Review of the Security and Emergency Planning Staff's Management of Background Investigations
Evaluation and Inspections Report I-2005-010
Office of the Inspector General
The Department of Justiceís (Department) Security and Emergency Planning Staff (SEPS) is the primary office responsible for developing, implementing, and ensuring compliance with security policy throughout the Department. SEPS has direct responsibility for managing background investigations on 27,000 of the Departmentís 103,000 employees. SEPS has delegated to personnel security staff in the components the authority to adjudicate background investigations and reinvestigations for their employees and contractors, and the authority to grant waivers so new employees can begin work. In total, 20 components have delegated adjudication authority Ė 7 have the authority for employees and contractors, and 13 have the authority only for contractors.1
Overall, SEPS has four responsibilities related to background investigations in the Department: (1) managing background investigations of political appointees, attorneys, and other personnel whose investigations are not delegated to the components; (2) granting clearances for access to Sensitive Compartmented Information (SCI) materials for all Department employees; (3) providing policy guidance and training on background investigations; and (4) providing oversight of the componentsí background investigation programs.2
The Office of the Inspector General (OIG) conducted this review to examine SEPSís management of its background investigation program. Specifically, we reviewed SEPSís administration of the background investigations and security clearances it manages, SEPSís role in establishing Department policy on background investigations, and SEPSís oversight of the background investigations delegated to components.
RESULTS IN BRIEF
In fiscal year (FY) 2004, SEPS met federal regulatory requirements for adjudicating background investigations within 90 days in 85 percent of the cases it processed.3 Further, in response to a SEPS survey, Department components expressed satisfaction with the service SEPS provided on SCI clearances and clearance verifications for Department employees and contractors. SEPS achieved these results despite the fact that, after September 11, 2001, SEPSís workload of background investigation adjudications and SCI clearances more than doubled. Because it received no additional resources to process this workload, SEPS prioritized its background investigation adjudications and redirected its resources to the highest priority cases. In FY 2004, SEPS adjudicated 99 percent of its highest priority cases (those of political appointees and attorneys) within the required 90 days.
However, SEPS did not adjudicate lower priority background investigations within the required time. Further, SEPS did not fully meet other important responsibilities related to policy and oversight. Specifically, the Departmentís personnel security policy Ė contained in DOJ Order 2610.2A (August 21, 1990) and more than 40 memorandums issued over the past 15 years Ė is inconsistent, outdated, and not available in electronic form. In addition, SEPS has not implemented an effective oversight program to ensure that components with delegated authority to adjudicate background investigations comply with regulations and policy.
We also found that SEPS has limited ability to electronically track background investigation files. First, SEPS has no capability to maintain electronic copies of background investigation files. Instead, it relies on an outdated inventory system to track its own paper personnel security files, which are maintained in one location. We believe this is an important vulnerability, as all the files could be lost in a fire or other disaster. Second, there is no Department-wide database to track background investigations. This hinders SEPSís ability to effectively monitor the background investigation process in Department components with delegated authority.
Moreover, new standards for background investigations contained in the Intelligence Reform and Terrorism Prevention Act of 2004 (Intelligence Reform Act) will significantly change the standards the Department must meet in completing background investigations. The Intelligence Reform Act requires that, by December 2009, 90 percent of background adjudications must be completed within 20 days and 90 percent of field investigations within 40 days. To meet those standards, SEPS will have to greatly expedite its processing of adjudications from its FY 2004 performance levels. In FY 2004, SEPS completed only 46 percent of adjudications within 20 days. SEPSís oversight workload will also increase because it must ensure that the components with delegated authority comply with the requirements in the Intelligence Reform Act.
In the next sections, we provide more detail regarding these findings.
SEPSís Personnel Security Operations
SEPSís Processing of Background Investigations and SCI Clearances. Federal regulations require that the Department adjudicate background investigations and report the results to the Office of Personnel Management (OPM) within 90 days of the completion of the field investigation. In FY 2004, SEPS processed 85 percent of its initial employee adjudications within the required 90 days.
