National Counterintelligence and Security Center Director Offers Insight into Counterintelligence Threats

Welcome. Thank you for joining us for today’s webinar. My name is Lindy Kyzer, I’m with ClearanceJobs.com. I’m super excited for today’s webinar, sponsored by Xcelerate Solutions and featuring Michael Orlando, the senior official performing the duties of the director of the National Counterintelligence and Security Center. Xcelerate provides expertise across policy, operations, strategy and systems to support personnel vetting and counterintelligence, with a mission to make America safer. ClearanceJobs recently sponsored with Xcelerate to produce our biannual state of the security clearance process white paper. It is a great action packed paper, full of insights about the security clearance process, personnel vetting, reform and other issues. So we’re really excited kind of as a part of that conversation, talking about counterintelligence, national security, to have this webinar today featuring Michael Orlando.

Thanks, Lindy. Thanks for having me on the record today, and thanks  ClearanceJobs.com for all you do to help communicate all the work we’re trying to do in the security and counterintelligence space, really important mission of what you guys are doing and help getting the word out. For the audience here, thanks for joining. I’ll talk to you a little bit about who we are, for those of you who aren’t familiar with the National Counterintelligence and Security Center, and then I’ll talk about security and the way ahead in 2023, and then I’ll talk about counterintelligence and the way ahead in 2023, and then I’ll wrap it up by bringing CI and security into one and how they kind of interrelate to each other.

So for those of you who aren’t familiar with us, we are the National Counterintelligence Security Center, NCSC. We lead both the counterintelligence and security community of the US government. And on the counterintelligence side, that is really about integrating the counterintelligence workforce, setting strategy, doing the threat assessments and working together on that side. On the security side, what people may not realize is that the director of national intelligence is the security executive for the US government, and NCSC houses that staff, the security staff to support her in that mission. And we refer to it as the SecEA. The SecEA is really, think of it as a policy shop for security, so we do a lot of policy work in the security arena.

And then we have some other small missions. We have the National Insider Threat Task Force, we help government agencies build and maintain Insider Threat Task Force, and we also have supply chain risk management. We help the federal acquisition community with counterintelligence supply chain risk management. And then lastly, we have a group that consults Department of State on construction overseas, we have some really wise people in technical security, we help consult with them.

So security. So the first group I’d like to talk to in the security realm are potential applicants, some tips that I’d like to kind of give you to help you on your way. So in addition, when you’re looking for a job with a security clearance. First, go to the website of the organization you’re interested in, and in addition to looking at those duties, look at the security and suitability requirements for that job. And when you’re talking to the recruiter, in addition to asking about the job, ask about the security and suitability requirements. And notice I said suitability requirements, suitability goes hand in hand with security, but sometimes I think it’s difficult for people to understand what they are. And one of the better examples for suitability, to explain the difference, would be drug use.

So for security clearance, the policy is pretty liberal, but when you get to a law enforcement organization such as FBI or DEA, who are part of the intelligence community, because they’re law enforcement, it may not be suitable for you to have the same level of previous drug use then for IC agencies, because you may have to testify in court, and so that’s where suitability comes in. So it’s important that you ask those questions. And then the next thing I would recommend you do is go online and look at the SF86, the security forms and those questions, there are 13 categories of areas that you have to look at. And I would also say that clearancejobs.com has a kind of state of security clearance handout that they’ve created, that I think is actually pretty good, go check that out. You can see the categories of unification that seem to trouble people and there’s 13 categories, but it’s a lot about foreign influence, conduct, finance, drug use, alcohol use and other things like that.

So take a look at those things and actually start working on the SF86 now, there’s just a lot of information and you can never start too soon on those things there. And then there’s the timelines of expectations. So generally we’re seeing secret clearances around 76, 75 days and top secret clearances around 120 or so days. Keep in mind that’s the clearance aspect, there’s also the HR onboarding and hiring that goes along with that, but those timelines seem long. They continue to decrease over time and we expect those timelines to continue to decrease. And then the last thing I’ll say before I talk about trusted workforce is just be truthful in the process, know that we’re looking for people of character, but we’re not looking for perfection. So you could have made mistakes in the past, there’s a lot of things that get weighed in from are there mitigating factors, how long ago did you do this, are there patterns of negative behavior? So with that, I wish you the luck in finding your job and hopefully you come join the intelligence community.

