Government-wide Personnel Security Clearance Process
We placed the government-wide personnel security clearance process on the High-Risk List in January 2018 because it faces significant challenges related to (1) the timely processing of clearances, (2) measuring investigation quality, and (3) ensuring IT security, among other things.
Timeliness. The executive branch has been unable to process personnel security clearances within established timeliness objectives, contributing to a backlog that the NBIB reported to be approximately 565,000 cases as of February 2019.
Quality. A high-quality personnel security clearance process minimizes the risks of unauthorized disclosures of classified information and helps ensure that information about individuals with criminal histories or other questionable behavior is identified and assessed. While the executive branch has taken some steps to address quality, it has not established measures to ensure the quality of background investigations and adjudications, and instead focused on reducing the backlog and redesigning the investigation process.
IT Security. DOD is building and managing the development of the NBIS, but security concerns posed by DOD regarding OPM legacy IT systems may delay planned milestones for the new system. OPM did not effectively monitor actions taken to remediate identified weaknesses in its IT systems to ensure that key security controls are in place and operating as intended.
Since we added the government-wide personnel security clearance process to our High-Risk List in January 2018, the executive branch has taken some action and made some progress addressing our criteria for removal. The executive branch has met the criterion for leadership commitment, partially met the capacity, monitoring, and demonstrated progress criteria, and has not met the action plan criterion. In addition, the administration proposed transferring the background investigation function from the Office of Personnel Management’s (OPM) National Background Investigations Bureau (NBIB) to the Department of Defense (DOD) in June 2018, and plans to issue an Executive Order regarding the transfer.
Leadership commitment: met. The Security Clearance, Suitability, and Credentialing Performance Accountability Council (PAC), chaired by the Deputy Director for Management of the Office of Management and Budget (OMB), is the government-wide entity responsible for driving the implementation of and overseeing security clearance reform, among other reform efforts. The chair of the PAC, who is concurrently serving as the Acting Director of OPM, stated that the security clearance reform process is one of her top three government-wide priorities. Further, according to officials, the PAC assembled teams of stakeholders who meet regularly to focus on developing solutions to specific problems within the security clearance process. OPM and the Office of the Director of National Intelligence (ODNI) also issued a memo in June 2018 containing measures to reduce the backlog of background investigations. While the PAC has prioritized the prompt reduction of the backlog, it has not finalized a plan to reduce it to a manageable level or prioritized improving the timeliness of investigations.
Senior DOD officials expressed commitment to the administration’s June 2018 transfer proposal and have planning efforts underway related to the transfer and the modernization of the personnel vetting process. Continued and coordinated leadership by the PAC will be important as it works to complete other long-standing key reform initiatives, including the government-wide implementation of continuous evaluation. Focused leadership will also be critical throughout the transition of background investigative functions from OPM to DOD, as proposed by the administration, particularly during senior leadership changes at OPM and DOD.
Capacity: partially met. NBIB officials reported that NBIB has increased its workforce to approximately 8,700 federal and contract investigators to help address the investigations backlog. However, NBIB has not reported goals for increasing total investigator capacity or completed the development and implementation of a comprehensive strategic workforce plan, as we have recommended. Completing the workforce plan would better position the bureau to meet current and future demands for its services.
In addition, in August 2017, DOD submitted to the congressional defense committees a plan for the transfer of certain DOD background investigations from OPM’s NBIB to DOD. This plan included estimates of the number of full-time equivalent employees necessary to execute the transfer. However, officials told us in November 2018 that the department is no longer using the plan because it was overcome by the administration’s June 2018 organizational reform proposal for the complete transfer of the NBIB background investigation program from OPM to DOD. According to officials, DOD is now preparing for the transfer of all NBIB investigative functions by developing a new plan which is based on the total inventory of OPM’s background investigations. In preparation for the transfer, DOD should consider our recommendation to the Director of NBIB to develop a strategic workforce plan as it assumes these responsibilities.