SEPS accomplished these results even though its workload increased significantly in the last 5 years. From FY 2000 through FY 2004, SEPSís background investigation workload almost doubled, from 7,018 actions (such as initiating investigations of new employees or reinvestigations of current employees) in FY 2000 to 13,509 actions in FY 2004. Overall, SEPS processed 55,197 actions on background investigations during those 5 fiscal years. In addition, SEPSís SCI workload increased by 150 percent from calendar year (CY) 2000 through CY 2004. In CY 2000, SEPS cleared or verified clearances for 2,061 Department staff. In CY 2004, SEPS cleared or verified clearances for 5,166 Department staff.
Because SEPS did not receive additional staffing or resources commensurate with its increased workload, it redirected its existing resources to process adjudications and clearances in priority order. SEPSís four highest personnel security priorities are adjudication of background investigation cases involving political appointees and attorneys, processing requests for SCI access, certification of clearances to other agencies, and processing waivers.4
For political appointees and attorneys, in FY 2004 SEPS completed over 99 percent of the adjudications within the required 90 days. There are no established timeliness standards for SEPSís three other highest work priorities. Therefore, to examine SEPSís performance in these areas, we reviewed correspondence between SEPS and OPM, and a customer satisfaction survey conducted by SEPS. OPM and component officials who commented on these topics in SEPSís survey reported that they were generally satisfied with how quickly SEPS provided SCI clearances and clearance verifications, and processed waiver requests.
Although SEPS almost always adjudicated its highest priority cases within the required 90 days, it did not always adjudicate lower priority background investigation cases within that time. For example, in FY 2004 SEPS adjudicated about 80 percent of the background investigations for non-priority employees and only 54 percent of employee reinvestigations in the required time. We also found that SEPSís performance of its other mission responsibilities Ė related to providing policy guidance and oversight Ė was lacking.
SEPSís Policy Guidance. The Departmentís personnel security guidance is inconsistent and outdated. SEPS has not issued a complete revision of the Departmentís personnel security policy, known as DOJ Order 2610.2A, since it was issued in 1990. The original order remains in effect, but to reflect changes in security regulations and policy that occurred over the past 15 years, SEPS has issued over 40 memorandums to revise, amend, or supplement the guidance in the original order. Some of the guidance has been amended more than once in separate memorandums, making it difficult for users to readily determine which guidance is current.
Further, SEPS staff informed us that some of the guidance contained in the order and memorandums is outdated because it has not been revised to reflect current security requirements. In December 2004, in response to an inquiry related to a prior OIG review, SEPS officials told us that SEPS had begun consolidating and updating the order. But, as of July 2005, the revision was not complete. Among the reasons for delays in completing the revision, SEPS told us that it was waiting for comments from OPM on the draft and for guidance from the Office of Management and Budget (OMB) on new personnel security requirements introduced by Homeland Security Presidential Directive 12 (HSPD-12), which was issued by the President in August 2004 and is scheduled to be initiated in stages starting in October 2005.
Also, SEPS has not effectively used available technology to make security policy and guidance widely and readily accessible. We examined the Personnel Security page of SEPSís intranet site and found that it contained only a list of SEPSís Personnel Security Groupís functions. It did not contain any of the Departmentís personnel security policies Ė or even a complete list of the current policies. The Security Policies page did not include a personnel security section. It did contain the new Security Programs Operating Manual, but no other personnel security guidance was included.
SEPSís Oversight of Components With Delegated Authority. SEPS has not implemented an effective oversight program to ensure that components with delegated authority to adjudicate background investigations comply with regulations and policy. OPM has delegated to SEPS the responsibility for overseeing all Department background investigations, including any field investigations that are conducted by Department components rather than by OPM, and all adjudications. SEPS has retained direct responsibility for managing background investigations for all political appointees, Department attorneys, employees of the United States Attorneysí Offices (USAO); employees of the Departmentís Offices, Boards and Divisions; and certain other designated positions. To the FBI, SEPS has delegated authority to conduct the field investigations on all of the Departmentís political appointees and attorneys as well as on the FBIís own employees and contractors. To the ATF, SEPS has delegated authority to conduct field investigations on its employees who are not political appointees or attorneys and on its contractors. In addition, SEPS has delegated to personnel security staff in the components the authority to adjudicate background investigations and reinvestigations for their employees and contractors, and the authority to grant waivers so new employees can begin work. In total, 20 components have delegated adjudication authority Ė 7 have the authority for employees and contractors, and 13 have the authority only for contractors (see Appendix I).
