When the Information Security Oversight Office (ISOO) drops its annual report, it doesn’t usually trend on TikTok. But for the cleared community, this year’s FY 2024 Annual Report is packed with insights that hit close to home: ballooning clearance costs, classification headaches, and the slow-burn rollout of CUI (Controlled Unclassified Information).
What does it all mean for security clearance policy and for the professionals and contractors who live and breathe this ecosystem?
Clearance Investigation Cost Confusion
The Information Security Oversight Office (ISOO) tracks cost data for the Classified National Security Information (CNSI) system each year, but recent numbers highlight just how volatile those figures can be. Reported agency spending on security clearance investigations and reinvestigations has swung wildly: $1.5 billion in FY 2021, $714 million in FY 2022, $300 million in FY 2023, and then back up to more than $983 million in FY 2024. These sharp fluctuations — sometimes more than 200% year-over-year — raise questions about whether agencies are using different accounting methods or whether actual spending is truly this inconsistent. Either way, the lack of stability makes it difficult to draw reliable long-term conclusions about clearance costs across the government.
Classification Guidance Still Needs Work
ISOO inspectors keep finding the same problems: classification guides that are missing, outdated, or just sloppy. Some agencies even failed to remove personnel who didn’t complete required security training.
For cleared professionals, this translates to real risks. If classification rules are inconsistent, you’re left in the dangerous middle ground of overclassifying (slowing the mission) or underclassifying (risking exposure). Neither is sustainable.
CUI Implementation: Halfway There
Controlled Unclassified Information (CUI) was supposed to standardize how sensitive but unclassified data is handled. Agencies are making progress, but adoption is patchy — about half have policies in place, fewer have fully implemented physical and IT safeguards.
If you’ve ever bounced between contracts and noticed CUI rules change at every stop, you’re not imagining it.
For contractors, this means uneven expectations across programs. Companies that can demonstrate they understand and comply with CUI standards will stand out in competition.
Oversight Is Getting Smarter (and Tougher)
ISOO isn’t standing still. They’re refining how they inspect agencies, folding classification guide reviews into onsite visits, and using risk-based models to focus on the biggest problem areas.
That means agencies, and by extension, their contractors, can expect more scrutiny. For cleared professionals, it’s another reminder: compliance isn’t optional.
Looking Ahead for classification reform
The ISOO FY 2024 report is a snapshot of a system under stress, but also evolving. Clearance processes are expensive, unclearly tracked, and strained, classification needs modernization, and CUI is still maturing. But the through-line is clear: trust and compliance remain the foundation of national security work.
As we look toward AI, advanced tech, and ever-more complex missions, one thing won’t change: the need for a cleared, vetted, and trusted workforce.
The challenge is substantial, to shift the structures – and cultures – of a system that has operated largely unchanged for over seventy years,” wrote Michael Thomas, director of the Information Security Oversight Office in his letter to the President to introduce the wrote. “But it is a challenge that is more than balanced by the scale of the opportunity that awaits us, when we, with your leadership, unlock the full value of our information, making good on our promise of efficient, effective government, and in so doing, advancing America’s security, prosperity, and values.”
