IT systems for US security clearances at risk, GAO says

As the four-year-old U.S. Defense Counterintelligence and Security Agency (DCSA) continues to build out the National Background Investigation Services (NBIS) IT systems it uses to manage government-wide security clearances, it is having to rely on legacy systems for which adequate cybersecurity controls to protect against inside and outside breaches have not been established. Nor has DCSA put into effect proper privacy controls to prevent insider and other threats that could put this highly sensitive information at risk.

Alissa Czyz, director of defense capabilities and management at the U.S. Government Accountability Office (GAO), told the U.S. House Committee on Oversight and Accountability’s Subcommittee on Government Operations and the Federal Workforce several weeks ago that this makes the biometric and other personally identifiable information (PII) contained in the security clearance files of potentially millions of persons holding or applying for national security clearances, as well as those subject to continuous vetting, vulnerable to exposure and exploitation.

“DCSA has not fully planned for the cybersecurity controls needed to protect NBIS and legacy systems or fully implemented measures to manage privacy risks,” Czyz told the subcommittee. “For example, DCSA used an obsolete version of government-wide guidance to select the cybersecurity controls for six NBIS and legacy systems GAO reviewed. GAO recommended that DCSA address these gaps, as these systems may not be fully protected.”

Ironically, DCSA was stood up in 2020 because of the two breaches of the U.S. Office of Personnel Management’s (OPM) legacy systems in 2015, which glaringly demonstrated the damage that increasingly sophisticated national security cyber threats can cause. OPM was the agency that had managed the government’s security clearance processes. The penetration of the OPM computers compromised the personnel vetting files of more than 22 million federal employees and contractors, exposing untold millions of individuals’ security clearance PII.

Following the OPM breaches, the government’s security clearance management was moved from OPM and put under the control of the newly created DCSA as a component of the U.S. Department of Defense.

U.S. counterintelligence (CI) officials said following the OPM breaches that “the seriousness of [those breaches couldn’t] be underestimated,” explaining that the exposure of the identities of security clearance holders and other information that’s contained in an individual’s security clearance file could “open them up to compromise.” These same officials told Biometric Update on background that any vulnerabilities to the IT systems used to process and maintain security clearances “poses a grave threat” to national security.

Today, DCSA is the U.S. government’s largest investigative service provider, providing vetting services for a total of 95 percent of the federal government. Last year, DCSA’s Personnel Vetting mission conducted 2.7 million investigations, 10,700 investigations per day, 668,000 adjudicative decisions, and the continuous vetting of over 3.8 million people in what’s known as the “trusted workforce” – those persons holding national security clearances.

But “until NBIS is deployed,” Czyz said, “DCSA continues to use [vulnerable] legacy systems.”

GAO first placed the government-wide security clearance process on its High-Risk List in 2018 due in part to challenges with IT systems.

GAO found that DCSA:

  • Did not fully define and prioritize requirements to ensure cybersecurity and privacy in the six systems it reviewed;
  • Used an obsolete version of government-wide guidance to select the cybersecurity controls for the six NBIS and legacy systems it reviewed; and
  • Did not fully implement controls to manage privacy risks for the six systems it reviewed.

As the federal government’s primary service provider for background investigations, DCSA is tasked with ensuring the NBIS and legacy systems used in these investigations are properly secured from breaches like the 2015 OPM incidents that compromised federal security clearance files.

But while DCSA has taken steps to prepare for managing security risks to NBIS and legacy systems, it has not fully addressed key tasks in DOD’s cybersecurity Risk Management Framework (RMF), largely due to a lack of an oversight process. These key tasks include identifying all stages of the information life cycle, defining and prioritizing security and privacy requirements, performing risk assessments at both the organizational and system levels, and allocating security and privacy requirements to the appropriate systems.