The personnel security compliance reviews SEPS conducts of components to which it has delegated authority to manage background investigations are limited in number and scope. Additionally, limited enforcement authority and the lack of a centralized Department-wide database of background investigation files hinder SEPSís ability to ensure that components and personnel comply with policies and regulations related to personnel security.
SEPSís primary method for evaluating the componentsí personnel security operations is its on-site security compliance review.5 However, with only three Security Specialists and an annual travel budget of $60,000, SEPS reviews about 1 percent of Department offices annually. From 2002 through 2004, SEPS reviewed an average of 39 offices per year. At that rate, it would take SEPS 75 to 90 years to inspect all of the Departmentís 3,000 to 3,500 offices.
Moreover, the scope of each compliance review includes only a small portion (about 4 hours of the review) dedicated to examining personnel security operations.6 The personnel security portion of the review primarily checks that required paperwork was present, that reinvestigations were initiated on time, and that mandatory annual security training was completed. The compliance reviews do not examine the quality of either the componentsí field investigations or the adjudications of employeesí and contractorsí clearances because such reviews would mean less time for higher priority physical and information technology security oversight.7
Even when compliance reviews identify security violations, SEPS has limited enforcement authority to ensure that components and individuals comply with policies and regulations.8 As a consequence, compliance reviews continue to identify violations already reported to the component on past reviews. For example, one recent repeat violation has involved a componentís granting security clearances for employees who do not require access to classified material.
Because the Department has no centralized personnel security database, SEPS has limited capability to centrally monitor the background investigation status of all Department employees. Instead, each component keeps its own database, and the systems are not interoperable. SEPS therefore cannot effectively monitor the componentsí compliance with pre-hiring and reinvestigation regulations, adherence to policy on national security clearances, or the completeness and timeliness of background investigation processing. For example, SEPS cannot effectively identify and track all the Department employees who are overdue for reinvestigation, nor can it perform effective oversight to ensure compliance with personnel security regulations.
SEPSís File Tracking System and Paper Files. SEPS uses an inventory management program called TRAQ to identify the location of each background investigation file. The version of TRAQ used by SEPS is outdated, at full capacity, and does not include needed capabilities. For example, TRAQ lacks quality control features to prevent the entry of erroneous information (such as nonsensical dates), cannot provide SEPS with management reports on the data in the system, and has no capability to maintain electronic copies of scanned security documents.
Because SEPS cannot maintain electronic copies, all SEPS background investigation files are maintained in paper form in one location. Likewise, files related to SCI clearances are also maintained in one location. This represents a significant vulnerability. The loss of the paper records would severely disrupt case processing and clearance verification.
Changes Directed by the Intelligence Reform Act and HSPD-12
The Intelligence Reform Act imposes progressively tighter timeliness requirements for adjudications and field investigations that may overwhelm SEPSís current limited capabilities. The Intelligence Reform Act requires that, by December 2009, 90 percent of adjudications on background investigations and reinvestigations of individuals requiring national security clearances must be completed within 20 days. Further, 90 percent of the field investigations must be completed within 40 days.
To meet the new timeliness standards, SEPS will have to significantly expedite adjudications. For example, in FY 2004, SEPS adjudicated only 31 percent of employee reinvestigations and only 21 percent of contractor background investigations within 20 days. The Intelligence Reform Act also will require SEPS to ensure that the Department components with authority to conduct field investigations meet timeliness standards for those investigations. SEPS is not well positioned to meet these challenges.
HSPD-12, issued by the President in August 2004 and scheduled to be initiated in stages beginning October 27, 2005, expands SEPSís oversight responsibilities to include reviews of componentsí hiring practices for contractors who are investigated and hired directly by the field offices where they will be working. Currently, SEPS reviews only the investigations of contractors hired centrally through componentsí headquarters. The lack of a centralized database prevents SEPS from easily verifying whether each of these contractors received the proper background check or even whether they are still employed. HSPD-12 also requires the recertification of identification cards for all employees and contractors. With its current resources, processes, and authority, SEPS will have difficulty both in meeting the performance requirements of the Intelligence Reform Act and HSPD-12, and in providing oversight of the Departmentís compliance with those requirements.
In this report, we make six recommendations to help improve SEPSís performance of its personnel security responsibilities and better position the Department to meet the requirements of the Intelligence Reform Act and HSPD-12.
We recommend that the Department:
We recommend that SEPS: