The security clearance process has been on and off the Government Accountability Office (GAO) high risk list for several years. The GAO high risk list flags programs ‘vulnerable to waste, fraud, abuse, or mismanagement, or in need of transformation.’ Despite the government’s Trusted Workforce 2.0 effort, the GAO continues to flag security clearance reform progress including topics like the National Background Investigation Services (NBIS), and topics like reciprocity Alissa H. Czyz, Director, Defense Capabilities and Management, discusses a recently released GAO report on the transfer of personnel security clearances.
Lindy Kyzer (00:30):
Hi, this is Lindy Kyzer of ClearanceJobs.com, and welcome. There was recently a report released by the Government Accountability Office about the security clearance reciprocity process. If you are working in national security, you have probably heard of reciprocity or now transfer of trust. The notion is that if you get a clearance, you should be able to transfer that clearance to other agencies as long as there have been security clearances. However, there have been issues with this topic of reciprocity and actually being able to transfer that eligibility without a redundancy of effort. It’s something that the government accountability office has looked into. So today we’re talking with Alissa Czyz. She is the director of the Defense Capabilities Management at the Government Accountability Office author, this recent report about security clearance reciprocity. Thank you so much, Alyssa, for chatting with me today. I really appreciate your time.
The personnel security process has been on and off the GAO’s high risk list it’s currently on. Before we kind of dive into this reciprocity report, I was hoping you could kind of talk about what it means to be on the GAO high risk list. How does a program get on there and what does that entail?
Alissa Czyz (01:39):
Happy to. So GAO has a list of high risk programs across the federal government. We have criteria for this list and really in a nutshell, it’s programs that are either at high risk of fraud, waste or abuse or in this case it’s programs that are in need of significant transformation. So you’re right, we put the government-wide personnel security clearance process on our list in 2018. It had been on their previously, we had taken it off after seeing some progress, but we put it back on in 2018 primarily for a couple reasons. One, we were seeing delays with the clearance process overall there was a lack of quality measures for the process and then also a lot of challenges for the information technology systems that agencies use to manage the personnel security clearance process. So it’s been on there for about six years now. We do an update every couple years. There’s been some progress in the area and in fact we continue to see some progress in some of the recommendations that we’ve made. But it is still on the high risk list primarily because of issues with the IT systems.
Lindy Kyzer (02:52):
You’re talking all my love languages. So I like to say I’m perpetually positive, so I appreciate progress, but IT systems I feel like shows you actually understand this process. I feel like there’s a lot of talk about the personnel security vetting process without an acknowledgement of NBIS, the National Background Investigation Services, and all of the IT systems that are underpinning it. So I appreciate hearing that talk about this reciprocity report. I wanted to discuss your latest research around this. What prompted you to write this report on security clearance reciprocity? Maybe what are some of the key findings or takeaways?
Alissa Czyz (03:22):
Sure. So this was a request from the House Committee on Oversight and Accountability. And they were interested in exactly what you previewed at the beginning of this interview, how well reciprocity was working among federal agencies. We did also look a little bit at contractors too that do work with the federal government. So we have a little bit on that, but we are primarily focused on what we call the transfer of trust, right? If somebody has a security clearance or a vetting determination at one agency and wants to take a job at another agency, that agency in general is supposed to accept that previous personnel vetting determination. So our client was interested in finding out how the process was working, the extent to which there was reciprocity and what are some of the key challenges in that area. And I should also say too, we didn’t just look at the personnel security clearance process. We looked at personnel vetting in three different areas. So one is just employment with the federal government. Another one is access to federal facilities. And for both of those areas, the Office of Personnel Management is in charge of those vetting processes. And then the third one being security clearances. So access to classified or sensitive information and the office of director of National Intelligence overseas, the security clearance process for the federal government.
Lindy Kyzer (04:48):
That’s a great nuance to point out. It’s something that comes up often at ClearanceJobs when we’re talking about this because we have the security clearance process and we know it’s very clear the policies around that. I think there’s a decent amount of transparency around the security clearance process for a program that’s all about keeping secrets. But the employment, like you said, the facilities, the suitability side of it is often we refer to that as the wild wild west of kind of the onboarding and vetting process because there can be a lot of requirements and a lot of different processes happening when it comes to suitability that aren’t necessarily a part of the security clearance process. I believe the report touched on that a little bit, but you want to speak to that suitability versus security clearance piece of it.
Alissa Czyz (05:27):
So I can back up a little bit and say the main focuses of our report. So one was looking at these three processes and the extent to which OD and I and OPM have reliable data on reciprocity. So in looking at the suitability and fitness piece of this and credentialing piece, that would be OPM that we took a look at how they’re collecting data on reciprocity in those areas. And then with ODNI, it was the security clearance process and we really found some on all sides, right? So with OPM, we found that they don’t collect information and the system, the IT system that they’re using does not collect information on reciprocity for that suitability and fitness. They have some measures that are close but not quite, but it’s a limitation of their IT system. They do, and you referenced earlier but the national Background Investigation Services system that is being developed, that system is supposed to allow for that measurement of reciprocity for suitability and fitness.
