The Office of the Director of National Intelligence said it’s planning to offer up clear, specific guidance on a question that nearly every federal agency must grapple with — but one that’s also prompted mixed results across government.
Who do agencies trust to work for their organizations, and how do they measure and track that trust over time?
Insight by Kodak Alaris: Practitioners provide insight into how states and the IT industry are dealing with Real ID in this exclusive executive briefing.
To better answer those questions, ODNI is developing an enhanced security framework. It will include a common set of adjudicative and investigative standards that all agencies can use to evaluate a person’s suitability as a federal employee or a contractor or as a security clearance holder, said Sue Gordon, principal deputy director of national intelligence.
“We have had so many tiers, so many levels, so many definitions of suitability and security, and the question is how do you bring those together to this notion of: what are you protecting, [who] is a trusted person, and how do you build standards that have to go back to that?” Gordon said Tuesday morning at an Intelligence and National Security Alliance discussion at George Mason University.
Gordon said those standards should be finished and promulgated to all agencies in the form of a policy document by the end of 2019.
A backlog that once topped nearly 740,000 and the coming transfer of the governmentwide background investigation portfolio from the Office of Personnel Management to the Pentagon have earned much of the attention around security clearances this year. However, ODNI believes common standards will truly evolve today’s outdated and confusing processes for the 21st century.
Industry has been and is involved in ODNI’s efforts to develop these standards. After all, each agency often uses different standards to determine a contractor’s suitability and trustworthiness. At the Homeland Security Department, standards differ among the agency’s subcomponents.
“Industry then can use the same standards to define its trust and put into its insider threat,” Kevin Phillips, CEO and president of ManTech, said of the framework. “Without that and information sharing, the insider threat is hollow, because we don’t know what our reports are doing at a government facility. If we’re going to be co-responsible for people of trust, which we should be, then we have to figure out how to do that together and make it uniformly applied and available to the entities that hold trustworthy individuals.”
Phillips has gathered the CEOs of 16 large contractors to discuss their concerns with the suitability and security clearance process.
Senate Intelligence Committee Vice Chairman Mark Warner (D-Va.) has also been pushing for a common risk framework.
“Everybody’s setting their own standards, and now we’re trying to force them into some level of compatibility,” he said. “My hope is with this new basic framework of responsibility, you almost start with the … premise of everyone in the bucket, in terms of common standards and reciprocity.”
Warner said he wants the Performance Accountability Council (PAC), a body comprised of the Pentagon, the Office of Management and Budget, OPM and the ODNI, to develop and report a framework to Congress. This mandate is one of many provisions in the Intelligence Authorization Act, which still awaits a full vote in the Senate.
Some agencies have been more receptive to this idea than others, but Warner said he wants to keep pressure on the PAC to hold all agencies accountable to these common standards once they’re finalized.
“As we started this process, DoD and IC were pretty good,” he said. “OMB was a little slow to the table. DHS is still slow to the table, so we have to keep urging them forward. But they have to set the framework. We’re not going to mandate in legislation that basic framework.”
Common standards, however, are just one half of the equation. Helping agencies implement the framework will be another battle, Gordon said.
“How do I work with all the organizations that have to implement this? That’s when we have to deal with big data differently. We have to look at modernization of our processes, and that will come too,” Gordon said. “But I really do believe that common standards, common understanding of what that framework is, is an important move.”
Common standards may also bring industry closer to another concept that it’s been pushing in recent years. Contractors want the flexibility to take a security clearance with them as they move to new agencies or even different contracts with the same agency. That’s not possible today.
“In many ways, particularly for our contracting community, we have to recognize very few people either on the governmental side or the contracting side are going to work for the same firm for 35 years,” Warner said. “They’re going to move around, they’re going to move around to different contracts.”
This “clearance-in-person” concept may also cut on the investigative workload, which OPM and the National Background Investigations Bureau (NBIB) had been struggling to control.
The security clearance backlog today, however, is dropping. It now stands at about 600,000, Gordon said. By the spring, Gordon believes the community will cut it in half, to roughly 300,000 pending matters.
This is due, in part, because the Defense Department and ODNI have been ramping up their use of continuous evaluation (CE).
ODNI’s continuous evaluation program uses seven different data streams to consistently monitor cleared employees and contractors for signs that they may become a risk to the organization.
Gordon said 20 agencies have signed up to use ODNI’s continuous evaluation program to date. Fifteen more are developing memorandums of understanding to join the program, she said.
DoD has said CE sits as the cornerstone of its plan to transfer defense-related investigations — and now the entire governmentwide security clearance portfolio — from OPM and NBIB to the Pentagon.
The goal, officials said, will be to use CE in place of the periodic reinvestigation process altogether.
“It should,” Gordon said. “It should be able to get there. But there’s still a gap we have to cross. People who do adjudications have to be able to use the data, send it in real time and then be able to make a decision such that they don’t have to go back and do something [else.] That is absolutely the goal, so it should be able to replace [periodic reinvestigations]. Think about what that does in terms of investigative resources that allow us to work off the people who have never had a clearance.”