Government-wide Personnel Security Clearance Process – High-Risk Issue
A high-quality and timely personnel security clearance process is essential to help identify and assess information about individuals with criminal histories or other questionable behavior and to minimize the risks of unauthorized disclosures of classified information. The government-wide personnel security clearance process is a new high-risk area GAO added in 2018 due to delays in processing clearances and the need for quality measures throughout the process, among other concerns.
The executive branch has been unable to process personnel security clearances within established timeliness objectives—the percentage of executive branch agencies meeting investigation and adjudication objectives for initial secret clearances, initial top secret clearances, and periodic reinvestigations decreased from fiscal years 2012 through 2018. Further, there is a significant backlog of background investigations to determine clearance eligibility, which the Office of Personnel Management’s (OPM) National Background Investigations Bureau (NBIB) reports to be approximately 528,000 cases as of March 2019. GAO added the government-wide personnel security clearance process to the High-Risk List in 2018 due to significant challenges related to the timely processing of security clearances, completing the development of quality measures, the implementation of key initiatives of the security clearance reform effort, and IT security.
Figure: National Background Investigations Bureau’s Backlog of Background Investigations, August 2014 to March 2019
The Security Clearance, Suitability, and Credentialing Performance Accountability Council (PAC) is the government-wide entity responsible for overseeing and driving the implementation of security clearance reform, among other reform efforts. In April 2019, the President signed an Executive Order providing for the transfer of the background investigation function from NBIB to the Department of Defense (DOD), to begin no later than June 24, 2019. It is unclear what financial and investigative resources are required for the transfer, as an implementation plan has not yet been completed. In addition to ensuring a smooth, cost-effective, and timely transfer, the PAC faces challenges in four key areas:
- Clearance processing delays. Our analysis of timeliness data reported by specific executive branch agencies showed that the percentage of executive branch agencies meeting established timeliness objectives for initial security clearances decreased from fiscal years 2012 through 2018, and reporting has been limited. For example, 59 percent of the executive branch agencies reviewed by GAO reported meeting investigation and adjudication timeliness objectives for initial top secret clearances in fiscal year 2012, compared with 8 percent in fiscal year 2018.
- Lack of quality measures. While the executive branch has taken some steps to address government-wide performance measures for the quality of background investigations—including establishing quality assessment standards and a quality assessment reporting tool—it is unclear when this effort will be completed. At a minimum, the PAC needs to establish a milestone for the completion of this effort. Furthermore, the executive branch has not taken steps to develop performance measures for the quality of adjudications.
- Security clearance reform delays. The executive branch has reformed many parts of the personnel security clearance process, such as establishing common adjudicative criteria to be used when determining eligibility for a security clearance. However, some long-standing key initiatives remain incomplete—such as completing plans to fully implement and monitor continuous evaluation of eligibility for a security clearance.
- IT security. DOD is responsible for developing, operating, and continuously modernizing systems that support background investigation processes, and officials stated it is identifying system capabilities. However, DOD is concerned about the security of connecting to OPM’s legacy systems since a 2015 data breach compromised OPM’s background investigation systems and files for 21.5 million individuals. As of December 2018, OPM had not taken action on recommendations to update its security plans, evaluate its security control assessments, implement additional training opportunities, and update performance measures.
GAO-19-157SP: Published: Mar 6, 2019. Publicly Released: Mar 6, 2019.
Every 2 years, we report on federal programs and operations that are vulnerable to waste, fraud, abuse, and mismanagement, or that need broad reform—our High Risk List. Our 2019 report reviews the status of areas on the list and outlines steps to lasting solutions. The ratings for over half of the 35 areas on our list remain unchanged. Since our last update, 7 areas improved and 3 regressed. We...
GAO-18-431T: Published: Mar 7, 2018. Publicly Released: Mar 7, 2018.
Executive branch agencies have made progress reforming the security clearance process, but long-standing key initiatives remain incomplete. Progress includes the issuance of federal adjudicative guidelines and updated strategic documents to help sustain the reform effort. However, agencies still face challenges in implementing aspects of the 2012 Federal Investigative Standards—criteria for cond...
GAO-18-29: Published: Dec 12, 2017. Publicly Released: Dec 12, 2017.
Executive branch agencies have made progress reforming the security clearance process, but long-standing key initiatives remain incomplete. Progress includes the issuance of common federal adjudicative guidelines and updated strategic documents to help sustain the reform effort. However, agencies face challenges in implementing certain aspects of the 2012 Federal Investigative Standards—criteria...
GAO-18-117: Published: Nov 21, 2017. Publicly Released: Nov 21, 2017.
In October 2016, the Office of the Director of National Intelligence (ODNI) took an initial step to implement continuous evaluation—a process to review the background of clearance holders and individuals in sensitive positions at any time during the eligibility period—across the executive branch, but it has not yet determined key aspects of the program, and it lacks plans for implementing, mon...
GAO-17-614: Published: Aug 3, 2017. Publicly Released: Aug 3, 2017.
Since the 2015 data breaches, the Office of Personnel Management (OPM) has taken actions to prevent, mitigate, and respond to data breaches involving sensitive personal and background investigation information, but actions are not complete. OPM implemented or made progress towards implementing 19 recommendations made by the United States Computer Emergency Readiness Team (US-CERT) to bolster OPM's...
GAO-16-501: Published: May 18, 2016. Publicly Released: Jun 21, 2016.
In GAO's survey of 24 federal agencies, the 18 agencies having high-impact systems identified cyber attacks from “nations” as the most serious and most frequently-occurring threat to the security of their systems. These agencies also noted that attacks delivered through e-mail were the most serious and frequent. During fiscal year 2014, 11 of the 18 agencies reported 2,267 incidents affecting...