Agencies rely on IT systems to screen job applicants and manage employee data from background checks and other vetting activities. This helps to minimize the risks of having untrustworthy people in sensitive federal positions.
In 2015, a cybersecurity incident compromised this data in federal systems. The Department of Defense has since taken over responsibility for most federal personnel vetting and is developing a new IT system. Initial plans called for the system to be fully operational by 2019, but it's still in development.
Our recommendations would help DOD develop a reliable schedule and cost estimate for the new IT system, and more.
What GAO Found
The Department of Defense (DOD), through its Defense Counterintelligence and Security Agency (DCSA), conducts personnel vetting for the majority of the federal workforce. Since 2016, DOD has delivered some capabilities through a new information technology system—the National Background Investigation Services (NBIS) system—intended to support all phases of personnel vetting. NBIS system capabilities, once fully deployed, should enable users to complete electronic forms, manage investigations, record decisions, and more. However, DOD lacks a reliable schedule and cost estimate for NBIS.
Extent to Which the National Background Investigation Services Schedule and Cost Estimate Meets Best Practices
DCSA has deployed some NBIS system capabilities, such as an eApplication, to collect the necessary data to begin a background investigation. However, NBIS was originally slated to be fully operational in 2019. In 2020, DCSA revised NBIS program milestones, but it continues to face delays. DCSA now projects that legacy systems will be decommissioned by the end of 2024. In 2021, GAO recommended that DCSA develop a reliable schedule, which DCSA has not done. The lack of progress in addressing schedule weaknesses could further delay NBIS implementation and the planned replacement of legacy systems. Moreover, GAO found the NBIS program's cost estimate from 2022 is not reliable, meaning that DCSA may be unable to accurately project NBIS costs. Given that DOD has spent over a half a billion dollars on NBIS since 2016, a reliable cost estimate would help ensure that it is collecting the data necessary to match NBIS requirements to its budget and reduce risks of cost overruns that may hinder the program's progress.
DCSA has identified stakeholders for the NBIS program—including 115 federal agencies and around 13,000 industry organizations—and has worked with them while developing NBIS. Federal and industry stakeholders that responded to GAO's survey were generally satisfied with DCSA's engagement, initial training, and opportunities to provide feedback. For example, around 92 percent of respondents said they had engaged with the NBIS team. However, some stakeholders noted concerns with transitioning their respective organizations to use NBIS and the status of the NBIS system itself. Analyzing GAO's survey results could help DCSA identify areas where it can enhance its efforts to meet stakeholder needs.
Why GAO Did This Study
U.S. government personnel vetting processes, such as background investigations, rely on information technology systems to process and validate data on millions of federal employees and contractor personnel. In 2016, DOD assumed responsibility for developing new systems following a 2015 cybersecurity incident that compromised data from Office of Personnel Management systems. DOD is developing the NBIS system to replace those legacy systems.
House Report 117-118, accompanying a bill for the National Defense Authorization Act for Fiscal Year 2022, includes a provision for GAO to evaluate the NBIS program. GAO assessed (1) the status of NBIS system development, and the reliability of the schedule and cost estimate for the NBIS program; and (2) the extent to which DCSA is engaging stakeholders in the development of NBIS system requirements and capabilities.
GAO reviewed budget documentation, assessed DCSA's schedule and cost estimate for NBIS against GAO best practices, and surveyed federal and industry security personnel at 71 organizations, with an 86 percent response rate.
Congress should consider requiring DOD to develop a reliable NBIS program schedule and cost estimate based on GAO best practices. GAO also recommends that DOD assess and use GAO's survey results to improve engagement with stakeholders. DOD concurred with GAO's recommendation.
Matter for Congressional Consideration
|Congress should consider requiring the Secretary of Defense to direct the NBIS Program Management Office to develop a reliable program schedule and cost estimate for NBIS as defined in GAO's Schedule Assessment Guide, Cost Estimating and Assessment Guide, and Agile Assessment Guide. (Matter for Consideration 1)||
|We will monitor the status of this Matter for Congressional Consideration and update it as appropriate.|
Recommendations for Executive Action
|Department of Defense||The Secretary of Defense should ensure that the Director of the Defense Counterintelligence and Security Agency assesses and uses our survey results as a source of information to inform its efforts to improve engagement with stakeholders across both the federal government and industry. (Recommendation 1)||