The government has always emphasized the ‘people’ aspect of the security clearance process. It’s not just that the individuals awarded eligibility to access classified information are humans – and thus a ‘whole person‘ concept has always been applied to ensure a single issue won’t tank eligibility. The investigation process is a shoe-leather investigation, centered on a human workforce collecting information from other humans. Final determinations are made by adjudicators – who are looking at specific criteria, but ultimately left to make a decision based upon their own experiences and their agency’s preferences. The human aspect of security clearance eligibility continues in the years following a successful adjudication – security professionals are required to ‘self report’ potential issues in the five-to-ten years between scheduled investigations.
While the process is still human, now machines are getting a greater role. More than 1.4 security clearance holders are now enrolled in continuous evaluation, a system designed to take the place of the five-to-ten year interval periodic reinvestigation. Rather than waiting for self-reporting to flag issues, continuous evaluation takes machine learning and algorithms and applies them to the security clearance process. The data collected isn’t necessarily new (credit reports and criminal histories are the most significant data source), but the government is saying: we’re not going to wait for security clearance holders to report what we can easily gather ourselves.
There is good reason for the shift – Aaron Alexis certainly didn’t self report his mental health and criminal issues before he killed 12 of his Navy Yard coworkers. And Reality Winner didn’t self report her disenfranchisement with the federal government before she shoved classified information into her pantyhose and walked out the door.
The security clearance process is still human, but the human is now being balanced with the machine.
“A lot happens in a person’s life in 5 years, 10 years…and self-reporting wasn’t working,” noted Tricia Stokes, director of defense vetting at the newly created Defense Counterintelligence and Security Agency (DCSA), speaking on a continuous evaluation panel at the recent Intelligence and National Security Summit, hosted by the Intelligence and National Security Alliance (INSA) and AFCEA.
The panel discussed the government’s move to Trusted Workforce 2.0, and how continuous evaluation plays a role in the new definition of who is a trusted worker.
Privacy vs. Security? Security Always Wins
When it comes to the balance between security and civil liberties, panelists emphasized continuous evaluation is not going beyond what security clearance holders have already submitted to.
“We ask a lot from our security clearance holders,” noted Ben Huebner, director, Office of Civil Liberties, Privacy, and Transparency, Office of the Director of National Intelligence (ODNI). “We ask them to give consent to an enormous amount of collection…because we ask so much of them we have a huge responsibility to appropriately handle that information.”
Heubner said privacy is a consideration for the government as it implements continuous evaluation – and that’s important. It’s not a matter of after-the-fact oversight, but how privacy considerations can be baked into the program from its inception.
Continuous Evaluation: It’s Not Just for the Government
Booz Allen has implemented its own form of continuous evaluation, called enhanced evaluation. While 70% of employees have security clearances, the evaluation program was implemented across the entire workforce. There was a huge education process that went into notifying and enrolling employees, said Sharon Claridge, director of security services at Booz Allen. While enrolling in the program was made a requirement for continuing employment, just five employees opted to begin the exit process rather than submitting to monitoring.
The program pulls in similar information to that of CE, including publicly available electronic records checks of things like criminal, financial, and civil records. Claridge emphasized the company is very conscious of privacy, but the results – specifically the financial constraints of some employees – have been eye opening. The program has shown not only which employees may be at risk, but has shown how the company can help – including things like tuition reimbursement for those burdened by significant student loans.
The company is only notified unless a report is generated by the system, said Claridge.
The kind of data collection being done at Booz Allen is something leaders at DCSA continue to site as a possible area of opportunity – where the private sector is already collecting information from its employees, how can the government profit from that data collection, reducing redundant effort and saving money? The ability to transfer data from a private sector system into the governments CE efforts isn’t a reality today, but it may be in the future.
Trusted Workforce and CE
Trusted Workforce may be looking to update who makes the cut when the government establishes clearance eligibility, but panelists emphasized it’s not necessarily the adjudicative criteria that need to change. The issue in recent breaches isn’t that the adjudicative criteria weren’t applicable to the risks – it’s that the information wasn’t available.
The question moving forward is how we get the information, and how often, said Stokes. “Our community has not done a good job in the past of being state of the art, current.”
Continuous evaluation is about helping the government protect classified information, but also helping it protect the resource it continually sites as its greatest asset – its people. Panelists emphasized the point of continuous evaluation isn’t just to catch people doing things they’re not supposed to, but helping them protect the significant investment they’ve already made in the hiring, onboarding and security clearance process.
“How do we rehabilitate somebody who may be going astray because life happened?” said Stokes.
And that’s the people aspect of continuous evaluation that the government, private sector, and Trusted Workforce 2.0 initiatives are still considering.