Pentagon’s background check overhaul drags into second decade

The Pentagon’s marquee effort to modernize the federal government’s background investigation system is once again under scrutiny after a decade of delays, cost overruns, and unresolved security gaps.

The stakes are immense. Background investigation files contain not only basic identifiers like Social Security numbers and dates of birth, but also the most intimate details of an individual’s life.

The Government Accountability Office warned this week that the National Background Investigation Services (NBIS) program remains years from completion, even as it absorbs billions of dollars and continues to depend on outdated systems that expose millions of sensitive personnel files to risk of breaches and insider access.

Financial records, travel histories, drug use, foreign contacts, and psychological evaluations can all be part of the investigative record of individuals seeking or given a security clearance. If compromised, this data provides foreign intelligence services with a roadmap for coercion or recruitment. It also presents criminal opportunities, from identity theft to financial fraud.

GAO presented its latest audit of NBIS to the House Oversight Subcommittee on Government Operations. It lays out a system that has repeatedly failed to deliver on its promises.

Originally envisioned as a modern, secure IT platform to replace the legacy infrastructure compromised in the infamous 2015 Office of Personnel Management (OPM) hack, NBIS was supposed to be fully operational by 2019. Now, GAO projects that major development will not be complete until at least fiscal year 2027.

The cost of delay is staggering. Between 2017 and 2024, the Department of Defense (DOD) spent $2.4 billion developing NBIS and propping up older systems. It is estimated that it will take another $2.2 billion through 2031, pushing the program’s total bill to more than $4.6 billion.

The urgency behind NBIS stems from one of the most damaging cyber incidents in U.S. history. In 2015, hackers believed to be linked to China breached OPM databases, compromising the background investigation files of over 22 million federal employees and contractors.

The files included Social Security numbers, addresses, fingerprints, and in some cases sensitive details about family members, finances, and even mental health – exactly the kind of data hostile intelligence services prize for recruiting or blackmailing potential assets.

The OPM breach demonstrated how dangerous such exposures can be. Intelligence experts have long warned that the data stolen in 2015 could be used for decades to identify patterns, track career trajectories, or pressure individuals who gain access to sensitive positions. The continuing delays in NBIS raise fears that similar vulnerabilities remain unresolved.

The breach shattered confidence in the federal government’s personnel vetting process. In its wake, Congress reassigned responsibility for vetting IT systems to the Department of Defense, which created the Defense Counterintelligence and Security Agency (DCSA) to manage them.

The Pentagon promised to build a new system that would not only secure sensitive data, but would also deliver sweeping reforms through an initiative known as Trusted Workforce 2.0, which was launched in 2018 as a significant reform of the government’s personnel vetting system.

It’s a whole-of-government approach to reform the personnel security process and establish a single vetting system. Continuous vetting, part of Trusted Workforce 2.0, aims to identify risks earlier.

Trusted Workforce 2.0 aims to shorten clearance timelines, ease transfers between agencies, and expand continuous vetting to provide real-time monitoring of federal personnel for potential risks. It was a recognition that background investigations conducted once every five or ten years were inadequate in an era of rapid digital change, financial volatility, and heightened foreign espionage threats.

NBIS was slated to replace OPM’s legacy systems by 2019, but deadlines slipped year after year. By 2023, DCSA conceded that it could not meet critical milestones for Trusted Workforce 2.0. In early 2024, the agency paused NBIS development altogether and announced a new plan: rather than building a system from scratch, it would migrate personnel data to the cloud and modernize legacy code.

Even under this revised approach, NBIS remains years from delivery. GAO now projects full modernization will not occur until at least 2027, while Trusted Workforce 2.0 implementation has been pushed from 2026 to 2028.

The stop-and-start development has not only delayed reform but also left the government reliant on outdated infrastructure. GAO noted that DOD spent $1.3 billion between 2017 and 2024 simply to maintain OPM’s old systems, such as the Personnel Investigation Processing System, alongside DOD’s own Defense Information System for Security.

NBIS’s financial trajectory has alarmed Congress. GAO found that cost estimates have repeatedly failed to meet best practices for reliability, and schedules have been “minimally” aligned with standards for managing large software programs. In past reports, auditors urged Congress to consider mandating DOD to produce reliable estimates to avoid further spirals.

Oversight has been inconsistent. In 2024, DOD transferred some authority for NBIS to the Office of the Under Secretary of Defense for Acquisition and Sustainment to stabilize management. It also created the NBIS Requirements Governance Board to ensure end-users from 115 federal agencies and more than 13,000 contractors have a voice in shaping priorities.

But leadership changes have created instability.

DCSA director David M. Cattler, who paused and restructured the program in 2024, is preparing to depart September 30, raising fears of another disruption. GAO warned that without a qualified successor committed to carrying reforms forward, progress could unravel and costs could climb even higher.

The central irony of NBIS is that a system meant to fix vulnerabilities created by the OPM breach continues to suffer its own security shortfalls. A 2024 GAO review found that NBIS and its legacy systems had not fully implemented required cybersecurity protections or privacy controls. Among the gaps were outdated Privacy Impact Assessments, incomplete risk assessments, and reliance on older security standards.

While DOD has since acted on 13 GAO recommendations to address these deficiencies, auditors stressed that they are still reviewing whether the fixes are effective in practice.

Another report due later this year will assess whether NBIS systems now meet federal cybersecurity standards.

The consequences of NBIS delays are felt across government and industry. In a GAO survey earlier this year, one-third of federal agencies reported that delays in NBIS were disrupting their ability to implement Trusted Workforce 2.0. Contractors said inefficiencies in the IT systems increased their workloads, as they had to maintain duplicative processes across legacy platforms.

In July, DCSA leaders acknowledged internal assessments revealing oversight failures, staffing shortages, and software development problems. The Department of Homeland Security has been hamstrung by reliance on DCSA’s delayed systems, slowing its clearance process and stalling reforms.

The ripple effects are particularly acute for agencies that need to bring new personnel on board quickly. Security clearances are often a prerequisite for critical national security roles. Delays in background checks can keep qualified hires idle for months, undermining readiness in areas from cybersecurity to counterterrorism.

Despite the setbacks, there are signs of progress. DCSA has released a public product roadmap outlining the release and testing of new NBIS capabilities, including the long-delayed electronic application system known as eApp. The agency has also stepped-up engagement with stakeholders, holding quarterly updates and incorporating user feedback into planning.

GAO acknowledged that DCSA has made strides in implementing past recommendations, particularly on cybersecurity. Independent cost estimates have been conducted, and the use of new software tools to track Agile development represents an improvement over prior scheduling methods.

However, GAO stressed that success ultimately depends on sustained leadership. With the current DCSA director departing, Congress and the Pentagon face a pivotal moment. Without continuity at the top, NBIS could slip further behind, extending reliance on vulnerable legacy systems and pushing costs still higher.

The warning is stark. If the government cannot modernize its personnel vetting systems, it risks repeating the very failures that led to the OPM breach. Sensitive files on millions of employees and contractors remain in play, and every year of delay is another year of exposure.

Article Topics

background checks  |  cybersecurity  |  data protection  |  identity theft  |  U.S. Government