This is part II in a three-part series about security clearances, incident reports and whistleblower protections. Read more at Security Clearances, Blowing the Whistle and Eligibility – What are the risks?
A Simple Procedure: JPAS Incident Reports.
A wide variety of incidents may prompt a supervisor to file a report to the Department of Defense (DoD) Central Adjudicative Facility (CAF). D.C. attorney John V. Berry’s June 2012 legal blog “JPAS Incident Reports – The Impact on a Security Clearance” (available at http://www.securityclearanceblog.com) describes in broad terms how the report finds its way into the Joint Personnel Adjudication System (JPAS) and then explains the real complications associated with the report: “When issues arise with respect to one’s existing security clearance,” Berry writes, “they may be reported by an employer and placed in the Joint Personnel Adjudication System (JPAS). This type of reporting is generally referred to as an Incident Report.”
Berry continues, “A negative Incident Report can be reported by a supervisor and then to your employer’s Facility Security Officer (FSO), or by other governmental entities, investigators or others.” Berry suggests that once the Incident Report is in the JPAS system, elimination of the report may seem impractical.
By definition and in the eyes of DoD, a JPAS Incident Report is not in itself an adverse action, though everyone has to recognize that there may be second, third, and fourth order effects that an employee might find adverse. An Incident Report does not appraise performance; it only reports an incident – theoretically, an objective report of apparent facts. Indeed, a June 2005 training package titled “Joint Personnel Adjudication System (JPAS) Overview” takes pains to make clear that the JPAS Incident Report was only formerly known as an adverse information report.
But what has all this to do with the whistleblower and the security clearance? A quick and only basic survey of applicable law and regulation exposes the cleared employee’s vulnerabilities, in spite of the Whistleblower Protection Act and its progeny.
What the Protections Really Say.
Every self-described whistleblower is not one necessarily protected by the Whistleblower Protection Act (WPA) or its offspring, the Intelligence Community Whistleblower Protection Act (ICWPA). And even employees whom WPA or ICWPA protects are not immune to incident reports related to their security clearances and whistleblowing activity.
5 USC Section 2302, Prohibited personnel practices: According to Title 5 of the United States Code, Section 2302, for an employer to take – or direct others to take – any personnel action for disclosure of information an employee reports if the employee “reasonably believes” the information represents evidence of a “violation of any law, rule, or regulation” or “gross mismanagement, a gross waste of funds, an abuse of authority, or a substantial and specific danger to public health or safety.” Note that the law does not prohibit just adverse personnel actions, but any personnel actions.
Section 2302(a)(2)(A) of the title explains which specific personnel actions Congress had in mind when providing these protections. According to Section 2302(a)(2)(A), a “personnel action” means “an appointment; a promotion; an action under chapter 75 [adverse actions] of [title 5] or other disciplinary or corrective action; a detail, transfer, or reassignment; a reinstatement; a restoration; a reemployment; a performance evaluation under chapter 43 [performance appraisals] of [title 5]; a decision concerning pay, benefits, or awards, or concerning education or training if the education or training may reasonably be expected to lead to an appointment, promotion, performance evaluation, or other action described in this subparagraph; a decision to order psychiatric testing or examination; the implementation or enforcement of any nondisclosure policy, form, or agreement; and any other significant change in duties, responsibilities, or working conditions.”
Note that a security-related incident report, nor anything like a JPAS Incident Report, falls under the law’s definition of a personnel action. And the legal terms in the law make it more complicated than it first appears: terms like “reasonably believes,” “gross mismanagement,” “gross waste of funds,” “abuse of authority,” “substantial and specific” are defined by degrees established in legal precedent (in other words, their meanings are established by way of previous, settled cases). What exactly is reasonable for one to believe? How much mismanagement is gross mismanagement, and how much waste is gross waste? What exactly is a substantial danger, and how specific is specific enough for an employee to report the danger?
Language that at first seems an impenetrable wall around an employee starts to crumble, and language of WPA and ICWPA is no more invincible.
Whistleblower Protection Act of 1989 (Public Law 101-20): The Department of Defense Inspector General asserts that “Whistleblowers are protected by various government statutes and acts that prevent federal employees from taking any personnel action against an employee who has engaged in protected whistleblowing.” But as any IG will tell you, not every act of disclosure is necessarily whistleblowing and, therefore, not every act is protected.
The Whistleblower Protection Act of 1989 was meant to give more teeth to 5 USC 2302(b)(8), to “strengthen and improve protection for the rights of Federal employees, to prevent reprisals, and to help eliminate wrongdoing within the Government by . . . mandating that employees should not suffer adverse consequences as a result of prohibited personnel practices.”
But remembering that a JPAS Incident Report is not an adverse consequence, what, exactly, are adverse consequences?
