Federal agencies require individuals with security clearances to promptly report a wide range of security and suitability issues to their security officers. These requirements vary somewhat from agency to agency, but many follow the reporting requirements listed in DoD Regulation 5200.2-R, “Department of Defense Personnel Security Program.” The term, “self-reporting,” only applies to: 1) individuals with active security clearances and 2) applicants for security clearances who have already submitted a Questionnaire for National Security Positions (SF86) and are waiting on a clearance determination. Self-reporting is different from the requirement to disclose unfavorable information on an SF86 when applying for a security clearance.
The Defense Industrial Security Clearance Office (DISCO) receives about 8,000 “incident reports” a year on cleared federal contractors who have had security-related problems. These problems range from bankruptcies to drunk driving arrests to security violations. Most of these incident reports are based on information self-reported by the cleared contractors to their security officers. Others are based on information reported by supervisors and coworkers. Since DISCO has security clearance authority for one million federal contractors, a mere 8,000 cases a year suggests that the majority of security-related incidents go unreported. One reason for this is that cleared personnel often don’t know what types of events must be self-reported. Many think that it’s unnecessary to report any unfavorable information until the next periodic reinvestigation for their clearance.
What information needs to be reported?
Paragraph C220.127.116.11 of DoD 5200.2-R states:
Become a Certified Ethical Hacker
Moreover, individuals having access to classified information must report promptly to their security office:
- Any form of contact, intentional or otherwise, with individuals of any nationality, whether within or outside the scope of the employee’s official activities, in which:
- 1.1. Illegal or unauthorized access is sought to classified or otherwise sensitive information.
- 1.2. The employee is concerned that he or she may be the target of exploitation by a foreign entity.
- Any information of the type referred to in paragraph C2.2.1. or Appendix 8.
Appendix 8 is the Adjudicative Guidelines for Determining Eligibility for Access to Classified Information. Issues identified as potentially disqualifying conditions under the 13 criteria in the Adjudicative Guidelines must be reported. Most of the situations listed at paragraph C2.2.1 duplicate those in the Adjudicative Guidelines, but a few are stated more broadly, such as:
- 7. Disregard of public law, Statutes, Executive Orders or Regulations including violation of security regulations or practices.
- 8. Criminal or dishonest conduct.
- 9. Acts of omission or commission that indicate poor judgment.
- 10. Excessive indebtedness, recurring financial difficulties, or unexplained affluence.
- 11. Habitual or episodic use of intoxicants to excess.
Some of these reporting requirements are almost void for vagueness. The problem is that paragraph C2.2.1 and the Adjudicative Guidelines were not written with the intent of providing guidance to cleared personnel who might encounter problems that could affect their continued eligibility for a clearance; they were written for security clearance adjudicators. Many of the criteria in the Adjudicative Guidelines are clear and require no interpretation, such as a drunk driving arrest, illegal use of drugs, security violation, acquiring foreign citizenship, inability to satisfy debts, and employment or service to a foreign government or company. Other criteria are vague and require a subjective interpretation. For example: 1) When does a foreign connection create a potential for conflict of interest or a heightened risk of foreign influence? 2) What constitutes “inappropriate behavior in the workplace? 3) Is attending an annual family reunion “association with persons involved in criminal activity” if a drug-using cousin is also present?
The questions at sections 19 through 29 of the SF86 provide examples of reportable events. But there are differences between the “issue” questions on the SF86 and the potentially disqualifying conditions in the Adjudicative Guidelines. For example: 1) All situations listed in the “Financial Records” section of the SF86 are events that must be self-reported, except for the question regarding credit counseling if a person has not become delinquent in paying debts. 2) Most mental health counseling that must be listed on an SF86, does not necessarily have to be self-reported.
Many agencies also require that the following events be reported:
- Change in name or marital status.
- Change in job assignment that eliminates the need for access to classified information.
- Any situation related to actual, probable, or possible espionage, sabotage, or subversive activities directed against the United States.
- Any known or suspected security violation or vulnerability.
SCI, SAP and Special Requirements
For individuals with access to Sensitive Compartmented Information (SCI) or other Special Access Programs (SAP) there is an additional requirement to report foreign travel. Some intelligence agencies require self-reporting of any contact with individuals from “designated” countries and visits to any foreign embassy or consulate.
Department of Energy (DOE) Manual 470.4-5, “Personnel Security,” is more specific than DoD5200.2-R, but fails to cover many reportable situations, such as illegal drug involvement, security violations, misuse of IT systems, and inability or unwillingness to satisfy debts other than those resulting in bankruptcies and garnishments. Chapter 5 of M470.4-5 states:
- 3. SPECIFIC REPORTING REQUIREMENTS.
- a. Legal, Employment, and Medical Information. Access authorization applicants and holders must provide direct notification to the cognizant DOE personnel security office of the following (NOTE: Verbal notification is required within 2 working days followed by written confirmation within the next 3 working days):
- (1) Any arrests, criminal charges (including charges that are dismissed), or detentions by Federal, State, or other law enforcement authorities for violations of law within or outside of the U.S. Traffic violations for which a fine of up to $250 was imposed need not be reported, unless the violation was alcohol or drug related;
- (2) personal or business-related filing for bankruptcy;
- (3) garnishment of wages;
- (4) legal action effected for a name change;
- (5) change in citizenship;
- (6) employment by, representation of, or other business-related association with a foreign or foreign-owned interest or foreign national; or
- (7) hospitalization for a mental illness; treatment for drug abuse; or treatment for alcohol abuse.
Paragraph 3 of Chapter 5 goes on to specify reporting requirements regarding spouses and cohabitants and unauthorized attempts to access classified information or Special Nuclear Material.
Failing to Report an Issue
Failure to self-report a security-related event is a security violation that compounds the original problem and increases the risk of having a clearance suspended and/or revoked. Under DOD 5200.2-R supervisors and coworkers “have an equal obligation to advise their supervisor or appropriate security official when they become aware of information with potentially serious security significance regarding someone with access to classified information employed in a sensitive position.”
As a separate but related requirement, all DoD military, civilian, and contractor personnel, whether cleared or uncleared, also have a responsibility to report counterintelligence indicators detailed in an extensive list in DoD Directive 5240.06, “Counterintelligence Awareness and Reporting.”
Only through proper indoctrination briefings and annual refresher briefings can people be made aware of their reporting responsibilities and the multitude of reportable events. Unfortunately the written material covering this subject fails to address many of the common events and situation that should be reported. The Defense Security Service (DSS) has handbooks for cleared personnel and their supervisors that briefly cover reportable events. These handbooks provide guidance, but they are not policy.
Within the federal government there is a hodge-podge of self-reporting requirements for cleared personnel. Some requirements are clear; others are ambiguous. Attempts have been made to supplement regulations with guidance documents, but guidance documents often do little to expand on or clarify self-reporting requirements. There should be one reasonably comprehensive list of reportable events for collateral clearance holders and another list for SCI and SAP, but the possibility of such lists being promulgated in the near future appears remote. DoD 5200.2-R has not been updated since February 1996 and is riddled with obsolete information. Director of Central Intelligence Directive (DCID) 6/4, which covered SCI eligibility, had a section on individual responsibilities and reporting requirements, but this regulation was superseded by Intelligence Community Directive (ICD) 704 in October 2008 and ICD 704 contains no self-reporting requirements.
All original material Copyright © 2011 Last Post Publishing. All rights reserved.