Key Issues > High Risk > Government-wide Personnel Security Clearance Process
High Risk Medallion

Government-wide Personnel Security Clearance Process

This information appears as published in the 2017 High Risk Report.

View the 2017 Report

  1. Share with Facebook 
  2. Share with Twitter 
  3. Share with LinkedIn 
  4. Share with mail 
This area was added to the High Risk List in January 2018 and does not appear in the published 2017 report.
 
A high-quality and timely government-wide personnel security clearance process is essential to minimize the risks of unauthorized disclosures of classified information and to help ensure that information about individuals with criminal histories or other questionable behavior is identified and assessed. As of October 1, 2015, the latest date for which data are available, approximately 4.2 million government and contractor employees, at nearly 80 executive branch agencies, were eligible to hold a personnel security clearance. 
 
The Security, Suitability, and Credentialing Performance Accountability Council (PAC) is the government-wide entity responsible for driving the implementation of and overseeing security and suitability reform efforts. The PAC is led by four principal members:
  • The Deputy Director for Management of the Office of Management and Budget (OMB), in the capacity as Chair of the PAC; 
  • the Director of National Intelligence (DNI), in the capacity as the Security Executive Agent; 
  • the Director of OPM, in the capacity as the Suitability and Credentialing Executive Agent; and 
  • the Under Secretary of Defense for Intelligence.
GAO has previously identified personnel security clearance processes as a high-risk area. In 2005, GAO added the Department of Defense’s (DOD) personnel security clearance program to its High-Risk List due to long-standing issues with timeliness and a growing backlog. In the 2007 high-risk update, GAO identified additional issues related to the quality of the Office of Personnel Management’s (OPM) background investigations and DOD’s adjudications. However, the program was removed from the List in 2011 because DOD had made substantial progress in rectifying these issues. 
 
After GAO removes areas from the High-Risk List, it continues to monitor them to determine if the improvements previously noted are sustained and whether new issues emerge. If significant problems again arise, GAO will put an issue back on the list, as it has done in this case, due, in part, to significant challenges related to the timely processing of security clearances, the implementation of key initiatives of the security clearance reform effort, and ensuring the quality of investigations.
  • Timeliness and investigation backlog: The executive branch has been unable to process personnel security clearances in a timely manner. This has contributed to a significant backlog of background investigations at the National Background Investigations Bureau (NBIB)—the entity within OPM that has responsibility for conducting personnel background investigations—that totaled more than 700,000 cases as of September 2017. Moreover, for fiscal year 2016, the PAC reported that the government-wide average for the fastest 90 percent of initial secret clearance investigations ranged from 92 days to 135 days. Investigations for the fastest 90 percent of initial top secret clearances ranged from 168 days to 208 days. In both areas, these timeframes significantly exceed established timeliness objectives.
  • Reform progress: While the PAC has made progress reforming the security clearance process since the passage of the Intelligence Reform and Terrorism Prevention Act of 2004 (IRTPA), several critical areas of the reform effort—such as the implementation of continuous evaluation, and the issuance of a reciprocity policy—remain incomplete. Over the last nine years, we have made 43 recommendations to executive branch agencies to improve the personnel security clearance process; however, only 12 of them had been fully implemented as of January 2018.
  • Investigation quality:  While the executive branch has taken steps to develop quality assessment standards and a quality assessment reporting tool, it has not established measures for the quality of background investigations. Establishing performance measures is one element of a framework for effectively managing program performance to achieve desired outcomes.
In December 2017, the National Defense Authorization Act for Fiscal Year 2018 was signed into law. This legislation will have a significant impact on the personnel security clearance process by transferring responsibility for conducting background investigations for certain DOD personnel from OPM back to DOD (Pub. L. No. 115-91, § 925(a)-(d) (2017)).   Continued and coordinated focus on the challenges GAO has identified, and the personnel security clearance process generally, will be necessary to facilitate the transfer of background investigations from OPM to DOD. Additional policymaker and stakeholder attention will also be essential to help ensure the smooth and timely processing of personnel security clearances government-wide.   
 

The government-wide personnel security clearance process is experiencing challenges in six key areas, as identified in GAO-18-29 and GAO-18-117.

(1) Investigation Backlog. NBIB documentation shows that its backlog of pending investigations increased from about 190,000 in August 2014—before OPM decided not to exercise subsequent option periods for its largest investigative fieldwork contract at the time—to more than 700,000 investigations, as of September 2017. While NBIB has taken steps to increase its capacity to conduct background investigations as well as identify and address challenges in the investigation process, NBIB leadership has not developed a comprehensive plan with goals and milestones to reduce the investigation backlog to a manageable level.

