[DOCID: f:hr767.107] From the House Reports Online via GPO Access [wais.access.gpo.gov] 107th Congress Report HOUSE OF REPRESENTATIVES 2d Session 107-767 _______________________________________________________________________ Union Calendar No. 482 DEFENSE SECURITY SERVICE: THE PERSONNEL SECURITY INVESTIGATIONS [PSI] BACKLOG POSES A THREAT TO NATIONAL SECURITY __________ SIXTH REPORT by the COMMITTEE ON GOVERNMENT REFORM <GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT> Available via the World Wide Web: http://www.gpo.gov/congress/house http://www.house.gov/reform October 24, 2002.--Committed to the Committee of the Whole House on the State of the Union and ordered to be printed COMMITTEE ON GOVERNMENT REFORM DAN BURTON, Indiana, Chairman BENJAMIN A. GILMAN, New York HENRY A. WAXMAN, California CONSTANCE A. MORELLA, Maryland TOM LANTOS, California CHRISTOPHER SHAYS, Connecticut MAJOR R. OWENS, New York ILEANA ROS-LEHTINEN, Florida EDOLPHUS TOWNS, New York JOHN M. McHUGH, New York PAUL E. KANJORSKI, Pennsylvania STEPHEN HORN, California PATSY T. MINK, Hawaii JOHN L. MICA, Florida CAROLYN B. MALONEY, New York THOMAS M. DAVIS, Virginia ELEANOR HOLMES NORTON, Washington, MARK E. SOUDER, Indiana DC STEVEN C. LaTOURETTE, Ohio ELIJAH E. CUMMINGS, Maryland BOB BARR, Georgia DENNIS J. KUCINICH, Ohio DAN MILLER, Florida ROD R. BLAGOJEVICH, Illinois DOUG OSE, California DANNY K. DAVIS, Illinois RON LEWIS, Kentucky JOHN F. TIERNEY, Massachusetts JO ANN DAVIS, Virginia JIM TURNER, Texas TODD RUSSELL PLATTS, Pennsylvania THOMAS H. ALLEN, Maine DAVE WELDON, Florida JANICE D. SCHAKOWSKY, Illinois CHRIS CANNON, Utah WM. LACY CLAY, Missouri ADAM H. PUTNAM, Florida DIANE E. WATSON, California C.L. ``BUTCH'' OTTER, Idaho STEPHEN F. LYNCH, Massachusetts EDWARD L. SCHROCK, Virginia ------ JOHN J. DUNCAN, Jr., Tennessee BERNARD SANDERS, Vermont JOHN SULLIVAN, Oklahoma (Independent) Kevin Binger, Staff Director Daniel R. Moll, Deputy Staff Director James C. Wilson, Chief Counsel Robert A. Briggs, Chief Clerk Phil Schiliro, Minority Staff Director Subcommittee on National Security, Veterans Affairs and International Relations CHRISTOPHER SHAYS, Connecticut, Chairman ADAM H. PUTNAM, Florida DENNIS J. KUCINICH, Ohio BENJAMIN A. GILMAN, New York BERNARD SANDERS, Vermont ILEANA ROS-LEHTINEN, Florida THOMAS H. ALLEN, Maine JOHN M. McHUGH, New York TOM LANTOS, California STEVEN C. LaTOURETTE, Ohio JOHN F. TIERNEY, Massachusetts RON LEWIS, Kentucky JANICE D. SCHAKOWSKY, Illinois TODD RUSSELL PLATTS, Pennsylvania WM. LACY CLAY, Missouri DAVE WELDON, Florida DIANE E. WATSON, California C.L. ``BUTCH'' OTTER, Idaho STEPHEN F. LYNCH, Massachusetts EDWARD L. SCHROCK, Virginia Ex Officio DAN BURTON, Indiana HENRY A. WAXMAN, California Lawrence J. Halloran, Staff Director and Counsel J. Vincent Chase, Chief Investigator Jason Chung, Clerk David Rapallo, Minority Counsel LETTER OF TRANSMITTAL ---------- House of Representatives, Washington, DC, October 24, 2002. Hon. J. Dennis Hastert, Speaker of the House of Representatives, Washington, DC. Dear Mr. Speaker: By direction of the Committee on Government Reform, I submit herewith the committee's sixth report to the 107th Congress. The committee's report is based on a study conducted by its Subcommittee on National Security, Veterans Affairs and International Relations. Dan Burton, Chairman. (iii) C O N T E N T S Page I. Summary..........................................................1 Findings................................................. 1 Recommendations.......................................... 2 II. Background.......................................................2 III. Discussion......................................................11 Findings................................................. 11 Recommendations.......................................... 36 (v) Union Calendar No. 482 107th Congress Report HOUSE OF REPRESENTATIVES 2d Session 107-767 ====================================================================== DEFENSE SECURITY SERVICE: THE PERSONNEL SECURITY INVESTIGATIONS [PSI] BACKLOG POSES A THREAT TO NATIONAL SECURITY _______ October 24, 2002.--Committed to the Committee of the Whole House on the State of the Union and ordered to be printed _______ Mr. Burton, from the Committee on Government Reform submitted the following SIXTH REPORT On October 9, 2002, the Committee on Government Reform approved and adopted a report entitled ``Defense Security Service: the Personnel Security Investigations [PSI] Backlog Poses a Threat to National Security.'' The chairman was directed to transmit a copy to the Speaker of the House. I. Summary The Government Reform Committee, National Security, Veterans Affairs and International Relations [NSVAIR] Subcommittee conducted an oversight investigation of the Defense Security Service. The subcommittee examined the agency's personnel security investigation [PSI] program to determine the reasons behind a growing PSI backlog. Personnel security investigations are conducted to determine whether an individual should be granted access to classified information. This is a critical first step in safeguarding the Nation's secrets. Findings: 1. The Defense Security Service cannot accurately determine the size or forecast the elimination of the personnel security investigations backlog. 2. There was a lack of management oversight of the Defense Security Service by the Department of Defense [DOD] that contributed to a backlog of personnel security investigations. 3. Acquisition of the Case Control Management System [CCMS] and the Joint Personnel Adjudication System [JPAS] did not comply with the requirements of the Clinger-Cohen Act and may not provide effective caseload management. 4. There are no common standards for investigating and adjudicating a personnel security clearance in a timely manner. 5. Defense Security Service and the Office of Personnel Management [OPM] personnel security clearance investigators have difficulty accessing State and local criminal history record information [CHRI]. Recommendations: 1. The Secretary of Defense should continue to report the personnel security investigations program including the adjudicative process as a material weakness under the Federal Managers' Financial Integrity Act to ensure needed oversight is provided to effectively manage and monitor the personnel security process from start to finish. 2. The Secretary of Defense should set priorities and control the flow of personnel security investigation requests for all DOD components. 3. The Secretary of Defense should closely monitor the interface between JPAS and CCMS to ensure effective management of investigative and adjudicative cases and avoid further backlogs. 4. The National Security Council should promulgate Federal standards for investigating and adjudicating personnel security clearances in a timely manner. 5. The Secretary of Defense and the Attorney General jointly should develop a system which allows DSS and OPM investigators access to State and local criminal history information records [CHIR]. II. Background Acts of espionage have had serious consequences for the United States, military personnel and citizens. To prevent acts of espionage, and to ensure the interests of the United States are protected requires certain information concerning national security be protected against unauthorized disclosure. Information may not be classified unless its unauthorized disclosure reasonably could be expected to cause damage to national security. The degree of expected damage from unauthorized release determines which of the three levels of classification will be applied: TOP SECRET--``exceptionally grave damage'' to the national security; SECRET--``serious damage'' to the national security; and, CONFIDENTIAL-- ``damage'' to the national security.\1\ --------------------------------------------------------------------------- \1\ Executive Order No. 12356 of Apr. 2, 1982, National Security Information Guidelines, Sec. 1.1, Classification Levels, Code of Federal Regulations, Office of the Federal Register National Archives and Records Administration. --------------------------------------------------------------------------- Each year thousands of classified programs and projects are carried out by the U.S. Government. These activities generate millions of items of classified documents and information used by the military, civilian and contract employees. This classified information is not only in the form of documents. An enormous inventory of classified equipment and components must be safeguarded. Increasingly, classified data is being processed, transmitted and stored electronically, posing serious new problems of protection. The Department of Defense through the Defense Security Service conducts personnel security investigations [PSI] to determine whether an applicant should be granted access to classified information. Upon completion of the PSI by DSS, the information collected is sent to one of eight adjudication facilities for security clearance determination.\2\ --------------------------------------------------------------------------- \2\ Executive Order No. 12968 of Aug. 2, 1995, Access to Classified Information, Sec. 1.2, Access to Classified Information, Code of Federal Regulations, Office of the Federal Register National Archives and Records Administration. --------------------------------------------------------------------------- At the end of fiscal year 2001 DSS reported, 2,127,476 active duty military, civilian, and contractor employees held personnel security clearances: 62,108 employees held confidential clearances, 1,607,727 employees held secret clearances, 209,897 held top secret, and 247,744 held top secret/SCI clearances. On average, an initial top-secret investigation takes DSS approximately 521 days to complete and the Office of Policy and Management approximately 108 days to complete and costs approximately $2,400 per investigation for DSS and approximately $2,775 per investigation for OPM.\3\ --------------------------------------------------------------------------- \3\ Email from Lt. Colonel Leo Clark, Office of the Secretary of Defense, Subject: DSS Final Report, Feb. 15, 2002, (in subcommittee files). --------------------------------------------------------------------------- The Department of Defense is requesting $443.0 million for DSS operations for fiscal year 2003 a decrease of $51.3 million over fiscal year 2002.\4\ The investigation budget for DSS and OPM is $269.7 million and $157.4 million respectively.\5\ Despite the overall reduction, DOD is requesting an additional $3.6 million for case control management system improvements in fiscal year 2003 and increase of 29 percent over fiscal year 2002.\6\ --------------------------------------------------------------------------- \4\ Defense Security Service, Fiscal Year 2003 Budget Estimates, February 2002, Exhibit Fund-14 Revenue and Expenses, (in subcommittee files). \5\ See supra note 3. \6\ Defense Security Service, Fiscal Year 2003 Budget Estimates, February 2002, Exhibit Fund-9a, Activity Group Capitol Investment Summary, (in subcommittee files). --------------------------------------------------------------------------- Three primary business areas comprise the DSS mission: No. 1, the Personnel Security Investigations Program, the investigations conducted under this program are used by the DOD adjudication facilities to determine an individual's suitability to enter the armed forces, to access classified information, or to hold a sensitive position within the Department of Defense; No. 2, the National Industrial Security Program [NISP] established by Executive Order 12829,\7\ which primarily ensures private industry, colleges, and universities that perform government contracts or research safeguard classified information in their possession; and No. 3, the Security Training and Education Program, which provides security education and training programs to support DSS components, DOD agencies, military departments and contractors.\8\ --------------------------------------------------------------------------- \7\ Executive Order No. 12829 of Jan. 6, 1993, National Industrial Security Program, Code of Federal Regulations, Office of the Federal Register National Archives and Records Administration. \8\ Defense Security Service, FY2003 Amended Budget Submission, February 2002, p. DSS-2, (in subcommittee files). --------------------------------------------------------------------------- In addition, DSS supports counterintelligence, operation and maintenance, and research and development activities of the Department of Defense Polygraph Institute [DODPI].\9\ DODPI is an educational, research and policy-establishing institute for the forensic discipline of psychophysiological detection of deception. The Defense Security Service is under the direction, authority, and control of the Office Assistant Secretary of Defense (Command, Control, Communications and Intelligence) (OASD-C3I) in accordance with the provisions of DOD Directive 5105.42.\10\ --------------------------------------------------------------------------- \9\ Ibid., p. DSS-11. \10\ Department of Defense, Directive No. 5105.42, Subject: Defense Security Service [DSS], May 13, 1999, (in subcommittee files). --------------------------------------------------------------------------- Top secret, secret, and confidential clearances require reinvestigation every 5, 10, and 15 years, respectively. The importance of reinvestigating and reevaluating a personnel security clearance is as much a matter of national security as the original background check. According to GAO, failure to have an up-to-date security clearance would pose a threat to national security.\11\ --------------------------------------------------------------------------- \11\ Testimony of Carol R. Schuster, Associate Director, U.S. General Accounting Office, NSVAIR Subcommittee hearing, Serial No. 106- 267, p. 38. --------------------------------------------------------------------------- DSS conducts personnel security background investigations within the 50 States, the District of Columbia, the Commonwealth of Puerto Rico, and the trust territories. DSS requests the military departments and other U.S. Government agencies, as appropriate, to complete investigative leads in areas not set forth above.\12\ --------------------------------------------------------------------------- \12\ Defense Security Service, Personnel Security Investigation Manual, revised Oct. 15, 1999, 1-329. DSS PSI Mission, pp. 6-7, (in subcommittee files). --------------------------------------------------------------------------- A Defense Security Service personnel security investigation [PSI] is intended to determine an individual's loyalty to the United States, character, trustworthiness, honesty, reliability, discretion, and judgment are such that the person can be expected to comply with government policy and procedures for safeguarding classified information.\13\ --------------------------------------------------------------------------- \13\ See supra note 2, Sec. 3.1. --------------------------------------------------------------------------- In 1994, the Joint Security Commission determined ``national security policy was fragmented and lacked an effective mechanism to ensure commonality. Multiple groups with differing interests and authorities worked independently of one another with insufficient integration of security policy and procedures.'' \14\ Because of this fragmentation of security policy and structure, the President established the Security Policy Board to consider, coordinate, and recommend policy directives for national security. The Security Policy Board was the principal mechanism for reviewing and proposing to the National Security Council [NSC] legislative initiatives and Executive orders pertaining to security policy, procedures and practices that do not fall under the statutory jurisdiction of the Secretary of State.\15\ \16\ --------------------------------------------------------------------------- \14\ Redefining Security: A Report to the Secretary of Defense and the Director of Central Intelligence, p. 2, Feb. 28, 1994, Joint Security Commission, Washington, DC 20505. \15\ Security Policy Board Mission Statement (in subcommittee files). \16\ The Bush administration transferred the duties assigned to the Security Policy Board to NSC Policy Coordination Committees pursuant to Presidential Directive, NSPD-1, Organization of the National Security Council System, Feb. 13, 2001, (in subcommittee files). --------------------------------------------------------------------------- In August 1995, under Executive Order 12968, ``Access to Classified Information,'' the President directed the Board to develop a set of uniform investigative standards and adjudicative guidelines for determining eligibility for access to classified information.\17\ In 1997, the Security Policy Board issued standard procedures to govern the access to classified information.\18\ The investigative standards developed by the Security Policy Board include examination of: --------------------------------------------------------------------------- \17\ See supra note 2. \18\ Security Policy Board, Investigative Standards for Background Investigations for Access to Classified Information, SPB Issuance 1-97, Mar. 24, 1997, (in subcommittee files). --------------------------------------------------------------------------- <bullet> Birth and citizenship records; <bullet> Corroboration of education; <bullet> Verification of employment for the past 7 years and interviews with supervisors and co-workers: <bullet> Interviews with character references with social knowledge of the subject; <bullet> Neighborhood checks and interviews with neighbors to confirm all residences for the past 3 years; <bullet> National agency checks including the FBI and CIA; <bullet> Financial review including a credit bureau check; <bullet> Local agency check of criminal history records and other public records to verify any civil or criminal court actions involving the individual; and <bullet> A personal interview with the individual. The objectives of the investigative standards are to (1) examine and assess various aspects of an individual's trustworthiness and reliability, taking into account both positive and negative issues and (2) bring some uniformity and consistency to Federal processes to avoid unnecessary and costly reinvestigations when an individual switches agencies.\19\ --------------------------------------------------------------------------- \19\ See supra note 2, Sec. 2.4. --------------------------------------------------------------------------- The standards for reinvestigations are essentially the same as those for initial investigations, with two exceptions. Reinvestigations do not require corroboration of proof of birth and citizenship, and education. The basis for not requiring this information for reinvestigation cases is that it is obtained in the initial investigation, and does not change.\20\ --------------------------------------------------------------------------- \20\ Ibid. --------------------------------------------------------------------------- The process of obtaining a security clearance begins with a request from a military commander, contractor, or other DOD official for a security clearance for an individual because of the sensitive nature of his or her duties. The individual completes the appropriate personnel security form for the level of classification needed--CONFIDENTIAL, SECRET, or TOP SECRET.