When the government vets people for security clearance, some small differences show up in how it looks at federal employees and contractors. That’s the conclusion of a detailed study conducted by the Intelligence and National Security Alliance. Here with details, Michael Hudson, the senior director of government solutions at ClearForce, joined Federal Drive with Tom Temin.
Insight by Cloudera: Learn about what a few federal agencies are doing to tackle data security challenges and improve their cyber data posture in this exclusive e-book.
Tom Temin: Michael, good to have you back and we should point out that you’re speaking kind of as an adjunct faculty to INSA in this case and not for ClearForce. You helped with that study?
Michael Hudson: Yeah, that’s right. And I appreciate being back.
Tom Temin: All right, so what did you, first of all what was the genesis of the study? Why did you look at security clearance contractors, vis-à-vis government employees?
Michael Hudson: Yes so there was a kind of a conversation taking place that would say government employees were vetted differently than civilians working in the defense industry, right? So individuals who had potentially at one point served in the government served in its military, kind of like myself in this case — 30 years in the Marines and now I worked for a defense company. We were somehow looked at through a different set of lenses and the reality is we’re not. The process is the same as it was even when I was serving. I mean, they’ve made clearly improvements, but in essence it’s this: You go through a background investigation that’s initiated by a standard form 86. So that collects —
Tom Temin: If you could get through that form, you’re halfway home.
Michael Hudson: Right? That’s 120 pages, I think the last time I looked. So that’s not a trivial event. Now the good news is, when I filled out the first time, I was using a pen and paper. Today it’s a digital system through an e-QIP process. So that’s actually better, streamlines the information getting into the system and enables information sharing as relates the investigations.
Tom Temin: And by the way, can you start the form and then go back to it later? Do you get an account, so to speak?
Michael Hudson: Yeah, that’s interesting. I haven’t filled out the new e-QIP. So the last time that I applied for a security clearance or had my periodic re investigation, it was through a manual process. So I filled out a significant amount of those 120 pages.
Tom Temin: All right, so anyhow, INSA decided to look at the differences, if there were any, because of suspicion that maybe government employees were getting a little easier rides, perhaps, than contractors?
Michael Hudson: Yeah, I think that’s true. That was one of the drivers of why we looked at it and I said earlier, the reality is that they’re both being vetted through that SF 86 then they go to the National Background Investigations Bureau. The federal investigative standards are applied. The adjudicated guidelines, the 13 of them are equally applied against the application for a suitability or fitness determination that allows them then to be issued a clearance, and then granted access at the appropriate level by the agency that controls that information.
Tom Temin: All right, so then the report found nothing, no difference between the two?
Michael Hudson: What I found is, it t’ed up a couple of conversations. So one is we’re looked at the same way, whether you’re in the federal government directly employed, have worked for the federal government now on the outside, or you work for a defense contractor or in the defense industry, and you apply for access. So the process is in essence the same. We found where some of the differences were, and once you get issued that clearance is how do they continually evaluate it or monitor, right? Because a background check is really a snapshot in time looking backwards, and the goal of that is to say, well, based on historical data at this moment in time, we think this individual going forward should be granted access. So the government now is doing this continuous evaluation. You’re seeing that they’re looking at ways, continuous review, at ways to constantly update that process. And so we found some little bit differences in there. One is in use of social media. The government has not fully embraced bringing that on though they have some guidance out there — security initiative directive number 5 talks about how social media can be used. You find some of the defense contractors, the defense companies are already bringing some of that in as a way to see the difference. And the other big challenge we discovered was some of the information sharing, and I think that’s another key component. So there’s requirements if you are a cleared defense contractor, cleared defense company that if you have derogatory information of one of your employees that has a clearance and has a clearance of working on the government site, you’re required to share that information, right? There’s processes and pathways to do that. Conversely, if that same employee is working on a government site, for the government to share that information back to the company, there are some barriers in that, and that makes it a little bit problematic.
Tom Temin: The government can’t share information about a contractor working in the government back to that company?
Michael Hudson: Yeah, there are some restrictions in there around privacy — a lot of that is.
Tom Temin: Got it.
Want to stay up to date with the latest federal news and information from all your devices? Download the revamped Federal News Network app
Michael Hudson: Right, and then there are some processes. What is the mechanism for the government writ large? So let’s pick an intelligence community. I’ll just grab one, say the FBI. So they’ll have processes and how they move information internally. Then for the FBI, there, to go back to say my company, ClearForce. There are processes that they would have to follow, and in some cases those become impediments to information sharing, especially in real time.