Executive Order 13467, as amended, which establishes the PAC, among other things, assigns the Secretary of Defense the role of developing and securely operating IT systems that support all background investigation processes conducted by NBIB (Exec. Order No. 13467, § 2.6(b), as amended through Exec. Order No. 13764, 82 Fed. Reg. 8115, 8126 (Jan. 17, 2017). In addition, the National Defense Authorization Act (NDAA) for Fiscal Year 2018 included a provision that DOD conduct a review of the National Background Investigation Services (NBIS), the IT system it is developing to support background investigations, to determine whether certain enhancements are necessary (see Pub. L. No. 115-91, § 925(f) (2017)). According to officials, DOD has in place the resources needed for the development of NBIS, is actively identifying necessary system capabilities, and has begun small preliminary pilots of its services. However, according to officials, the necessary resources for full implementation of NBIS and the administration’s transfer proposal remain unclear.
Action plan: not met. The leaders of the reform effort have developed various plans for more than a decade to improve the process. Most recently, in March 2018, the Director of National Intelligence (DNI) issued implementation guidelines for continuous evaluation—a process to review the background of clearance holders and individuals in sensitive positions at any time during the eligibility period. Further, DOD has begun reorganizing certain entities within the department that will enable DOD to begin the transfer of investigative functions from OPM’s NBIB. While the DNI and OPM have issued a joint Executive Correspondence that contains measures clarifying and adjusting certain elements of investigation requirements, the PAC lacks plans, including goals and milestones, to (1) reduce the backlog to a manageable level; (2) meet timeliness objectives for security clearance investigations and adjudications; and (3) assess and address the potential effects of continuous evaluation on agency resources.
Officials from ODNI, DOD, and the PAC told us they are working on an initiative called Trusted Workforce 2.0, an effort to transform the fundamental approach to workforce vetting, and supporting policies that will also overhaul business processes and modernize the IT architecture. According to officials, this effort is an expansion of reform since our January 2018 high-risk designation that will consider both risk and trust. PAC and ODNI officials said Trusted Workforce 2.0 will focus on timeliness and quality goals in a future phase, after reducing the clearance backlog to a manageable level. The DNI and former Director of OPM committed to issuing this new policy framework and plans to transform vetting for the Executive Branch by the end of 2018. Officials told us in early 2019 that the issuance of related policies is expected throughout the calendar year.
Monitoring: partially met. The NDAA for Fiscal Year 2018 required the DNI, in coordination with the other PAC principals, to annually report for the prior fiscal year on the timeliness of initiations, investigations, and adjudications, by clearance level. This report is to cover both initial investigations and periodic reinvestigations for government and contractor employees (see Pub. L. No. 115-91, § 925(k)(1)). In November 2018, the DNI informed executive branch agencies that it intends to fulfill this and other legislative reporting requirements through a consolidated data call.
In September 2018, NBIB reported to Congress, for each clearance level, (1) the size of the investigation backlog, (2) the average length of time to conduct an initial investigation and a periodic reinvestigation, and (3) a discussion of the factors contributing to investigation timeliness. The PAC is also reporting publicly on the progress of key reforms through www.performance.gov, where OMB began tracking security clearance and suitability reform as a cross-agency priority goal in March 2014. For fiscal year 2018, www.performance.gov contains quarterly action plans and progress updates, which present figures on the average timeliness of initial investigations and periodic reinvestigations for the executive branch as a whole, investigation workload and backlog, and investigator headcounts.
Our analysis of the latest available timeliness data showed that the number of executive branch agencies meeting investigative and adjudicative objectives decreased from fiscal years 2012 through 2018. Furthermore, the PAC has not implemented our December 2017 recommendation to conduct an evidence-based review of the investigation and adjudication timeliness objectives for completing the fastest 90 percent of initial secret and initial top secret security clearances. In addition, the PAC has not yet established performance measures to monitor investigation and adjudication quality, continuous evaluation implementation, and government-wide reciprocity.