\21\ The Personnel Security form requires the candidate for a security clearance to provide personal background information needed to conduct the personnel security investigation. The questionnaire is then forwarded to the Defense Security Service's Operations Center. --------------------------------------------------------------------------- \21\ See supra note 12, Sec. 4, pp. 14-15. --------------------------------------------------------------------------- Defense Security Service analysts review clearance requests to ensure all necessary forms are complete, develop a scope for the investigation, and assign the required work to 1 or more of the 12 DSS field-operating locations throughout the United States. An investigation may be sent to one or more operating locations depending on where the individual seeking clearance has lived, worked, or attended school. Once received in the field, an investigation is assigned to an investigator who seeks information in that geographic location about the individual's loyalty, character, reliability, trustworthiness, honesty, and financial responsibility. As the investigation elements are completed, the field sends reports to the DSS Operations Center, where case analysts determine if all investigative criteria have been met and all issues relevant for a clearance decision have been resolved. DSS sends the completed investigation to one of eight adjudication facilities for security clearance determination. The Army, Navy, Air Force, the National Security Agency [NSA], the Defense Intelligence Agency [DIA], the Defense Office of Hearings and Appeals [DOHA], the Joint Chiefs of Staff [JCS], and the Washington Headquarters Service [WHS] operate the eight adjudication facilities. The adjudicative process is an examination of a sufficient period of the applicant's life to determine if the person is an acceptable security risk.\22\ The adjudication process is the weighing of a number of variables known as the ``whole person concept.'' \23\ The whole person concept is the consideration by the adjudicator of all available, reliable information about the person, past and present, favorable and unfavorable, when reaching a determination. In deciding if a clearance should be granted or denied, the adjudication facility staffs base their decision on the following adjudicative factors: \24\ --------------------------------------------------------------------------- \22\ Security Policy Board, Adjudicative Guidelines for Determining Eligibility for Access to Classified Information, SPB Issuance 2-97, Mar. 24, 1997, (in subcommittee files). \23\ See supra note 12, Sec. 4, p. 18. \24\ Ibid., p. 17. --------------------------------------------------------------------------- <bullet> Allegiance to the United States; <bullet> Foreign influence; <bullet> Sexual behavior; <bullet> Personal conduct; <bullet> Financial consideration; <bullet> Alcohol consumption and drug involvement; <bullet> Emotional, mental, and personality disorders; <bullet> Criminal conduct; <bullet> Security violations; <bullet> Outside activities; and <bullet> Misuse of information technology The ultimate determination of whether the granting or continuing of eligibility for a security clearance must be clearly consistent with the interests of national security based upon careful consideration of the adjudication factors, each of which is to be evaluated in the context of the ``whole person.'' \25\ --------------------------------------------------------------------------- \25\ Department of Defense, Adjudicative Guidelines for Determining Eligibility for Access to Classified Information, DOD 5200.2-R, (in subcommittee files). --------------------------------------------------------------------------- Since 1985, blue ribbon commissions \26\ and the General Accounting Office [GAO], have recommended the quality, timeliness and frequency of personnel security background investigations be improved.\27\ --------------------------------------------------------------------------- \26\ Keeping the Nation's Secrets: A Report to the Secretary of Defense by the Commission to Review DOD Security Policies and Practices, Nov. 19, 1985, DOD Security Commission, Office of the Secretary of Defense, Washington, DC 20301, (in subcommittee files). \27\ DOD Personnel: Inadequate Personnel Security Investigations Pose National Security Risks, (GAO/NSIAD-00-12) in October 1999. --------------------------------------------------------------------------- More recently, management deficiencies identified by GAO and the DOD-OIG included the failure of the Defense Security Service, formerly known as the Defense Investigative Service, to provide accurate and timely personnel security investigations, inattention to personnel training, and the acquisition and installation of new information technology systems without the benefit of risk assessment, proper testing or backup.\28\ --------------------------------------------------------------------------- \28\ Department of Defense, Office of Inspector General Audit Report, Program Management of the Defense Security Service Case Control Management System, Report No. D-2001-019, Dec. 15, 2001. --------------------------------------------------------------------------- According to the 1994 Joint Security Commission Report, delays in the investigative and adjudicative process contribute directly to government costs.\29\ As far back as 1981, the General Accounting Office reported to Congress nearly $1 billion was wasted annually because of investigative backlogs at the Defense Security Service.\30\ --------------------------------------------------------------------------- \29\ See supra note 14, p. 47. \30\ Ibid. --------------------------------------------------------------------------- The subcommittee conducted three Defense Security Service oversight hearings: on February 16, 2000,\31\ September 20, 2000,\32\ and March 2, 2001.\33\ The purpose of the hearings was to examine performance and management challenges confronting DSS, particularly the agency's plans to address the personnel security investigations backlog and the extent to which the automated case control management system can be improved to address the backlog of security clearances. --------------------------------------------------------------------------- \31\ Defense Security Service Oversight Hearing, 106th Cong., 2d sess., (2000) National Security, Veterans Affairs, and International Relations [NSVAIR] Subcommittee hearing, Feb. 16, 2000, Serial No. 106- 152. \32\ Oversight of the Defense Security Service: How Big is the Backlog of Personnel Security Investigations?, 106th Cong., 2d sess., (2000) National Security, Veterans Affairs, and International Relations [NSVAIR] Subcommittee hearing, Sept. 20, 2000, Serial No. 106-267. \33\ Defense Security Service: Mission Degradation?, 107th Cong., 1st sess., (2001) National Security, Veterans Affairs and International Relations [NSVAIR] Subcommittee hearing, Mar. 2, 2001, Serial No. 107- 40. --------------------------------------------------------------------------- The backlog was a result in large part due to lax OASD-C3I oversight, DSS mismanagement, CCMS malfunctions, and OASD-C3I and DSS's inability to keep pace with changing personnel security clearance criteria and Presidential directives. Hearing testimony offered optimistic views for determining the size and timetables for the elimination of the personnel security investigations backlog \34\ and ``dramatic improvements'' \35\ in the case control management system despite recommendations to replace the system.\36\ --------------------------------------------------------------------------- \34\ Testimony of Lt. General Charles J. Cunningham Jr., USAF (Ret), Director-Defense Security Service, National Security, Veterans Affairs, and International Relations [NSVAIR] Subcommittee hearing, Feb. 16, 2000, Serial No. 106-152, p. 114. \35\ Statement of Lt. General Charles J. Cunningham Jr., USAF (Ret), Director-Defense Security Service, National Security, Veterans Affairs and International Relations [NSVAIR] Subcommittee hearing, Sept. 20, 2000, Serial No. 106-267, p. 75. \36\ TRW's Evaluation of DSS CCMS, Final Report, July 21, 1999, Contract No: DASW01-99-F-3060-P001, June 22, 1999, (in subcommittee files). --------------------------------------------------------------------------- Based on the testimony and documentary record, the subcommittee concludes lax oversight of DSS by the Office of the Assistant Secretary of Defense for Command, Control, Communications, and Intelligence (OASD-C3I) contributed directly to the degradation of DSS productivity and effectiveness.\37\ --------------------------------------------------------------------------- \37\ An Assessment of the Department of Defense Personnel Security Program: A Report to the Deputy Secretary of Defense, Personnel Security Investigations Process Review Team, Oct. 31, 2000, (in subcommittee files). --------------------------------------------------------------------------- Proactive intervention by OASD (C3I) did not occur until October 1999, after the backlog had attained crisis proportions.\38\ Only after much criticism and scrutiny from Congress,\39\ the media,\40\ other government agencies,\41\ and defense contractors \42\ did the Office of the Assistant Secretary of Defense for Command, Control, Communications, and Intelligence [C3I] request a serious review of the status and options regarding the personnel security investigations backlog. --------------------------------------------------------------------------- \38\ Ibid., p. 44. \39\ The General Accounting Office [GAO] reviewed DOD's personnel security investigative functions at the request of Congressman Ike Skelton, ranking member, House Committee on Armed Services. GAO issued the report DOD Personnel: Inadequate Personnel Security Investigations Pose National Security Risks, (GAO/NSIAD-00-12) in October 1999. \40\ USA Today, Pentagon Crisis: Security Check Backlog, Edward T. Pound, June 3, 1999, (in subcommittee files). \41\ Memorandum: Investigation Standards for Access to Classified Information, Oct. 26, 1996, from Peter D. Saderholm, Director-Security Policy Board to Richard J. Wilhelm, et. al., Co-Chair, Security Policy Forum, (in subcommittee files). \42\ Aerospace Industries Association, 1250 Eye Street NW., Suite 1200, Washington, DC 20005, Background Investigation Timeliness Tracking Survey, December 2000, (in subcommittee files). --------------------------------------------------------------------------- The review produced an internal report issued February 8, 2001 entitled Personnel Security Investigations: Mission Degradation! \43\ This report called for ``bold action'' \44\ and contained worse news, and more sweeping recommendations, than the Assistant Secretary anticipated. The report shows that the time to complete personnel security investigations upon which clearances are based is getting longer. As the time to complete investigations has grown, the number of investigations pending is also growing. In December 2000, output exceeded input for the first time, but it remains to be seen whether this constitutes a trend or a one-time improvement. --------------------------------------------------------------------------- \43\ Personnel Security Investigations: Mission Degradation! OASD (C3I) Security Directorate Draft Report for Comment, Richard F. Williams, Director of Security, Feb. 8, 2001, (in subcommittee files). \44\ Ibid., p. 1. --------------------------------------------------------------------------- Between June 9, 1999 and February 8, 2001,\45\ memoranda, program initiatives, and policy directives to eliminate the PSI backlog resulted in little improvement to provide timely investigations and clearances to soldiers, sailors, airmen, Marines, DOD civilian and defense contractors. --------------------------------------------------------------------------- \45\ Ibid., p. 21-24. --------------------------------------------------------------------------- As a result, defense contractors are losing qualified new hires that cannot wait almost a year for DSS to complete an initial investigation.\46\ In addition, defense contractors have found themselves unable to perform billions of dollars of work because employees have not obtained routine clearances. These delays threaten to affect some facilities' ability to effectively perform on defense contracts and meet cost schedules. A survey conducted by the Aerospace Industries Association revealed, as of December 2000, 12 percent of the secret clearance requests were pending for more than 1 year and 30.6 percent of the top secret clearance requests were pending for more than 1 year. Another survey conducted in November 1999 revealed it cost the aerospace industry an estimated $149.9 million for clearances more than 90 days old.\47\ --------------------------------------------------------------------------- \46\ See supra note 42. \47\ Aerospace Industries Association, 1250 Eye Street NW., Suite 1200, Washington, DC 20005, DSS Clearance Backlog Summary, November 1999, (in subcommittee files). --------------------------------------------------------------------------- In 1997, the DOD Office of Inspector General reported, the Director of the Defense Security Service had designated DSS as a ``reinvention laboratory'' to assess the agency's policies and procedures in an effort to determine their relevance and responsiveness to the users of DSS services.\48\ Under this ``reinventing government'' initiative, DSS management and employees reviewed the investigation process to identify ways to improve the quality and timeliness of investigations.\49\ Initiatives developed by DSS managers included: --------------------------------------------------------------------------- \48\ Department of Defense, Office of Inspector General, Audit Report No. 97-196, Personnel Security in the Department of Defense, p. 17, July 25, 1997 (in subcommittee files). \49\ Ibid., p. 5. --------------------------------------------------------------------------- <bullet> reorganizing and streamlining the agency, <bullet> becoming a performance based organization [PBO], <bullet> implementing new investigative procedures to improve the timeliness of investigations, <bullet> automating the scope development and review of investigations, and <bullet> charging a fee for service.\50\ --------------------------------------------------------------------------- \50\ Ibid. --------------------------------------------------------------------------- The following year, the Department of Defense Office of the Inspector General (DOD-IG) conducted an audit of DSS to determine the effectiveness and efficiency of the management of the personnel security program. Specifically, the DOD-IG reviewed the processes for conducting and the procedures for disseminating information related to personnel security investigations [PSI].\51\ --------------------------------------------------------------------------- \51\ Ibid., Executive Summary. --------------------------------------------------------------------------- Although, at the time, the audit conducted by the Department of Defense-Office of the Inspector General ``strongly supported'' Defense Security Service reinvention efforts,\52\ GAO found DSS's initiative exacerbated the problem of accurate and timely personnel security investigations contributing to a massive backlog of PSI cases.\53\ --------------------------------------------------------------------------- \52\ Ibid., p. 12. \53\ See supra note 27. --------------------------------------------------------------------------- The backlog of PSI cases can be attributed to a number of factors. In his memorandum of June 15, 2000, the Assistant Secretary of Defense (C3I) wrote, ``the periodic reinvestigation [PR] backlog has reached significant proportions largely as a result of the PR quota that was imposed from FY96 to present by this office as well as the implementation of new national policy which lowered the interval for SECRET PR's from 15 to 10 years and set a new 15 year PR requirement for CONFIDENTIAL PR's.'' \54\ --------------------------------------------------------------------------- \54\ Memorandum: Personnel Security Investigations Backlog, June 15, 1999, from Assistant Secretary of Defense for Command, Control, Communications, and Intelligence Arthur L. Money to Secretaries of the Military Departments, et. al., (in subcommittee files). --------------------------------------------------------------------------- In 1995, the Assistant Secretary of Defense (C3I) directed DOD components to cease submitting periodic reinvestigation [PR] requests that were due to DSS,\55\ and then in June 1996, the Assistant Secretary of Defense (C3I) revised this directive and established a quota system allowing DOD components to submit up to 40,000 secret and 42,000 top secret PR requests per year.\56\ Although these directives were intended to reduce the turnaround time to process PSI cases, the directives created a backlog and a pent-up demand for security clearances. In addition, at that time, the Assistant Secretary announced that DOD would adopt new investigative standards.\57\ These standards provided less complete information for use by adjudicators in determining whether to grant clearances, which further delayed the security clearance process. And, finally there were system failures of the newly deployed automated case control management system for tracking and processing PSI cases.\58\ All of these factors: the PR quota system; new investigative standards; and CCMS failures all affected DOD's capacity to process PSI cases and contributed to the backlog. --------------------------------------------------------------------------- \55\ See supra note 27, p. 30. \56\ Ibid. \57\ Ibid., p. 19. \58\ Ibid., p. 26-28. --------------------------------------------------------------------------- According to Carol Schuster of the General Accounting Office, ``Since 1998, various DOD documents and statements have cited several widely divergent backlog estimates ranging from about 452,000 to 992,000.'' \59\ The backlog was a result, in part, of internal procedure changes in DSS. According to the General Accounting Office, DSS officials stated that once the agency became a reinvention laboratory, it was allowed to operate, for the most part, at its own discretion with little or no oversight from the Assistant Secretary of Defense- Command, Control, Communications and Intelligence (ASD- C3I).\60\ --------------------------------------------------------------------------- \59\ Statement of Carol R. Schuster, Associate Director, U.S. General Accounting Office, NSVAIR Subcommittee hearing, Serial No. 106- 267, p. 8. \60\ See supra note 27, p. 19. --------------------------------------------------------------------------- Knowing the accurate size of the backlog is an important step toward effectively managing and eliminating the backlog. In 1999 DSS attempted to determine the size of the PSI case backlog. The MITRE Economic and Decision Analysis Center was hired to work with DSS to conduct an analysis of the backlog through the use of formal statistical sampling and manual counts.\61\ MITRE reported in 2000, with 95 percent confidence, the true size of the backlog population falls between 206,107 and 558,552 cases.\62\ --------------------------------------------------------------------------- \61\ Mitre Technical Report, The Defense Security Services Backlog of Periodic Reinvestigations: Statistical Analysis and Risk Prioritization Procedure, p. iii-iv, February 2000, Paul R. Garvey, et. al., (in subcommittee files). \62\ Ibid., p. v. --------------------------------------------------------------------------- In October 1998, to expedite PSI case processing, the Defense Security Service acquired and deployed a new information technology system referred to as the Case Control Management System at a cost of $100 million.\63\ The stated goals of CCMS were to simplify the investigative process by eliminating unnecessary manual activity, and automate the processes associated with the overall management of PSI cases.