New security clearance system is years late, its cost estimate unreliable
After a 2015 cybersecurity hack exposed personal data of more than 21 million federal employees and contractors, the Pentagon took over development of a new IT system from the Office of Personnel Management.
Defense Department officials launched plans in 2016 for a National Background Investigation Services (NBIS) system that would manage a range of employment-related functions, such as job applications; background checks for potential employees; and continual monitoring of current staffers, including those with security clearances, to ensure they remain fit for government work.
Things have not gone as planned.
The new system for employee vetting and security clearances was originally slated to be fully operational in 2019. Four years later, it is not yet launched, nor is it expected to be up and running until next year, according to a Government Accountability Office (GAO) report issued last week.
Furthermore, no one knows how much it will cost because previous estimates by the Pentagon’s Defense Counterintelligence and Security Agency (DCSA), established in 2019 to oversee the new system, have been “not reliable,” GAO found. GAO concluded that as a result, the agency simply “may be unable to effectively project” the cost of the system.
The agency conducts 95 percent of all federal background investigations for more than 100 agencies.
Another problem: one-quarter of the system’s program management office’s 149 civilian positions were vacant as of March.
Declaring himself “deeply disappointed” by the lack of progress, Sen. Mark R. Warner (D-Va.), chairman of the Senate Intelligence Committee, said that “our slow and inefficient background check system is bad for national security. Qualified talent ends up leaving for the private sector while awaiting their clearances, while recent breaches have illustrated that we’re giving clearances to people who can’t be trusted with our nation’s secrets.”
The security agency has scored some progress, notably in the development of an eApplication, or eApp, that applicants use to begin the employment-vetting process. Most agencies are expected to use eApp by September.
“DOD has delivered some NBIS system capabilities,” GAO wrote, “but continued delays hinder progress. Additionally, DCSA continues to lack a reliable implementation schedule for the NBIS program.” That’s despite previous audits, including a 2021 GAO finding that the Pentagon did “not have a reliable schedule to help manage” the system.
The new report is yet another example of why GAO has repeatedly proclaimed that the government’s cybersecurity operations are at “high risk.” GAO designated information security a government-wide high-risk area in 1997. Protection of critical cyber infrastructure was added to the list in 2003. It was expanded in 2015 to include protecting personally identifiable information. The government-wide personnel security clearance process made the high-risk hall of shame in 2018.
But despite GAO’s 26 years of badgering, Uncle Sam still has trouble getting his cybersecurity act together, so it remains at high risk.
“Since 2010, we have made more than 4,000 recommendations to agencies aimed at addressing cybersecurity challenges facing the government,” GAO wrote in an April high-risk report to Congress. “More than 670 of these recommendations were made since the last high-risk update in 2021. As of February 2023, more than 850 recommendations had not been fully implemented, including 52 of 133 priority recommendations, which we believe warrant priority attention from heads of key departments and agencies.”
Now, the August report calls for congressional intervention in the employee-vetting process.
“The lack of progress in addressing schedule weaknesses and the program’s unreliable cost estimate warrant congressional consideration,” GAO said, “because these issues could further delay the NBIS system’s planned replacement of legacy personnel vetting systems in 2024—nearly a decade after those systems were compromised in 2015.”
After $654 million was spent from 2017 through 2022, the Pentagon’s background investigation system cost estimate for fiscal 2023-2027 is $767.9 million. That’s pocket change in Washington, but the estimate might as well be tossed in the junk folder because “this cost estimate is minimally accurate, minimally comprehensive, not credible, and minimally well-documented,” according to GAO.
GAO also found that of eight schedule and cost-estimate best practices related to the new system, seven have been “minimally met” and one — the credibility of cost estimates — was “not met.”
Transferring security clearance operations from the personnel office to the Pentagon was never going to be a “silver bullet for the federal government’s security clearance challenges,” said Rep. Gerald E. Connolly (Va.), the top Democrat on the House Oversight and Accountability subcommittee on cybersecurity, information technology and government innovation. “DOD suffers from the same IT deficiencies as the rest of the government. It just happens to have more money and is more resistant to oversight and accountability. As we have seen with other persistent IT failures, DOD’s poor management of the NBIS transition is now harming agency operations.”
The Pentagon did not reply to questions from The Post, but it did agree with GAO’s recommendation that Congress require the Defense Department “to develop a reliable NBIS program schedule and cost estimate based on GAO best practices.”
Despite failing the best-practices test, Defense did get good grades from industry representatives who work with the security clearance system. In a GAO survey, they were generally satisfied with the security agency’s engagement, training and opportunities for feedback.
That’s encouraging to Max Stier, president and CEO of the Partnership for Public Service, a think tank focusing on improving the federal government. Yet, “security clearances continue to be a major … impediment to getting talent in the door,” he said. “It’s a big issue. It’s a really, really important issue.”
Government technology “is truly fundamental to good delivery of public service,” but it has “slipped substantially,” Stier added. “Unfortunately, this is the norm in our government.”