So for our security professionals, where are we and what is this Trusted Workforce 2.0, because I think at times people are very frustrated with the progress, but I think it’s important to note that this came online in 2018 as a whole of government effort to reform security clearance, suitability security clearance for the whole US government. So really think about that, this isn’t just one agency writing a policy, this is for the entire US government. And the first thing they did in 2018 was work to reduce the backlog to kind of steady the system. The backlogs were up over 700,000, in over a two-year period, they got them down to a steady state of below 200,000 in getting those timelines down. The second thing they did, starting in around 2019, was create this framework, what is this reform really about? And you may have heard this 1-3-5, which is one policy framework to combining security and suitability into one policy framework, to the best extent that we can.

And then having three investigative tiers versus the five investigator tiers to kind of simplify things. And then the five vetting scenarios of onboarding, transfer trusts, upgrading clearances. So they spent some time framing that out. And then now where we are in 2021 in 2022 is what I would call an implementation and transitional phase. So last year in 2022, we released a ton of policies. And although we feel like we did a lot of work, it’s an important note that you haven’t felt the effect of those policies because they haven’t quite been implemented yet. But there was a lot of work from very high level policies, to guidelines, to standards. And then in 2023, we are doing additional guidelines, particularly in standards, the national training standards, which I think is very important because it really lays out a guideline for the security workforce on what are those standards and how you implement it. So that will be coming out in ’23.

In addition to guidance to every agency, how do you implement all these policies that we’ve just rolled out in ’22? And then you should expect the new questionnaire to come out. We are streamlining the SF86 and the SF-85 into a, I think it’s called a personal vetting questionnaire. We’ve simplified the questions. I think you’ll find it a lot better than it is. And then in the last thing is DCSA NBIS, which is the system, the computer system, they’ve been doing a lot of work for years and they’re going to continue to make progress in ’23. And then separate from trusted workforce, but tied to it, is we have a small, what we call reciprocity working group. How does one person who has a clearance, let’s say at CIA transfer over to NSA, there’s always been some challenges with that. And so we have a working group who are really trying to map out what are those barriers and how can we resolve those things so people can move through government a lot easier, and that will transfer next year when transfer of trust is really on deck for trusted workforce 2.0.

Now moving over to counterintelligence: Let me just start, I think the history is a little bit important, I always say go back 20 years or longer to the Cold War. Mostly what our concerns were, were Soviet intelligence working out of the embassy here in the United States, trying to steal classified secrets or classified research. And over the last 20 plus years, I would say the dynamic has really changed a lot. We recently did, in 2022, our CI assessment, which we’re required to do every three years, signed by the president, it’s a top secret report, but I’m going to give you the unclassified version of it.

And the three wave tops of that is basically more threat actors, more threat vectors going after more things. And so let me break that down for you. So as I said in the past, it was a lot about intelligence officers under diplomatic cover targeting government secrets. Well, now where we are today, there are more threat actors. So now only do we have to worry about intelligence officers operating at the embassy, stealing secrets. But we have a whole range of asymmetric non-traditional actors, whether it’s using cover as students or business people. And we’re seeing foreign governments use kind of a whole of government enterprise of using non-intelligent people to acquire secrets, legally and illegally. And we’re seeing non-intelligent agencies, like the EPA and others, being targeted for non-classified information. And more importantly, increasingly we are seeing the private sector, their technology and their data being targeted by foreign governments using intelligence services and a whole range of things.