\64\ CCMS was supposed to expedite PSI case processing by linking all relevant information critical to an investigation through a network of DSS subsystems.\65\ PSI case processing includes the collection, tracking, adjudication, and disseminating of information about security clearances for more than 15 million individuals. The CCMS network is primarily located at the DSS Personnel Investigations Center in Fort Meade, MD. --------------------------------------------------------------------------- \63\ General Accounting Office briefing for the House Committee on Government Reform, Subcommittee on National Security, Veterans Affairs, and International Relations [NSVAIR], briefing slide, p. 30, Nov. 8, 1999, (in subcommittee files). \64\ See supra note 48, p. 9. \65\ See supra note 63. --------------------------------------------------------------------------- In 1999, assessments of the case control management system were conducted by TRW \66\ and a DOD Red Team.\67\ Those assessments found deficiencies in acquisition strategy, program management, system integration, and operations and maintenance. It was estimated that an additional $87.2 million to $103 million would be needed fiscal year 1999-2006 to address the deficiencies for a system that was projected to cost $100 million when fully operational.\68\ --------------------------------------------------------------------------- \66\ See supra note 36. \67\ DOD Red Team Advanced Draft, Red Team Recommendations-- Transition Ahead, July 14, 1999. \68\ See supra note 36, Sec. 7, p. 67-68. --------------------------------------------------------------------------- According to GAO, the case control management system suffers serious weaknesses and will be far more difficult to fix than DSS anticipates. During the September 2000 NSVAIR Subcommittee hearing, addressing the CCMS issue, the Director of DSS stated, ``there were dramatic improvements resulting from the software enhancements and corrections that have been implemented within the last 6 months.'' \69\ Yet the DOD-IG in December 2000 recommended the Assistant Secretary of Defense- C3I analyze whether the investment for the Case Control Management System provides the best business solution when compared to alternative solutions for opening, tracking, and closing personnel investigation cases. --------------------------------------------------------------------------- \69\ See supra note 35, p. 75. --------------------------------------------------------------------------- The Defense Security Service is making progress since the subcommittee's oversight investigation of the agency began a little more than 2 years ago. However, DSS has a long way to go to resolve systemic problems of tracking and promptly completing personnel security investigations. In the meantime, national security risks increase and the need for additional financial resources grows. According to Donald Mancuso, Acting Inspector General, ``Simply put, the inability to track and promptly complete personnel security investigations has had a devastating effect on the Department's ability to ensure that national security is protected and that military, civilian and contractor employees have the timely clearances needed to complete their jobs. On a human level, the lack of timely clearances prevents people from obtaining employment in DOD, and in the case of contractor employees, causes the loss of hundreds of millions of tax dollars paid to contractors or for employees awaiting clearances.'' \70\ --------------------------------------------------------------------------- \70\ Testimony of Donald Mancuso, Acting Inspector General, Office of the Inspector General, Department of Defense, NSVAIR Subcommittee hearing, Serial No. 106-267, p. 38. --------------------------------------------------------------------------- III. Discussion FINDINGS 1. The Defense Security Service cannot accurately determine the size or forecast the elimination of the personnel security investigations backlog. The Defense Security Service has a personnel security investigation backlog that has ranged from approximately 350,000 to 900,000 cases. The disparity in the range is a result of different methodologies used to count the backlog, efforts to prioritize the most sensitive personnel security investigations, and the elimination of cases as a result of changes in employment status for the individual needing a security clearance. Priorities for investigations by category include presidential support, sensitive compartmented information [SCI], and special access programs [SAPs] which impose need-to-know or access controls beyond those normally provided for access to confidential, secret, or top secret information.\71\ The inability to prioritize investigations has resulted in extensive delays in clearances for some high priority projects.\72\ Additionally, there is currently no automated method for notifying DSS of a priority investigation. The requester has to notify DSS when a priority investigation is provided and special processing is necessary. DSS manually pulls the request and moves the investigation case to the front of the queue.\73\ It is currently taking, on average, more than a year to complete a personnel security reinvestigation for someone needing a top-secret clearance. --------------------------------------------------------------------------- \71\ See supra note 37, p. 19. \72\ Ibid. \73\ Ibid. --------------------------------------------------------------------------- Testifying before the NSVAIR Subcommittee, GAO's Carol Schuster, Associate Director for National Security Issues stated, ``There were several reasons that led to this backlog. The implementation of a quota system on the number of PSI requests that could be submitted created a pent-up demand contributing to the backlog. Then we had new requirements \74\ that were instituted during this period for re-investigations on secret and confidential clearances. Those had not been requirements before. So this added to the backlog. Also, the automated case control management system that we were talking about just did not work. CCMS system failures contributed to the backlog.'' \75\ --------------------------------------------------------------------------- \74\ Between August 1996 and February 1999, DSS issued 31 policy letters directly related to the manner in which investigations were to be conducted. Several letters announced policy changes that gave investigators greater discretion in how they would meet the standards or pursue issues that might be of significance in deciding to grant clearances. Several of these policies were inconsistent with Federal investigative standards in the requirement to conduct local agency checks of criminal history records, and the verification of public records regarding divorce, bankruptcy, or other court actions, involving the subject. \75\ Testimony of Carol R. Schuster, Associate Director, U.S. General Accounting Office, NSVAIR Subcommittee hearing, Serial No. 106- 152, p. 34. --------------------------------------------------------------------------- Carol Schuster stated DSS also pointed to additional factors contributing to the backlog, ``One is that they feel that there are more people requesting clearances because of the growing number of information technology jobs that may require clearances, and the reduction of DSS staff and investigators the agency experienced as a result of DOD downsizing. So all of those problems collectively contributed to the problem.'' \76\ --------------------------------------------------------------------------- \76\ Ibid. --------------------------------------------------------------------------- A consultant for DSS reported in February 2000 the effect downsizing had on the Defense Security Service. ``As a result of the general downsizing of defense agencies in recent years, DSS staffing has been significantly reduced, dropping from about 4,000 in 1991 to about 2,500 in 1998. In particular, DSS investigators fell from 1,650 to 1,250 during the same period. Meanwhile, the investigative workload for clearances has remained fairly constant over that time.'' \77\ --------------------------------------------------------------------------- \77\ See supra note 61, p. 1.1. --------------------------------------------------------------------------- As congressional \78\ and media \79\ scrutiny intensified, concerns were raised regarding the growing backlog of personnel security investigations, and the affect the backlog would have on national security. As a result, the NSVAIR subcommittee asked the General Accounting Office to determine how DSS estimates the backlog, assess the soundness of DOD's backlog estimates, and identify the plans DSS developed to address the backlog problem. --------------------------------------------------------------------------- \78\ Letter from Congressman Ike Skelton of Missouri to the General Accounting Office a review of DOD's personnel security functions, Mar. 25, 1998. \79\ See supra note 40. --------------------------------------------------------------------------- The General Accounting Office reported its findings in August 2000. According to GAO findings, the personnel security reinvestigations backlog for defense, civilian, and contractor personnel was approximately 505,000 reinvestigations, and growing, with an additional 480,000, which had not yet been submitted to DSS from DOD and the military departments. However, the subcommittee learned the actual backlog size was still unknown because existing personnel security databases cannot provide an accurate count of overdue reinvestigations. ``In the absence of a Department-wide database that can accurately measure the reinvestigation backlog, DOD estimates the backlog on an ad-hoc basis, using manual counts and statistical sampling as the primary methods. Using the sampling method, DOD makes a rough and known to be inaccurate estimate from existing personnel security databases.'' \80\ --------------------------------------------------------------------------- \80\ DOD Personnel: More Action Needed to Address Backlog of Security Clearance Reinvestigations, (GAO/NSIAD-00-215), p. 1-2, U.S. General Accounting Office, in August 2000. --------------------------------------------------------------------------- In that regard, the subcommittee also learned the survey process for determining the backlog was flawed. When the Office of the Secretary of Defense asked Military Departments and Defense agencies to survey their commands and organizations in 1999, they failed to provide the methodology for determining the size of the backlog. As a result, no standard format was used to obtain the figures. Some just filled out the information by using manual counts, while others did a sample survey. A second survey conducted a few months later again did not address methodology. As a result, it appears programs and agencies reported lower numbers giving the erroneous impression that DOD was making progress eliminating the PSI backlog. From June 9, 1999 to February 8, 2001 the Department of Defense issued 13 policy directives and reports to manage and eliminate the growing backlog of personnel security investigations. These included: <bullet> June 9, 1999--Deputy Secretary of Defense memorandum, Personnel Security Clearance Investigations Backlog, directed the elimination of the backlog by September 30, 2000. The memorandum expanded the DOD investigative capacity by shifting a part of the DOD civilian PSI workload to the Office of Policy and Management, directed each military department and defense agency to provide a quarterly plan for eliminating the backlog. The Deputy Secretary further directed that each military department and defense agency to administratively terminate or downgrade all clearances not based on a current investigation or not in process for reinvestigation by September 30, 2000. <bullet> June 15, 1999--Assistant Secretary of Defense (C3I) memorandum, Personnel Security Clearance Investigations Backlog, implemented the Deputy Secretary's memorandum of June 9, 1999 by directing a minimum number of additional periodic reinvestigations to OPM for DOD civilian employees and all others to DSS. The Assistant Secretary stressed military departments and defense agencies would be expected to identify the resources necessary to fund backlogged of periodic reinvestigation's over and above those already programmed as well as accomplish the adjudications at the backend end of the PSI process. <bullet> September 29, 1999--Assistant Secretary of Defense (C3I) memorandum, Personnel Security Clearance Investigations, directed all initial investigations of DOD civilian personnel, except overseas investigations, would be conducted by OPM, and rescinded the June 9, 1999 directive to administratively terminate or downgrade all clearances not based on a current investigation or not in process for reinvestigation by September 30, 2000. <bullet> November 1999--At a meeting of the Defense Management Council, the Deputy Secretary of Defense called for the creation of an Overarching Integrated Process Review Team [OIPT] to find a cure for the PSI backlog problem, and to chart a new path for the future. The Team defined the backlog to be those periodic reinvestigations exceeding the timeframe for which a reinvestigation is required and which has not yet been submitted to the investigative agency. <greek-l><bullet> deg. The Team asked the military departments to determine their backlog according to the established backlog definition. For DOD agencies and contractors the team used previously developed estimates rather then developing new counts. The Team reported their findings and recommendations in January 2000. The Team determined that the periodic reinvestigation backlog totaled 505,786. The Team recommendations included the transfer of all secret and confidential investigations to OPM and restoration of funding for the Joint Personnel Adjudication System to improve management of the population actually receiving access to the most classified information. <bullet> March 31, 2000--Deputy Secretary of Defense memorandum, Personnel Security Clearance Investigations Backlog, directed implementation of the OIPT recommendations and extended the timeline for eliminating the PR backlog to March 31, 2002. <bullet> June 1, 2000--Deputy Secretary of Defense memorandum, Personnel Security Investigation Process Review, directed a comprehensive review to baseline the reform of the personnel security process, to establish a ``get well'' date, and make additional recommendations to expedite the personnel security process effort. A Process Review Team was established to accomplish this effort. <bullet> June 22, 2000--Under Secretary of Defense (Comptroller) memorandum, Personnel Clearance Backlog and Security Initiatives, generally referred to as the ``Spend Plan,'' extended the timeline for eliminating the PR backlog to September 30, 2002. The plan provided monthly targets for all DOD components for submitting investigative requests to DSS and OPM, along with the associated funding. PSIs were distributed between DSS and OPM in accordance with the Deputy Secretary of Defense memorandum dated March 31, 2000. <greek-l><bullet> deg. The plan called for sending 415,841 cases to OPM in fiscal year 2001 and 395,908 in fiscal year 2002. During the same period, DSS was to process 558,619 new cases and 128,000 existing cases in fiscal year 2001; and 388,598 new cases plus 307,000 existing cases in fiscal year 2002. This accounted for all carryover work at DSS and all new work to be submitted over fiscal year 2001 and fiscal year 2002, both backlog cases and the steady-state workload. <greek-l><bullet> deg. In addition, the memorandum call for the appointment of a senior official by each component to monitor processing of personnel security investigations to DSS and OPM, and to establish procedures for monitoring and executing the plan within the component. <bullet> August 22, 2000--Assistant Secretary of Defense (C3I) memorandum, Personnel Security Clearance Investigations, implemented the Spend Plan by providing instructions to the components for submitting investigative requests including quarterly progress reports. To ensure success, the military departments and defense agencies were required to appoint a senior official to monitor the processing of investigations to DSS and OPM and encouraged to have their Inspectors General include compliance as a matter of interest during inspections for fiscal year 2001 and fiscal year 2002. <bullet> September 11, 2000--Deputy Secretary of Defense memorandum, Personnel Security Investigation Process Review, directed all military departments and defense agencies to conduct a periodic reinvestigation survey because the backlog baseline may have changed considerably due to a lapse of time and the efforts of the Departments in submitting PR requests. <bullet> October 11, 2000--The report, An Assessment of DOD's Plan to Eliminate the Periodic Reinvestigation [PR] Backlog, responds to the second of three assessment directives issued by the Deputy Secretary of Defense on June 1, 2000. The June 1, 2000 directive called for the establishment of a process review team [PRT] to assess DOD's plan to eliminate the backlog of overdue periodic reinvestigations by September 30, 2002. The PRT determined DOD would not meet the September 30, 2002 target date for elimination of the PR backlog. The PRT did not consider the submission of the overdue PR requests sufficient to eliminate the backlog. Rather, the PRT considers the backlog eliminated once the investigations have been completed and adjudicated and the workloads of DSS and the Central Adjudication Facilities [CAFs] return to a steady state. <bullet> October 31, 2000--The report, An Assessment of the Department of Defense Personnel Security Program, responds to the first and third directive issued by the Deputy Secretary of Defense on June 1, 2000 to determine where DOD currently stands in reforming the PSI process, and recommend how to expedite the reform effort. The assessment team conducted a thorough review covering the major steps in the PSI process including requesting the investigation, conducting the investigation, adjudicating the results of the investigation, and oversight and funding of the program. <bullet> December 14, 2000--The Office of the Under Secretary of Defense (Comptroller) revised the Spend Plan to incorporate the adjustment of the backlog from 505,786 to 316,995 in accordance with the Process Review Team's survey results pursuant to the directive issued by the Deputy Secretary of Defense on September 11, 2000. <bullet> February 8, 2001--Office of the Assistant Secretary of Defense (C3I) Security Directorate released the draft report, Personnel Security Investigations: Mission Degradation, which called for bold action to address current PSI backlogs. The purpose of the draft report is four fold: No. 1, to serve as a frame of reference for surfacing various options and reactions to organizations both within and outside the Department; No. 2, to be used to further refine the situation with those who are performing PSI work for DOD; No. 3, to serve as a think piece for DOD senior executives who will be reviewing the progress on balancing PSI funding and workload issues; and No. 4, to present options for consideration by the interagency. On June 9, 1999, Deputy Secretary of Defense John J. Hamre issued a memorandum, ``Personnel Security Clearance Investigations Backlog'' directing the military departments, defense agencies, and contractors to eliminate the backlog by the end of fiscal year 2000.