Security Clearances and Access Issues
THE ISSUE OF who gets security clearances has been in the news recently in connection with the Edward Snowden National Security Agency domestic surveillance program leaks and the Aaron Alexis Navy Yard mass shooting. Both individuals held security clearances but several red flags made their cleared statuses questionable. Following the Alexis shootings, Defense Secretary Chuck Hagel announced that the Department of Defense (DoD) would conduct reviews of the process to close any security gaps.
Currently, there are three basic or broad levels of clearance: confidential, secret, and top secret.
Agencies may have many other designations. For example, the Department of Energy includes additional clearances to allow access to nuclear material such as nuclear weapons.
The process of granting a person a clearance is intended to evaluate such traits as loyalty to the United States, honesty, trustworthiness, judgment, and freedom from conflicting allegiances. According to the Congressional Research Service (CRS), the federal government’s Office of Personnel Management, Federal Investigative Services oversees more than 90 percent of the background investigations, but “the actual investigations, for the most part, are conducted by private investigation firms,” as was the case with Snowden and Alexis.
CRS lists some key steps in this information collection process. It includes an extensive application, a background investigation (the extent of this investigation is determined by the level of clearance the agency is seeking), an adjudication process to determine whether the individual will be cleared, and periodic reinvestigations. The adjudicator tends to be within the agency seeking the clearance, with the military adjudications under the DoD.
Based on the numbers, it is not surprising that problems have occurred. According to a recent report from the Office of the Director of National Intelligence, as of October 1, 2012, 4.9 million individuals held a security clearance at some level. Nearly 800,000 of those individuals were approved in 2012.
Until recently, most of the attention was on the issue of clearances taking too long to be granted. The clearance process in fiscal year 2012 for the fastest 90 percent of applicants took from one day to 500 days. The Department of State awarded the clearances most quickly on average while the CIA took the longest.
Apart from general backlogs, among the specific issues that were cited in delaying individual security clearances were financial troubles, drug involvement, and allegiance to the United States. CRS names 13 adjudicative standards agencies must use in assessing clearance applications, including foreign influence, sexual behavior, and misuse of technology. But, according to Dan McGarvey, director of security programs at Global Skills XChange (GSX) who dealt with security clearance issues in his past position as Chief Security Officer at the United States Air Force, what may be a disqualifying factor for one agency may not be for another. So, for example, using drugs is a definite deal breaker for obtaining a clearance at the Drug Enforcement Agency. However, some other agencies will allow minor drug use “because it’s so common nowadays that we wouldn’t have anybody to clear virtually if we didn’t,” McGarvey says.
There is a reciprocity rule that states that agencies must accept clearances from other agencies, but there are exceptions to those rules, and CRS points out that it is unclear how much reciprocity truly occurs.
When a clearance is not granted or is revoked, the applicant will receive a statement explaining why. The applicant can then challenge the findings.
But as with routine preemployment background checks, one of the challenges of security clearances is getting access to all of the relevant data, says McGarvey. He says that was an issue with the Alexis background check, where he says adjudicators appeared to have insufficient information.
“Whether that was because of the lack of the investigative quality, or whether the information just wasn’t there at the time, it’s hard to say. The challenge is getting local and state data into the system. Because some states do a very good job, some states do a very poor job,” says McGarvey.
There is also the question of whether background checks are done as claimed. Reuters reported after the Navy Yard shooting that its research turned up evidence of 350 reports of faulty or falsely represented background investigations in connection with federal security clearances between 2004 and 2012.
“Information about health and mental illness is a whole different category. It falls under HIPAA, [the Health Insurance Portability and Accountability Act], and some states provide that [information] freely and some states don’t,” McGarvey explains. A lot of that information appears not to have been provided in the case of Alexis, he notes. “So that’s what made it very difficult for the whole process to take place.”
Additionally, the Alexis case has brought up the question of whether clearances are granted for too long a period. At the top secret level, reinvestigation occurs every five years; at secret level, every 10 years; and at confidential level, every 15 years. Many of the offenses that might have been red flags during an active background check investigation occurred after Alexis had received his initial clearance and before he was due for another check.
The security director for the contractor says he would advocate reinvestigating every five to seven years for everybody. “A lot can happen in 10 years. People can be arrested, they can deteriorate mentally, they can experience significant financial problems, so a person’s status can change significantly in 10 years.”
McGarvey suggests what he calls continuous evaluation, which would either periodically or constantly take a look at certain key indicators that might raise red flags, although it would rely on well-trained people with direct contact with the individual to note behavioral indicators that the individual should be re-evaluated. But he says more research is needed as to whether investigators are looking at the right factors in the first place. “The challenge is that we’re still looking at process rather than content. And so, we don’t know for sure if we’re looking at the best indicators,” McGarvey notes.
Separate from the issue of having access to confidential information is the simple right to access a military site. In a report from the DoD Inspector General on Navy Commercial Access Control Systems mitigation of access control risks—which happened to have been issued after the Navy Yard shooting, though it was conducted before it occurred—the IG notes that 52 convicted felons who were contract workers (not necessarily with security clearances) received routine access to Navy sites because their initial background checks, conducted by a third-party vendor using publicly accessible databases, did not uncover the convictions. These checks were done annually, rather than only at 10-year intervals, as is the case with the security clearances, and some subsequent checks turned up felonies missed on the first check. Among the problems, said the IG, was that the Commander, Navy Installations Command (CNIC)—which is responsible for overseeing physical security at Navy installations, attempted to reduce costs by asserting that certain standards did not apply, which meant that the individuals weren’t run through the FBI’s criminal database or the Terrorist Screening Database as should have been required. And even public database searches were too limited by location—all of which resulted in felonies or other possible disqualifiers being missed. The report calls for an end to the issuance of access credentials to Navy contractors based solely on public records searches.