Demonstrated progress: partially met. The PAC has demonstrated progress in some areas, specifically related to a reduction in the backlog of background investigations. NBIB officials report that the backlog decreased from almost 715,000 cases in January 2018—when we added the process to our High-Risk List—to approximately 565,000 cases in February 2019. Those officials credit an Executive Memorandum—issued jointly in June 2018 by the DNI and the Director of OPM and containing measures to reduce the investigation backlog—as a driver in backlog reduction. The measures adjust investigative requirements by, for example, temporarily allowing for video or telephone interviews in certain circumstances. We will continue to monitor the backlog and efforts to reduce it.
While members of the PAC have taken positive steps to improve continuous evaluation and reciprocity, including the DNI’s March 2018 continuous evaluation implementation guidelines and November 2018 guidance providing requirements for reciprocity, the PAC has not demonstrated sustained progress to address other weaknesses we have identified. For example, PAC leaders have not completed the development of quality measures for investigations, and PAC officials told us they had not made plans to report quality to Congress.
Further, the PAC has not demonstrated measurable improvements with regards to the timeliness of background investigations and adjudications. In fiscal year 2018, the percent of agencies meeting the timeliness objectives in which the fastest 90 percent are to be completed within a specified number of days are presented in Table 9 below.
Percent of Executive Branch Agencies Meeting Security Clearance Processing Timeliness Objectives in Fiscal Year 2018
|Phase||Type||Objective||Percentage Meeting Objective|
|Investigation||Initial Secret||40 days||3 percent|
|Initial Top Secret||80 days||13 percent|
|Periodic Investigations||150 days||13 percent|
|Adjudication||Initial Secret||20 days||44 percent|
|Initial Top Secret||20 days||44 percent|
|Periodic Investigations||30 days||65 percent|
Source: GAO analysis of Office of the Director of National Intelligence data. | GAO-19-157SP
Agencies without delegated authority rely on OPM to conduct their background investigations, while agencies with delegated authority have been authorized to conduct their own background investigations. As such, investigative phase timeliness data for agencies without delegated authority is generally a reflection of OPM’s timeliness. While the data ODNI provided shows that timeliness continues to decline, OPM officials stated that NBIB internal monitoring shows recent improvement in investigation timeliness.
We have made numerous recommendations to PAC members to address risks associated with the personnel security clearance process between 2011, when we removed DOD’s personnel security clearance program from the High-Risk List and 2018, when we placed the government-wide personnel security clearance process on the High-Risk List. We consider 27 of those recommendations key to addressing the high-risk designation. Eight recommendations key to the high-risk designation have been implemented, including three since January 2018. Most recently, those recommendations implemented include ODNI formalizing plans and guidance for continuous evaluation. As of December 2018, 19 of these key recommendations remain open. Of the open recommendations, ODNI stated that it did not concur with our December 2017 recommendations on addressing investigation quality and timeliness, but did not provide specific information to explain why it did not concur.
In addition, in March 2018, we outlined necessary actions and outcomes—anchored in each of our five criteria for removal from the High-Risk List—and our prior recommendations that need to be addressed for this area to be removed. These actions and outcomes are outlined below and should be considered by all four agencies, unless a lead agency is indicated.
To continue to meet the leadership commitment criterion, these agencies should:
- continue to demonstrate that the PAC is prioritizing the (1) prompt reduction of the government-wide investigative backlog to a manageable level; (2) improvement of the timeliness of background investigations; and (3) completion of long-standing, key reform initiatives;
- continue participating regularly in leadership meetings of the PAC principals;
- provide the necessary oversight and support to PAC members to effectively accomplish assigned reform initiatives, in accordance with the roles and responsibilities outlined in Executive Order 13467 (as amended), as Chair of the PAC (OMB); and
- oversee and support NBIB and DOD during the transition period while DOD stands up background investigative functions, to include supporting resource needs.