(06:32)
There is a path to get there for OPM on that issue and ODNI, though they will not be using NBIS. So the intelligence community will generally not be using that system. So it’s really important for ODNI to come up with ways to get reliable data on reciprocity. We also found with ODNI that they were requiring agencies to report to them on a number of things regarding personal security clearances, reciprocity being one of those things. But there were a number of problems that we found with the reporting from agencies. And the bottom line there was that ODNI also did not have reliable data on reciprocity for security clearances. We did make a recommendation there with ODNI to look at their data reliability practices to follow best practices that GAO has published actually for data reliability because NBIS is not going to solve the issue for ODNI
Lindy Kyzer (07:27):
And maybe that’s a good thing because I’m waiting for NBIS to solve a lot of problems that seems to, it might never happen – more on that later. But I wanted to talk a little bit about something that I thought was really interesting from the report. You kind of surveyed these agencies about this reciprocity piece and of the 31 agencies you surveyed, 17 said they sometimes don’t trust the security clearance granted by another agency. And that’s a common thing that we hear. And I think this is one of the things that Congress kind of pushes back on like, Hey, why can’t we get reciprocity? And then when you actually look at this at the agency level and find the security folks working this piece of it, you simply do not trust the investigations that other agencies are doing. So the stove pipes are very real. And again, I think sometimes they can cloak that in suitability determination so that they have these additional requirements that their agencies require, but a lot of times they won’t even lift the baseline SF 86 data and trust that to transfer over. Can you kind of speak to that kind of what this culture of distrust amongst the agencies and is there any path out of that? You’re
Alissa Czyz (08:22):
Exactly right. I mean our report kind of identified a couple of different issues. Some being technology issues with IT systems, but others being cultural issues. And this lack of trust among some agencies to accept personnel vetting decisions from other agencies was a real issue that came up in our survey and conversations with agency officials. It’s a bit of a stove pipe. Agencies have their own processes and some of them we found were redoing investigations that they were generally required to accept. Some them, you alluded to additional requirements, they had different policies for what they would accept and not accept, but this culture of not trusting each other’s decisions did come up prominently in our survey. So we did make a recommendation to OD and I to develop and implement a plan to address agency’s concerns. And we do think that doing so could lead to a greater acceptance of reciprocity and kind of speed up the onboarding for folks if they move around the federal government.
Lindy Kyzer (09:27):
When you do these reports, you’re making recommendations to often the government agencies and also sometimes there’s recommendations to Congress to kind of create maybe accountability structures. Can you kind of talk about the different deliverables or things that come out of one of your reports?
Alissa Czyz (09:40):
Sure. So yes, when we do find issues with a federal program, often our first course of action is to make a recommendation to the agency or agencies involved in that program. And we do vet those draft recommendations with the agencies prior to developing our final report. We get their perspectives. We want those recommendations to be actionable to cost efficient, doable, and implementable. So we do have a lot of conversations with the agencies and we get formal comments on our recommendations from the agencies as well. That’s usually our first course of action. If we think it’s something that Congress could get involved in helping to address the issue by passing legislation or perhaps we’ve looked at the issue for a number of years, we have recommendations and the agencies haven’t taken steps to address those recommendations, we will make what we call a matter for congressional consideration where we would suggest to Congress that they may want to require the agencies to implement our recommendations or to take some actions.
(10:49)
I will say in this area. So for NBIS, actually, we did put out a report last summer finding that NBIS did not have a reliable cost estimate or schedule to make sure that it’s completed as it should be, and we know the full costs of bringing the system on board. We did that after making a recommendation to DOD itself for the schedule. And DOD had not fully done that. So we raised that to a matter for congressional considerations. So that’s an example of where we might direct something for Congress. In this report on reciprocity, we had eight recommendations and they were split between ODNI and OPM depending on which office had responsibility for the issue that we were discussing. So whether it was suitability and fitness or whether it was the personal security clearance process.
Lindy Kyzer (11:41):
I remember reading your NBIS report and kind of what some of the takeaways were from that. It kind of appears a little bit in this issue of reciprocity because so much of what the government is saying they hope to accomplish, especially with suitability and the transfer trust piece, they’re seeing Ibis is combining a lot of these disparate IT systems, which the ability of the IT systems to communicate is one of the biggest issues. How do the reports tie in together? So you’re doing a report about ibis, does some of that research kind of carry over into what you’re doing now? Do you see those correlations between you’re looking at this system and then it ties into what you’re doing with this report on reciprocity?
