Is the National Industrial Security Program (NISP) — which we have come to know and (sometimes) understand — fulfilling the needs of the United States? Functions of the NISP have been distributed between a multitude of organizations, with the intelligence community (IC) opting to create a parallel universe. The cross-organizational functions have created bottlenecks in the security clearance process, in addition to occasional friction when competing remits collide and the industrial partner is left to sort things out with their customer, while those who “inspect”, “adjudicate” and “enforce” work within their regulatory bubble remain free of knowledge of the customer’s specific requirement (the need-to-know effect).
OPM and NBIB
The Office of Personnel Management (OPM) breach which put the identities of 21+ million individuals (and families) in the hands of an unauthorized third-party (as yet unidentified, but believed by many to be the government of China), was the impetus for President Obama announcing the creation of the National Background Investigation Bureau (NBIB). The NBIB is expected to work closely with the Defense Security Service (DSS) in ensuring only those who are eligible and meet the prerequisites for being granted the trust of the United States via a security clearance receive one. The NBIB remains, however, within OPM and will absorb OPM’s Federal Investigative Services (FIS).
Interestingly, the information technology infrastructure will fall under the remit of the Department of Defense (DOD), who will take on the responsibility for the cybersecurity of the NBIB. The President’s request for DOD comes with $95 million to re-architect and implement a secure system to support the NBIB.
Thus, the NISP role will remain: Protecting the nation’s most sensitive data while engaging with the private sector as they provide goods and services to the United States government, including the defense community.
The DSS will continue to enforce the security standards on the protection of sensitive information within the authorized private sector, leading with the requirement to ensure all personnel are appropriately cleared prior to engaging in sensitive and classified work. The Facility Security Officers at these facilities already have a data security requirement, and this does not change. We may, however, see a need for an elevated level and depth of cybersecurity expertise as DOD-created infrastructure for the NBIB is put in place.
The transfer of the information technology requirement to within the DOD should facilitate the DSS technology inspection function. Whether positions with appropriate cybersecurity backgrounds will be created or have them seconded from the Defense Information Systems Agency (DISA) needs to be determined.