\81\ This was the first of four target dates calling for the elimination of the PSI backlog. --------------------------------------------------------------------------- \81\ Memorandum: Personnel Security Investigations Backlog, June 9, 1999, from Deputy Secretary of Defense John J. Hamre to Secretaries of the Military Departments, et. al., (in subcommittee files). --------------------------------------------------------------------------- In addition, the Deputy Secretary's memorandum of June 9, 1999 attempted to ease the pressure on DOD investigative capacity by shifting a part of the workload to the Office of Personnel Management. The memorandum also directed each service and DOD agency to provide the Assistant Secretary of Defense for Command, Control, Communications, and Intelligence a quarterly plan for eliminating the backlog. The Deputy Secretary of Defense further directed the services and defense agencies to administratively terminate or downgrade all clearances not based on a current investigation or not in process for reinvestigation by September 30, 2000.\82\ --------------------------------------------------------------------------- \82\ Ibid. --------------------------------------------------------------------------- On June 15, 1999, then Assistant Secretary of Defense for Command, Control, Communications, and Intelligence Arthur L. Money issued a memorandum ``Personnel Security Clearance Investigations backlog'' implementing Deputy Defense Secretary's June 9, 1999 memorandum with respect to cost, process, and prioritization.\83\ The memorandum directed all components to identify the resources necessary to fund the elimination of the backlog. The memorandum changed personnel security reinvestigation policy directing each service, agency, and contractor not to apply for security investigations for those within 1 year of separation from DOD employment, or who will be assigned to duties for which a personnel security clearance is not required.\84\ This policy change had serious national security implications by allowing a person to continue in a sensitive position without the required periodic investigation. The policy change was a violation of personnel security clearance standards adopted and approved by the Security Policy Board. --------------------------------------------------------------------------- \83\ See supra note 54. \84\ Ibid. --------------------------------------------------------------------------- In that regard, even when the Deputy Secretary of Defense thought OASD (C3I) had a handle on the true size of the backlog, no provision was made for providing for additional funds to eliminate the backlog of PSI requests, nor was there any specific strategy available for processing the minimum number of additional PSI requests over and above those already programmed to be conducted.\85\ --------------------------------------------------------------------------- \85\ Memorandum: Personnel Clearance Backlog and Security Initiatives, June 22, 2000, from Under Secretary of Defense (Comptroller) William J. Lynn to Secretaries of the Military Departments, et. al., (in subcommittee files). --------------------------------------------------------------------------- GAO also pointed out this directive had drawbacks, specifically the lack of funding. Carol Schuster stated, ``We recommended to the Secretary of Defense to direct the Assistant Secretary of Defense (C3I) to identify and prioritize overdue investigations and fund and implement initiatives to conduct these investigations in a timely manner.'' \86\ --------------------------------------------------------------------------- \86\ Statement of Carol R. Schuster, Associate Director, U.S. General Accounting Office, NSVAIR Subcommittee hearing, Serial No. 106- 152, p. 16. --------------------------------------------------------------------------- On September 29, 1999, Assistant Secretary of Defense for Command, Control, Communications, and Intelligence Arthur L. Money issued a memorandum ``Personnel Security Clearance Investigations'' directing the submission of all initial investigations and reinvestigations of DOD civilian personnel to OPM effective October 1, 1999.\87\ It stated DSS would continue to conduct investigations for military personnel, for civilian personnel stationed overseas, and for contractor personnel.\88\ --------------------------------------------------------------------------- \87\ Memorandum: Personnel Security Investigations, Sept. 29, 1999, from Assistant Secretary of Defense for Command, Control, Communications, and Intelligence Arthur L. Money to Secretaries of the Military Departments, et. al., (in subcommittee files). \88\ Ibid. --------------------------------------------------------------------------- By November 30, 1999, it became apparent the actions DOD had taken to date were not getting the results anticipated. As a result, Deputy Secretary of Defense called for the creation of an Overarching Integrated Process Team [OIPT] to find a solution for the backlog problem and to ``pioneer a different path to solve the crisis of the continuing personnel security investigations backlog,'' and to submit a plan by January 20, 2000.\89\ --------------------------------------------------------------------------- \89\ Memorandum: Personnel Security Investigations Backlog, Mar. 31, 2000, from Deputy Secretary of Defense John J. Hamre to Secretaries of the Military Departments, et. al., (in subcommittee files). --------------------------------------------------------------------------- The team reported their findings and recommendations in January 2000. The team determined the backlog totaled 505,786 and recommended additional personnel security investigation cases be transferred to OPM.\90\ --------------------------------------------------------------------------- \90\ See supra note 43, p. 21-22. --------------------------------------------------------------------------- As mentioned earlier, DOD's two attempts to determine the backlog size had methodological limitations, produced estimates that were 6 months old or older, and did not include thousands of overdue reinvestigations that had been submitted. The two estimates, one by the Overarching Integrated Process Team and the other by the MITRE Corp., were developed independently and used different estimating methods but coincidently arrived at similar estimates of about 505,000 overdue reinvestigations. These estimates differed from several previous backlog estimates that were cited by GAO in various DOD documents and statements.\91\ --------------------------------------------------------------------------- \91\ See supra note 80, p. 6. --------------------------------------------------------------------------- During the February 16, 2000 NSVAIR Subcommittee hearing, the DSS Director stated, ``I am accepting their number. However, I do not have total confidence in it.'' \92\ When asked to clarify this statement, the DSS Director said, ``While the number (PSI backlog) could be lower, I think the number is higher. That is my professional judgment.'' \93\ Carol Schuster, Associate Director of GAO concurred stating, ``I cannot tell you what the size of the backlog is. I would really question whether they have an exact fix it on.'' \94\ --------------------------------------------------------------------------- \92\ See supra note 34, p. 111. \93\ Ibid. \94\ See supra note 11, p. 34. --------------------------------------------------------------------------- This was finally confirmed by the Office of the Assistant Secretary of Defense (C3I) during the September 2000 NSVAIR Subcommittee hearing. ``While there is some concern about the various methodologies used to arrive at the size of the backlog, it was acknowledged that a more accurate assessment would prove problematic. The difficulty in assessing the precise scope of the backlog is due to the limitations of the current DOD central clearance database, which contains records for approximately 2.5 million cleared DOD military, civilian and contractor personnel. This problem will be resolved when DOD fields the Joint Personnel Adjudication System in fiscal year 2001. JPAS will require continuous tracking (and input) of an individual's actual access requirement upon which the periodic reinvestigation is based.'' \95\ --------------------------------------------------------------------------- \95\ Statement of J. William Leonard, Deputy Assistant Secretary of Defense for Command, Control, Communications, and Intelligence, NSVAIR Subcommittee hearing, Serial No. 106-267, p. 60. --------------------------------------------------------------------------- JPAS is designed to provide DOD with the ability to provide real-time data on the number of personnel currently authorized to have access to classified information, and will facilitate accurate forecasting of reinvestigation requirements. In addition, JPAS could further support reciprocity by including clearance data from non-DOD agencies.\96\ --------------------------------------------------------------------------- \96\ See supra note 37, p. 39. --------------------------------------------------------------------------- DOD stated, ``JPAS will provide all DOD components, for the first time, a single, central, fully integrated system for managing their cleared personnel and providing accurate statistics on such things as projected periodic review requirements and whose PSI is pending or closed.'' \97\ In addition, the DOD-IG reported, JPAS will provide DOD with a common information resource for granting and sharing personnel security eligibility determinations and recording personnel access to sensitive information.\98\ --------------------------------------------------------------------------- \97\ DOD response to Questions for the Record Inquiry, Mar. 27, 2001, House Government Reform Committee, NSVAIR Subcommittee, Defense Security Service hearing, Mar. 2, 2001, (in subcommittee files). \98\ Department of Defense, Office of Inspector General Audit Report, Acquisition Management of the Joint Personnel Adjudication System, Report No. D-2001-112, May 5, 2001, (in subcommittee files). --------------------------------------------------------------------------- However, the projected ability to field JPAS in fiscal year 2001, once again, was overly optimistic. According to the DOD's Deputy Inspector General, ``Although the future Joint Personnel Adjudication System is the long term solution, it is agreed that the case control management system would be modified this year as an interim alternative. Due to subsequent slippage in baselining the system, the change may not be made until fiscal year 2002.'' \99\ --------------------------------------------------------------------------- \99\ Statement of Robert J. Lieberman, NSVAIR Subcommittee hearing, Serial No. 107-40, p. 17. --------------------------------------------------------------------------- Without knowing with any certainty the size of the PSI backlog but suspecting it could be higher, the DSS Director said at the February 16, 2000 NSVAIR Subcommittee hearing, ``We believe that we can bring the backlog, as we now know it, we can eliminate the backlog by the end of calendar year 2001.'' \100\ --------------------------------------------------------------------------- \100\ See supra note 34, p. 114. --------------------------------------------------------------------------- The following month, DOD changed the PSI backlog elimination target date a third time. On March 31, 2000, Deputy Secretary of Defense John J. Hamre issued another memorandum,\101\ ``Personnel Security Clearance Investigations Backlog'' directing the Military Departments, Defense agencies, and contractors shift all new Secret and Confidential level investigations to OPM through its contractor US Investigations Services [USIS] and changing the target date for elimination of the backlog to March 31, 2002.\102\ DSS would retain responsibility for all top secret investigations and reinvestigations for military and contractor personnel. The objective was to reduce pressure on DSS for conducting hundreds of thousands of investigations while leveraging OPM's investigative capacity.\103\ --------------------------------------------------------------------------- \101\ See supra note 89. \102\ Ibid. \103\ Ibid. --------------------------------------------------------------------------- On June 1, 2000, Deputy Secretary of Defense Rudy de Leon issued the memorandum, ``Personnel Security Investigation Process Review'' directing a comprehensive review of the personnel security process, to establish a ``get well'' date, and make additional recommendations to expedite the personnel security process effort. A Process Review Team was established to accomplish this effort.\104\ Once again the Department was attempting to ascertain the size of the backlog and when it would be eliminated. --------------------------------------------------------------------------- \104\ Memorandum: Personnel Security Investigation Process Review, June 1, 2000, from Deputy Secretary of Defense Rudy de Leon to Secretaries of the Military Departments, et. al., (in subcommittee files). --------------------------------------------------------------------------- On June 22, 2000 Under Secretary of Defense (Comptroller) William J. Lynn issued the memorandum, ``Personnel Clearance Backlog and Security Initiatives,'' generally referred to as the ``spend plan.'' \105\ The directive included monthly targets for all DOD components for submitting PSI requests to DSS and OPM, along with the associated funding to eliminate the backlog. The Comptroller estimated the Department would need an additional $201.6 million over 2 fiscal years to fund PSI cases taken over by OPM in addition to the funds already planned in the budget at that time. --------------------------------------------------------------------------- \105\ See supra note 85. --------------------------------------------------------------------------- The Department had finally recognized additional funding was needed to address the growing PSI backlog. GAO had recommended as part of their review of the Personnel Security Investigation Program in October 1999 that DOD provide additional funding to address the PSI backlog. According to Carol Schuster, ``One of the problems that has occurred over the last couple of years is they have mandated (PSI) submissions, but the money has not been behind it. So the services have been cajoled to put in submissions, but the money has to be reprogrammed from other programs in order to cover it. That has been true for 1999, it has been true for 2000, and it is true for 2001. When the money is not there and the services choose not to reprogram the money for that purpose, then the submissions are not made.'' \106\ The Comptroller also moved the backlog elimination target date to September 30, 2002.\107\ --------------------------------------------------------------------------- \106\ See supra note 11, p. 47. \107\ See supra note 85. --------------------------------------------------------------------------- The ``spend plan'' mandated that each DOD component submit a designated quota of backlogged cases each quarter of fiscal year 2001 and fiscal year 2002. If implemented as planned, all backlogged cases as of September 2000, were to be submitted by the end of fiscal year 2002. These cases were to be in addition to those cases coming due for reinvestigation and new cases. Together, these new submissions represented a very large influx of cases given that there was already a large backlog of unprocessed cases at DSS. GAO had estimated that the number of PSI cases involved was 2.2 million, raising additional concerns. Several other attempts were made to increase capacity to process PSI cases. These included entering into contracts with private sector investigative firms and bringing a number of reservists onto active duty to assist DSS.\108\ General Charles J. Cunningham Jr., USAF (Ret), Director, Defense Security Service informed the subcommittee, ``Our plan to use private sector contractors to augment our investigative workforce has continued to materialize and is proving to be a successful endeavor. In addition, to contractor augmentation, we are also using military reservists to augment our investigative workforce. Currently, approximately 45 reservists who have prior investigative and interviewing experience are integrated into our agent workforce.'' \109\ --------------------------------------------------------------------------- \108\ See supra note 36, p. 78. \109\ Ibid. --------------------------------------------------------------------------- Although these were positive steps, they were not seen as enough to handle the increase in PSI cases expected as a result of the implementation of the spend plan. According to GAO, ``it's really hard to tell exactly what kind of an effect this large influx of cases is going to have and whether the use of private contractors and reservists and the like are going to make a dent in that.'' \110\ --------------------------------------------------------------------------- \110\ See supra note 11, p. 46. --------------------------------------------------------------------------- Carol Schuster stated, ``we've already gone over how flimsy the 500,000 is so we don't really know whether that's a good estimate or not. We do know how many cases are called carryover cases-those already submitted to DSS. Over the next 2 years, they've got 435,000 of those cases. Then you've got the backlogged cases and then you've got new cases coming in. So all told, we're talking about an enormous workload here of 2.2 million cases coming into the investigative community. As I understand it, the spend plan for this 2-year period is just to get the cases submitted, and then it is up to the investigative community to somehow deal with that. We haven't really seen the influx yet. A lot of the cases that are going to OPM really start at the beginning of the fiscal year in October (2000).''