Review of the Security and Emergency Planning Staff's Management of Background Investigations
Evaluation and Inspections Report I-2005-010
Office of the Inspector General
As the Department's primary security office, SEPS is responsible for adjudicating background investigations, initiating reinvestigations, and providing security clearances for approximately 27,000 of the Department's approximately 103,000 employees and about 7,000 contractors. In addition, SEPS is responsible for developing, implementing, and disseminating security policies to all Department components. It must also oversee the physical, personnel, contractor, information, computer, emergency preparedness and communications security programs of the Department's 3,000 to 3,500 field offices.
To compensate for the increase in background investigation workload during FY 2000 through FY 2004, SEPS prioritized its responsibilities, placing the greatest emphasis on adjudicating background investigations and on processing and verifying SCI clearances. As a result, in FY 2004, it met federal regulatory requirements for adjudicating background investigations within 90 days in 99 percent of its highest priority cases and in 85 percent of cases overall. Department components also expressed satisfaction with the service SEPS provided on SCI clearances and clearance verifications for Department employees and contractors. However, SEPS did not process lower priority reinvestigations on time and did not fully meet other important responsibilities related to policy and oversight. Moreover, new standards for background investigations contained in the Intelligence Reform Act and HSPD-12 will significantly change the standards the Department must meet in completing background investigations.
Policy Guidance. The policy guidance SEPS provides on the management of background investigations is inconsistent, outdated, and not widely and readily accessible. SEPS has not issued a complete revision of DOJ Order 2610.2A since 1990. Instead, SEPS has issued over 40 separate update memorandums between 1990 and 2005. Moreover, the guidance does not reflect changes in the security environment since September 11, 2001. SEPS's personnel security staff told us that it has been unable to issue updated security policies and guidance because of limited staff, a small budget, and an increasing caseload. We also found that SEPS has not effectively used available technology, such as the Department's intranet, to disseminate updates to policy and guidance. As a result, Security Programs Managers indicated in surveys that they find the guidance confusing.
Limited Oversight. CRS serves as the primary vehicle for conducting oversight of the personnel security operations of components with delegated authority for managing background investigations. However, we found that CRS reviews are limited both in number and in the scope of the examination related to personnel security. With only three Security Specialists in CRS, SEPS is generally unable to meet its goal of conducting 60 security compliance reviews each year. Even if it could complete 60 reviews, that would be about 2 percent of the Department's offices. Further, personnel security constitutes a small portion of each review, and Security Specialists do not perform substantive reviews of adjudication or investigation quality. We concluded that this minimal oversight is insufficient to ensure that the Department is in compliance with personnel security regulations.
SEPS also relies on outdated technology for case tracking. Because TRAQ is a stand-alone system unavailable to other components, SEPS employees and security officials in other components have no centralized source for background investigation data. Further, because TRAQ was not designed as a case management database, it lacks internal quality controls or image scanning capabilities. SEPS therefore must rely on manual quality reviews and paper-based background investigation files. The reliance on paper-based files, which are all stored in one location, presents a security risk in the event those records are destroyed or inaccessible. According to TRAQ managers, the application has reached system capacity and frequently crashes, causing file corruption. Further, because there is no Department-wide database of background investigation information, SEPS cannot perform systematic oversight of the components to identify weaknesses in the Department's personnel security program, such as components' failure to comply with NSI requirements.
SEPS Not Well Positioned to Meet New Requirements. With its current resources, processes, and authority, SEPS will have difficulty both in meeting the performance requirements of the Intelligence Reform Act and HSPD-12, and in providing oversight of the Department's compliance with those requirements. The Intelligence Reform Act requires that, by the end of 2006, 80 percent of NSI adjudications must be completed within 30 days, and by 2009, 90 percent of NSI adjudications must be completed within 20 days. SEPS will have to significantly improve its timeliness to meet the standards mandated by the Intelligence Reform Act, because in FY 2004, SEPS completed only 59 percent of its NSI adjudications within 30 days. At current staffing levels, SEPS will not be able to speed up adjudications to meet these requirements.
Also, HSPD-12, which mandates a standardized identification card for government employees and contractors, will change the Department's hiring practices. HSPD-12 will require that SEPS expand its oversight program to monitor the background investigation process for locally hired contractors. However, until a consolidated Department-wide background investigation database is implemented, SEPS has neither the technological infrastructure nor the staff to monitor compliance with these requirements.
While we believe that SEPS has taken reasonable steps to use the resources available to meet its case processing workload, SEPS nonetheless cannot fully meet existing and future regulatory requirements. To effectively carry out its responsibilities, SEPS must improve its capabilities for managing background investigations, providing timely and accurate policy guidance for the Department, and conducting oversight to ensure the effective administration of the background investigation program in the Department.
We make six recommendations to help improve SEPS's performance of its personnel security responsibilities and better position the Department to meet the requirements of the Intelligence Reform Act and HSPD-12.
We recommend that the Department:
We recommend that SEPS: