The Office of Personnel Management announced this week it has completed its initial mailing of notifications to the more than 20 million affected in a July breach of federal background investigations. OPM was able to notify 93 percent of those affected; a current address was not available for the remaining individuals, and they will have to use OPM’s online verification system to determine if they were impacted.
That announcement comes as the results of a 90-day review of the security clearance process nears release. Government and industry officials have begun hinting at the results of that investigation, including the likelihood that background investigation oversight will likely move from OPM to a new agency.
“I’m not sure where it’s going to land yet,” said Doug Thomas, director for counterintelligence operations and corporate investigations at Lockheed Martin, during a Dec. 7 panel discussion on overhauling the security clearance process. “It’s going to have a new director, it’s going to have a new focus. So I’m trying to remain optimistic about that.”
A Human Resources Organization with a National Security Mission
OPM has been the target of a series of critical reports about the investigations process, from the data breach to how individuals such as Edward Snowden and Aaron Alexis were able to sail through the security clearance process. Security clearance attorney and former background investigator Sean Bigley points out that OPM deserves credit for addressing the horrendous backlogs in the security clearance process, and for their efforts at efficiency in a program with a very high volume of investigations. But even given those accomplishments, there remains a strong case for moving the investigations process to a national security agency.
“OPM is, at it’s core, a human resources office – not an investigative or intelligence agency,” Bigley notes. “That means you have agency leadership with no law enforcement or intelligence experience promulgating policies that directly impact national security. In practice, those policies wind-up becoming bureaucratic box-checking exercises that turn investigators into mere note-takers. I can’t tell you how many times I’ve seen investigative reports that spend pages addressing utterly irrelevant details (per OPM policy) only to gloss over real counter-intelligence concerns. Personally, I think we should be more concerned about an applicant’s online activities than we should about the fact that they didn’t list a home telephone number on their SF-86.”
Others have speculated moving background investigation responsibilities back into the Defense Security Service, operated under the Department of Defense.
“In my experience as an applicant, clearance holder, security manager, investigator, and adjudicator I have been interviewed many times, have interviewed many others, and read many ROIs. By far the best ones were written in times before we were just worried about timeliness, quotas, and the bottom line,” writes Marko Hakamaa, a former OPM contract background investigator and current security specialist and civil servant.
Individuals involved in the security clearance process are quick to point out that any reforms need to occur with changes to focus and processes, not just leadership.
“Ultimately, I do think that the background investigation process belongs with a national security agency – and the momentum appears to be moving in that direction,” said Bigley. “But regardless of which agency controls the program, the problems will not be solved without serious reforms in the investigative process.”
William Henderson, president of the Federal Clearance Assistance Service, agrees the current conversation needs to extend beyond simply who’s conducting background investigations, but rather how those investigations are carried out.
“In my opinion the “experts” are focusing exclusively on the automated systems (big data, social media, etc.) for improving PSIs and failing to look at how field investigations are managed,” noted Henderson. “Automated systems have a tremendous potentially for finding information that can be used to flag a case for an “Expandable Focused Investigation” (EFI), but automated checks alone cannot be used to deny or revoke a clearance. A flagged case has to be turned over to a field investigator for issue resolution. These are the cases on people like Manning, Snowden, and Alexis. There are myriad problems with field investigators and the organizational structure /culture they must work within.”
As far as reform efforts go, OPM remains mum on the results of any internal investigations, but continues to focus its guidance on what those affected by the breach can do to stay safe. It’s most recent press release offered the following advice:
- Monitor financial account statements and immediately report any suspicious or unusual activity to financial institutions.
- Request a free credit report at www.AnnualCreditReport.com or by calling 1-877-322-8228. Consumers are entitled by law to one free credit report per year from each of the three major credit bureaus – Equifax®, Experian®, and TransUnion® – for a total of three reports every year. Contact information for the credit bureaus can be found on the FTC website, www.ftc.gov.
- Review resources provided on the FTC identity theft website, www.ftc.gov/idtheft. The FTC maintains a variety of consumer publications providing comprehensive information on computer intrusions and identity theft.
- You may place a fraud alert on your credit file to let creditors know to contact you before opening a new account in your name. Simply call TransUnion® at 1-800-680-7289 to place this alert. TransUnion® will then notify the other two credit bureaus on your behalf.