\111\ --------------------------------------------------------------------------- \111\ Ibid. --------------------------------------------------------------------------- Other efforts to reduce the backlog and identify potential high-risk cases included the development of a predictive model or algorithm to track those cases. Carol Schuster stated, ``They are taking several actions. One in particular, I think, is very promising. They are working on an algorithm that will try to identify those cases that are most likely to result in a denial of a clearance, based on their past experience. That will allow them, if they can get this to work, to identify those cases that are most risky to the government and be able to process those in a priority manner.'' \112\ --------------------------------------------------------------------------- \112\ See supra note 75, p. 22. --------------------------------------------------------------------------- During the subcommittee's DSS oversight hearing in February 2000, DSS Director General Charles J. Cunningham submitted written testimony which stated, ``DSS has established several initiatives to more effectively manage this significant increase in clearance demand while at the same time reducing the inherent risks associated with outdated investigations in individuals already accessing classified information, thus reducing the vulnerability of insider threat. One of those initiatives is the development of a predictive model to identify those cases that pose a higher risk based on responses to certain questions on the personnel security questionnaire. The algorithm will be applied at the front end of our investigative process to ensure that the potential high-risk investigations receive priority processing.'' \113\ --------------------------------------------------------------------------- \113\ Statement of Lt. General Charles J. Cunningham Jr., USAF (Ret), Director, Defense Security Service, Serial No. 106-152, p. 54. --------------------------------------------------------------------------- The MITRE Corp. was retained by DSS to develop the algorithm. The MITRE Corp. produced ``a statistically based prioritization procedure whereby a high percentage of the `latent revocations' among the backlog could be identified and given immediate attention, based solely on the information provided in a standard Electronic Personnel Security Questionnaire [EPSQ]. Such a method would allow the DSS to allocate limited investigative resources so as to remove a high percentage of the risky backlog cases in the shortest amount of time.'' \114\ --------------------------------------------------------------------------- \114\ See supra note 61, p. iii. --------------------------------------------------------------------------- Responding to the question of what kind of risk assessment had been developed to determine the danger the backlog poses to national security, the DSS Director stated, ``GAO mentioned the algorithm that we have been working on and we have now completed. Our plan is to go into the total population of the backlog, apply the algorithm, identify which records come up as high risk from the algorithm, which we believe and have had scientific support will predict 89 percent, based on a 6.5 percent sample size, that we use it against the backlog while we are bringing the backlog down. So that we both work the backlog down and, in the process, go after those that are identifiable as highest risk in the backlog.'' \115\ --------------------------------------------------------------------------- \115\ See supra note 34, p. 114. --------------------------------------------------------------------------- At that time, General Cunningham indicated DSS expected to implement an algorithm and have a prioritization process for backlog cases by July 2000. The algorithm for identification of high-risk cases was implemented in November 2000.\116\ --------------------------------------------------------------------------- \116\ See supra note 97. --------------------------------------------------------------------------- The prioritization of backlog cases proved even more difficult to implement. As a result, the lack of any effective priority tracking procedures has subjected DSS to criticism from both the DOD-IG and the services. In April 2000, an Office of the Inspector General [OIG] audit report recommended that the Office of the Assistant Secretary of Defense (C3I) develop criteria to determine the highest priority mission-critical and high-risk positions based on their impact on mission-critical programs.\117\ --------------------------------------------------------------------------- \117\ Department of Defense, Office of Inspector General Audit Report, Security Clearance Investigative Priorities, Report No. D-2000- 111, Apr. 5, 2000, Executive Summary, p. 14, (in subcommittee files). --------------------------------------------------------------------------- According the Acting Inspector General, ``I think the only way to really handle the problem is to allow the various DOD components the opportunity to prioritize what they feel is truly important in their work, and to, therefore, fit those concerns into the plan. So I think it should be on a broad basis and not just for a few of the high-risk programs. When you're seeking consensus and agreement on how to prioritize, it's going to take a while longer than it would take to simply direct it from the top. It is my understanding that process is continuing, that the Department hopes to have some sort of process in place in the next few months.'' \118\ --------------------------------------------------------------------------- \118\ See supra note 70, p. 44. --------------------------------------------------------------------------- The Acting Inspector General went on to say, ``The clearance requests for important programs and higher risk programs often languished while investigators often worked routine cases. The Office of the Assistant Secretary of Defense (C3I) initially disagreed with the feasibility of developing a prioritization method but has subsequently changed its position and has been working with the services and DSS to comply with the recommendation. I'm still frankly disappointed, however, with the slow progress, and am concerned that it appears so difficult to implement what is to us a basic workload management tool. We believe this delay was unnecessary and could have been avoided through firm decisionmaking by leadership.'' \119\ --------------------------------------------------------------------------- \119\ Ibid., p. 21. --------------------------------------------------------------------------- Due to DOD component resistance and ongoing CCMS problems, DSS did not expect to implement a risk prioritization process until January 2001. Regarding the implementation of a prioritization process, the Deputy Assistant Secretary of Defense (Security and Information Operations) stated, ``the recent problems with CCMS and the resulting increase in DSS case completion times, prioritization has become problem as case completion times have soared to a year or more in some cases. The OSAD (C3I) has taken the lead in developing with the DOD component customers a draft prioritization plan.'' \120\ A prioritization process for backlog cases was not implemented in January 2001.\121\ --------------------------------------------------------------------------- \120\ See supra note 95, p. 66. \121\ Ibid., p. 67. --------------------------------------------------------------------------- In March 2001 the subcommittee learned, from the Assistant Secretary of Defense (C3I) Arthur L. Money, ``CCMS, which is part of all of this, is getting more stable and better, but it needs a prioritization application program added to it so we can prioritize things, and that is what that report (Personnel Security Investigations: Mission Degradation) pointed out. That internal report pointed out that we do not have prioritization within DSS, which is being fixed and will be in place in April 2001.'' \122\ --------------------------------------------------------------------------- \122\ Testimony of Arthur L. Money, Assistant Secretary of Defense for Command, Control, Communications, and Intelligence, NSVAIR Subcommittee hearing, Serial No. 107-40, p. 55. --------------------------------------------------------------------------- On August 22, 2000, Assistant Secretary of Defense for Command, Control, Communications, and Intelligence Arthur L. Money issued a memorandum ``Personnel Security Clearance Investigations'' implementing the Deputy Secretary's direction to distribute the personnel security clearance workload between DSS and OPM.\123\ --------------------------------------------------------------------------- \123\ Memorandum: Personnel Security Clearance Investigations, Aug. 22, 2000, from Assistant Secretary of Defense for Command, Control, Communications, and Intelligence Arthur L. Money to Secretaries of the Military Departments, et. al., (in subcommittee files). --------------------------------------------------------------------------- The Assistant Secretary also directed military departments, defense agencies, and contractors, per the Comptroller's ``Spend Plan,'' to appoint a senior official to oversee the execution of their workload plan. Under DOD Directive No. 5200.2 issued April 9, 1999,\124\ DOD components had previously been directed to designate a senior official to implement and administer the DOD Personnel Security Program. The senior component official would be responsible for monitoring and reporting the status of availability of sufficient funds, ensuring the PSI backlog workload distribution is maintained, and ensuring the timely adjudication of completed cases. --------------------------------------------------------------------------- \124\ Department of Defense Directive, No. 5200.2, Apr. 9, 1999, DOD Personnel Security Program, (in subcommittee files). --------------------------------------------------------------------------- On September 11, 2000, Deputy Secretary of Defense Rudy de Leon issued a memorandum, ``Personnel Security Investigation Review'' directing military departments, defense agencies, and contractors to review their requirements for personnel security reinvestigations.\125\ The Process Review Team that the Deputy Secretary created on June 1, 2000 determined that the backlog baseline had changed due to lapse of time and the efforts of the components in submitting personnel security reinvestigation requests. An update of the backlog was considered essential for planning and funding decisions. The results indicated that the backlog had dropped by 187,677 cases from 505,786 as reported in January 2000 to 318,109 in just 6 months.\126\ --------------------------------------------------------------------------- \125\ Memorandum: Personnel Security Investigation Review, Sept. 11, 2000, from Deputy Secretary of Defense Rudy de Leon to Secretaries of the Military Departments, et. al., (in subcommittee files). \126\ An Assessment of DOD's Plan to Eliminate the Periodic Reinvestigation Backlog, A Report to the Deputy Secretary of Defense, Personnel Security Investigations Process Review Team, Oct. 11, 2000, p. 4, (in subcommittee files). --------------------------------------------------------------------------- On October 11, 2000, the Deputy Secretary's Process Review Team formally reported the results of their review analyzing when DOD should expect the PSI process to ``get well'' as tasked by the Deputy Secretary's memorandum of June 1, 2000.\127\ The Process Review Team report revealed a dispute over what PSI cases were to be considered as part of the backlog. The OASD (C3I) considered the backlog eliminated when all of the overdue PRs have been completed for investigation. ``Although, this goal represents an important milestone, a process review team reported, the elimination of the backlog means completion of investigations associated with those PRs, the adjudication of the investigations, and a return of the pending workload to steady state.'' \128\ The Process Review Team considers the backlog eliminated once the investigations have been completed and adjudicated and the workloads of DSS and the Central Adjudication Facilities [CAFs] return to steady state. ``Assuming that DSS completes the last backlog investigation by mid to late FY2003, the last backlog cases would be adjudicated not later than the end of FY2003. At that time, the backlog will be eliminated and investigative workload will return to a steady state.'' \129\ This marked the fifth time in a 1\1/2\ year period that the target date for elimination of the backlog moved farther down range. --------------------------------------------------------------------------- \127\ Ibid. \128\ Ibid., p. 5. \129\ Ibid., p. 4. --------------------------------------------------------------------------- Commenting on DOD's ability to carry out this plan and achieve the new benchmark date for the elimination of the backlog, Deputy Inspector General Robert J. Lieberman said, ``As far as the prospects for execution of the current plan are concerned, I don't think that we can be fully confident that we understand how many new investigations are going to be required until the system that Mr. Money referred to, the new system that is just being fielded now, is actually in place and starts generating experience data that we can all rely on. I think in another year or so we will be looking at the numbers again and perhaps the plan does not have to be stretched out. It may be evident that we will achieve this steady-state sometime earlier, but my guess is that we will not be seeing this steady-state for a few months after the end of the project plan.'' \130\ --------------------------------------------------------------------------- \130\ Testimony of Deputy Inspector General, Robert J. Lieberman, NSVAIR Subcommittee hearing, Serial No. 107-40, p. 37. --------------------------------------------------------------------------- On October 31, 2000, the Deputy Secretary's Process Review Team responded to the remaining tasks as directed by the Deputy Secretary's memorandum of June 1, 2000. This report responds to the first and third tasks, to determine where DOD currently stands in reforming the PSI process with recommendations of how to expedite this reform effort.\131\ --------------------------------------------------------------------------- \131\ See supra note 37. --------------------------------------------------------------------------- On December 14, 2000, the Office of the Under Secretary of Defense (Comptroller) issued a revised spend plan to incorporate the adjustment of the backlog from 505,786 to 318,109 in accordance with the process review Process Review Team's survey results. The report included performance expectations for completing personnel security investigation cases and a $44.1 million reduction in funding for fiscal year 2001 and fiscal year 2002.\132\ --------------------------------------------------------------------------- \132\ Department of Defense, Office of the Under Secretary of Defense (Comptroller), Plan for Eliminating the Personnel Security Investigation Backlog, Dec. 14, 2000, (in subcommittee files). --------------------------------------------------------------------------- On February 8, 2001, the Director of Security, OASD (C3I) released a draft report on the status and possible options regarding the conduct of personnel security investigations by DSS.\133\ --------------------------------------------------------------------------- \133\ See supra note 43. --------------------------------------------------------------------------- The draft report indicated, ``the time to complete the types of investigations upon which clearances are based was getting longer, not shorter.'' \134\ As the time to complete investigations has grown, the number of investigations pending also grew. ``If this trend remains static, there is no probability that the backlog of periodic reinvestigations will be reduced by the end of FY 2002, as currently directed.'' \135\ However, according to Assistant Secretary of Defense Arthur L. Money, ``the draft report was not reviewed; and it is not entirely accurate. You will see it has `draft' on it and so forth, so it was a failing within my office of not having the report vetted and made more accurate.'' \136\ --------------------------------------------------------------------------- \134\ Ibid., p. 4. \135\ Ibid., p. 10. \136\ See supra note 122, p. 54. --------------------------------------------------------------------------- Commenting on the February 8, 2001 draft report, the Deputy Inspector General stated, ``It is likely that much of the data being used to track progress against the plan is flawed, but the errors are probably not egregious enough to distort the overall trends, which are very disappointing.'' \137\ --------------------------------------------------------------------------- \137\ See supra note 99, p. 14. --------------------------------------------------------------------------- The draft reports states quite clearly, ``When observed as a whole, the current process as defined by the various directions and plans contained in the policy memoranda that have been issued by senior DOD management since June 1999, is not meeting the Department's need to provide timely investigations and clearances.'' \138\ When queried further why the draft report shouldn't be given more creditability, the Deputy Assistant Secretary J. William Leonard said the draft report did not include the PSI workload completed by OPM. Secretary Leonard said if the draft report had included the OPM workload, DDS turnaround time for completed PSIs would have been lower. ``When we were here last September (2000), we reported to the committee that a good part of our plan encompassed off-loading work from DSS to OPM. So therefore, any assessment of that plan would have to take into account what OPM is doing.'' \139\ --------------------------------------------------------------------------- \138\ See supra note 43, p. 4. \139\ Testimony of J. William Leonard, Deputy Assistant Secretary of Defense for Command, Control, Communications, and Intelligence, NSVAIR Subcommittee hearing, Serial No. 107-40, p. 61. --------------------------------------------------------------------------- OPM had the capacity to handle personnel security investigations, and after 1 year demonstrated the ability to complete those investigations transferred from DSS in an accurate and timely manner.\140\ OASD (C3I) senior management wanted the subcommittee to accept the argument that the draft report was flawed because the authors did not include OPM's statistics in the calculation of the number of cases processed and how long it was taking to process those cases. As Mr. Leonard went on to say, ``And so, for example, for the first quarter OPM did, I believe close to 28,000 investigations for the Department of Defense, and if they were factored into case completion times, for example, what it would have shown is that Department-wide case completion times actually decreased.'' \141\ DSS was taking credit for OPM's ability to complete personnel security investigations in a timely manner and wanted to include those figures in a report that would have shown improved progress. --------------------------------------------------------------------------- \140\ See supra note 126, p. 15-16. \141\ See supra note 139, p. 61. --------------------------------------------------------------------------- Also, it should be noted the composition of the investigations handled by each is not the same. OPM handles many cases that can be processed by simple computerized checks, whereas almost all of DSS workload involves the most labor- intensive and time-consuming background investigation work related to top-secret clearances. Therefore, the time necessary to complete a case varies widely between DSS and OPM. The handling of PSIs by OPM was not intended to be a permanent fix and as such should not be included in any measurement of DSS's workload capacity. When pressed further regarding the accuracy of the draft report relative to the Department's need to provide timely personnel security investigations and clearances, Deputy Assistant Secretary J. William Leonard stated, ``Don't get me wrong. I am not saying that we are where we want to be. We recognize that we are not on a glide path, so from that point of view, the fundamental thing you get out of that report is accurate. And we are very mindful of that and we are focused on that.'' \142\ --------------------------------------------------------------------------- \142\ Ibid. --------------------------------------------------------------------------- The January 2002 Department of Defense, Office of the Inspector General semi-annual report to Congress highlighted ``The inability of the Defense Security Service Program to ensure timely investigations also remains a serious concern. The Defense Security Service has increased its productivity and the Office of Personnel and Management has provided good support through its contractors to work off the backlog of several hundred thousand overdue clearance investigations and achieve reasonable turnaround times for new investigations requests. The program remains hampered, however, by uncertain projections of the future investigative workload. There is widespread skepticism among DOD components about the ability of DSS to efficiently handle more workload, yet DSS views the outsourcing of much of the investigative workload to OPM as a temporary measure. The long delayed transition of DSS to a pay- for-service organization remains a key DOD management objective, but DSS still lacks a cost accounting system.'' \143\ --------------------------------------------------------------------------- \143\ Inspector General, Department of Defense, Semi-Annual Report to Congress, Apr. 1-Sept. 30, 2001. p. 3. --------------------------------------------------------------------------- 2. There was a lack of management oversight of the Defense Security Service [DSS] by the Department of Defense that contributed to a backlog of personnel security investigations. The Assistant Secretary of Defense for Command, Control, Communications, and Intelligence [C3I] is the Department of Defense's senior agency official responsible or the personnel security program. Responsibilities of the Assistant Secretary (C3I) include oversight of the Defense Security Service, and direction, administration and oversight of the DOD personnel security program.