The Director of National Intelligence will soon ask agencies to use additional sources of information when periodically reviewing their security clearance holders, according to a provision slipped into the 2016 omnibus spending bill.
The legislation creates an enhanced personnel security program, which requires that agencies develop a plan for investigating existing clearance holders, under the direction of the Director of National Intelligence (DNI).
Those reinvestigations must happen at least twice every five years.
“The enhanced personnel security program of an agency shall integrate relevant and appropriate information from various sources, including government, publicly available and commercial data sources, consumer reporting agencies, social media and such other sources as determined by the Director of National Intelligence,” the bill states.
Specifically, agencies should collect criminal and financial information, such as a civil legal proceeding or credit score, as well as data on a terrorist or criminal watch list and any information that is already publicly available to conduct security reviews, the legislation says.
Agencies must implement their enhanced personnel security programs either within the next five years or before the backlog of overdue periodic reinvestigations is eliminated.
The specific inclusion of social media and publicly available electronic information is key, said Charlie Sowell, senior vice president for system and software engineering solutions at Salient CRGT and a former senior adviser to the Director of National Intelligence.
The term “social media” will apply to any information an employee publicly posts on his or her account.
“It’s interesting that they used publicly available and social media separately,” Sowell said. “What we call publicly available electronic information (PAEI) [is] anything that’s available online that a member of the general public could get without a subscription. It’s readily available, and social media is a part of that.”
Though the legislation generally says agencies should use social media when reviewing clearance holders, it doesn’t describe exactly how they should use it, what they should look for and how they should interpret the information they find.
Sowell said the Director of National Intelligence was supposed to issue a security executive agent directive, which would detail how the DNI expects agencies to use social media and other publicly available information in the security clearance process.
“Agencies, particularly in the Intelligence Community, have been waiting for the DNI to issue a top-cover for them to begin exploring the use of social media and publicly available electronic information in the normal clearance process, that is in the initial investigation and the periodic reinvestigation,” he said. “But frankly some agencies, which have started piloting the use of social media in investigations, have stopped because they haven’t gotten that top-cover, that policy document from the DNI that says it’s ok to use it.”
While the legislation directs that agencies use social media for reinvestigations, the DNI will still need to issue a directive permitting them to begin using that kind of information, Sowell said.
The legislation makes no mention of continuous evaluation — the practice of consistently conducting automated checks on an employee’s financial, travel and criminal history records — which some agencies have begun to experiment with.
“I’m not sure this is as practical as moving whole hog into continuous evaluation, because you’d have to set up random checks that launch for every single person at different intervals,” Sowell said. “It’s not 5 percent of the population; it’s everyone. So why not go all the way to continuous evaluation?”
Two years after its start, each agency’s inspector general will conduct at least one audit of the program using performance standards that the Director of National Intelligence developed.
Inspectors general will submit the results of their audits to the Director of National Intelligence, who will assess how well agencies are implementing enhanced personnel security programs governmentwide.
The 2016 budget also includes a resolution requiring the Director of National Intelligence to develop a plan to eliminate the security clearance backlog.
“The plan … shall use a risk-based approach to identify high risk populations and prioritize reinvestigations that are due or overdue to be conducted,” the legislation says.
That comes as the future of the federal security clearance process remains unclear.
Following multiple cyber breaches at the Office of Personnel Management, the White House mandated a 90-day review of the federal security clearance process in July. A request for proposal that OPM released in November for a workforce planning study of its Federal Investigation Services (FIS) indicates that the results of that review might be coming soon.
It’s still unclear which agency will ultimately own the security clearance process. A former federal counterintelligence official said the White House will create a new organization, the National Investigative Service Agency, which would assume oversight of the clearance process.
Other options included moving the services back to the Defense Department or keeping them under OPM’s oversight.
Previous attempts to reform the security clearance process have died in Congress.
The Enhanced Security Clearance Act, which had multiple versions and sponsors in 2013 and 2014, had marked similarities to the program included in the 2016 omnibus. It asked agencies to use publicly available information to review security clearance holders twice every five years.