A new audit of the Office of Personnel Management’s handling of security-clearance background investigations urges the agency to “strengthen” its oversight of contractors who review case files.
The OPM Inspector General investigation revealed shortcomings in the steps taken by OPM and its contractors to make sure background investigations undergo quality reviews.
The review pointed to a lack of oversight on OPM’s part in making sure contractors actually review cases and said some of the companies that employ case reviewers failed to keep track of records showing the contractors had undergone proper training.
OPM’s handling of background investigations has been under scrutiny for much of the past year. Beginning last summer, it was revealed the same company, USIS, performed investigations of both National Security Agency contractor Edward Snowden and Navy Yard shooter Aaron Alexis.
Insight by LookingGlass: Federal technology experts provide insight into how agencies are approaching cybersecurity in the new virtual climate in this exclusive executive briefing.
Later, the Justice Department joined a False Claims Act suit against the company, which is the largest private provider of background checks, accusing it of signing off on at least 665,000 investigations over a 4 1/2 year period that had never been properly vetted. DOJ’s complaint, however, is unrelated to the investigations of either Snowden or Alexis.
‘Abnormal’ caseload went undetected
The IG’s report, which covered background investigations conducted and completed between October 2012 and the end of August 2013, uncovered two instances where USIS employees, responsible for conducting quality reviews of cases before sending them to OPM, had signed off on an abnormally high number of cases.
For example, one USIS reviewer completed 15,152 case reviews in a single month, “with most of these occurring within minutes of each other on multiple days,” the report stated.
While OPM’s Federal Investigative Services, which oversees the process, was able to identify and take action against one of the employees, the other employee’s abnormal caseload went undetected, according to the IG report.
The IG’s investigation was able to conclude that in some instances, contractor companies — including CACI and Keypoint Government Solutions, in addition to USIS — had not completed initial, first-line quality reviews but had collected payment for incomplete work anyway.
In a selected sample of 328 cases, the IG reported that 17 reports-of-investigation, or ROIs, had not been properly reviewed: three from USIS, four from CACI and 10 from KeyPoint Government Solutions.
“As a result of no reviews occurring on these ROIs prior to submission to OPM, the contractors have not complied with contract requirements and have been paid for work that was not reviewed,” the report stated. “In addition, the lack of reviews can lead to inadequate work being performed and background investigation cases being potentially compromised.”
In a response to the IG report, director of the Federal Investigative Services Merton Miller said OPM has asked the contractors to update their quality-control plans. Meanwhile, each company’s program director has to certify to OPM on a monthly basis that the first-line reviews are taking place. FIS has also created a new inspection team to monitor contractor compliance.
OPM: Investigations weren’t ‘compromised’
However, there’s disagreement between OPM and the IG’s office over the extent to which the companies’ failure to perform the first level of quality reviews put the background-investigation process at risk.
The first level of review undertaken by the contractor is only part of OPM’s quality-assurance process, Miller emphasized in his comments. All cases are also re-checked by final quality reviewers at OPM.
“Therefore, the effect of the contractors’ lack of reviews does not lead to background investigations being potentially compromised,” Miller said.
But the IG’s office maintained that for the broader quality-assurance process to be effective, all parts of it must work as designed, auditors said in the report. “Since the fieldwork contractors’ review is a part of the overall … process and it is not working as designed, there is a potential risk that a background investigation could be compromised.”
Since February, final quality reviews have been performed solely by OPM. Prior to that, though, USIS also performed some final reviews under a support-services contract with the agency. Shortly after DOJ’s complaint against USIS became public, OPM announced it was ending USIS’ role in performing final reviews.
In fact, since only federal employees now conduct final quality reviews, Miller said OPM is now considering whether to stop requiring contractors to conduct first-line reviews entirely. In his comments on the IG report, Miller said FIS is conducting an assessment of the costs and benefits of the separate contractor quality review process.
Want to stay up to date with the latest federal news and information from all your devices? Download the revamped Federal News Network app
“OPM FIS acknowledges that this requirement may provide added value to our process, but this needs to be carefully weighed with the cost of this requirement, the oversight that is needed to monitor this requirement, the system changes to support this requirement, the federal review process we have in place, and the ultimate benefit that is received,” Miller said.
In addition, the IG report was unable to verify that nearly half of the USIS reviewers it sampled had undergone proper training. Of 50 USIS personnel reviewed, auditors could not verify training documentation for 24 of them.
“Based on the results of our review it is clear that USIS lacks internal controls over the retention of training documentation,” the IG concluded.
But USIS was not alone in apparently lax recordkeeping. The IG was also unable to verify training documentation for five of the 25 KeyPoint reviewers it sampled and said the company did not maintain any formal records of their reviewers’ initial training.
Miller said FIS plans to modify the companies’ contracts by Sept. 30 to require contractors to maintain “formal, complete” training records that can be provided to OPM, if requested, within 24 hours.
Congress continues search for fixes
The civil case against USIS was recently moved to Washington, D.C. However, last month, the judge ordered a stay in proceedings following a motion filed under seal by DOJ. The company has maintained the activity alleged in the government’s complaint “is inconsistent with our company values, culture and tradition of outstanding service to our government customers,” according to a statement.
Meanwhile, Congress has also stepped in, seeking to patch up the background-check process.
In February, President Barack Obama signed the OPM IG Act into law, which has provided the agency’s top watchdog with an additional source of funding to conduct audits and investigations.
“We’ve made progress in strengthening accountability in the security clearance process, but this troubling audit shows we have to do more to tighten controls over the system and its contractors — such as automated review and more rigid oversight,” said Sen. Claire McCaskill (D-Mo.), author of a bipartisan bill that would require random automated checks of clearance-holders.