And in addition to the, I would say the high risk actors of Russia and China, we are seeing kind of the lower threat actors kind of increase their capabilities to be medium threats. So there are more actors on the playing field. Second, the broader targets, as I mentioned, non-secret private sector, but increasingly we are seeing talent, data and technology really being what foreign governments and intelligence services are going after. And they’re using a broader range of tactics, so not only are they using cyber intrusions, illegal cyber intrusions and espionage, but they’re using a whole range of legal and quasi legal techniques, such as mergers and acquisitions, joint ventures, talent programs, to acquire this technology in a whole of government effort, which really creates a number of challenges for the government and private sector to defend against those things.

There are a couple other trends we have observed. We are seeing a lot more collaboration between our adversaries and that is giving kind of the higher the adversaries closer geographic situation to us. And at the same time, those higher adversaries are providing capabilities to those lower adversaries, increasing their ability to harm us. And in addition, data, you may have heard that data’s the new oil, I don’t know that I like that sentence, but I think the sentiment is right, that data increasingly is becoming an important target. And when you get into the conversation of protecting data, it is important and here’s why. We are seeing trends in which emerging technology such as AI, quantum, biotechnology, autonomous systems – you can keep going on – are really important. This is the way of the future. Whoever dominates in these industries will really be the global leaders. And data often is the underpinning of these technologies and whoever has access to the most data and the most current data, certainly has a leg up in artificial intelligence and other things like that.

So these are the areas of the threat picture where we are, and this is particularly challenging for the private sector who’s really never kind of been under the threat that they are today. Now what are we doing at NCSC and the intelligence community? Well, in 2021 here at NCSC, we launched our emerging technology campaign, which was an effort to really educate those industries that I’ve mentioned, about the threat. And that is an enduring campaign. In 2023, we are going to do some really targeted approaches. We have identified what we call like our top 30 in each of those industries, where we could do some more targeted outreach. And then in 2022 we did our safeguarding science campaign, which was a great collaboration between us, the National Science Foundation, NIST and others, in which we created a toolkit, so academia and researchers or frankly, anyone, can build their own counterintelligence security program.

And it’s not just for science, any of you out there, if you go to our website and go up to the top link, you’ll see Safeguarding Science, hyperlink into it. There’s all sorts of tools for you to build insider threat programs, security programs, case studies, posters, it’s all there. So we’re really proud of that effort. And in addition, we continue to work with the community to do defensive counterintelligence, offensive counterintelligence. And our outreach mission is really, I would say, really more important than ever before, to try to educate people on the threat for what also to do about. Now in closing, how does CI and security come together? Well, it’s really important that we vet and maintain vetting of our employees. So couple of case examples for you. So go back to 2011, I think the Glenn Duffie Shriver case is an interesting one. Here was a student studying in China, who was recruited by the Chinese Intelligence Service to try to apply for a job at State Department at CIA and CI and security working together was able to disrupt that effort.

And I could tell you that he wasn’t the only one that he was targeting, and we had an outreach campaign, don’t be a pawn, subsequent to that arrest, in which numerous students had called State Department and said, “Hey, we think we’re being targeted.” So that’s why we have to have strong security programs. Now it’s not just 2011, for those of you who are like, “Well what about a little bit current?” Well there was Shapour Moinian, who was a contractor in aviation and he was recruited online, he was on social media and he got recruited under the guise of consultant and then ultimately passed things that he shouldn’t have to the Chinese government. So that is an enduring threat.

Now, despite all that, we have to have strong security, but on the security side, we have to do a better job of being more efficient because if we are not able to have more efficient processes, we are not going to be able to have the talent that we need to have in the intelligence community. And so there’s this balance of how do we maintain security, but at the same time, how do we do it in a really efficient way? So with that, I open it up to your questions.

Awesome, thank you so much. I love how you blend these two topics together because they are interrelated. I think obviously ClearanceJobs, we can tend to err on the side, if we’re talking about personnel vetting, a ton, just because obviously we have so many questions coming in from candidates, but you really can’t neglect the counterintelligence piece of it. I mean, this is why we’re vetting our employees because of these risks…sometimes educating them of the different risks that are out there is key. And so I think you’ve done that with the Safeguarding Science Initiative. I want to talk a little bit about the Nevernight Connection piece because that’s always … I thought that was an interesting, and ‘Think Before You Link’ and you bring up how I think our foreign adversaries are constantly kind of trying to pursue us and find different ways. And obviously social media is a key one now.

