House lawmakers to OPM: Security clearance reforms headed for disaster

Congress isn’t confident the administration’s plan to overhaul the federal security clearance process can right a broken system. And some members question whether creating a new agency is merely “putting a fresh coat of paint on a house with a bad foundation.”

The goal is to achieve initial operating capability for the National Background Investigations Bureau (NBIB) and appoint a specific director to lead it by October 2016, Office of Personnel Management Acting Director Beth Cobert told the House Oversight and Government Reform Committee Feb. 25. The Defense Department will start building NBIB’s IT and cybersecurity systems in 2017.

OPM will set up its interagency transition team by mid-March, Cobert said.

But the committee doubted the administration could meet those targets, and had more questions about the funding, timeline and role OPM and DoD would play in the NBIB.

Advertisement

“I just think that’s happy-talk, that’s just dream-world stuff,” Rep. Stephen Lynch (D-Mass.) said of the NBIB timeline. “We’ve had terrible, terrible problems with just getting basic information up and running. We’re still doing stuff manually. … Interestingly enough, the only things that haven’t been hacked is the stuff we’re doing by hand. I’m sure that’s not intentional, but that just demonstrates the weakness of our system.”

Many members were skeptic that OPM remains involved in the federal security clearance process, considering the agency’s recent cyber breaches and the current clearance backlog. At the end of fiscal 2015, the backlog stood at 388,000 new background investigations and 117,000 periodic reinvestigations. 

Rep. John Mica (R-Fla.) questioned how OPM could be trusted to lead this new federal security clearance bureau, when the agency still processes the bulk of its retirement claims by hand.

“We’re headed for another disaster,” he said. “I’m telling you, you have to take this a bite at a time, you need to get contracts out, you need to get it out of OPM. It is designed to fail. We’ll be back here [in] the next Congress in 2017.”

Though the committee said it lacked confidence in OPM’s ability to lead security clearance reform, it expressed overall support for DoD and its ability to design, build and operate NBIB’s IT and cyber systems.

Yet many members took issue with the distribution of funding for the new security clearance process. President Barack Obama requested $95 million from DoD’s budget in 2017 to build the IT systems.

The NBIB will charge agencies a fee based on the number of background investigations they need, Cobert said. As the biggest customer for security clearances, DoD will pay more for NBIB services than other agencies.

But Rep. Steve Russell (R-Okla.) sees competing interests in authority and funding for DoD under the NBIB. He questioned whether the Pentagon would be better off solely handling its own background investigations or whether it should rely on “an amalgam of agencies” to process those applications.

“Now we’re turning back to [DoD], but we’re still going to keep it potentially in a convoluted authority structure,” he said. “This is a defense issue. This is a national security issue, and it still begs the question of whether or not DoD should be involved in its own personnel at all under an OPM structure.”

Bill Evanina, director of the National Counterintelligence and Security Center at the Office of the Director of National Intelligence, said the plan under NBIB is the best option.

Terry Halvorsen, DoD chief information officer, agreed.

“I don’t think you want DoD, Department of State doing different things with the investigations,” he said. “That … makes it more efficient but also creates seams that could be exploited. I think we eliminate those seams. I understand your issues about, are we going to be able to get the right authorities in place? I think we are.”

Questions of authority, accountability

The committee had many questions about who within the administration served what role in the new bureau — and what the chain of command will look like.

The President will appoint a specific director for the NBIB, who will not be confirmed by the Senate.

The OPM director has the authority to remove the NBIB leader, Cobert said.

Halvorsen described himself as the “senior accountable official in charge of building this system right.”

“In the end, DoD is in charge of the technical decisions,” he said. “But I will stress, we have worked well together with all of the members of this panel. We will continue to coordinate with all of the customers. We will continue to do this in a cooperative way. But in the end, I report to the Secretary of Defense. The Secretary of Defense is the biggest customer of the NBIB, and I assure you, I don’t expect any problems to come up.”

But Russell questioned just how much stake Halvorsen and his team would have in the NBIB decision-making process, and specifically, what would happen if DoD disagrees with OPM or other leaders on the Bureau.

“You have to have unity of effort,” Russell said. “And not just unity of effort, you have to have somebody clearly in charge. And here’s my big beef: if the Department of Defense is clearly going to have the greatest authority to protect these documents then they by golly better have the authority to make it good.”

No single inspector general will have oversight over the NBIB,  Halvorsen said, but the Pentagon’s IG will evaluate the Defense Department’s work on the NBIB IT systems.

Social media plans?

As the administration develops an IT system that will process new and periodic background investigations, it also is still considering other capabilities that could give agencies more information about their security clearance holders.

For example, the ODNI is developing an official standard for agencies to use continuous evaluation when performing periodic reinvestigations.

And most agencies have yet to incorporate social media in the background investigation process, and it’s unclear when they intend to do so.

ODNI  was supposed to issue a security executive agent directive, which would detail how the DNI expects agencies to use social media and other publicly available information in the security clearance process.

That directive is currently stuck in the Office of Management and Budget for review, Evanina told the committee.

Federal Chief Information Officer Tony Scott said he didn’t know the status of that social media policy.

The administration has been working on the policy for a few years, but privacy questions are holding up full implementation, Evanina added.

But for Rep. Jason Chaffetz (R-Fla.), the chairman of the Oversight and Government Reform Committee, those questions shouldn’t be so difficult to answer.

“This should be such a simple question,” Chaffetz said. “It should be on your form, show us all your online identities. As we’re doing a background investigation, how can you not go look at their Facebook page or their Twitter posts or Instagram or Snapchat or any of the other ones? We don’t do that? How moronic are we? I mean come on, my 14-year-old could figure this out. What’s the hesitation? This is the problem, it’s just silent.”