensure data integrity availability over time.
Plan and execute technology modernization carefully. Have clear priorities and allocate enough time for transition. When modernizing, focus on separating capabilities from data. For example, when transitioning to cloud, call for transition of services, not data stores per se. In addition, when making modernization decisions, beware of being sidetracked by sunk costs that complicate the modernization case because large amounts have been spent on legacy systems. Use agile techniques to build personnel assurance systems incrementally, but be aware that technology alone will not solve all problems, even technology that brings significant capabilities.
Focus on leadership and training to instill the right culture. Change the perception that personnel and data security are a hindrance, and incentivize actions that promote security. Managers must be trained to lead and promote an understanding that it’s everyone’s responsibility to alert the appropriate channels about suspicious activity. Encourage employees to self-report new information; a constructive but not retaliatory approach is key to promote a culture of awareness and transparency. The importance of data security should be built into employee performance assessments, across business, legal, and technical teams.
Prioritize the most important assets, then expand. Design monitoring techniques based on a risk-based classification of assets, where different types of assets receive different levels of attention. Place the most attention on critical assets that have effects that can propagate through an organization, such as source code, and on enabling employee access to these assets based on their organizational role. This can facilitate prioritization of access for employees with different responsibilities and is especially important because personal interaction with investigation subjects can become impractical when large numbers of people are involved.
Be nimble and flexible. Decide early whether to take an incremental or disruptive approach and choose people, partners and technologies accordingly. Organizations must constantly evolve to react to new and evolving threats — being a little bit unpredictable can help detect pattern-based problems. Build R&D into personnel assurance, and include a channel to update processes and technology based on R&D findings.
Don’t forget about privacy. Statutory limitations on sources and types of data collected on people can challenge government and industry alike. Involve legal experts early and often, and ensure that systems are architected to comply with the Privacy Act and other relevant law and policy. Consider addressing privacy issues by making monitoring event-driven, rather than identity-driven, by identifying risks from events and then collecting additional information.
Taken together, the experiences and expertise of industry and academic experts around personnel assurance provide important perspectives for government to consider in developing approaches for modernizing and transforming the security clearance process. The IBM Center and NAPA look forward to participating in continued dialogue to help generate and exchange new ideas and solutions for government leaders to consider.
Dan Chenok is the executive director of the IBM Center for The Business of Government.