Our review found that the OBDs were not effectively implementing the Contractor Personnel Security Program and, consequently, were providing access to sensitive Department data and facilities to hundreds of contract employees who did not have the required security clearances. We found that 44 percent of the 628 contract employees we examined did not have security clearances. Several contract employees did not have clearances that were sufficient for the sensitivity of their work. In addition, less than 25 percent of the FY 1999 and 2000 contracts we reviewed had the required SPM security certifications.
When SEPS transferred the responsibility for contractor personnel security to the OBDs, the SPMs did not have procedures in place to perform these duties. In addition, JMD did not adequately monitor the OBD's implementation of the program. Consequently, many uncleared contract employees had access to sensitive law enforcement information that may have included grand jury information as well as some of the Department's most important automated information systems.
In September 2000, we met with representatives from the OBDs to discuss the results of our review. Subsequent to the meeting, we revised the report to show that several OBDs have developed procedures for managing their Contractor Personnel Security Programs. In November 2000, JMD conducted the first in a planned series of contractor personnel security program training. The training covered the SPM's role and responsibilities, BI requirements for the various position risk levels, the minimum BI required for contract employees, reinvestigation requirements, and record-keeping requirements. As our review progressed, the SPMs improved the administration of their security programs. However, some of the SPMs still have not developed a program that fully addresses the level of responsibility associated with ensuring that all contract employees are cleared to work on Department contracts.
We believe that JMD needs to exercise increased oversight over the OBDs' implementation of the Contractor Personnel Security Program. In addition to providing guidance on the topics covered by the November 2000 training, we believe that the program can be improved by developing procedures for designating SPMs, developing procedures for SPM contract certifications, and coordinating contract employee information between COTRs and SPMs. In addition, once policies and procedures have been established, the OBDs must ensure that their SPMs, program officials, COTRs, and other pertinent employees adhere to them. Accordingly, we make the following recommendations to the Assistant Attorney General for Administration:
In response to the report, JMD indicated that SEPS is issuing revised program guidance that should address the recommendations, with the exception of recommendation six. JMD did not agree that SEPS should issue guidance on reinvestigation standards and instead proposed that each of the OBDs establish their own standards. We did not agree with JMD's position and consider the report open.