Do you think you’ve gotten the message across with that, or are we seeing more and more? What’s kind of the threat vector in terms of those threats coming in from online and how China and Russia are using social networking sites?

So I think those were great initiatives and that really helped get the message out there. And I think in the intelligence community, we’re able to have great awareness, but then I think once you leave the intelligence community, to the federal government, the non intelligence community, it starts dipping down. And then when you get to the private sector, I think the awareness really isn’t there, that we haven’t been able to really get the message out in a persistent sort of way. And it’s also very nuanced. I’ve been in counterintelligence for 20 years, I’m sensitized to it. But think about people who’ve never been exposed to counterintelligence, all they know about spying is what they watch into movies. They don’t really understand the threat, and trying to explain it can be difficult.

But we do want people to be aware of … we certainly want you to be on social media and all the platforms that you want to be on, but you also have to be very careful about who you’re dealing with and really kind of think through, as you accept a link, who is that person, and what do they want for you? And as they ask questions, is this natural? And particularly when you’re asked to consult on something for a foreign government, really think through what is this really about? And so I think there’s some common sense to it, but at the same time, I think there’s more we can do to be educating people on this so they can better protect themselves at the end of the day. I think we don’t want to be arresting people, we want people to kind of self-report, I see something suspicious and then kind of move on and not engage with the person.

Yeah, I think, well, because we talk about the counterintelligence threats and that’s one of the things in the white paper that Xcelerate and ClearanceJobs put together. We always kind of unpack the DOHA security clearance denials cases and we always talk about finances being the top cause of clearance denial and revocation, not necessarily because financial issues are the biggest risk. I feel like that kind of shows how the cycle for espionage can work though, because you see a lot of those cases boiled down to somebody with ego.

So if you’re just getting somebody who’s really pulling into your ego a little bit and then trying to use that as an avenue to find out what you work on for the government, that should set off some lightning bolts from people. And I feel like you read through a lot of those cases and it wasn’t folks who had access to things and they had somebody who was pulling at their ego and pulling at their sense of purpose, which is a positive thing we look for in the national security, but how do we pivot that for good and not for evil?

Yeah, I do want to add, so this is where kind of the insider threat programs come in. So we do a security clearance and everything might be good when you come in, but life comes at you and creates stressors around you. When you look, interview, asking about subjects, oftentimes they talk about a negative event that triggered them to commit this act. And so there’s two parts to the insider threat, how does organizations have really good culture that prevents employees from falling into negativity, but at the same time, you do have to monitor for behavior that’s not appropriate and try to interject and turn people around before it goes too far.

Yeah, well and that’s the key thing with continuous vetting, I think, that’s been definitely a success within the trusted workforce 2.0 movement, because there was so much talk about would employees be concerned about the government pulling in that information. And I feel like that has rolled out across now the entire national security workforce, without … I mean, if there are bumps, they’ve been classified. I don’t know, would you categorize it the same way, that that’s been a seamless rollout?

It’s been a pretty seamless rollout. I think we’re still working on how to read the triggers and balance that out, but I think over time, that’s going to really work out and I think the employees are going to have a better experience and we’ll be able to address things a lot sooner and it’ll be an efficient process than what the previous five-year reinvestigation process was.

Yeah. And the other thing I want to touch on before I will get some of the questions from the Q&A, is the suitability piece I think you brought up, which was great. So the pros and cons, as trusted workforce rolls out across the entire federal government workforce, that really opens up your opportunities to educate across the workforce. Suitability is kind of complicated as it is, and you mentioned the reciprocity piece and I don’t know if that ties in, so can you speak to that a little bit at all? Because you’re the one who brought it up, Mike, so the suitability and how it ties into all of that.

