DCSA rolls out continuous vetting for ‘non-sensitive’ federal workforce

The U.S. Defense Counterintelligence and Security Agency (DCSA) has begun a phased roll out of continuous vetting (CV) for the non-sensitive public trust (NSPT) federal workforce, which includes individuals who have non-national security positions but who as trusted insiders still pose a “high risk” to the government “through misconduct.”

Positions that are designated as public trust may involve duties and responsibilities such as rulemaking, border and aviation security, public safety and health services, law enforcement, fiduciary requirements or protection of government IT systems.

DCSA is the U.S. government’s largest investigative service provider, providing vetting services for a total of 95 percent of the federal government and the continuous vetting of nearly 4 million people who make up the “trusted workforce” – those persons holding national security clearances.

“Expansion of CV to the NSPT workforce is a critical component of federal Trusted Workforce 2.0 policy, and enhances the trustworthiness of all federal employees,” said DCSA Director David Cattler.

Trusted Workforce 2.0 is the complete overhaul of the federal government’s vetting processes for security clearance holders and the NSPT workforce. CV is replacing the periodic reinvestigations process, which were episodic checks of an individual’s reliability and trustworthiness. It is being implemented in stages, with 1.25, 1.5, and 2.0.

However, as the four-year-old DCSA continues to build out its problem-plagued National Background Investigation Services (NBIS) IT systems that eventually will be used to manage government-wide security clearances and CV for NSPT workers, it’s having to rely on legacy systems for which adequate cybersecurity controls to protect from inside and outside breaches haven’t been established, as Biometric Update previously reported.

NBIS replaces the Office of Personnel Management’s (OPM) legacy systems.

The government’s security clearance management was moved from OPM and put under the control of the newly created DCSA as a component of the Department of Defense because of breaches of the OPM legacy systems in 2015 which compromised the personnel vetting files of more 22 million federal employees and contractors, exposing untold millions of individuals’ security clearance personally identifiable information.

Cattler told the House Committee on Oversight and Accountability’s Subcommittee on Government Operations and the Federal Workforce in June that “several issues with the NBIS program” were “discovered” last year during an internal DCSA assessment and the preliminary findings of a GAO report released in August 2023, and reviews led by the Office of Under Secretary of Defense for Intelligence and Security.”

Cattler said “these reviews determined there will be a delay in NBIS delivery and sunsetting of legacy IT systems, hindering the timely achievement of critical Trusted Workforce 2.0 milestones and the federal government’s implementation of vetting reform. The analysis of the NBIS program identified several key problems including in oversight, software development methodologies, acquisition strategy, team competencies, and leadership.”

Cattler explained that “the decision in October 2020 to transfer the management of legacy information technology systems to DCSA resulted in a shift in focus towards addressing cyber security standards and compliance without additional personnel or resources to perform these duties,” and that “the cost, schedule, and performance impacts of these additional responsibilities were not assessed or reported.”

But “until NBIS is deployed, DCSA continues to use [these vulnerable] legacy systems,” the subcommittee was told by Alissa Czyz, director of defense capabilities and management at the Government Accountability Office (GAO).

“DCSA originally planned for NBIS to be fully operational in 2019,” but “it continues to miss milestones,” Czyz said, noting that “although DCSA has developed and deployed some NBIS system capabilities, it has faced continued delays in its full deployment of the system, which may in turn delay the successful implementation of Trusted Workforce 2.0 reforms.”

Cattler told the subcommittee that “we are programed out through 2030. We aim in the current plan to have the legacy system sunsetted no later than fiscal ’28.”

Dr. Mark Livingston, DCSA Assistant Director of Personnel Security, told Biometric Update this week that “legacy systems will continue to be used until NBIS is fully operational, but we’re making progress.”

NBIS is eight years behind schedule at a cost of more than $1 billion, Cattler told the subcommittee. “The total is 1.35 billion, because the remaining forty percent, which is about 575 million, was spent on sustaining [OPM’s] legacy systems to deliver the personnel vetting systems to DOD and federal agencies between fiscal ’21 and fiscal ’23.”

Czyz told the subcommittee that GAO’s “number is a little bit higher than that. In addition to that 500 million-ish that Mr. Cattler mentioned, there are also costs to OPM … we have that at a little bit over 250 million more than DCSA stated.”

Continuous vetting for individuals who hold security clearances involves automated record checks of criminal, terrorism, and financial databases, as well as public records, at any time during an individual’s period of eligibility. When DCSA receives an alert, it assesses whether the alert is valid and worthy of further investigation. DCSA investigators and adjudicators then gather facts and make clearance determinations.

The CV process is supposed to help DCSA mitigate personnel security situations before they become larger problems, either by working with the cleared individual to mitigate potential issues, or, in some cases, the outright suspension or revocation of a person’s clearance.

CV solutions in place today do not currently pull from social media, but the process may soon involve CV checks of publicly facing social media profiles.

For both clearance holders and NSPT federal employees, continuous vetting involves the near real time monitoring of federal, state, and local law enforcement agency’s automated records systems and databases for arrests and criminal activity; time and event-based investigative activity, and agency-specific information sharing, according to Heather Green, Principal Deputy Assistant Director of Adjudication and Vetting Services for DCSA.

“Criminal activity is one of the criminal data sources” that is monitored, Green acknowledged to Biometric Update, adding that more of these “types of high value data sources” will be “added” as Trusted Workforce 2.0 “progresses.”

However, unlike the continuous vetting process for security clearance holders (Confidential, Secret, Top Secret, and Top Secret/Sensitive Compartmented Information), financial records and databases are not currently included in the near real-time monitoring of the NSPT workforce.

Green explained that “access to public databases” containing credit and other financial information are currently used for the CV of clearance holders and will eventually be added to the continuous vetting of the NSPT workforce. She said “bad debt” is something that needs to be known about when it happens so that analysts understand the circumstances. “We want to work with people” on these matters because “life happens, people have unexpected medical bills, for example.” She said just because someone has unpaid debt doesn’t necessarily mean they are a security risk.

Green also said that the biometrics of the NSPT workforce isn’t yet included in their continuous vetting.

In October 2021, DCSA successfully enrolled all national security clearance holders in CV, bringing DCSA and the federal government one step closer to implementation of Trusted Workforce 2.0.

“We have over 3.8 million people enrolled in the continuous vetting program from our national security population,” Green said. “That covers seven data categories, agency specific information, and really has shown a lot of success with identifying information early and often and ensuring we mitigate those situations immediately.”

DCSA intends to be able to provide full enrollment capability for customer agencies by the end of fiscal year 2025, at which point all agencies will be able to enroll their NSPT populations into continuous vetting for alert management, real time threat analysis, and reporting. Agencies will enroll their employees based on internal adoption plans.

“When we think about what we’re delivering, it’s that trusted workforce consisting of all the federal employees, contractors, and the mission that they’re providing,” said Dr. Mark Livingston DCSA Assistant Director for Personnel Security. “We’re improving transfer of trust and reciprocity, and those are all mission enablers, and that’s what we’re trying to do as we protect our national secrets.”

“To put it into scope or comparison,” Livingston said, “what 9/11 did to aviation safety and security and what COVID did to the workplace, trusted workforce is doing that to the national security workforce. It is just monumental. These are shifts in the tectonic plates that are just huge, new, and innovative.”

Article Topics

background checks  |  biometrics  |  Defense Counterintelligence and Security Agency (DCSA)  |  identity verification  |  national security  |  U.S. Government