The Defense Department is preparing to add 500,000 employees to its continuous evaluation pilot by Jan. 1 as part of DoD’s effort to add rigor to the security clearance process.
Daniel Payne, the director of the Defense Security Services, said Sept. 20 that the additional half-million employees would bring the total uniformed and civilian employees enrolled in continuous evaluation to 1 million. There are more than 4.3 million cleared employees and service members across the government, including 1.3 million at the top-secret level, according to the Office of the Director of National Intelligence’s 2015 report.
“Continuous evaluation allows us to monitor employees regularly throughout the tenure of their access to classified information,” Payne said at the Association of Government Accountants’ internal control and fraud prevention training event in Washington. “We regularly check about 22 different databases throughout the DoD, the U.S. government and the private sector to see if there are any indications that an individual is doing something that perhaps they shouldn’t be doing. Already what we are seeing is we are definitely seeing the value of doing that CE program.”
The value of CE was never clearer than when DoD found 48 people among the 500,000 in the pilot had lost their security clearances well ahead of their reinvestigations.
Understand progress being made in the evolving cyber scorecard. Download our free Expert Edition: Cyber Exposure in DoD.
“Of those 48 people whose clearances have been removed and of those who had secret access, we discovered things that resulted in the revocation of their security clearance, on average, six years and four months before their next reinvestigation would’ve taken place. That is exactly what the continuous evaluation program is designed to do,” Payne said. “At the top-secret level, we were finding the data about a year-and-a-half before they were rescheduled for their reinvestigation.”
Additionally, Payne said the CE program alerted the Defense Security Service about employees or service members that had issues that needed to be addressed, but didn’t end up revoking their security clearances.
He said sometimes commanders or supervisors had conversations about certain types of behaviors or issued letters of warnings, or removed access to certain types of data.
“When there is a potential problem with an employee, like the 48 we revoked the security clearances of, the process starts by us getting an alert. The first thing we do is making sure the alert is really about the DoD employees versus someone else with a similar name. So we get rid of the false positives,” Payne said. “Identity resolution is an important part because public records don’t always have the person’s personal information, like Social Security numbers or date of birth. Then we look at information and send it to the DoD adjudication facility, and they determine how important the issue is, and if additional investigation is needed.”
Payne said the National Background Investigations Bureau (NBIB) then gets involved and the resulting investigation leads DoD to decide whether or not to revoke the security clearance.
The CE program eventually will replace the current approach where the NBIB reinvestigates employees with a secret clearance every five years, and reinvestigates employees with a top-secret clearance every three years.
DoD launched the continuous evaluation program in 2014 and slowly has been adding more employees.
Payne said adding an additional 500,000 service members and employees to the CE program depends on the services and agencies identifying those who hold critical positions, as well as those holding interim clearances, but still are waiting for final approval.
“We hope to eventually reach the point where through the use of CE, we can eliminate the need to do secret-level reinvestigations,” he said. “We also want to identify those employees at the top-secret [level] who we need to do earlier in the process and reduce the wait time to get a top-secret clearance done.”
The continuous evaluation program is part of a larger insider threat initiative. Payne said each of DoD’s 43 services and agencies needs to establish individual programs that meet their respective needs. He said the DSS is working with each organization to establish their program.
“The Defense Insider Threat Management and Analysis Center, which falls under my purview, is the focal point within DoD for all insider threat issues. When various agencies within DoD identify issues that reach a certain level of concern, that information is forwarded to the DITMAC and we have behavior scientists there who look at the information. We have other data sources that come into the insider threat program that we could potentially help that individual agency within DoD deal with and come up with a mitigation strategy for those reports they have sent to us.”
Additionally, government contractors that have access to classified information at an agency within the National Industrial Security Program also must create an insider threat program that follows closely to the one across DoD.
Vendors had to develop a plan, name a senior accountable official and conduct employee training. Payne said more than 95 percent of all vendors met those requirements.
“One of the things that I’m most concerned about is right now, the U.S. is using vast amounts of critical technology on a regular basis. What that translates to, not just classified information or information about weapons systems, it’s intellectual property that makes our companies competitive in the world economy,” he said. “It’s critical that we and the companies establish these insider threat programs, and understand the significance of what they are actually doing and how they are protecting information not only critical to our national defense, but critical to the very profitability of their company.”
Payne said some of the larger companies have robust programs, but DoD is working with all of industry to establish these programs.
A recent report from the DSS found in 2016, cleared contracts faced 18 percent more threats than in 2015.
“For the fourth consecutive year, aeronautic systems; command, control, communication and computers (C4); and electronics made up the top three targeted technologies. However, in FY16, aeronautic systems moved from third to first, while C4 remained second and electronics dropped to third. Radars and armament and survivability finished out the top five targeted technologies,” the report stated. “FY16 trends reflected a continuing threat to cleared contractors at conferences, conventions, and tradeshows (CC&Ts). CC&Ts provide an opportunity for foreign actors to use numerous illicit methods and employ constant aggressive targeting of cleared contractor personnel, information, and technology. The Special Focus Area provides more details on the threat to the cleared industrial base from foreign targeting at CC&Ts.”
Payne said over the next year, DoD will evaluate industry implementation of their insider threat program.
Payne said the value of the insider threat program also has become more clear. He said an example of that value came from one company, which he chose not to name publicly, which identified and caught two employees who were planning to go to a competitor.
“The employees began downloading intellectual property from that company and when engineers saw what was being downloaded, they figured the impact to their company would’ve been about $5 billion in future sales,” he said. “With industry, it always boils down to the bottom line. Security is often a cost entity and not a profit maker. But when you can demonstrate that you just saved the company $5 billion in sales, suddenly you have the interest of the CEO.”