I think you’re correct, it gets complicated fast. So oftentimes suitability overlays on security and then times it veers off. And then in some government agencies we’ve noticed security has been asked to do the suitability piece for the HR people and it gives it a veneer of, well that was security, when in fact, no, it was HR suitability, and that’s why I tell people ask about the suitability requirements. The challenge in reciprocity, and one of the things the working group is trying to do is dissect and separate reciprocity issues that are security related and separate the suitability reciprocity issues and can we put them in like categories? So for instance, I mentioned the drug use is the easiest one. Well DEA and FBI are the two and only agencies that have a similar drug use. Well let’s make sure we create reciprocity between let’s say FBI, DEA on those like suitability things if possible.

And so we’re really trying to do the groundwork now to separate those things so we can make it a better, easier process to the extent that we can. But I also think it’s important, although we’re not the suitability executive, suitability is something really hard to do reciprocity on, given that it’s mostly about are you suitable for a specific job and not a broader thing. So you may be able to get a clearance and you have had a mishandling of a computer issue, but you probably shouldn’t be the computer guy. So that’s where these things kind of get complicated.

Okay. Well, and I want to get to some of the questions. So Christopher Burgess just submitted a question talking about how China has been systematically acquiring Western technologies, obviously, and not necessarily those just within the NISPOM. So I think that ties into the Safeguarding Science initiative, but what is NCSC doing or maybe even the broader government doing to address how China is really attacking companies and not necessarily just those who are operating within the NIST palm?

Yep, great point. And he’s kind of echoing what was in my talking points, about the private sector being targeted and much greater than just national security technologies. And so in NCSC, we’ve done our kind of rollout of emerging technologies and the outreach we do, but I can tell you across the intelligence community, particularly with DHS and FBI and others who are more at the local level, they do their outreach as well and they’re partnering with companies trying to help them better protect themselves and taking threat leads from them and educating them at the same time. And I think this is going to be an enduring outreach effort for all of us, is to continue to educate.

But I will say is when I do outreach to larger groups, the questions I’m now hearing now versus two years ago, two years ago, it was a lot of just entertainment type questions and trying to educate them on threat. Now I think companies do know there’s a threat and the questions are now becoming what do I do about it? And I’m noticing the sophistication of the questions are getting better and better, so it’s a sign to me that people are getting more aware of this and trying to think very thoughtfully about what to do.

Yeah, I mean, do you think it’s hard because NISPOM companies obviously have, I mean, they have specific requirements to do it. Do you think the companies who aren’t required to care, care or is there maybe enough legal frameworks in place about how we sell or share information with China, that kind of keeps them from doing more than they should as well?

So there’s really two parts and that’s an excellent question. The companies that don’t have a NISPOM, I think have a lot more freedom to be creative about how they create a program that matches them. The difference is does the company do it or not? And oftentimes what I’m finding is it’s depending how close they are to the threat. So take the semiconductor industry, in the news a lot in the last year, CHIPS Act, they realized they’re a lot closer to the threat, so spending a lot more time on the due diligence. Versus another company that may not have the awareness that they’re close to the threat, but might be, are probably not spending the time they need to. But I’m noticing more and more companies … I think the one positive thing out of the Russia, Ukraine incident was that companies realize that, hey, this could happen in China, Taiwan, and we better start thinking about what this means for us. And so I think those conversations have been helpful.

And we had a question come in from William, this is near and dear to my heart because it’s someone in HR asking, hey, how can HR tie in, or why does this counterintelligence NCSC piece, do they have resources for HR along with security? So I feel like this is my sweet spot with ClearanceJobs because I think the more we can all just hold hands and come together, but if your HR is in a stove pipe and your security is in a stove pipe, you probably have issues. The work that the NCSC is doing, why does it matter to HR as well as security?