The cybersecurity RMF for DOD Systems was only established in July 2022. It sets forth the cybersecurity requirements and cyberspace operational risk management functions that are to be “applied to all programs, systems, and technologies in DOD, regardless of the acquisition or procurement method,” and that “accountability for cybersecurity risk accepted within DOD must be enforced at all levels within the Office of the Secretary of Defense or DOD component in question.”

“Until DCSA’s Chief Information Officer establishes an oversight process to ensure the tasks in DOD’s Risk Management Framework’s prepare step are fully addressed, the agency’s leadership will be less able to identify, prioritize, and mitigate privacy and security risks, and important background investigation systems could be under protected,” Czyz told the subcommittee, noting that “until DCSA establishes an oversight process for confirming that control requirements have been accurately completed prior to implementation, the agency may be hindered in identifying and remediating shortfalls in privacy controls. This increases the risk that sensitive information contained in or processed by NBIS and legacy systems could be disclosed, altered, or used inappropriately.”

GAO reviewed the NBIS program in 2021 and 2023, and is expected to issue two more reports of audits by the end of this year.

“In May, I hosted Ms. Czyz and several of her colleagues to understand their methodology and analysis, and to determine any additional concerns they might have beyond those described in their reports. DCSA’s shortcomings will be set right under my direction,” DCSA Director David Cattler told the subcommittee, noting that the “OPM background investigation system had been severely compromised.”

Cattler was appointed director of DCSA in March.

Cattler admitted that “several issues with the NBIS program” were “discovered” last year during an internal DCSA assessment, the preliminary findings of a GAO report released in August 2023, and reviews led by the Office of the Under Secretary of Defense for Intelligence and Security. He said “these reviews determined there will be a delay in NBIS delivery and sunsetting of legacy IT systems, hindering the timely achievement of critical TW 2.0 milestones and the federal government’s implementation vetting reform. The analysis of the NBIS program identified several key problems including in oversight, software development methodologies, acquisition strategy, team competencies, and leadership.”

Cattler explained that “the decision in October 2020 to transfer the management of legacy information technology systems to DCSA resulted in a shift in focus towards addressing cyber security standards and compliance without additional personnel or resources to perform these duties,” and that “the cost, schedule, and performance impacts of these additional responsibilities were not assessed or reported.”

Cattler said he “directed an internal NBIS program restructuring to comply with proper governance, business, and security protocols,” and is working to strengthen NBIS’s cybersecurity as recommended by GAO.

DCSA’s Inspector General has also begun to audit the NBIS program in order to, among other things, assess whether and to what extent internal controls are in place, appropriately designed, and operating effectively to provide reasonable assurance that the performance objectives of the program are being achieved.

Cattler told the subcommittee that “cybersecurity protections” will be prioritized at DCSA “over the next 18 months,” as well as the modernization and migration of NBIS applications, the alignment of acquisition and development actions, adapting the NBIS workforce, and aligning program cost and service pricing.

The decommissioning of all DCSA legacy systems that are used to support personnel vetting isn’t expected to take place until the end of this year, according to DCSA, which only assumed control of OPM’s legacy systems three years ago. The OPM legacy systems reside on OPM’s network but are maintained by DOD personnel until they are completely replaced by the NBIS system.

Czyz told lawmakers though that “until DOD addresses the reliability of the NBIS schedule, NBIS implementation and the planned replacement of legacy systems could be further delayed.”

“DCSA originally planned for NBIS to be fully operational in 2019,” but “it continues to miss milestones,” Czyz said, noting that “although DCSA has developed and deployed some NBIS system capabilities, it has faced continued delays in its full deployment of the system, which may in turn delay the successful implementation of Trusted Workforce 2.0 reforms.”

In summary, Czyz told the subcommittee that “until DCSA fully implements our recommendations, including establishing an oversight process to enable DCSA’s Chief Information Officer to address cybersecurity planning and providing visibility into the implementation of privacy controls, NBIS and legacy systems may not be fully protected.”

DCSA must “ensure its ability to properly manage and mitigate security risks for all background investigation systems presently, and in the future,” Czyz said.