Alissa Czyz (12:16):
This is key to kind of overhauling the personal vetting process for the federal government. So we’ve been following it since its development several years ago. It did surface again on the reciprocity. You’re absolutely right because some of the reasons for the challenges with reciprocity were because the IT systems for example, couldn’t record multiple personal vetting determinations. And so you need an IT system as in this is supposed to do that will correct that issue. Another issue where in this came up as needing to be there was for OPM, their system doesn’t include descriptions of somebody’s core responsibilities. And why is that important? It’s because maybe their background and things in their background, it depends on what position they’re taking. So if they’re not working, for example, in a law enforcement position, maybe having a criminal record depending on what the circumstances were, would be okay for that position they’re in, but they want to move to another position that involves law enforcement where that would not be correct.
(13:23)
But OPM system doesn’t have any details about why somebody did or did not get a personal vetting determination and what core responsibilities or position description that they had. So that’s another area where nbu will hopefully step in and correct those issues. And then another one I’ll highlight too, and it was a problem with both OPM and OD and I was the IT systems not having accurate or complete information. Sometimes that information was outdated and it’s a very manual process in some instances to enter the information that agencies and this should help to try to automate things where it can again ODNI won’t be using NBIS, but I think in general, once that system does come on board, there is potential to correct a lot of these issues.
Lindy Kyzer (14:16):
I mean the data entry point is a great piece of it. The GAO report, had a great little graph in it that I really appreciated that kind of outlined some of the key plans are addressing these challenges and plans are not addressing these challenges. The IT systems having incomplete or inaccurate information was one of them. And that’s something that comes up. And we talked about DCSA had this where they were doing this swivel chair model for a while as they were kind of getting from JPA to DISS where they’re asking folks to put in information twice. And I love the security profession, but there’s a lot of humans in that profession. So I think reports like this highlight that data entry matters. I know it can seem very mundane and rote, but it really can affect somebody’s eligibility down the road as they try to transfer trust if they have incomplete information in there just because somebody got too lazy or missed the mark. But we see that all the time at clearance jobs, kind of those employment impacts as a result of just simple things like not having great data and IT systems management and accountability around that. So I do appreciate that your report highlights that and I hope across workforces they kind of highlight that of saying it’s a simple thing, but kind of having better data management around this and making sure records are complete to the extent that they’re built are usually helpful.
Alissa Czyz (15:28):
And we found that with ODNI’s process too with these agencies having to report to ODNI about personnel security clearances. There was a lot of inconsistent reporting. Some of the agencies were kind of rolling up all of their data at a headquarters level. Others were reporting by component. Some of them weren’t filling out all of the data fields. Some of them didn’t know that they had to report certain things. So it was a very manual process there as well. And that kind of led to OD and I not having reliable data on reciprocity for the security clearance process too. Definitely agree the more automation and less reliability on manual processes has the potential to improve things.
Lindy Kyzer (16:12):
Even just simple things like not allowing an incomplete record to be put in the system. I think there’s hopefully a lot, I think we’re hoping that NBIS can accomplish a lot. Your report was certainly significant when it was released, and I think we’re seeing some of that come into fruition because without the lack of accurate timelines and cost estimates, I feel they keep kicking the can out on that. So we’re like, will it ever come? I do not know, but I think that’s one of the key reasons why we’re going to see the personnel vetting process continue to be on this high risk list for a while until they kind of get that system in place.
Alissa Czyz (16:46):
On a positive note, DCSA did agree with the findings of that report that they do need to have a cost estimate and a reliable schedule. So we know that they are working toward that, which is a good thing. They’re not quite there yet, but again, are seeing progress. So we’re hopeful that they will get that soon.
Lindy Kyzer (17:05):
I’m rooting for DCSA, I’m also not going to hold my breath, I’m allowed to say that. Are there other projects or things that you’re working on? I’ve seen this NBIS report, reciprocity, when it comes to the research on personnel vetting or kind of the things that the GAO is looking into. Are there other key areas that you’re currently exploring or topics or issues around this process that are within your research purview right now?
Alissa Czyz (17:27):
So we continue to follow up on our high risk area and have regular conversations with OMB and OPM and ODNI on the personal security clearance process and personal vetting process as part of our high risk. We also have two new reviews that have just started. One is for the House Services Committee and we are looking at, interestingly, timely for this conversation, the reliability of data in the personal security process. So we’re going to really dig into what data do agencies have, how are they capturing that data and what ODNI is doing to improve the reliability. So it’s kind of a jumping off point from this report. The second review that we’re starting up, we’ll be reporting both to the armed services committees and the intelligence committees on looking at Trusted Workforce 2.0. And we were asked to do a survey of customers of Trusted Workforce 2.0 and get their perspectives on how that transition is going and if there are any challenges there too.
(18:36)
So we’ll be surveying some select federal agencies and contractors and perhaps even some applicants to get a range of perspectives. So we have both of those things that we’re just starting up. They’re very early in the process, but we’ll be reporting on those later on.