Yep, great point. So in ODNI, they just hired a new HR lead and we met in held hands, as you just said. And part of our conversation was how do we make sure we tie each other and the HR and security community together at the hip, and how do we make sure that security people are sitting in the HR meetings and the HR people are sitting at the security meetings? Because when you really think about security clearance, it is a function of HR to a certain degree, and so there’s certainly a desire for us to do that at the higher levels.

But I sympathize with the person who asks that question, I do think there’s a major divide when you get out to the agencies, between HR and security, depending on what that agency is, and we have to really try to message them to sit together and talk together about these things. Because where we’re losing some time is HR passes it to security and it probably falls in a trough somewhere and it has to be pulled out, and then when security hands it back, it probably gets stuck someplace.

Yeah. Well, and Congress has given you a kick in the pants a little bit, with the IC, with the processing times and onboarding of personnel because that’s one of the things, if your company doesn’t potentially track that or if they’re tracking it and you’re responsible, that I think that’s where HR and security have to work together because if you have timelines for onboarding personnel, those two pieces of it have to come. And the last NDAA asked for the IC to get some feedback on how to speed up the hiring and onboarding. And that does involve both those elements, the personnel vetting and the security. So that’s one thing that companies can do as well. If they need a reason why, look at your onboarding times and if you have struggles there.

So I’d like to add to this. So Congress, you said Congress has given us a kick in the pants, that’s one way of putting it, I’d like to think they’re very engaged on the issue, which is positive that they’re interested in it. And the same thing with industry, I find industry is very engaged in it for the obvious reasons.

What I think would be helpful is that there’s a lot of people coming at us from different directions with their different friction points, and we only have so many resources. Like I laid out the agenda for 2023 on Trusted Workforce. In fact, we just sat with the Performance Accountability Council going through this agenda, what we can do and we can’t do. It would be really helpful for us if we can get the community to come together, not separate, and work with us to identify, hey, what are your most challenging issues, let’s prioritize the top three and what do we think we could do together in 2023 and do that every year, because otherwise we have a bunch of half baked cakes and a lot of complaints and nothing really getting done. And that’s kind of where we are today.

Yeah, no, and I think sometimes you get locked up in so many of those other initiatives and tracking and mechanisms, and don’t have a chance to see the progress that you’ve already made. So I will give you, there has been a ton of transformation and updates and things that have happened over the past several years, that you kind of just keep spinning through the cycle, and that’s what happens with change, you don’t get to sit and rest on your laurels for very long.

Yeah, it, you’re right. But you got to remember that Trusted Workforce is a iterative process and many of the things we are doing doesn’t give immediate feedback, but will make the system work in a year or two, but at the same time, the timeliness continues to go down and we’re making incremental improvements. And so I think people should know is like, hey, we’re continuing to be engaged and we’re going to be continuing to be engaged for the remainder of the decade and longer.

And our good friend Charlie Sowell is also on the call, and he asked about the Chinese police stations that are out there or kind of Chinese entities at work in the United States. Is that something that you’re kind of tracking in terms of a risk for the US population or is that more targeting the Chinese expat population that’s in the US?

So we’re tracking it, we track all the counterintelligence issues, that’s mostly in the FBI space. There’s a lot of things going on there that we’re not happy about. But one thing that I didn’t cover in my talking point, that you triggered for me is in 2023, we’re due for the rewrite of the National Counterintelligence Strategy. And we’ve actually been working on it for two years now with the interagency, FBI, CIA, DOD. And in ’23, as this rolls out, it’s not just a document where just people read it and say, “Hey, that sounds great.” We’ve already kind of laid the pipes with the National Counterintelligence Task Force, to actually implement strategy and it will address things such as the police stations and those other things. So moving out into the end of ’23 and ’24, you’re likely going to see a more coordinated counterintelligence community going after the highest parties and the highest threats.

Well, so we can’t have a conversation about counterintelligence without talking about Russia at least once. You can take your shot now everyone. So talking about Russia and their capabilities as we are still dealing with the war in Ukraine, it has not gone away. But the question specifically came in, do we think that’s reduced their threat to the US because of all of the distraction activity happening in Ukraine?