To make progress on meeting capacity, these agencies should:
- develop and implement a comprehensive strategic workforce plan that identifies the workforce needed to meet the current and future demand for its services, as well as reduce the current backlog to a manageable level (OPM, DOD);
- coordinate with responsible executive branch agencies to identify the resources needed to effectively implement personnel security clearance reform effort initiatives within established timeframes (OMB, ODNI, DOD); and
- develop long-term funding estimates for changes to the federal government’s investigation practices resulting from the implementation of the 2012 Federal Investigative Standards. These long-term funding estimates should include, but not be limited to: (1) costs related to IT adjustments to enable government-wide data sharing; (2) costs related to implementing continuous evaluation; and (3) costs related to the changed frequency of periodic reinvestigations (OMB).
To make progress on an action plan, these agencies should:
- develop a plan, including goals and milestones, for reducing the backlog of background investigations to a manageable level;
- develop a government-wide plan, including goals and interim milestones, to meet timeliness objectives for initial personnel security clearances, periodic reinvestigations, and adjudications; and
- assess the potential effects of continuous evaluation on agency resources and develop a plan to address those effects, such as modifying the scope of periodic reinvestigations, changing the frequency of periodic reinvestigations, or replacing periodic reinvestigations for certain clearance holders (ODNI).
To make progress on monitoring, these agencies should:
- develop and report to Congress annually on government-wide, results-oriented performance measures for the quality of security clearance background investigations and adjudications (ODNI);
- develop performance measures for continuous evaluation that agencies must track and regularly report to ODNI;
- develop metrics and government-wide baseline data for reciprocity determinations to measure the extent of reciprocity within the executive branch and report on those metrics to Congress (ODNI); and
- monitor the implementation of remedial actions intended to resolve known cybersecurity vulnerabilities, to include updating remedial action plans to reflect expected completion dates, and improve the timeliness of validating the effectiveness of actions taken to mitigate cybersecurity vulnerabilities that exposed agency information to cybersecurity incidents (OPM).
To improve on demonstrating progress, these agencies should:
- develop government-wide performance measures for the quality of background investigations and adjudications (OMB, ODNI);
- conduct an evidence-based review of the investigation and adjudication timeliness objectives for completing the fastest 90 percent of initial secret and initial top secret security clearances, and take action to adjust the objectives if appropriate;
- conduct an evidence-based review of the timeliness goal of 195 days for completing the fastest 90 percent of periodic reinvestigations and the associated goals for the different phases of periodic reinvestigations, and adjust the goal if appropriate; and
- improve and secure personnel security clearance IT systems, including implementing further security improvements to its IT environment, including contractor-operated systems, to ensure that key security controls are in place and operating as intended (OPM).
Congressional Actions Needed
GAO-18-431T: Published: Mar 7, 2018. Publicly Released: Mar 7, 2018.
Executive branch agencies have made progress reforming the security clearance process, but long-standing key initiatives remain incomplete. Progress includes the issuance of federal adjudicative guidelines and updated strategic documents to help sustain the reform effort. However, agencies still face challenges in implementing aspects of the 2012 Federal Investigative Standards—criteria for cond...
GAO-18-29: Published: Dec 12, 2017. Publicly Released: Dec 12, 2017.
Executive branch agencies have made progress reforming the security clearance process, but long-standing key initiatives remain incomplete. Progress includes the issuance of common federal adjudicative guidelines and updated strategic documents to help sustain the reform effort. However, agencies face challenges in implementing certain aspects of the 2012 Federal Investigative Standards—criteria...
GAO-18-117: Published: Nov 21, 2017. Publicly Released: Nov 21, 2017.
In October 2016, the Office of the Director of National Intelligence (ODNI) took an initial step to implement continuous evaluation—a process to review the background of clearance holders and individuals in sensitive positions at any time during the eligibility period—across the executive branch, but it has not yet determined key aspects of the program, and it lacks plans for implementing, mon...
GAO-16-501: Published: May 18, 2016. Publicly Released: Jun 21, 2016.
In GAO's survey of 24 federal agencies, the 18 agencies having high-impact systems identified cyber attacks from “nations” as the most serious and most frequently-occurring threat to the security of their systems. These agencies also noted that attacks delivered through e-mail were the most serious and frequent. During fiscal year 2014, 11 of the 18 agencies reported 2,267 incidents affecting...