Legislation announced last week puts the spotlight on the number of individuals with a security clearance. Section 9 of the Sensible Classification Act of 2023 states the ‘sense of the Senate’ that the number of individuals with access to classified information is too high. The legislation echoes statements made by members of congress in the wake of Massachusetts Air National Guardsman Jake Teixeira’s alleged leak of classified information, who have called the number of individuals with security clearance ‘crazy’ and ‘too high.’
Congress continues to cite the four million figure when talking about the number of individuals with a security clearance. Within that it cites a figure of 1.2 million individuals with a Top Secret security clearance and asks why so many individuals should need access to classified information.
The number of individuals with security clearances came up in a March hearing of the Senate Select Committee on Intelligence. When pressed by Senator John Cornyn on how they determine the number of security clearances issued, Deputy Director of National Intelligence Stacy Dixon clarified that congress provides the authorizations for the number of government personnel, and the number of contractors are hired based on the scope of the work. “The initial number is authorized by congress,” she emphasized.
Security Clearance Supply Demand Metrics
Today, the demand for cleared talent based on government contracting and position requirements far outpaces supply. Proposed legislation cuts the supply even further – without first addressing the demand. Existentially, addressing overclassification will help to draw down the demand for cleared talent – but addressing overclassification without re-writing current proposals and government contracts which have existing labor categories calling for a security clearance does nothing to help the demand issue – it only puts further pressure on both contractors and government agencies and supports a poaching environment for talent.
Terminology also matters here – does congress truly want to reduce the number of individuals with a security clearance, or simply tighten need to know? The former only increases the security risk by allowing unvetted individuals to be in facilities or around information that could be compromised. I’m a perfect example of this – I worked in the Pentagon for several years and I believe only once actually laid my hands on classified information. Did I need a security clearance? Not necessarily. But I did need to be eligible for one – due to the nature of my work, the information I had access to based on meetings and proximity, and in order to be able to assist when an issue occurred that would have demanded my expertise. My having a security clearance was less about my need to access classified information, and more about the government’s need to establish my capacity to maintain trust. It established that I was someone the government trusted with information – and also created penalties for my breaking that trust.
Do we Care About credentials or not?
Working in the government hiring space, I frequently hear conversations around credentialing. The government is barreling toward Cybersecurity Maturity Model (CMMC) compliance. The idea is that the government can’t simply trust that the contractors supporting it are keeping their cyber house in order – they’re going to require them to meet specific standards in order to be awarded contracts. For candidates, DoD 8140 is a basic credential required for many cyber jobs.
A security clearance doesn’t open up the crown jewels of the government’s secrets – at least it’s not supposed to. It’s designed to award eligibility. Does this person, or position, potentially require access to classified information? It is a credential that tells the government a person understands the critical role of protecting national security and protected information. A blanket request to slash the number of security clearances is saying, ‘hey, we’d rather not have individuals who understand how to protect classified information.’ And until contract requirements are changed, the demand vector for access to classified information won’t change at all.
Focusing on the people and the security process is the ‘known-known’. Unfortunately, it’s not the thing that addresses security or makes classified information safer. Protect the data at the document, and ensure you have a workforce qualified for the critical national security function it’s designed to perform. Current legislation is it’s proposed will have a vastly negative impact on the industry, the workforce, and the diversity and inclusion of our national security community. It will give us fewer professionals vetting for trust – and more employees with the potential to harm national security through a government mandate that reduces the supply of professionals in its talent pool without addressing the demand.