The answer is absolutely not. The Russian intelligence services is very capable, and despite the military losses that the Russians have suffered, you have to remember the sanctions are forcing them to illegally acquire technology. And we are certainly seeing an uptick in that capability, or in those efforts. And then Russia, as a cyber intrusion, is definitely another capable service. And depending on how this works out with Russia, you can’t take off the table of them doing cyber disruptions to kind of get their way. So certainly something that we’re vigilant about and concerned about.

Okay. And a question about the counterintelligence, how ODNI interacts with potentially military branches or other elements here. So I don’t know if that’s something you can speak to at all, but maybe the collaborative aspect of, obviously you kind of have mentioned on the call, of our FBI, there’s obviously all of the IC elements, ClearanceJobs has a huge DOD community as well. So maybe how is the kind of attacking some of these counterintelligence issues resolved across not just ODNI and the IC, but involving DOD partners and DOD counterintelligence elements as well?

I mentioned the CI strategy, and kind of our structure here at NCSC is by law we’re mandated to actually what we call a policy board, in which quarterly, we bring in the heads of counterintelligence agencies. And that includes USDI, army, J2, NCIS, Air Force OSI, they come to those policy board meetings. And then we have a number of, I would call them working groups beneath the policy board, that work on all these issues, that they participate in as well. And then the NCITF that the F FBI leads, is really the implementation arm and DOD, all those components have membership there. So I would say that we actually have a lot of participation from DOD and a number of our detailees on the counterintelligence side are actually from the DOD components.

Okay. Yeah, because we had another question too about the career field aspects. ClearanceJobs always has a ton of transitioning service members that come in. And so that was another question, was, hey, are there career opportunities across? I would just probably speak for your agency to say yes, if you’re probably looking for a career and you have a military background in counterintelligence, probably ODNI somewhere has a career opportunity for you.

Yeah. Come to the ODNI website, we do have job opportunities. I would tell you that it’s easier at the GS14 and below level to onboard you, a little bit more challenging at the GS15 and above, not impossible, but there is a lot of job opportunities. And if you’re already part of a community, we have a number of detailee assignments, so there’s a number of ways to work for us. And we also have a strong contracting workforce. So there’s opportunities in those kind of three areas. And that’s one thing that makes us unique, we have a mix of cadre, detailees from every agency, and then the contractors who often bring a lot of experience.

Yeah. I mean, some of my favorite people across the space have come from ODNI. So it seems like, I mean, I’m just going to throw in the commercial, you haven’t hired me yet, so clearly I’m not trying hard enough. But it does seem like you can come and serve and be really mission focused, and I’m sure it’s probably a lot of stress and a lot of activity. But I see a ton of folks who have been in ODNI and then spread out across both industry, commercial sector, private sector, other positions in government. It does seem to be a launching pad for just really smart, innovative people working across the government. So if you want a cool mission, seems like NCSC and ODNI have a lot going on.

Yeah, so first Lindy, we haven’t recruited you yet because we need you exactly where you are, doing what you’re doing. But to your point, one of the things that I think is unique about ODNI experience, you’re dealing with all sorts of interagency, you get an exposure to the whole intelligence community. And then at NCSC, we deal a lot with the non IC and the private sector. So the advantage point of what you learn, I think, is very good for anyone. And then if you leave and go on to an agency, you have that experience of what the bigger pictures are and the bigger challenges, strategy, budget, policy types up, that you don’t necessarily get at an agency.

We’ve talked about reciprocity, which is always one of those security clearance hot topics. We also had a question about interim clearance processing times – I know DOD has released theirs. The IC doesn’t do interim clearances, or am I wrong? So the question came about interim security clearance times, I don’t know if you have any thoughts, is that an option that there might … would the IC ever do interim clearances? Do they do it?