\144\ --------------------------------------------------------------------------- \144\ See supra note 37, p. 44. --------------------------------------------------------------------------- In addition, the DOD Personnel Security Committee [DODPSC] and Executive Steering Group [ESG] were established in 1999 to provide input and support to DOD's personnel security program management.\145\ --------------------------------------------------------------------------- \145\ Ibid. --------------------------------------------------------------------------- In 1999, the General Accounting Office reported the Defense Security Service operated for at least 4 years with little or no oversight from the Office of the Assistant Secretary of Defense for Command, Control, Communications, and Intelligence [C3I] which is responsible for assessing the completeness of DSS investigative work.\146\ --------------------------------------------------------------------------- \146\ See supra note 27, p. 29. --------------------------------------------------------------------------- Substantiating this in his prepared statement for the March 2, 2001 NSVAIR Subcommittee hearing, Deputy Inspector General Robert J. Lieberman stated, ``senior DOD leaders paid very little attention to the Defense Security Service before the crisis broke.'' \147\ --------------------------------------------------------------------------- \147\ See supra note 99, p. 9. --------------------------------------------------------------------------- A report, issued October 31, 2001, to the Deputy Secretary of Defense assessing the personnel security program observed oversight of the personnel security program by the Office of the Assistant Secretary of Defense (C3I) had not been effective.\148\ DOD officials told GAO that once DSS became a reinvention laboratory, it was allowed to operate, for the most part, independently.\149\ --------------------------------------------------------------------------- \148\ See supra note 37, p. 9. \149\ See supra note 27, p. 29-30. --------------------------------------------------------------------------- As an example, from August 1996 through February 1999, DSS relaxed its investigative requirements through a series of policy letters.\150\ Several of these letters gave investigators greater discretion in how they would meet the Federal standards or pursue investigative issues that might be significant. These policy changes caused much confusion among agency staff.\151\ --------------------------------------------------------------------------- \150\ Ibid., p. 20. \151\ Ibid. p. 21. --------------------------------------------------------------------------- In 1996 and again in 1998, the Security Policy Board advised DSS not to adopt policies that ran counter to the Federal investigative standards.\152\ The Director of the Security Policy Board staff stated, ``Apparently, rather than fight for adequate funding, DSS has chosen an assault on personnel security clearance standards.'' \153\ --------------------------------------------------------------------------- \152\ See supra note 41. \153\ Ibid. --------------------------------------------------------------------------- The Board noted that DOD was a full partner in developing the new standards and that the planned actions by DSS would undermine the objectives of achieving reciprocity and PSI standardization among Federal Government agencies, cause a serious deterioration in the quality of investigative work, and increased security risk. The Policy Security Board stated that if DSS wanted to change the standards the agency should bring such requests to the Board, which was specifically established for that purpose. According to GAO, in spite of this advice, DSS management adopted the relaxed investigative guidance.\154\ --------------------------------------------------------------------------- \154\ See supra note 86, p. 13-14. --------------------------------------------------------------------------- When questioned how lack of oversight and mismanagement of the agency contributed to PSI weaknesses found in GAO's review of the Personnel Security Investigation Program, Carol R. Schuster, Associate Director, stated, ``We found weaknesses in several areas. The first area was relaxing the standards below Federal standards, and also allowing perhaps too much latitude with their investigators as to how far and how deeply they went into the investigative areas. The second area was doing away with some of the quality control mechanisms they had on those investigations. They did away with the Quality Assurance Branch, and supervisory review, for instance. In the training area, they just really were not giving very much training to the investigators. Because there were new investigative standards, there was a need for such training. They also did away with the Security Institute, which was training not only to DSS investigators, but investigators throughout the Government.'' \155\ --------------------------------------------------------------------------- \155\ See supra note 75, p. 19. --------------------------------------------------------------------------- The lack of oversight also affected the acquisition of the Case Control Management System. The Office of the Assistant Secretary of Defense (C3I) has the responsibly for monitoring major IT acquisitions.\156\ Robert J. Lieberman, Deputy Inspector General stated, ``we have spent about $100 million so far on CCMS.'' \157\ --------------------------------------------------------------------------- \156\ See supra note 28, p. 3. \157\ Testimony of Deputy Inspector General, Robert J. Lieberman, NSVAIR Subcommittee hearing, Serial No. 106-267, p. 36. --------------------------------------------------------------------------- During the September 20, 2000 hearing, the subcommittee learned CCMS would be designated a major acquisition project 4 years after the project began. In his prepared statement Donald Mancuso, Acting Inspector General wrote, ``We understand that the Assistant Secretary of Defense (Command, Control, Communications, and Intelligence) intends to designate CCMS as a major acquisition project, meaning there will be oversight by an Integrated Process Team and the Chief Information Officer [CIO] at the Office of the Secretary of the Secretary of Defense level. This is a prudent step, but does not in itself guarantee close oversight.'' \158\ --------------------------------------------------------------------------- \158\ Statement of Donald Mancuso, Acting Inspector General, DOD, Office of the Inspector General, NSVAIR Subcommittee hearing, Serial No. 106-267, p. 34-35. --------------------------------------------------------------------------- When acquiring major IT systems, the Clinger-Cohen Act \159\ requires the Chief Information Officer [CIO] to monitor and evaluate the performance of information technology programs and advise the heads of agencies whether to continue, modify, or terminate a program.\160\ Carol R. Schuster, Associate Director, stated, ``to my mind (CCMS) is the biggest challenge that they face. That automated system was just not planned properly. It was not implemented properly. The people who were trying to procure that system and manage it really were not totally qualified to do that. They did not have the background in a major acquisition program. They did not have the information technology expertise to really do that.'' \161\ --------------------------------------------------------------------------- \159\ 41 U.S.C. Sec. 251 (The Clinger-Cohen Act of 1996). \160\ See supra note 98, p. 7. \161\ See supra note 75, p. 22. --------------------------------------------------------------------------- Arthur J. Money, Assistant Secretary of Defense (C3I) conceded CCMS oversight failures stating, ``A program that had started in 1995, called case control management system, was installed. Now, here was a major failure. It was installed without testing, and the legacy system was turned-off never to be turned back on, or never could be turned back on.'' \162\ --------------------------------------------------------------------------- \162\ See supra note 122, p. 36. --------------------------------------------------------------------------- And, acknowledging the lack of acquisition and deployment oversight of CCMS by the Office of the Assistant Secretary of Defense (C3I), the Deputy Assistant Secretary of Defense J. William Leonard stated, ``I am sitting here before you with the full knowledge that a significant part of the solution is to address shortcomings in past oversight from my organization, especially with respect to things such as overseeing the acquisition of a major automation system such as CCMS. I recognize that and am very much committed personally and organizationally to ensure that we address these issues in the months to come.'' \163\ --------------------------------------------------------------------------- \163\ See supra note 95, p. 54. --------------------------------------------------------------------------- However, in that regard, there was more involved in the failure of CCMS than just software and design problems. In December 2000 the DOD Inspector General indicated in an audit of the case control management system that ``despite the key roll of CCMS in DSS operations that support virtually all DOD critical missions, minimal acquisition oversight and guidance was provided or offered by the Assistant Secretary of Defense for Command, Control, Communications, and Intelligence.'' \164\ --------------------------------------------------------------------------- \164\ See supra note 28. --------------------------------------------------------------------------- Others have also noted the Office of the Assistant Secretary of Defense for Command, Control, Communications, and Intelligence (OASD-C3I) had difficulty providing adequate management oversight. The Report of the Commission to Assess U.S. National Security Space Management and Organization noted, ``The current ASD (C3I) organization suffers from three difficulties: the span of control is so broad that only the most pressing issues are attended to and (space) matters are left, on a day-to-day basis, in the hands of middle-level officials without sufficient influence within the Department and the interagency arena.'' \165\ --------------------------------------------------------------------------- \165\ Public Law 106-65, Report of the Commission to Access United States National Security Space Management and Organization, Executive Summary, Jan. 11, 2001, p. 21, (in subcommittee files). --------------------------------------------------------------------------- Insufficient influence within the Department and interagency arena was again evident in an OASD (C3I) August 22, 2000 directive \166\ concerning compliance with a newly established workload plan for the elimination of the PSI backlog. The Assistant Secretary of Defense (C3I) merely ``encouraged (emphasis added) the Military Departments and Defense agencies to have their Inspectors Generals include compliance as a matter of interest during inspections for FY2001 and FY 2002 to preclude the recurrence of the PSI backlog.'' \167\ As the PSI backlog grew to crises proportions, the Assistant Secretary of Defense (C3I) should have been made clear the PSI backlog should be treated more than just as a matter of interest. --------------------------------------------------------------------------- \166\ See supra note 123. \167\ Ibid. --------------------------------------------------------------------------- 3. Acquisition of the Case Control Management System [CCMS] and the Joint Personnel Adjudication System [JPAS] did not comply with the requirements of the Clinger-Cohen Act and may not provide effective caseload management. The Office of the Assistant Secretary of Defense (C3I) is responsible for overseeing the design and implementation of large information technology systems are on schedule, within acceptable cost parameters, and have full user satisfaction. The Subcommittee found the Office of the Assistant Secretary of Defense (C3I) has a poor record for controlling the proliferation of incompatible IT systems, acquiring new systems that meet user needs within reasonable timeframes, controlling acquisition and upgrade costs, and ensuring the quality of data. As a result, the Office of the Assistant Secretary of Defense (C3I) allowed the acquisition and development of CCMS \168\ and JPAS \169\ without first determining whether the systems were the most cost-efficient and cost-effective solution for opening, tracking, closing, and adjudicating personnel security investigation cases. --------------------------------------------------------------------------- \168\ The case control mangement system was deployed in October 1998. \169\ The Air Force is testing and deploying JPAS. Current legacy adjudication systems will operate in parallel with the deployed JPAS. Initial operational capability is planned for October 2001. --------------------------------------------------------------------------- The lack of oversight resulted in the deployment of a major IT system, the case control management system, that has put national security at risk and will require millions of additional dollars to fix or replace. The Defense Security Service's deployment of CCMS resulted in decreased productivity contributing to the periodic reinvestigation backlog. CCMS has become a costly attempt to maintain a failing status quo despite recommendations to scrap the system.\170\ DSS will spend more to fix the CCMS than it cost to acquire it.\171\ --------------------------------------------------------------------------- \170\ See supra note 36, Sec. 7, p. 67-68. \171\ Ibid., p. 1-7. --------------------------------------------------------------------------- CCMS was designed to guide and control the Defense Security Service Enterprise System for opening, tracking, and closing personnel security investigation cases. The Enterprise System is a combination of 24 distinct primary information systems, subsystems, applications, and interfaces that share common data and connectivity.\172\ --------------------------------------------------------------------------- \172\ See supra note 28, p. i. --------------------------------------------------------------------------- Commenting on the acquisition of CCMS, the Acting DOD Inspector General Donald Mancuso stated, ``The need for a modern DSS system with the capabilities intended for CCMS is undeniable; however, as has often been the case over the last decade with DOD information technology investments, execution of this system acquisition project was flawed. In retrospect, DSS and its contractors badly underestimated the technical risk and failed to test adequately to manage those risks.'' \173\ --------------------------------------------------------------------------- \173\ See supra note 158, p. 33. --------------------------------------------------------------------------- DSS believed establishing a paperless Enterprise System of automated applications would avoid as much as $80 million in operating costs over a 6 year period and $900 million over a 3 year period in reduced time for personnel security investigations.\174\ Without knowing the extent to which CCMS is meeting cost and benefit expectations, DOD was not in a position to make informed decisions on whether to deploy the system. --------------------------------------------------------------------------- \174\ See supra note 28, p. i. --------------------------------------------------------------------------- Federal information technology investment management guidelines require Federal agencies to economically justify IT projects before investing in them, and to justify them in an incremental manner to spread the risk of doing many things over many years on large projects. In December 2000, the DOD Office of the Inspector General issued an Audit Report citing DSS for not effectively managing the high risk involved in the acquisition and integration of CCMS and its Enterprise System by following the requirements of the Clinger-Cohen Act of 1996,\175\ OMB Circulars and DOD guidance for acquisition of information technology systems. The Clinger-Cohen Act requires agencies to design and implement a process for assessing and managing the risks of information technology acquisitions to include analyzing, tracking, evaluating, and reporting on risks and results of all major information technology capital investments.\176\ In addition, DOD regulations require every system acquisition program to establish cost, schedule, and performance objectives and thresholds before a major IT system is deployed.\177\ --------------------------------------------------------------------------- \175\ Ibid., p. 3. \176\ Ibid., p. 15. \177\ DOD Regulation 5000.2-R, Mandatory Procedures for Major Defense Acquisition Programs and Major Automated Information Systems Acquisition Programs, Mar. 15, 1996 (revised June 2001), (in subcommittee files). --------------------------------------------------------------------------- In February 2000, Carol Schuster, Associate Director of GAO's National Security International Affairs Division stated, ``DSS did not properly plan for the implementation of a new system (CCMS) designed to automate its personnel security investigation case processing. As a result, DSS has not been able to process its investigations, the volume of investigations sent to field offices and adjudication facilities has decreased sharply, and according to DSS officials, DOD may have to add $100 million to $300 million more to the $100 million already spent on its automation efforts to have a workable system. The automation efforts have exacerbated DSS's efforts to cope with the large backlog of overdue investigations.'' \178\ --------------------------------------------------------------------------- \178\ See supra note 86, p. 15. --------------------------------------------------------------------------- Carol Schuster went on to say, ``the basic underlying factors are that it really was not planned very well as an acquisition program. The people were not very well qualified in either IT or acquisition management.'' \179\ DOD's Acting Inspector General Donald Mancuso concurred stating, ``The failure of CCMS, the DSS case control management system, was also a major setback.'' \180\ The DOD-IG reported, ``Prior to September 2000, neither the CCMS nor the rest of the Enterprise System was designed as a major automated information system or a special interest initiative. Funds contractually obligated for the Enterprise System's development and modernization amounted to $76 million from FY 1995 through FY 1999. Total planned development and operation costs for FY 2000 through FY 2007 are estimated to be $312 million.'' \181\ --------------------------------------------------------------------------- \179\ See supra note 75, p. 32. \180\ See supra note 70, p. 20. \181\ See supra note 28, p. 2. --------------------------------------------------------------------------- When questioned what was the biggest problem the agency faced, the Director of DSS stated, ``It is the case control management system because it becomes the pacing item for everything else that happens in the agency in investigations.'' \182\ And, Assistant Secretary Money stated, ``What happened in October 1998 was, essentially everything came to a grinding halt in that no cases were coming out due to software failure, system failures, and I will assert due to poor design on what CCMS ought to be.'' \183\ --------------------------------------------------------------------------- \182\ See supra note 34, p. 117. \183\ See supra note 122, p. 36. --------------------------------------------------------------------------- The Office of the Assistant Secretary of Defense (C3I) and the Defense Security Service are attempting to resolve CCMS technical and program problems by initiating a series of actions designed to improve and enhance system performance. In August 1999, recognizing the agency did not have the capability or in-house expertise to manage and support the case control management system, DSS transferred management of the system to the Air Force. In addition, DSS is implementing a strategy to repair CCMS technical and program problems to improve the system's ability to open, track and close personnel security investigation cases. The aim is to expand the utility, efficiency, and effectiveness of CCMS to meet projected workload increases resulting from implementation of the spend plan. The strategy will involve a three-phase process and timetable: Phase one would stabilize the existing system; phase two would improve the current system; and the third phase would implement enhancements to CCMS. Those enhancements, called ``target architecture,'' would be developed and implemented over 5 years starting in fiscal year 2002. DSS has requested an additional $93 million to develop and implement phase three.