Tom Temin: We’re speaking with Michael Hudson, the senior director of Government Solutions at ClearForce and a contributor to the Intelligence and National Security Alliance study of the security clearance process. Let’s go back to social media for a minute. Explain more about how that works. Companies often look at social media when vetting would-be employees. I don’t think the government does that at this point. Not so much for security clearance, we’re just talking about hiring. So how does that come into security clearance and how does it differ on the two sides?
Michael Hudson: Yes, so the way I think about social media is really through three principal bins. Its people, places and things. So you’re trying to discover activities within those bins using social media, and what you want to do is bring social media in either as a way to alert the organization, say “Here there’s some activity that’s potentially troubling,” right, about an individual, place or thing, and then you want to be able to fuse that or collaborate that information with other data to reach a conclusion on where your risk or risk may be not. So government is bringing that on, but I don’t think they’re as far along in the conversation as some of the cleared defense contractors are who are more aggressively bringing that in. And the key in all of this, though, all this we have to remember, is you have to build this trusted workforce. So that’s one of the challenges as well, right? So as we talk about social media people are like, “Hey, wait a minute, what are they doing?” The goal here of looking at individuals through a wellness program, followed by an insider threat program — those are designed not to find nails because your primary tools a hammer. That’s designed really to let organizations know that hey, we’re supporting the 99% of people that come to work every day doing it right. We want to become aware of risks that are potentially in their lives that they could bring into the workplace that could then come into the government space.
Tom Temin: So, in other words, a company might know a little bit more about a person than the government would know for purposes of security clearance?
Michael Hudson: Right, and that works both ways though. See, so if you think about some of the recent cases that have hit the news, these were employees of companies. The company did all the vetting to make the hiring decision. Then they went through the government security process and were found suitable and had the right level of fitness to receive a clearance. Then the company loses sight of them, they’re working on the government site every day. So if that company has a really good you know, “see something, say something” program, well if that individual never comes to work because he’s on a government site that kind of doesn’t help. If they have a really good cyber system but they never log onto that company’s network, kind of doesn’t help.
Tom Temin: So you can’t see the new Lamborghini they might have bought or something?
Michael Hudson: Well, absolutely. I mean, undue affluence is one of the things that they would look at, right? So it’s not just finances in the way of are they on a negative trajectory that would make them susceptible through outside bad actors potentially approaching. We’ve seen that in the news recently, both on the education side, the story about Harvard — that Harvard professor. You see some stuff down in Texas.
Tom Temin: Sure, right.
Michael Hudson: Where China uses finances as a way to approach an individual. Companies need to be aware that that individual is struggling financially in front of, and help shore that up, right? That’s kind of one of the key things. The social media part of that, in some cases can be helpful, where you can have access to and see potential activities that might be troubling or concerning.
Tom Temin: Yeah, it is, I guess, surprising what people are willing to tell about themselves in social media, as if their employer may not see it.
Michael Hudson: Yeah, that’s interesting. I have a low social media footprint, but then, you know, I have a 26-year-old and a 21-year-old and I’m constantly cautioning them, like “Be careful what you put out there because regardless of what you think it is, it doesn’t go away,” right?
Tom Temin: And let me ask you this: In studying the security clearance process, which has been revised and it’s changed ownership and so forth, been a lot of pressure on it, how does it look to you in general, relative to, say, 23 years ago?
Michael Hudson: Oh, absolutely moving in the right direction, I think. And that’s part of what INSA does. I mean if you think about INSA as a nonprofit, nonpartisan organization that works in the intelligence community, I mean they help set up venues where, in fact, there’s one coming up here in March, where we’re gonna talk about the trusted workforce and you have Senator [Mark] Warner (D-Va.) is gonna participate in that. Then you bring in the CEO prospective, right? So you’re bringing this right balance of government, senior defense leaders. And they facilitate these conversations, I think. So I would suggest that INSA and other companies are part of helping the government move forward in improving these processes. But I think there’s a lot of work on that right now.
Tom Temin: Michael Hudson is senior director of Government Solutions at ClearForce and a contributor to the INSA report on security clearances. Thanks so much for joining me.
Michael Hudson: Appreciate it, thanks.
Tom Temin: We’ll post this interview along with a link to the report at www.federalnewsnetwork.com/FederalDrive. Here the Federal Drive on demand. Subscribe at Apple Podcasts or Podcastone.