The rollout of the Defense Counterintelligence and Security Agency’s National Background Investigation System (NBIS) hasn’t been without quips and quirks. As it has worked through the new system rollout, however, it has also had to deal with an uninvited guest at the dinner table – the Office of Personnel Management’s legacy background investigations systems, including those that were compromised by China.
“We took over a legacy IT system that goes back to 1984,” said William Lietzau, director of DCSA, at a briefing of the National Industrial Security Program Policy Advisory Committee. That legacy system is the Personnel Investigations Processing System (PIPS), among other legacy infrastructure. It has been behind systems including the Security/Suitability Investigations Index (SII), and is used for case control as well as being the repository of personnel investigations that were conducted by OPM.
If it seems ridiculous that the federal government would be holding onto a legacy system that was decades old and already the victim of one of the most significant breaches in government history – you don’t know much about government IT. A 2019 GAO report analyzed 65 legacy federal IT systems, ranging from 8 to 51 years old. Legacy IT systems remain a problem across the government, not just for DoD and DCSA. And when it comes to legacy systems, the issue is that while it’s tempting to fully replace the technology – as in the case of NBIS – it’s surprisingly difficult to replace a legacy system whole cloth.
The system was placed on GAO’s top 10 risk list for legacy IT systems, but even at the time GAO expressed concerns with OPM’s efforts to update the system. OPM has now handed off the problem (along with personnel security) to DCSA. Lietzau said DoD adopted the system October 1, and while ideally NBIS would replace the old system, he said it “won’t be able to replace that legacy IT system in the near future.”
It currently costs $150 million a year to keep OPM’s legacy system up and running. But until NBIS is operational, DCSA will need to keep both systems up and running. Lietzau said the effort now is focused on ‘re-baselining’ the NBIS program and ‘trying to get some realistic expectations on the street.’ If that happens, they may be able to start sunsetting some of the legacy IT, and also move forward with the new capabilities needed to allow for Continuous Vetting and Trusted Workforce 2.0 initiatives.
JPAS to DISS
As it deals with its inherited legacy IT and the release of NBIS, DCSA is also addressing another major transition, one that affects nearly every new security clearance applicant even though they likely don’t know it – the transition from the Joint Personnel Adjudication System (JPAS) to the Defense Information System for Security (DISS). While eAPP and eQIP are the forward-facing aspects of the security clearance process applicants see, JPAS and DISS are empowering the decisions behind the scenes, taking the cases and tracking progress. JPAS was set to sunset October 1, but that timeline was pushed to December 1 in response to concerns. Lietzau said he acknowledged and agreed with many of those concerns, and that led to creating a gap analysis and set of criteria around the sunsetting of JPAS in favor of DISS. Lietzau said that December 1 remains the date for JPAS to sunset for now, but he hopes to move from date-based to capabilities-based timelines for system changeovers.
Technology is just one aspect of the overhauls taking place at DCSA – but it’s an important one – and one of the biggest problems keeping the director up at night. With major wins in processing times and the backlog at steady state, the focus today and into the future will remain on transformation – with a heavy focus on IT.
“A lot of great work has been done by the agency,” said Lietzau. “My goal will be to keep all of those trajectories while also transforming the agency to what you want it to be.”