(2) Investigator Capacity. As the backlog has grown, NBIB has taken steps to increase its capacity to conduct background investigations by increasing its own investigator staff as well as awarding new contracts, effective in December 2016, to four contractors for investigation fieldwork services—two to incumbent contractors and two to new vendors. However, OPM officials acknowledged that the four contracts and its federal investigator staff do not currently provide enough capacity to reduce the pending number of investigations to a manageable level. Moreover, NBIB leadership has not established long-term goals for increasing total investigator capacity—for either federal employees or contractor personnel.

(3) Clearance Processing Delays. The number of executive branch agencies meeting established timeliness objectives for initial secret clearances, initial top secret clearances, and periodic reinvestigations decreased from fiscal years 2012 through 2016. For example, in fiscal year 2012, 27 percent of the agencies for which we obtained data met investigation and adjudication timeliness objectives for at least three of four quarters for initial secret clearances, and 59 percent met timeliness objectives for initial top secret clearances. By fiscal year 2016, that decreased to 2 percent and 10 percent, respectively. The Office of the Director of National Intelligence (ODNI) has not conducted an evidence-based review to ensure the current timeliness objectives are appropriate or developed a government-wide approach to help improve timeliness. 

(4) Lack of Quality Measures for Investigations. While the executive branch has taken steps to establish government-wide performance measures for the quality of background investigations—including establishing quality assessment standards and a quality assessment reporting tool—it is unclear when this effort will be completed because there is no milestone for their completion. Our work on personnel security clearances has identified concerns about the quality of background investigations and has highlighted the need to build quality throughout the process for almost 20 years.

(5) Security Clearance Reform Effort Delays. While the PAC has reformed many parts of the personnel security clearance process, some long-standing key initiatives remain incomplete. For example, the original milestone set by the government-wide reform effort for implementing continuous evaluation—a process to review the background of clearance holders and individuals in sensitive positions at any time during the eligibility period—was the 4th quarter of fiscal year 2010. However, this milestone was not attained. While ODNI took an initial step to implement continuous evaluation across the executive branch in October 2016, it has still not been fully implemented and ODNI has not set a milestone for when it will occur. In addition, the issuance of a reciprocity policy to guide agencies in honoring previously granted clearances by other agencies remains incomplete. 

(6) IT Security. Executive Order 13467, as amended, assigns the Secretary of Defense the role of developing and securely operating information technology (IT) systems that support all background investigation processes conducted by NBIB (Exec. Order No. 13467, § 2.6(b), as amended through Exec. Order No. 13764). DOD is building and managing the development of the National Background Investigation System, but security concerns posed by DOD regarding OPM legacy IT systems may delay planned milestones for the new system. Although OPM has taken steps to address these issues, both GAO and the OPM Inspector General have raised concerns about various aspects of IT security at OPM, including OPM legacy systems used by NBIB[1].  For example, since the 2015 data breaches, which included a compromise of OPM’s systems and files related to background investigations for 21.5 million individuals, OPM has made progress in improving its security to prevent, mitigate, and respond to data breaches. However, we also found that OPM did not effectively monitor actions taken to remediate identified weaknesses.


[1] GAO, Information Security: OPM Has Improved Controls, but Further Efforts Are Needed, GAO-17-614 (Washington, D.C.: Aug. 3, 2017); GAO, Information Security: Agencies Need to Improve Controls over Selected High-Impact Systems, GAO-16-501 (Washington, D.C.: May 18, 2016); OPM, Office of the Inspector General, Federal Information Security Modernization Act Audit Fiscal Year 2017, 4A-CI-00-17-020 (Washington, D.C.: Oct. 27, 2017); OPM, Office of the Inspector General, Audit of the U.S. Office of Personnel Management’s Security Assessment and Authorization Methodology, 4A-CI-00-17-014 (Washington, D.C.: June 20, 2017).

 

To address the identified challenges, action is required by the four PAC Principals. Specifically, action is required in all five criteria that GAO uses to assess progress in addressing high-risk areas: (1) leadership commitment, (2) agency capacity, (3) an action plan, (4) monitoring efforts, and (5) demonstrated progress. 

OMB

In the past 3 years, we have made 1 recommendation to the Deputy Director for Management of OMB, in the capacity as Chair of the PAC, related to the personnel security clearance process. This recommendation remains open. 

  • To assist executive-branch agencies in budget planning to implement the 2012 Federal Investigative Standards and obtain needed personnel security clearances, develop long-term funding estimates for changes to the federal government’s investigation practices resulting from the implementation of the standards. These long-term funding estimates should include but not be limited to: (1) costs related to information technology adjustments to enable government-wide data sharing; (2) costs related to implementing continuous evaluation of clearance holders; and (3) costs related to additional personnel resources for twice-as-frequent reinvestigations. OMB agreed with this recommendation.

