The hackable technology and outdated screening methods used in the clearance process merit its return to the government’s list of most vulnerable programs.
The government’s system for providing and updating security clearances is among the 35 highest risk programs in government, a congressional auditor said Thursday.
The clearance process, which has been rocked by multiple data breaches and struggles with mammoth backlogs, is no stranger to the Government Accountability Office’s high-risk list, which highlights programs likely to be mismanaged or abused, or most in need of transformation.
The system was first added to the list in 2005 but was removed in 2011 after making “substantial progress” on many of its ongoing problems, a GAO spokesman said.
Among GAO’s top concerns is that vulnerabilities in legacy information technology systems that house clearance data leave it susceptible to hacking.
Responsibility for managing those systems was transferred after the 2015 Office of Personnel Management data breach to a new organization, the National Background Investigations Bureau, which is housed inside OPM but secured by the Defense Department.
The investigations bureau is still burdened by OPM’s legacy IT infrastructure as it stands up replacements, though, GAO found.
The OPM breach compromised highly personal records, including disclosures about financial and sexual activity, of more than 20 million current and former federal employees and their families.
The office, including its investigations bureau, recently received a cybersecurity score of 2 out of 5 in a report compiled by its own inspector general.
USIS, a contractor that provided security clearances, suffered its own data breach in 2014, which helped to spike the clearance backlog. That backlog of incomplete clearance investigations had grown to 709,000 by September 2017, according to GAO.
The decision to return the system to GAO’s high-risk list was also influenced by slow progress modernizing the clearance process, which relies heavily on a decades-old model of in-person interviews with a current or prospective employee’s friends and neighbors.
Those interviews are re-conducted every five or 10 years.
Intelligence and defense officials have piloted an updated process, called continuous evaluation, which relies on regular checks of public information, such as credit, property and arrest reports. Agencies are far behind in perfecting those systems or rolling them out more broadly, however, the office found.
Advocates say a continuous evaluation model would not only be faster and cheaper but would also better reflect the contemporary world in which people move frequently and rarely know their neighbors well.
The clearance process has also taken flak for not spotting employees such as National Security Agency leaker Edward Snowden and Navy Yard shooter Aaron Alexis.
“A high-quality and timely personnel security clearance process is essential to minimize the risks of unauthorized disclosures of classified information and to help ensure that information about individuals with criminal histories or other questionable behavior is identified and assessed,” GAO head Gene Dodaro said in a statement.
Dodaro will send a letter outlining the office’s concerns to top officials at OPM as well as in the intelligence community, Defense Department and the White House Office of Management and Budget, the office said.
The Professional Services Council, which advocates government efficiency, applauded GAO's move and urged Congress and the executive branch to commit resources to reducing the clearance backlog.
Sen. Mark Warner, D-Va., ranking member on the Senate Intelligence Committee, said the move "reaffirms what we all have known for the last several years: our current clearance system is broken."