Continuous evaluation is a major discussion in security clearance reform today. A recent white paper produced by the Intelligence and National Security Alliance (INSA) was titled Same But Different: Security Clearances for Contractors and Government Employees. It specifically addressed some of the disparity in continuous vetting, and particularly in the reporting processes, between government employees and contractors from the agencies they support.
Recently, ClearanceJobs chatted with Joseph Kraus, senior vice president at ManTech and a contributor to INSA’s report. Kraus noted that a recent INSA event highlighted how the current issues with information sharing in continuous vetting programs aren’t necessarily born out of the Privacy Act, but are related to individual agency policy – and those can be changed. And with the current momentum between government, Congress and industry, Kraus is optimistic that positive change will happen.
“Last year in the signed NDAA, the National Defense Authorization Act, there is now language in there that requires the security and suitability and credentialing executive agents to come up with a pilot program for two-way sharing of information from the government to industry…within 180 days,” noted Kraus.
That legislation is just an extension of the inroads made, and the path created toward better symmetry between government and industry.
“The partnership between industry and government, in my view, having been doing this for 40-plus years, is the most positive that I’ve ever seen,” said Kraus.
Insider Threat Programs In Action
Continuous evaluation is moving forward for the government, but we’re also seeing more robust continuous vetting programs from industry members, evaluating their own employees. Booz Allen implemented its own continuous vetting program, and it noted the positive effect on its workforce, including early detection of potential (but mitigatable) issues like financial difficulties.
A 2016 change to the NISPOM, the manual that industry follows in its national security programs, defined the minimum standards for contractors handling classified or sensitive positions, noted Kraus. With that policy in effect, reporting adverse information about employees is a requirement for contractors looking to do business with the government. And while the NISPOM and executive order spell out the requirements, industry and government have different programs – but there is a good reason for that.
“Industry, depending on the size of the company and the mission portfolio that they have, they certainly differ,” said Kraus. “Because I think you would agree a tier one large company probably has more robust tools and monitoring systems than a small business. I think you would say the same thing for the government. I would say that an intelligence community agency probably has a more robust continuous monitoring and evaluation program than the Social Security Administration. So, I think it’s all predicated on the mission and the requirements and the risks that are involved with that mission.”
That sentiment is borne out in the government’s new Trusted Workforce 2.0 program, which is looking at a more holistic picture of security. Rather than relying on rote classification markers or old policies, the government is asking industry to look at what their crown jewels are – what information is sensitive, and what isn’t. It is also asking what steps they need to take to protect that information, and what adjudicative guidelines need to be used to vet talent.
The implementation of continuous evaluation has prompted some to ask if vetting programs will be a hindrance to government hiring professionals – Kraus doesn’t see that as an issue within his company.
“I will tell you that today I have the pleasure of meeting just about all the new employees that come into ManTech,” said Kraus. “And I could tell you what they are articulating is they understand that holding a security clearance is a privilege and one that carries special responsibilities. If there is a concern, the concern really is the speed to bring cleared and trusted new workforce to the government and industry to meet the national and defense strategy requirements. So really, it’s the speed to bring on these new cleared and trusted employees, versus any negativity about monitoring or polygraphs or anything like that.”
The good news is security clearance reforms have reduced the security clearance investigations inventory to a steady state, and background investigation timelines are beginning to drop. And while there is still progress that needs to be made between the government and industry, the benefits of continuous evaluation outweigh the negatives.
“The upside certainly is the ability to receive near real-time alerts and flags on employees when an issue may come up,” noted Kraus. This differs from years ago when those red flags wouldn’t come up until a five- or ten-year reinvestigation. “The upside is the near real-time alert and flag, so that either the government or industry has the opportunity to engage with our respective employees and probably mitigate whatever that flag or issue was before it grows.”
“The downside is, again, I would go back to the two-way information sharing,” said Kraus. The government and industry share the risks, and share the design to protect their enterprise IT systems and supply chain – and it will take an ‘all of government trusted workforce,’ notes Kraus. “And to be able to do that we have to have that information shared with us that maybe the government might have the ability to obtain it, since a lot of our employees, as you well know, are on government locations that we might not necessarily pick up with our own continuous evaluation program.”
“That shows you the criticality of that two-way information sharing,” said Kraus.