\184\ According to the Director of DSS, ``This target architecture provides a framework for future development and implementation of the entire Defense Security Service Enterprise System, including the case control management system.'' \185\ DSS believes the three-phase approach will not only allow for stabilization of the system and improvements to CCMS, but will preserve the initial investment in the system. --------------------------------------------------------------------------- \184\ Letter from Lt. Gen Charles J. Cunningham, Jr., USAF (Ret), Director, Defense Security Service to Congressman Christopher Shays, chairman, NSVAIR Subcommittee, July 26, 2000, (in subcommittee files). \185\ See supra note 35, p. 77. --------------------------------------------------------------------------- The August 22, 2000 memorandum issued by the Assistant Secretary of Defense (C3I) included detailed instructions to the DOD components transferring a portion of the personnel security clearance workload to OPM to fulfill the comptroller's spend plan directive. In part, this action was taken in an attempt to relieve the pressure on CCMS thereby allowing the system to more rapidly process incoming background investigations.\186\ However, according to TRW, the case control management system's serious weaknesses will be far more difficult to fix than DSS anticipates.\187\ --------------------------------------------------------------------------- \186\ See supra note 95, p. 62. \187\ See supra note 36, p. 1-5. --------------------------------------------------------------------------- In December 2000, the DOD Inspector General recommended the Assistant Secretary of Defense (C3I) analyze whether the investment for the Case Control Management System provides the best business solution when compared to alternative solutions for opening, tracking, and closing personnel investigation cases.\188\ --------------------------------------------------------------------------- \188\ See supra note 28, p. ii, (in subcommittee files). --------------------------------------------------------------------------- In January 2001, responding to the DOD IG's recommendation, the Assistant Secretary for Defense (C3I) wrote, ``DSS and C3I concur with the finding and recommendation as stated in the DOD IG report. We will conduct an analysis of alternatives to support the direction we plan to achieve for the future architecture and will include the economic analysis and calculation of the return on investment. In addition, performance measures and information assurance requirements will also be addressed.'' \189\ --------------------------------------------------------------------------- \189\ Memorandum: Audit Report on Program Management of the Defense Security Service Case Control Management System (No. D-2001-019), Jan. 23, 2001, from Arthur L. Money, Assistant Secretary of Defense (C3I) to the DOD IG Office of Assistant Inspector General for Audit, Director, Acquisition Management (in subcommittee files). --------------------------------------------------------------------------- As criticism of OASD (C3I) and DSS intensified over the handling of the case control management system, and as questions were raised regarding the justification for spending more to fix the system than it originally cost to purchase, DSS brought in consultants to evaluate the system. Carol Schuster stated, ``Regarding past evaluations, there was a DOD red team that came in, and evaluated what they should do with that system, and what went wrong with the system, and what they would recommend. A TRW contractor evaluation also looked at it from a technical standpoint.'' \190\ --------------------------------------------------------------------------- \190\ See supra note 75, p. 23. --------------------------------------------------------------------------- The assessments found deficiencies in acquisition strategy, program management, system integration, and operations and maintenance. TRW estimated that an additional $168 million would be needed over the next 7 years to address these deficiencies for a system that was projected to cost $100 million when fully operational. Ultimately, TRW believed CCMS could not be reengineered cost-effectively and recommended scrapping the system altogether. ``It is our engineering judgment that CCMS is not viable long-term and that it should be replaced. Such a replacement should be developed under the auspices of a strong, acquisition-experienced program management office.'' \191\ --------------------------------------------------------------------------- \191\ See supra note 36, p. 1-5. --------------------------------------------------------------------------- Carol Schuster stated, ``Both of those groups pointed out numerous problems with the way the thing was put together, the lack of documentation, the lack of checks and controls, just what you would expect of an automated system, to the point that the TRW investigation did not feel like it was salvageable.'' \192\ --------------------------------------------------------------------------- \192\ See supra note 75, p. 23. --------------------------------------------------------------------------- Despite the criticism, DSS persisted in plans to spend more to fix CCMS, and contracted with TRW for a follow-up, independent evaluation. In response to an inquiry from the chairman of the NSVAIR Subcommittee regarding the justification of continuing investment in CCMS, DOD responded, ``TRW reported in October 2000 that they now believe it is possible to retain and reuse substantial parts of the system. The system has sufficient stability to support operations for the foreseeable future. As improvements are made, alternatives are reviewed for impact and application for the various subsystems. No commitment to a future architecture for CCMS will be made without first conducting a thorough analysis of alternatives.'' \193\ --------------------------------------------------------------------------- \193\ See supra note 97. --------------------------------------------------------------------------- During the October 2000 NSVAIR Subcommittee hearing, addressing the CCMS issue, the Director of DSS stated, ``there were dramatic improvements resulting from the software enhancements and corrections that have been implemented within the last six months.''\194\ --------------------------------------------------------------------------- \194\ See supra note 35, p. 75. --------------------------------------------------------------------------- In May 2001, responding to questions \195\ for the record from the NSVAIR Subcommittee, the Office of the Assistant Secretary of Defense (C3I) reported, ``The case Control Management System is not contributing to any increase in the pending backlog. CCMS has been stabilized and recent improvements allow the Defense Security Service to take advantage of the original functional design to minimize human intervention and repetitive tasks. Efforts were refocused on stabilizing and improving the system to ensure a productive system. Actions were taken as necessary to meet directed policy scope changes, to baseline the current system, and to stabilize key processing functions. While we have taken advantage of the original CCMS functions as intended, the changing PSI and technology requirements dictate an assessment of needs for the current baseline as well as future requirements. Future target architecture and business process reengineering requirements are in the concept stage with a formal Analysis of Alternatives scheduled for early fiscal year 2002.'' \196\ --------------------------------------------------------------------------- \195\ See supra note 97, p. 8. \196\ Ibid. --------------------------------------------------------------------------- Also in May 2001, the DOD-IG issued an audit report \197\ regarding the acquisition management of the Joint Personnel Adjudication System. JPAS will provide DOD with a common information resource for granting and sharing personnel security eligibility determinations and recording personnel access to sensitive and non-sensitive compartmented information. Its common database, linked by the Joint Adjudication Management System [JAMS] and the Joint Clearance and Access Verification Management System [JCAVS] applications, will standardize security clearance adjudications in compliance with DOD Regulation 5200.2-R,\198\ and will provide security managers with eligibility verifications for personnel desiring access to sensitive and classified facilities, weapon systems, and information. JPAS will also provide reports for programming and managing workloads at the Central Adjudication Facilities [CAFs] and locations requiring cleared personnel.\199\ JPAS is expected to minimize work delays for newly hired and visiting personnel with adjudicated clearances.\200\ --------------------------------------------------------------------------- \197\ See supra note 99. \198\ Ibid., p. 1. \199\ Ibid. \200\ Ibid. --------------------------------------------------------------------------- As with CCMS, OASD did not manage the JPAS as an information technology investment when the acquisition strategy changed from a network of distributed database systems to a centralized database system.\201\ The DOD Chief Information Officer [CIO] did not demonstrate oversight involvement in the acquisition of the JPAS. JPAS supports the eligibility adjudication and verification business processes for granting security clearances to military, civilian, and contractor personnel. Accordingly, any processing delay caused by JPAS could also delay DOD and contractor personnel from performing assigned functions. As a result, JPAS requires CIO oversight because of its significance in supporting DOD missions.'' \202\ --------------------------------------------------------------------------- \201\ Ibid., p. 8. \202\ Ibid., p. 7. --------------------------------------------------------------------------- 4. There are no common standards for investigating and adjudicating a personnel security clearance in a timely manner. The subcommittee found there were no clear timeliness standards for completing a personnel security clearance. As an example, the length of time for completing a top-secret clearance by the Defense Security Service in 2000 ranged from 298 days to 376 days.\203\ Completion times by OPM were lower. --------------------------------------------------------------------------- \203\ See supra note 43, p. 5. --------------------------------------------------------------------------- The DSS Director General Cunningham indicated as a result of reforms instituted, the agency would be able to do a case in 180 days and that his target for completing a personnel security investigation was less than 100 days.\204\ --------------------------------------------------------------------------- \204\ Testimony of Lt. General Charles J. Cunningham, Jr., USAF (Ret), Director, Defense Security Service, NSVAIR Subcommittee hearing, Feb. 16, 2000, Serial No. 106-267, p. 88. --------------------------------------------------------------------------- Also testifying regarding the length of time it takes to complete a security clearance investigation, Deputy Assistant Secretary of Defense J. William Leonard stated, ``The reason why the arrow is pointing to the left \205\ is because in one particular category, the most complex cases, OPM case completion times have gone up beyond the standard. However, the reason for that is because of the amount of work that we are giving out, we are dependent upon what I call `third-party providers of information.' We have to do FBI checks, INS checks, State Department checks, what have you. Those are the other activities that we are dependent upon. The more we push out, the more they have to respond to. That is the challenge we have today as a community. I have directed my people to get together on a community-wide effort. We need to collectively address this, because it is not an OPM problem, it is a community problem that impacts DSS and impacts every other agency that does background investigations.'' \206\ --------------------------------------------------------------------------- \205\ Deputy Assistant Secretary Leonard is referring to a ``Plan Success Factor'' chart that compared success factors for processing PSIs by DSS and OPM. The success factor for OPM's Performance Expectations was pointing left, toward failure, even though overall OPM was at the high end of the chart. See NSVAIR Subcommittee hearing, Serial No. 107-40, p. 29. \206\ See supra note 139, p. 40. --------------------------------------------------------------------------- 5. Defense Security Service [DSS] and the Office of Personnel Management [OPM] personnel security clearance investigators have difficulty accessing State and local criminal history record information [CHRI]. The Personnel Security Investigations Process Review Team reported, ``Conducting a local agency check to obtain a criminal history record is a national requirement for all security clearance investigations. In some cases, a criminal history record can be obtained from State and federal repositories, thus fulfilling the local agency check requirement. However, the cooperation and priorities of local law enforcement agencies providing criminal history records varies depending on jurisdiction. In many cases, conducting a local agency check can cause significant delays in closing a PSI investigation.'' \207\ --------------------------------------------------------------------------- \207\ See supra note 37, p. 25. --------------------------------------------------------------------------- ``State and municipal law enforcement agencies do not receive separate funding or resources for conducting local agency checks and often require payment for such checks as local policies dictate. Payment of fees does not appear to be an effective inducement for local agencies to comply with requests in an expeditious manner as response time does not change as a result of payment.'' \208\ --------------------------------------------------------------------------- \208\ Ibid. --------------------------------------------------------------------------- DSS drafted proposed legislation which required access be given by all States to criminal history information through automated systems where available. ``The legislation passed without two key aspects: authorization for federal agencies to obtain criminal history record information on the basis of name or other common identifiers, and a prohibition on requiring indemnification agreements.'' \209\ --------------------------------------------------------------------------- \209\ Ibid., p. 26. --------------------------------------------------------------------------- The Personnel Security Investigations Process Review Team recommended the Office of the Secretary of Defense representative to the Security Policy Board \210\ coordinate with the Department of Justice to develop incentives for local enforcement agencies to comply with requests for criminal history record information and to press for the enactment of the two unresolved issues.