A recently leaked review identified failures in the process that led to the positive adjudication of Eric Snowden’s security clearance. In the spotlight is the company responsible for investigating the periodic review for Mr. Snowden’s Single Scope Background Investigation Periodic Reinvestigation (SSBI-PR). However, does the fault lie entirely with the investigator?

THE SECURITY CLEARANCE PROCESS

Take a look at the purpose of the security clearance cycle. The justification and request for security clearance, investigation, adjudication, periodic re-investigation and continuous evaluation process, work together to find the insider threat to classified information. In this case, threat is any adversary (internal or external) with intent and capability to gain a security clearance and exploit classified information. Regardless of the threat’s (Snowden) motivation, countermeasures should be in place to identify and stop the threat.

There were failures along the way that may require some creative and necessary relook at the security clearance process. The process is supposed to capture the essence of a person to determine whether or not they can be trusted to protect classified information. The trick is getting all subjects, references, fellow employees, friends and family to report on the character of an applicant for a security clearance investigation or re-investigation.

 THE SCIENCE OF THE SSBI

The science behind the SSBI investigation begins with the security manager initiating an investigation. Based upon a justification the subject completes the SF-86, the security manager reviews it for completeness and accuracy, the investigator checks financial institutions, law enforcement records, agencies and public records; makes written queries of employers, neighbors and the subject’s own references;  and interviews the subject, spouse and ex-spouses. The piece de resistance is to “expand investigations” as necessary. In the security clearance cycle all steps should work together to determine a person’s trustworthiness before granting a clearance, while performing classified work and during future re-investigations.

 THE ART OF THE FSO

The art of getting employees to evaluate themselves and others for trustworthiness is much more difficult. For example, when the security manager reviews the SF 86, what does completeness and accuracy mean? A security manager might make sure that all data is entered in the appropriate places and as required (dates in proper format, references listed by category, etc.). However, the security managers can neither investigate the information nor approve or deny the request. They can seek to help the subject clarify answers in effort to prevent a delay in the investigation, but that’s it. The art is the ability to interact with the subject and work through determining the appropriate answers. This requires spending time with the subject reviewing the questionnaire and asking general follow up questions.

“I noticed you are married, why didn’t you list your in-laws? You left the field blank?”

“Well my in laws are deceased so I didn’t fill it in.”

“Oh, I see. Notice here that the instructions state that you should list them even if they are deceased.”

“Oh, sorry, the instructions are so small, I missed it.”

“No problem, that’s why we’re here.”

Notice that these questions were steering the subject to successfully complete the form. It’s not a license to pry into the lives of employees or invade privacy. According to NISPOM, the review is to determine completeness and accuracy. On the opposite spectrum, a security manager may choose to handle this via email; that’s science, but you lose the art.

THE ROLE OF THE INVESTIGATOR

The investigator is required to put all the pieces together. A recent Wall Street Journal article reported that the investigators may not have contacted all the references, even though the SSBI-PR requires the applicant to provide references. The investigator should also develop references during the investigation. The applicant lists references; the investigator contacts those references, asks required questions and develops a new list of people to speak with.

During interviews, references may be nervous, eager to protect the applicant, or may not cooperate beyond giving positive answers (especially friends and family). The investigator should have the skills to encourage conversation and compel the references to talk freely and provide information on the applicant that an adjudicator can use to make a security clearance decision.

CONTINUOUS EVALUATION

The most important but never covered process is continuous evaluation. All cleared employees are briefed on their security clearance responsibilities which include adverse information reporting. Co-workers, bosses, other cleared employees and even the subject are required to report adverse information on themselves and others.  The continuous evaluation process is outside of the investigation and begins as soon as the clearance is granted.  It is a countermeasure in place to detect suspicious behavior and prevent unauthorized access of classified information.

During the SSBI-PR The same 13 adjudication factors concerning allegiance, behavior and health are re-evaluated. During the time between investigations, cleared personnel should continue to demonstrate trustworthiness, if not, they risk losing their clearance.  Security managers develop training and policy at the local level to encourage cleared employees to report information either on themselves or fellow employees that could lead to compromising classified information. If an event is reported, immediate action is taken and information is submitted to the Cognizant Security Agency for further action and addressed if necessary during future PRs.

According to the article, red flags were raised, but the re-investigation did not address them. The red flags indicated that he left out information on his foreign travel, a big no-go and at the very least did not complete the SF-86 accurately or completely. In the end, he ignored the training he had received and gave away classified information. There were no reports of adverse information or investigations of suspicious behavior until it was too late.

The security clearance process is clearly outlined, but the cycle failed. Mistakes were made in each step, contributing to the failure of identifying the risk with allowing Snowden to maintain his clearance. In the end Snowden was authorized continued access to classified information and made his decision to release it and no one knew.

Related News

Jeffrey W. Bennett, SAPPC, SFPC, ISOC, ISP is a podcaster, consultant and author of NISPOM, security, and risk management topics. Jeff's first book was a study guide for security certification. Soon after, Jeff began writing other security books and courses, and started his company Red Bike Publishing, LLC. You can find his books, ITAR, NISPOM, PodCast and more @ www.redbikepublishing.com.