OPINION — “It’s unacceptable how we got to where we are, and we need to turn this thing around…We’re eight and a half years into a three-year program. We’ve spent $1.345 billion on a $700 million dollar program that was begun in 2016. That’s why I also have a sense of urgency…That’s why we did this 90-day review.”
That was David Cattler, the relatively new Defense Department (DoD) Director of the Defense Counterintelligence and Security Agency (DCSA), speaking last Thursday before the House Oversight Subcommittee on Government Operations and the Federal Workforce. Cattler was talking about turning around a long-delayed computerized personnel vetting system to modernize security investigations, evaluations, and adjudications for 95 percent of all Federal government employees. That was why the subcommittee hearing’s subject was: “Security at Stake: An Examination of DoD’s Struggling Background Check System.”
Cattler’s agency, DCSA, is the Federal government’s largest investigative service provider. Last year the agency conducted 2.7 million investigations, 668,000 adjudicative decisions, and the continuous vetting of over 3.8 million Federal employees.
Cattler, who has been on the job only three months, is a former Navy officer who has served at the Defense Intelligence Agency, the Joint Staff, National Security Council, Office of the Director of National Intelligence, and for the past four years was Assistant Secretary General for Intelligence and Security at NATO.
Some background is needed to understand better what is going on.
A China hack – nearly a decade ago
Back in 2015, the Office of Personnel Management (OPM), which manages the Civil Service employees of the Federal Government, had its records hacked, purportedly by a suspected Chinese security agency. OPM provides background investigations to federal agencies for security clearances or suitability determinations, and one result of the breach was that personal information of more than 22 million people, all of whom had completed forms for security clearance investigations and submitted fingerprints, was obtained by the hackers.
This massive breach led to the security clearance process being shifted to DoD, along with 95 percent of all background investigations for more than 100 agencies, plus most of the continued personnel vetting of the entire Federal workforce.
In 2016, DoD, through DCSA, began creating a new, innovative, computerized, personnel vetting information technology system called the National Background Investigation Services System (NBIS). It was supposed to be a “one-stop-shop” system, covering all phases of personnel vetting – electronic forms, managing investigations, recording decisions and much more.
One more bureaucratic layer to this effort was established after the OPM hack in 2016: the Security, Suitability, and Credentialing Performance Accountability Council (PAC). The PAC has four principal members: the Deputy Director for Management of the Office of Management and Budget (OMB), the Director of National Intelligence (DNI), the Director of OPM, and the Under Secretary of Defense for Intelligence and Security.
PAC is responsible for the government-wide implementation of personnel vetting reforms, and as such is involved in setting requirements for NBIS. The PAC’s aims were to cut the time needed to bring new hires on the job; enable job mobility within the Federal workforce (i.e. quicker transfer of security clearances); and improve vetting of employee behavior while mitigating risk. To accomplish those aims, the PAC sought to reduce and eventually eliminate the backlog in security investigations and establish a government-wide, continuous vetting system.
DSCA began in 2016 to develop the NBIS system to help implement these aims, replacing all OPM and other legacy computer systems supporting background investigation processes and personnel vetting programs. In 2019, DoD officially established DCSA to assume responsibility from OPM for conducting national security background investigations for most executive branch agencies.
That was the plan.
A deadline come and gone
At last Thursday’s hearing, Subcommittee Chairman Rep. Pete Sessions (R-Texas), said, “We are now in 2024. Initially, DoD said the system would be fully operational in 2019. That deadline has long passed. Next, they said the system would be fully up and running at the end of fiscal year 2024.”
However, as Cattler later testified, while 115 Federal agencies and 10,000 corporations can now use NBIS, they can do so only to handle the first planned capability — the initial electronic application portion of the investigative process – for a system that was supposed to begin operations back in 2016. Cattler also said the Federal employee continuous vetting service, to replace periodic reviews of Federal employees, is being used across the DoD, and that more than 90 non-DoD entities with more than 3.8 million personnel are currently enrolled. Wider expansion of the program is planned for later this summer.
Rep. William Timmons (R-S.C.) asked Cattler, “Is every member of military, civilian workforce, and contractor with a security clearance currently subject to continuous vetting? If not, when will that be the case?” Cattler responded saying they were enrolled, but that continuous vetting is currently limited and being applied based on “how long they have been cleared for and also we look at the nature of the position that they’re in.”
Also at the hearing, Rep. Kweisi Mfume (D-Md.), the ranking Democrat on the subcommittee, pointed out that the GAO in 2023 “found that after $654 million was spent, and eight years of development, along with $835 million spent on maintenance of the (OPM) system that NBIS is supposed to replace, DoD still lacks a reliable schedule and cost estimate for fully developing NBIS.”
One result of the delay, Mfume said, was that the GAO earlier this year found that “of 31 surveyed Federal agencies, more than 50 percent don’t trust others’ security clearances, vetting processes, or anything else, and that more than 50 percent feel the need to complete on their own duplicating efforts which in turn then prolongs the hiring efforts.”
Cattler later testified that so-called reciprocity transfers into the DoD – passing personnel security data from one agency to DoD – which in 2020 took 65 days, now takes only one to three days. He also said investigations for secret clearances now take 92 days, a 30-day improvement over the past. The more complex investigations for top secret clearances now take 188 days; that is seven months less than it took in the past, according to Cattler.
“That time is slower than the target due to surging demand,” Cattler said, “but frankly we have more applications now – between 10,000 and 11,000 new applications per week — and that’s added to quite a number of cases the team has to process.”
To help run the project, Cattler has hired a new NBIS program manager and executive officer for DCSA, with plans for new individual hires and contractors as well.
Cattler said by October he would have an updated, independent cost estimate for NBIS and an 18-month roadmap for NBIS, but he warned completion will extend beyond that time period.
GAO’s Director of Defense Capabilities and Management, Alissa Czyz, who also testified at last Thursday’s hearing, said the GAO was “looking forward to seeing the new roadmap and plans.” But, she cautioned, “I will say we have reviewed multiple NBIS roadmaps over the years and none of them had reliable schedules. In fact, when we did a review in 2021, it was unreliable, and our 2023 report, when we relooked at the new roadmap, the schedule was actually worse than 2021.”
Another cyber problem
Czyz also pointed out that DCSA has not fully planned for the cybersecurity controls needed to protect NBIS and legacy systems, or fully implemented measures to manage privacy risks. For example, in a report released June 24, GAO said DCSA used an obsolete version of government-wide guidance to select the cybersecurity controls for six NBIS and legacy systems GAO reviewed.
This is a bit ironic, since it was OPM’s cybersecurity failure that got DCSA the role it is playing.
Cattler said at one point, “What we are trying to balance are two things — getting it right and taking the time to do so, but also recognizing that we are well behind and it is unacceptable, so we are trying to move with an appropriate sense of urgency, but we are doing so responsibly.”
Both Cattler and Czyz were told by Subcommittee Chairman Sessions they would be called back in October for a followup hearing at which time both the roadmap for completion of NBIS and its budget were expected to be available.
The Cipher Brief is committed to publishing a range of perspectives on national security issues submitted by deeply experienced national security professionals.
Opinions expressed are those of the author and do not represent the views or opinions of The Cipher Brief.
Have a perspective to share based on your experience in the national security field? Send it to [email protected] for publication consideration.
Read more expert-driven national security insights, perspective and analysis in The Cipher Brief