Additionally, we made 1 recommendation to the Deputy Director for Management of OMB in 2012 that remains open and that we continue to track as part of our ongoing work examining opportunities for the federal government to reduce fragmentation, overlap, and duplication, as well as reduce costs and increase revenue. Specifically, we recommended:

  • To improve transparency of costs and the efficiency of suitability and personnel security clearance background investigation processes that could lead to cost savings, expand and specify reform-related guidance to help ensure that reform stakeholders identify opportunities for cost savings, such as preventing duplication in the development of electronic case-management and adjudication technologies in the suitability determination and personnel security clearance processes. OMB agreed with this recommendation.

ODNI

In the past 3 years, we have made 12 recommendations to the DNI as the Security Executive Agent related to the personnel security clearance process, all of which remain open.

  • In coordination with the other PAC Principals, conduct an evidence-based review of the investigation and adjudication timeliness objectives for completing the fastest 90 percent of initial secret and initial top secret security clearances, and take action to adjust the objectives if appropriate. ODNI did not agree with this recommendation.
  • In coordination with the Deputy Director for Management of OMB, conduct an evidence-based review of the timeliness goal for completing the fastest 90 percent of periodic reinvestigations. ODNI agreed with this recommendation. 
  • In coordination with the other PAC Principals, develop a government-wide plan, including goals and interim milestones, to meet timeliness objectives for initial personnel security clearance investigations and adjudications. ODNI did not agree with this recommendation.
  • Develop, implement, and report to Congress on government-wide, results-oriented performance measures for security clearance background investigation quality. ODNI did not state whether it agreed with this recommendation.
  • In coordination with the other PAC Principals, establish a milestone for the completion of government-wide performance measures for the quality of investigations. ODNI did not agree with this recommendation. 
  • To provide executive-branch agencies necessary information concerning incomplete prior investigations or adjudications, develop procedures to require information sharing between executive-branch agencies concerning incomplete investigations or adjudications that may affect the eligibility of an individual for a security clearance. ODNI did not state whether it agreed with this recommendation.
  • To provide Congress with information on the extent of personnel security clearance background investigation and adjudication reciprocity, require the development of government-wide baseline data on required reciprocity determinations to support government-wide metrics to measure the extent of reciprocity. ODNI did not state whether it agreed with this recommendation.
  • Issue a Security Executive Agent Directive for continuous evaluation to formalize the program, which includes, among other things, an expanded definition of continuous evaluation in advance of the next phase of implementation. ODNI agreed with this recommendation.
  • In coordination with the Continuous Evaluation Working Group, develop an implementation plan for continuous evaluation across the executive branch that includes a schedule with timeframes and expectations for agencies, such as the requirements (e.g., the size of the enrolled population in continuous evaluation) for future phases of implementation.  ODNI agreed with this recommendation.
  • Develop a plan for monitoring continuous evaluation performance, to include assessing continuous evaluation at various phases of implementation. ODNI agreed with this recommendation.
  • Develop performance measures for continuous evaluation that agencies must track and determine a process and schedule for agencies to regularly report those measures to ODNI. At minimum, these performance measures should be clear, quantifiable, objective, and linked to measurable goals. ODNI agreed with this recommendation.

In coordination with the Deputy Director for Management of the Office of Management and Budget, assess the potential effects of continuous evaluation on agency resources and develop a plan, in consultation with implementing agencies, to address those effects, such as modifying the scope of periodic reinvestigations, changing the frequency of periodic reinvestigations, or replacing periodic reinvestigations for certain clearance holders. ODNI agreed with this recommendation.

In addition, the DNI as the Security Executive Agent should also take the following action as part of its efforts to improve the personnel security clearance process and make progress towards the eventual removal of personnel security clearances from the High-Risk list:

  • Assist NBIB and those agencies that conduct their own background investigation to help demonstrate sustained progress in reducing the backlog of background investigations to a manageable level.
  • Assist NBIB and those agencies that conduct their own background investigation to demonstrate sustained progress in meeting established timeliness objectives for initial security clearances and periodic reinvestigations.
  • Demonstrate sustained progress in implementing GAO’s recommendations to improve the personnel security clearance process.

OPM/NBIB

In the past year, we have made 3 recommendations to the Director of NBIB related to the personnel security clearance process, all of which remain open. 