So here’s the thing that I think people have to keep in mind in the clearance conversation, because sometimes people say like, “Hey, why can’t you just have one standard for clearances?” Which is an excellent question. But then when you start unpeeling it, you realize that there’s about four million people with a clearance and how many of them just need a Secret clearance? And it doesn’t pay to give someone who just needs a Secret clearance, a Top Secret clearance, all the money that’s required to do that, it doesn’t pay to do it. And then you get into the Top Secret bucket and you have a population that doesn’t have polygraph and a population that does. And you may ask, well, why is that? Well, in certain IC agencies, they feel that given the level of access that you have to exquisite capabilities, they would like that extra level of protection.

And then for a particular entity like DOD, where they don’t always have polygraphs, their judgment is like, well, we don’t need it for what they have access to, so we’re not going to do that expense. So it’s a resource question to do those things. And so when you get into the interim things, you have to remember, when you bring someone on in an intern, you own them. And that’s where the reciprocity challenges come in. And if you come on as a, say a contractor or a joint duty and it doesn’t work out, it’s like leasing a car, it’s easier to off ramp that person and move them around, but when you hire them, HR takes over and it becomes very difficult. So when you come to interim clearances, if you take someone on and something happens to that clearance, well now what do you do about it? So this is how complicated this all is and why things aren’t as simple as we’d all like it to be.

Yeah, and it does, I mean, yeah, it’s a complicated part of the process too when it comes to that. But I do think the personal vetting questionnaire, I think will simplify that initial application process across the board. And I think all of the little steps that you can do to make some simplification for onboarding, regardless of interim, just seeing that form. I mean, again, my security clearance story is always that I worked at the Pentagon for months with the public trust, and people thought I had a secret clearance. And it’s because I was in my 20s and was dumb and had no idea there was a difference between SF85 and an SF86. When you’re filling it out, it looks the same. So I think having one form that has iterations of it already should streamline onboarding, and that’s kind of the idea of the interim process, is how can we get people onboarded, embedded efficiently, but also quickly.

So I do think when you get in the next couple years of Trusted Workforce, so the next phase really gets about transfer of trust and upgrading. So once NBIS is built and functioning, I think you’ll see how it’ll streamline this process. You’ll be able to upgrade clearances a lot easier, you’ll be able to transfer clearances a lot easier. The challenge is the system’s not built yet, and until that system is built and ready to go, we’re still going to be in this legacy transitional state for the time being.

Yeah. And then a question came about educational resources. I think those are the things that you’ve already spoken to already. So if you go to the NCSC website, they do have, again, videos, resources about the never night connection thing, the safeguarding science. I know there’s multiple buckets within that. Are there any other resources or tools that maybe folks should be aware of? Again, probably even speaking to that whole notion of how do we get HR, how do we get more functional elements within companies interested in security and not just that security team?

Yeah. So we have our website, but also I think a number of other government agencies do a really good job. CISA, although very cyber focused, I think has a pretty good website that touches into other things on insider threat, because remember, they’re responsible for protecting the critical infrastructure. And DOD does, I think a very good job. CDSE, their website is very robust in training material and just insider threat, programmatic type of stuff and all sorts of things on those websites. So I think between those, you’re pretty well covered on what I think you need from a security standpoint.

Awesome. Well, we’re getting close to time and I promised, as a former Army PAO, I keep the public affairs people happy because I know that if I break the rules, I will be in a world of hurt. But I wanted to give you a few minutes, so was there anything I didn’t ask about or didn’t touch on today that you wanted to mention or bring up before we close out?

So I always learned, when I’m asked that question, just say no. But being that you’re a safe person to be with, just for the audience, if you’re interested in being part of the government, please think about it. It’s a great career. I’ve been doing it for over 20 years. For those of you in industry who are part of the security clearing process, hey, please be patient, but please partner with us. I do think if we work together and prioritize things, we’ll get to a better spot. And then for those of you just regarding counterintelligence in the private sector, we really do have to have, this is going to be an enduring challenge and we’re going to have a really challenging decade, really trying to compete with China and Russia and others, and so we have to stay vigilant. So thank you for having me, it’s been a pleasure talking to you and happy to do it again some other time.