The organization conducting the vast majority of security clearance investigations is undergoing a massive logistical undertaking, as operations move from the Office of Personnel Management (OPM) to the Department of Defense. The new organization, which will be headed by the current chief of the National Background Investigations Bureau (NBIB) is the Defense Counterintelligence Security Agency (DCSA). What’s the key message DCSA has for security professionals? Sit tight and prepare yourself for big change.
At a recent gathering of industrial security professionals, an official from DCSA explained that the merger is now in its final stages.
“Obviously on October 1, we will officially be merged with the National Background Investigations Bureau and all of those employees who are currently working for OPM will now be DoD employees under the umbrella of DCSA,” explained the official.
The date is fast approaching and the logistical task before these agencies is now more prescient than ever.
DCSA Merger May Cause Temporary Headaches for Security Officers
This shift means the national background investigations apparatus will transition from about 1,200 government employees and full-time contractors, to 5,000 government employees. Including the total contractor support population, that number will be around 13,000.
“There is an immense amount of work that is currently going on at our headquarters, involving moving of personnel from one gate group to another within the federal government, changing timekeeping systems, validating benefits and leveraging all the sorts of information that it takes to move somebody from the Office of Personnel Management over to the umbrella of the DoD.”
“As a result our headquarters is, right now, in their final sprint. It’s both the end of the fiscal year, we’ve got financial obligations coming due, we’ve got funding requirements that are coming due, and we have this upcoming merger – not to mention performance evaluations.”
With all these obligations, the official made clear that DCSA will likely be less accessible to industry partners as this transition is underway.
“Especially over the next month or so, there’s a lot that’s happening with DCSA. Your field office teams are going to stay responsive, but the support that we can reasonably expect from our headquarters right now is not as high as what it was even six months ago. They are currently focused upon completely transforming the agency and onboarding more than five times our current workforce within the next month.”
As the Security Clearance Process Changes Hands, It Will Also Change its Approach
Moving past October, the official was quick to point out that the new agency will have a new approach to industrial security.
“DCSA as it currently stands does have a number of changes that are going on that are going to continue to be worked throughout this process. Then over the course of the next few years, you can expect additional changes in both how we approach the background investigation mission, adjudications, industrial security oversight, counterintelligence, and really our entire approach to partnering with industry in order to protect national security.”
This message is in line with what leaders at DoD, OPM, and Congress have been saying for months: we need to re-approach the way we do national security.
This will be easier to achieve now that the process will be under one roof. “As a result of our increased missions, trying to find deficiencies as we bring these disparate groups [DSS and NBIB] under a single umbrella, and as we also leverage changes in policy at the national level in order to be better at what it is we do.”
A Risk-Based approach to Industrial Security
The DCSA official encouraged security officers to think past “compliance” as this new approach takes hold. Merely following rules set out in the National Industrial Security Program Operating Manual (NISPOM) is not sufficient in today’s threat environment.
“The NISPPOM was very effective when it was first established at protecting classified information. But the way that you in industry and we in government have changed is that simply building a box around classified information is no longer sufficient to protect national security. You can be very good, you can be very compliant – and it is necessary to effectively protect critical technology and critical programs – but [you can’t] only look there. Our adversaries are hitting us outside of that box.”
He pointed out that the information our adversaries want isn’t starting out in a locked box at the Pentagon – it’s starting as proprietary information at American companies, research at our universities, and other publicly available or unclassified sources.
How Can Security Professionals Get in This New Mindset?
DCSA is encouraging industry partners to think basically about what kind of business they do in order to get to the core of how they can build the most effective security programs. This begins by asking two questions:
- What information am I trying to protect?
- Who would want to target my information?
Security officers need to have a clear idea of what their company really does.
“First, as a security professional, I encourage you to work very closely with your program managers and senior management officials to understand the business of the company,” explained the official. “Whatever it is your company does, what you are providing – whether it’s a service, whether it’s information, whether it’s a subject matter expert…you need the identification and realization of what you are trying to protect.”
That means thinking abstractly and going beyond merely complying with NISPOM. “If you don’t have an appreciation for what it is you’re trying to protect, you are going to have a difficult time. Being able to say ‘I know how to be compliant with the NISPOM is not going to equip you with the information you need to figure out whether or not your security program is currently being effective.”