  • In coordination with the Deputy Director for Management of OMB and the DNI, develop a plan, including goals and milestones, that includes a determination of the effect of the business process reengineering efforts for reducing the backlog to a “healthy” inventory of work, representing approximately 6 weeks of work. NBIB agreed with this recommendation.
  • In coordination with the Deputy Director for Management of OMB and the DNI, establish goals for increasing total investigator capacity—federal employees and contractor personnel—in accordance with the plan for reducing the backlog of investigations. NBIB agreed with this recommendation.
  • Build upon NBIB’s current workforce planning efforts by developing and implementing a comprehensive strategic workforce plan that focuses on what workforce and organizational needs and changes will enable the bureau to meet the current and future demand for its services. NBIB agreed with this recommendation.

Additionally, in the past 2 years, we have made multiple recommendations to the Director of OPM related to improving the security of OPM’s IT systems that remain open. We consider the following 5 recommendations to be key actions for OPM as part of our High Risk determination. 

  • Develop and implement role-based training requirements for staff using Continuous Diagnostics and Mitigation tools. OPM agreed with this recommendation.
  • Improve the timeliness of validating evidence associated with actions taken to address the United States Computer Emergency Readiness Team (US-CERT) recommendations. OPM partially agreed with this recommendation, but it did not specifically state the reason why it partially agreed.
  • Update security plans for selected systems to ensure that all controls specific to high-impact systems are addressed, including a rationale if the control is not implemented, and where other plans are cross-referenced, ensure that the other system’s plan appropriately addresses the control. OPM agreed with this recommendation.
  • Provide and track specialized training for all individuals, including contractors, who have significant security responsibilities. OPM partially agreed with this recommendation, stating that it agreed with the intent but not the suggested approach. 
  • Re-evaluate security control assessments to ensure that they comprehensively test technical controls. OPM did not agree with this recommendation.

In separate reports with limited distribution, we made an additional 9 recommendations to OPM to improve upon actions taken to implement the recommendations made by US-CERT, and we made multiple recommendations to resolve access control weaknesses in OPM IT systems.

Moreover, as a result of the National Defense Authorization Act for Fiscal Year 2018, which was signed into law in December 2017, the responsibility for conducting DOD’s background investigations is being shifted from NBIB to DOD. Although it was not a recommendation in our recent work, NBIB will need to develop a feasible plan and organizational structure so that it can successfully scale its operations and effectively serve its clients. 

In addition, NBIB should also take the following actions as part of its efforts to improve the personnel security clearance process and make progress towards the eventual removal of personnel security clearances from the High-Risk list:

  • complete background investigations within established timeliness goals;
  • show sustained progress in reducing the backlog of background investigations; and
  • keep the costs of conducting background investigations affordable for executive branch agencies.

Department of Defense (DOD)

We have not made recommendations in the last 3 years to DOD related to the personnel security clearance process. However, DOD's role in the government-wide personnel security clearance process has recently increased significantly. Specifically, the Under Secretary of Defense for Intelligence became the fourth principal member of the PAC in September 2016. Further, the National Defense Authorization Act for Fiscal Year 2018, which was signed into law in December 2017, includes a provision that, among other things, authorizes DOD to conduct background investigations for personnel security clearances for its own personnel[1] —a function previously conducted by NBIB. Given these changes, DOD will have a key role in improving the personnel security clearance process. 

Some of the actions directed to other agencies will also be applicable to DOD as it begins the transfer of security clearance functions and resources from OPM/NBIB. Specifically, the security clearance functions are expected to reside within the Defense Security Service (DSS), which administers and implements the defense portion of the National Industrial Security Program, among other things. As DSS grows to handle its new mission, it will need to consider:

  • the appropriate mix of federal employees and contractor personnel for completing background investigations within established timeliness goals; 
  • conducting its own comprehensive strategic workforce plan that focuses on what workforce and organizational needs and changes will enable DOD to meet the current and future demand for its services;
  • coordinating contracted investigative resources with OPM; and 
  • in the absence of government-wide performance metrics to measure the quality of background investigations, taking steps to ensure it has in place the necessary measures to ensure the quality of its background investigations and adjudications. 

Moreover, as it implements the transition provided for by the National Defense Authorization Act for Fiscal Year 2018, DOD will need to ensure that DSS has the resources to complete background investigations within established timeliness goals. This should be considered as it conducts a comprehensive assessment of workforce requirements that is required by the Act.


[1] Pub. L. No. 115-91, § 925(a) (2017). Section 925 also requires DOD to begin carrying out a previously required implementation plan by October 1, 2020, and to take other actions regarding the transition. See § 925(a)-(d).

Looking for our recommendations? Click on any report to find each associated recommendation and its current implementation status.
  • portrait of Brenda S. Farrell
    • Brenda S. Farrell
    • Director, Defense Capabilities and Management
    • farrellb@gao.gov
    • 202-512-3604