Continuous vetting is the most significant aspect of security clearance reform that has been accomplished in the past year. While it’s opening up opportunities for the government to identify issues sooner, it doesn’t eliminate the need for both self-reporting and reporting insider threat behaviors seen in coworkers or others.
Security Executive Agent Directive (SEAD) 3 outlines reporting guidelines for cleared personnel. The policy is fairly straightforward on what needs to be reported, but the requirement to report to ‘agency heads or designees’ can leave some clearance holders confused about who exactly to report an issue to. Whether it’s a DUI or a suspect coworker, the friction in figuring out who and how to report an issue can cause some individuals to delay or neglect the obligation altogether. For individuals with a small office structure and easy access to their company’s Facility Security Officer (FSO), it may be simple – just send Bob or Sue an email. But if you’re within a large company or agency, with multiple degrees of separation between you and your company’s security enterprise, the process can be confusing. It may be even more so if you’re a contractor working on a government site, and your company FSO is different than your agency security officer.
Here are a few do’s and don’t for security clearance self-reporting.
1. Make the request in writing.
Especially if it’s self-reporting your own issue, it will be important to report the issue in writing. DCSA has a process for FSOs to reach out to get personnel vetting status and information – but is not designed to take self-reporting requests directly from applicants. If you don’t know who your FSO is, query your human resources office or department, and they should be able to direct you. But don’t settle for just stopping by someone’s desk and mentioning your new cohabitant or criminal conduct issue. You’ll want to put the information in writing. Be brief, be specific (noting dates and any mitigating steps you’ve already taken), but don’t feel a need to overshare details that aren’t pertinent.
2. If you have an issue in a government office, report the issue directly to the government security officer.
Jack Teixeira highlights an example of how unaddressed security violations can lead to grave insider threat issues. The Manning leaks were similar. If you see something, say something – even if you’re a contractor or outside of the immediate chain of command of the individual you notice violating security processes, self-reporting policy requires you to report to the agency designee. You may want to also notify your contractor FSO, and they may be able to help connect you to their government counterpart. But you’re likely most effective to reach out directly to the human resources or government agency contact.
3. Reporting security issues is proactive, not punitive.
Many individuals fear reporting issues -about themselves, or particularly about others, because they fear a knee-jerk overreaction that will result in a denial or revocation. That’s simply not how the process works. A reported issue may not even result in further investigation – it may simply need to be noted in the security clearance system of record. If an issue does result in an investigation, and if a clearance revocation results, there is a chance to appeal the decision. Due process does apply.
In the future, under the National Background Investigation Services, there may be a process to submit a security ticket to note security issues without the juggling between government or industry contacts, and navigating which one to address for which issue. In the meantime, know if you know or see an issue that is suspicious, it’s better to report it.