Intelligence Community Whistleblower Protection Act of 1998: The real name of the ICWPA is “Whistleblower Protection for Intelligence Community Employees Reporting Urgent Concerns to Congress.” As DoD IG explains the law, “The Intelligence Community Whistleblower Protection Act (ICWPA) of 1998 provides a secure means for employees to report to Congress allegations regarding classified information.”
ICWPA protections are available only to certain employees: “employees (civilian, military or contractor) assigned to the four DoD intelligence agencies (DIA, NSA, NRO, and NGA), and ICWPA protections do not apply to “activities of the military services, combatant commands, or Office of Secretary of Defense.” For instance, Bradley Manning, in spite of all his now professed good intentions, is not protected.
ICWPA carefully describes what one can appropriately consider an urgent concern that warrants ICWPA protections, but the language here is no more certain than what we saw in 5 USC 2302 and WPA. According to ICWPA, an urgent concern is “a serious or flagrant problem, abuse, violation of law or Executive order, or deficiency relating to the funding, administration, or operations of an intelligence activity involving classified information, but does not include differences of opinions concerning public policy matters”; “a false statement to Congress, or a willful withholding from Congress, on an issue of material fact relating to the funding, administration, or operation of an intelligence activity”; “an action, including a personnel action described in section 2302(a)(2)(A) of title 5, United States Code, constituting reprisal or threat of reprisal prohibited under subsection (e)(3)(B) in response to an employee’s reporting an urgent concern in accordance with this paragraph.”
The language here – which makes itself more complicated by referring back to the legal terms of 5 USC 2302 we’ve already inventoried – begs the same questions, and more. For instance, how serious is serious, and how flagrant is flagrant?
Still, if a cleared whistleblower follows the protocols exactingly, a whistleblower’s security clearance should remain intact.
The Department of Defense is understandably strict on reporting requirements for incidents that could conceivably compromise national security or, as we’ll see, incidents that could suggest one might intentionally or inadvertently compromise national security. DoD would certainly encourage one to blow whistles appropriate to 5 USC 2302, WPA, and ICWPA. At the same time, DoD jealously guards its security clearance determinations. They want to know about any incidents that could indicate security vulnerabilities.
The National Industrial Security Program Operating Manual (NISPOM) DoD 5220.22-M, updated with Change 1 as of March 28, 2013, “prescribes the requirements, restrictions, and other safeguards to prevent unauthorized disclosure of classified information.” Section 3 of the manual, Reporting Requirements, outlines required steps employers must take regarding “adverse information coming to their attention concerning any of their cleared employees,” as the manual describes: “Contractors shall report adverse information,” NISPOM directs.
NISPOM’s glossary describes adverse information as “information that adversely reflects on the integrity or character of a cleared employee, that suggests that his or her ability to safeguard classified information may be impaired, or that his or her access to classified information clearly may not be in the interest of national security.” Note that NISPOM’s definition does not require reportable information to meet every listed criterion: the coordinating conjunction or – rather than and – at the end of the list implies that an incident could meet any one of those criterion individually in order to make an Incident Report a requirement.
So more rhetorical questions are in order, and I hate rhetorical questions: What kind of information exactly reflects adversely on the character of a cleared employee? What kind of incident betrays an impaired ability? What all is not in the interest of national security? Is that short- or long-term national security?
Conventional Reasons for an Incident Report
Suppose a cleared Federal employee is convicted for driving under the influence of alcohol. Those familiar with the sensitivities of security clearances are not be surprised when the employee’s supervisor submits an Incident Report by way of the JPAS system. We are generally comfortable accepting that the DUI – especially if there is more than one DUI – could will compromise the employee’s security clearance. And once the employee loses the clearance, we are comfortable accepting that the employee is no longer eligible to serve in a designated sensitive position or position requiring a security clearance. We are comfortable expecting the same outcome for a cleared employee with growing, unmanageable personal debt.
Exponentially expanding debt and DUIs, personal indiscretions both, have nothing directly to do with one’s otherwise intact “ability to safeguard classified information,” as NISPOM describes it. But these sorts of indiscretions are perfectly valid reasons for a responsible, objectively acting supervisor to submit a an incident report about the conduct. If DoD pulls the security clearance after reviewing the reports, no one is surprise, even as the employee packs his desk and someone changes combinations to the file cabinets.
Ineligibility is, then, a residual effect of the technically unrelated behavior. To really understand the variety of basically reportable incidents that can culminate with loss of a security clearance, review DoD Regulation 5200.2-R, 1987, Personnel Security Program, appendixes 4 and 8, “Reporting of Nonderogatory Cases” and “Adjudicative Guidelines for Determining Eligibility for Access to Classified Information,” respectively. Do not miss this part: appendix 8 explains, “Each case must be judged on its own merits and final determination remains the responsibility of the specific Department or Agency. Any doubt concerning personnel being considered for access to classified information will be resolved in favor of the national security and considered final.”
Take that MSPB.