\211\ --------------------------------------------------------------------------- \210\ See supra note 16. [The Security Policy Board [SPB] was abolished pursuant to NSPD No. 1. The functions of the SPB were transferred to the National Security Council, Policy Coordinating Committee on Feb. 13, 2000.] \211\ See supra note 37, p. 26. --------------------------------------------------------------------------- RECOMMENDATIONS 1. The Secretary of Defense should continue to report the personnel security investigations program including the adjudicative process as a material weakness under the Federal Managers' Financial Integrity Act to ensure needed oversight is provided to effectively manage and monitor the personnel security process from start to finish. Given the fact personnel security investigations are not conducted in a timely manner; many investigations are not meeting required national investigative standards, and long range milestones are planned beyond fiscal year 2001 to improve DSSs automation capabilities, the subcommittee recommends DOD continue to report the Personnel Security Investigations Program as a material weakness under the Federal Manager's Financial Integrity Act [FMFIA]. The FMFIA requires DOD's senior managers to identify and solve department wide systemic problems. The General Accounting Office recommended this action as a result of their review of the PSI program. GAO found personnel security investigations were not conducted in a timely manner nor were they meeting Federal investigative standards, thus having a potential effect on national security. During the NSVAIR Subcommittee hearing in February 2000 Carol Schuster stated, ``They are designating this investigation program, as a material weakness to the Department of Defense under the Federal Manager's Financial Integrity Act.'' \212\ --------------------------------------------------------------------------- \212\ See supra note 75, p. 22. --------------------------------------------------------------------------- The Department of Defense has made some headway in reducing the backlog of personnel security investigations as well as resolving the problems associated with tracking, processing, and adjudicating PSI's in a timely manner. However, the NSVAIR subcommittee recommends the Department of Defense continue to include the Personnel Security Investigation Program as a material weakness under the Federal Manager's Financial Integrity Act. Specifically, the subcommittee recommends the Secretary of Defense include in the Annual Statement of Assurance what progress and what action the Defense Security Service and the Office of the Assistant Secretary of Defense (C3I) are taking with regard to achieving the September 30, 2002 target date for the elimination of the PSI backlog, and for reducing the time it takes to grant a security clearance for new PSI's and periodic reinvestigations. In a prepared statement submitted to the NSVAIR Subcommittee, the Deputy Inspector General stated, ``We included the personnel clearance problem in the list of top DOD management challenges submitted to congressional leaders last December and recommend continued DOD and congressional oversight until the problem is truly resolved. I am confident that ultimately it is fixable with sustained management emphasis, but the current goal of eliminating the investigative backlogs by September 30, 2002, is clearly at risk. In addition, it is uncertain that all backlog cases will be adjudicated until well after that date.'' \213\ --------------------------------------------------------------------------- \213\ See supra note 99, p. 19. --------------------------------------------------------------------------- The DOD-OIG reported, ``any large-scale shift of investigative workload back to DSS should be done incrementally and on a trial basis, with close oversight of the results. Any transfer must be justifiable on the basis that DSS will be able to out-perform OPM in terms of the cost, timeliness, and quality of investigations. The DOD-OIG plans additional audit work on these issues for the remainder of FY 2002.'' \214\ --------------------------------------------------------------------------- \214\ See supra note 143, p. 3. --------------------------------------------------------------------------- In addition, the Deputy Inspector General said, ``I would not be surprised if the current plan has to be recast one more time, because I don't think that we can be fully confident that we understand how many new investigations are going to be required until the system (JPAS) that Mr. Money referred to, the new system (JPAS) that is just being fielded now, is actually in place and starts generating experience data that we can all rely on.'' \215\ --------------------------------------------------------------------------- \215\ See supra note 130, p. 37. --------------------------------------------------------------------------- Concerns regarding the viability of the September 30, 2002 target date were also raised by the General Accounting Office, ``Then you've got the backlog cases, and then you've got the new cases coming in. So all told, we're talking about an enormous workload. I think they can submit the cases within the 2 years, but whether they can get them investigated and adjudicated, I have questions about that.'' \216\ --------------------------------------------------------------------------- \216\ See supra note 11, p. 46. --------------------------------------------------------------------------- 2. The Secretary of Defense should set priorities and control the flow of personnel security investigation requests for all DOD components. The Department of Defense does not have a centralized unit for tracking and prioritizing personnel security investigations and is therefore unable to determine the size or project an accurate date for the elimination of the PSI backlog. The NSVAIR Subcommittee recommends DOD establish a centralized unit to prioritize and control the flow of personnel security investigation requests. According to DSS Director, General Cunningham, ``The submission of requests for personnel security investigations is a function and responsibility of the individual military departments, defense agencies and defense contractors. More importantly, the Department of Defense prioritization comes from many sources and is difficult to integrate into our operations. This leaves the Defense Security Service at a severe disadvantage in trying to balance investigation requirements for a myriad of customers, all of whom have competing requirements and clearance needs.'' \217\ --------------------------------------------------------------------------- \217\ See supra note 35, p. 80. --------------------------------------------------------------------------- The General went on to say, ``The personnel security process basically involves three phases, identifying the need for a security clearance and then prioritizing those requests, conducting the personnel security investigation, and adjudicating the PSI request.'' \218\ --------------------------------------------------------------------------- \218\ Ibid., p. 81. --------------------------------------------------------------------------- Regarding the issue of prioritization, the Acting Inspector General stated, ``The April 2000 IG DOD report on Security Clearance Investigative Priorities \219\ discussed a number of DSS case management issues. The principal concern was the lack of a meaningful process for prioritizing the workload. We determined that investigative resources were generally applied on a first in, first out basis, so that clearance requests for important programs and higher risk positions often languished while investigators worked on routine cases. Since timely investigations are a major problem, we deemed it particularly unreasonable not to have a viable prioritization process that both the requestors of the clearance and the investigators understand.'' \220\ --------------------------------------------------------------------------- \219\ See supra note 117, p. i. \220\ See supra note 158, p. 30-31. --------------------------------------------------------------------------- The Assistant Secretary of Defense (C3I) Arthur L. Money stated, ``There is a lack in CCMS to do prioritization. That is being fixed as another add-on to the software in April that will wash through the system, so by August there will not be this accumulation of cases, which have not worked their way through. So the prioritization will help the services once they prioritize.'' \221\ --------------------------------------------------------------------------- \221\ See supra note 122, p. 63. --------------------------------------------------------------------------- However, according to the Director of DSS, ``With an anticipated significant number of security clearance requests expected through fiscal year 2001, it seems logical to me that the existing Department of Defense planning, programming and budgeting system would greatly improve the identification of requirements and simplify the process. It also seems logical that the establishment of central requirements facilities in the military departments would be most advantageous.'' \222\ --------------------------------------------------------------------------- \222\ See supra note 35, p. 80-81. --------------------------------------------------------------------------- The subcommittee also suggests the Office of Management and Budget [OMB] undertake a study to determine the feasibility of transferring the management of DOD's Personnel Security Investigation Program to the Office of Personnel Management and report their findings to the appropriate congressional oversight committees. Legitimate concerns have been raised regarding the viability and the success of achieving the September 30, 2002 target for the elimination of the backlog. Deputy Assistant Secretary J. William Leonard stated, ``The plan also extended the deadline for elimination of the investigation backlog until fiscal year 2002.'' \223\ Deputy Assistant Secretary Leonard was referring to the directive issued by Under Secretary of Defense William J. Lynn's on June 22, 2000, ``By using the services of the Office of Policy and Management for select investigations, we plan to clear the backlog of clearances by fiscal year 2002.'' \224\ --------------------------------------------------------------------------- \223\ Testimony of J. William Leonard, Deputy Assistant Secretary of Defense for Command, Control, Communications, and Intelligence, NSVAIR Subcommittee hearing, Serial No. 106-257, p. 55. \224\ See supra note 85. --------------------------------------------------------------------------- However, the Deputy Inspector General is skeptical DOD can achieve this target date stating, ``The success of tracking, processing, and adjudicating PSI's in a timely manner is also doubtful. According to 2001 Defense Security Service data, it is taking 403 days on average for initial top-secret investigations, compared to 359 days in September 2000, when you had your last hearing on the subject. Likewise, it is taking 470 days on average for top-secret periodic reinvestigations, compared to 386 days in September 2000. The trends since this time last year have gone the wrong way, as far as this most sensitive part of the investigative workload is concerned.'' \225\ --------------------------------------------------------------------------- \225\ See supra note 99, p. 14-15. --------------------------------------------------------------------------- When compared to the results OPM is achieving, the Deputy Assistant Secretary J. William Leonard stated, ``OPM's performance has been outstanding. They have--an earlier question from Mr. Kucinich in terms of how long it takes to do an investigation, they have established time lines, anywhere from 35 days for a background investigation all the way up to 180 days, depending upon what the requirements are. By and large, they are meeting those standards in every case.'' \226\ --------------------------------------------------------------------------- \226\ See supra note 139, p. 40. --------------------------------------------------------------------------- 3. The Secretary of Defense should closely monitor the interface between JPAS and CCMS to ensure effective management of investigative and adjudicative cases and avoid further backlogs. Without more consistent oversight of major information technology acquisitions, there can be no assurance that policy under the Clinger-Cohen Act is being translating into practice. Therefore, the subcommittee recommends the Secretary of Defense direct an immediate and one-time review of internal procedures to ensure compliance with the Clinger-Cohen Act by all DOD Military Departments and agencies, and the Office of Budget and Management initiate a review, cost/benefit analysis, and assessment of transferring the management and oversight of DOD agency information technology acquisitions to the General Services Administration [GSA]. The deficiencies in DOD's Personnel Security Investigations Program systems are in large part due to DOD's non-compliance with the Clinger-Cohen Act. Both the General Accounting Office and the Office of the Inspector General have raised concerns whether the CCMS and JPAS will be fully operational and integrated to accomplish the task of prioritizing, opening, tracking, and adjudicating personnel security investigations. Deputy Inspector General Robert J. Lieberman stated, ``Unfortunately, the DOD historically has not has a strong record in the support systems area and the entire Defense Personnel Security Program clearly has been hampered by inadequate systems for many years.'' \227\ --------------------------------------------------------------------------- \227\ See supra note 99, p. 13. --------------------------------------------------------------------------- In regards to DOD's ability to eliminate the PSI backlog and prioritize PSI cases, the Deputy Inspector General said, ``Everything is going to have to go right in terms of fielding new systems; and I know, Mr. Chairman, I have been over here on numerous subjects before you before, and the common theme running through all of them is that we have bad information systems and need something better, and historically, the track record for systems coming in on time, on schedule and actually being fully functional is not particularly good. So there is a risk there. If the new systems come in on schedule and are fully operational, we do not have anything that remotely looks like the CCMS fiasco, then we will have a fighting chance to get from here to there.'' \228\ --------------------------------------------------------------------------- \228\ See supra note 130, p. 51-52. --------------------------------------------------------------------------- The Department of Defense, Office of Inspector General released audit reports critical of DOD's acquisition management of both Case Control Management System \229\ and the Joint Personnel Adjudication System.\230\ --------------------------------------------------------------------------- \229\ See supra note 28. \230\ See supra note 98. --------------------------------------------------------------------------- The DOD Inspector General reported, ``Programs are defined as Major Information Technology Investment if OASD (C3I) determines that a program requires special OSD management attention because of the importance of the program's DOD mission, the high development, operating, or maintenance costs, or the program's significant role in administering DOD programs, finances, property, or resources.'' \231\ ``Despite, the system's (JPAS) criticality in support of DOD missions, acquisition management oversight was not provided in accordance with the Clinger-Cohen Act.'' \232\ --------------------------------------------------------------------------- \231\ Ibid., p. 2. \232\ Ibid., p. 8. --------------------------------------------------------------------------- CCMS and the Enterprise System for personnel security investigations were also allowed to proceed ``without the benefit of program oversight and guidance.'' \233\ ``The failure of the Chief Information Officer (CIO) to actively participate in the acquisition of CCMS contributed greatly to the systems failures.'' \234\ \235\ --------------------------------------------------------------------------- \233\ See supra note 28, p. 7. \234\ Ibid. \235\ The failure of OASD (C3I) to monitor and evaluate the performance of major IT systems appears to be a systemic problem that the subcommittee has found in other Defense Department agencies. [See DOD Systems Modernization: Continued Investment in the Standard Procurement System Has Not been Justified, (GAO-01-682), U.S. General Accounting Office, July 2001. NSVAIR Subcommittee hearing record, The Standard Procurement System (SPS): Can the DOD Procurement Process be Standardized?, Feb. 7, 2002, (in subcommittee files).] ``The Clinger- Cohen Act of 1996, OMB guidance, DOD policy, and practices of leading organizations provide an effective framework for managing information technology investments, not just when a program is initiated, but continuously throughout the life of the program. Together, they provide for economically justifying proposed projects on the basis of reliable analyses of expected life-cycle costs, benefits, risks, and a basis for investment selection, control, and evaluation decisionmaking. The department has not met these investment management tenets for the Standard Procurement System.'' [See Statement of Joel C. Willemssen, Managing Director, Information Technology Issues, U.S. General Accounting Office, NSVAIR Subcommittee hearing record, p. 5, The Standard Procurement System (SPS): Can the DOD Procurement Process be Standardized?, Feb. 7, 2002, (in subcommittee files).] --------------------------------------------------------------------------- 4. The National Security Council should promulgate Federal standards for investigating and adjudicating personnel security clearances in a timely manner. Federal standards do not contain any specified time requirements for agencies to complete their investigative work for granting personnel security clearances. Because of the national security implications resulting from the length of time it takes agencies to grant security clearances, the subcommittee recommends that the appropriate National Security Council, Policy Coordinating Committee develop such Federal standards pursuant to National Security Presidential Directive No. 1.\236\ --------------------------------------------------------------------------- \236\ See supra note 16. --------------------------------------------------------------------------- The General Accounting Office reported, ``Defense Security Service customers (the military departments, DOD civilian agencies, and industrial contractors) and adjudication officials stated that they need DSS to complete its investigations within 90 days. The Office of Personnel Management uses a standard of completing its work in 35, 75, or a maximum of 120 days, depending on the price the customer is willing to pay for the service.'' \237\ --------------------------------------------------------------------------- \237\ See supra note 27, p. 16. --------------------------------------------------------------------------- According to Carol Schuster, ``As I understand it, they are working to come up with some metrics that would have expectations for how long it should take for each kind of case. When we looked at investigations before, they were all over the board. So there isn't any standard right now for how long it should take for a particular kind of case. And there is any number of kinds of cases in this 2.2 million backlog. Some of them are very automated and don't take really very much time, and others are full field investigations that require a whole lot of work and over 200 days to complete.'' \238\ --------------------------------------------------------------------------- \238\ See supra note 11, p. 45-46. --------------------------------------------------------------------------- 5. The Secretary of Defense and the Attorney General jointly should develop a system which allows DSS and OPM investigators access to State and local criminal history information records [CHIR]. During the March 2001 DSS oversight hearing, Assistant Secretary of Defense Arthur L. Money said in his prepared statement, ``In closing, I would like to ask for your help. First, we need automated access to State and local government criminal history records akin to that provided law enforcement agencies.'' \239\ --------------------------------------------------------------------------- \239\ Statement of Arthur L. Money, Assistant Secretary of Defense for Command, Control, Communications, and Intelligence, NSVAIR Subcommittee hearing, Serial No. 107-40, p. 32. --------------------------------------------------------------------------- In that regard, Deputy Assistant Security J. William Leonard indicated DSS investigators could only access local and State criminal history record by means of a fingerprint card. Secretary Leonard stated, ``We have to submit finger print cards, which is a time-consuming and expensive process. In those instances where we cannot access their automated records, we literally have to send an agent out, put shoe leather on the ground, go to the local police office or local sheriff's office and stand in line.'' \240\ --------------------------------------------------------------------------- \240\ See supra note 139, p. 64. --------------------------------------------------------------------------- Recently, subcommittee staff was advised by GAO that since September 11th there has be a greater demand for FBI fingerprint records for background checks by State and local officials. As a result, the increased demand for fingerprint cards is placing a greater burden on DSS to complete personnel security background investigations in a timely manner. The Department of Defense needs to develop policy in conjunction with the appropriate NSC Policy Committee to develop a system which will allow for better access to local and State criminal records by DSS agents and to submit Congress any legislation needed to implement this change.