Sweeping changes to the suitability, credentialing and security clearance system are supposed to be — pending the president’s signature — right around the corner.
Agencies will begin to dramatically ramp up their existing continuous evaluation and vetting programs over the next few years, with the goal of expanding those capabilities to the point of nearly replacing the five-year periodic re-investigation.
But as agencies prepare to expand their use of continuous evaluation and vetting capabilities on clearance holders, industry is urging government to consider how it might share the data it collects on its employees through automated records checks.
That information, contractors argue, could help serve their own insider threat and vetting capabilities.
Cleared defense contractors are required, per a 2016 change to the National Industrial Security Operating Manual, to operate their own insider threat programs.
Those programs were designed to prevent the “next Edward Snowden.”
Not sharing that kind of information with contractors about their employees poses too much risk, both to the government and to cleared industry partners, Kevin Phillips, ManTech CEO, said Thursday at an Intelligence and National Security Alliance panel discussion in Arlington, Virginia.
According to Phillips, ManTech and other cleared contractors have little to no insight into the behavior and performance of their own employees, whom they hired to perform defense and national security work on behalf of the government.
“We also have people on site who have access to data and they have access to enduring secrets, yet we don’t get information from people on site if their behaviors are bad, because they can’t be shared,” Phillips said.
Cleared industry also has little to no insight into the work, performance and behavior of employees as they move from one contract to the next.
“We interviewed Edward Snowden,” Phillips said. “We didn’t hire him, but there were no bad indicators. How do you think that makes me feel as a CEO?”
Ask some current and former agency general counsels, and they’ll say the Privacy Act of 1974 prevents them from consistently sharing insider threat data with industry.
Others might point to an exception within the law and argue the statute gives agencies the authority to share insider threat indicators with government contractors.
Agencies are inconsistent in how they interpret the Privacy Act, and they all have differing repositories and systems for collecting and keeping insider threat data, said Betsy Ames, privacy and civil liberties counsel with the CIA.
“Each agency is going to have a different system of record notice, and each agency is going to have a routine use that’s going to apply to those systems that they have,” she said. “Depending on the agency, some will have an insider threat system of record notice. Other agencies will just have a personnel security notice. Some will just use an SF-86 notice. We’re also pulling in human resources information, which might be subject to its own notice. You have this disparity in how they’re [handling] this information.”
Phillips can attest to the inconsistency. About 23 agencies across government have investigative authority to vet and grant security clearances to their employees and contractors. Ask them about their propensity to share insider threat information with cleared industry about their contractor employees, and they all have a different answer, he said.
The inconsistencies have led INSA to form a legal affairs working group, which is discussing how new policy guardrails could allow agencies to share insider threat information with industry.
New policy could, for example, require agencies to make information available, but only for the purposes of sharing that data with a contractor’s security officer — for use within a company’s insider threat program.
“If the information goes to every insider threat lead for every company, that’s great,” Phillips said. “They’re going to be trained. They’re going to be expected, if that’s the security professional, to be the same person.”
Still, the potential to create an insider threat information sharing network opens up even more questions. Agencies want to ensure employees have an opportunity to appeal if insider threat information is used to revoke a security clearance or take disciplinary action.
And industry wants to ensure agencies aren’t sitting on information collected through continuous evaluation that’s months old — or inaccurate.
After all, continuous evaluation is supposed to help agencies find potential indicators of troubling behavior or distrust within a vast trove of personal, financial and travel data. It’s like searching for a needle in the haystack, said Perry Russell-Hunter, director of the Defense Office of Hearings and Appeals.
“The premise behind continuous evaluation was always that when we discovered something that was of significance it would feed into an expandable, focused investigation,” he said. “That premise is important. We’re not talking about information sharing of all information. All information is not created equal.”
Phillips said he and his industry colleagues aren’t interested in insider threat data for the purposes of tracking or taking employment action against their employees. Instead, they’re more interested in using that data to prevent and mitigate potential harm to their people, facilities and data, he said.
“To date, it’s more about tracking and recording,” Phillips said. “Let’s identify somebody, show that they’re starting to make it on the wrong tracks. But we’re not sure [today] if we can tell if the person owns the track or the person owns the train, and we don’t know who can tell the person to stop the train. All we’re doing is moving the National Transportation Safety Board up while the train is moving. We can’t do that [today]. We have to get to the next mile. We have to get to where we stop something by making a risk-based decision.”