Review of the Security and Emergency Planning Staff's Management of Background Investigations
Evaluation and Inspections Report I-2005-010
Office of the Inspector General
From FY 2000 to FY 2004, portions of SEPS’s background investigation workload more than doubled, particularly in the areas of granting clearances and the initiation and adjudication of contractor background investigations (see Table 1). In response to the increasing background investigation caseload, PERSG designated four of its responsibilities as being its highest priorities: (1) adjudication of the background investigations and reinvestigations of political appointees and attorneys; (2) adjudication of requests for access to SCI material; (3) certification of clearances to other agencies; and (4) processing requests for waivers. As lesser priorities, SEPS adjudicates background investigations for other new employees, adjudicates reinvestigations for employees, adjudicates all contractor cases, and develops policy guidance.40
SEPS’s SCI clearance workload also increased dramatically from 2000 to 2004. PERSG retains the sole authority within the Department to grant SCI clearances and to confirm these clearances for personnel who require SCI access to other components or other federal agencies. Table 2 shows SEPS’s SCI clearance workload from calendar years 2000 through 2004.
We found that SEPS’s adjudication of background investigations was generally timely. We examined SEPS’s processing of 55,197 actions on background investigations for which it retained authority during the 5 fiscal years from FY 2000 through FY 2004 (see Table 1). The percentage of adjudications of initial background investigations for employees and contractors processed by SEPS within 90 days for each of the fiscal years is shown in Table 3. In FY 2004, SEPS adjudicated 85 percent of all employee background investigations within 90 days.
In discussions with SEPS staff responsible for adjudications, we asked why some cases were not processed within 90 days. SEPS staff explained that some cases were delayed because SEPS lacked the staffing needed to perform all adjudications within the required time and that, in other cases, decisions were delayed pending the receipt of documentation or until issues related to the applicant’s suitability were resolved. For example, when a background investigation identified credit issues, a final decision on the adjudication might be delayed until the employee documented 3 months of on-time payments.
Staffing and Resources Not Increased Commensurate With Workload. As described in the background section, two previous external reports from the Webster Commission and the National Archives and Records Administration found significant shortfalls in SEPS staffing. SEPS requested additional staffing both before and after those reviews. Between FY 2000 and FY 2005, SEPS’s annual budget requests included additional staff and provided extensive performance and workload measures to justify the requests. For example, SEPS provided studies comparing its staffing levels to those of three other Department components with comparable adjudications responsibilities and to other components or agencies with comparable security responsibilities. As Table 4 shows, in 2001 SEPS had the smallest ratio of adjudications staff to background investigation caseload.41 Despite the recommendations from these reports, SEPS did not receive the requested additional resources, except for one additional position in the CRS.
SEPS’s Workload Management. Despite its low staffing levels, SEPS has taken several steps to manage its increasing case workload more effectively. These steps include redirecting personnel assigned to other duties to adjudications, and identifying and focusing its available resources on its highest priority cases. Specifically, PERSG staff stated that they relied on a combination of staff redirected from other duties, overtime from adjudicators, and assistance from employees in other sections of SEPS with prior adjudicative experience. For example, because they had experience as adjudicators, the PERSG Chief for Policy, Training, and Oversight and a Security Specialist from this section were assigned, as needed, to process requests for SCI clearances and other adjudication cases. Also, the Operations Section scheduled one day a week when all PERSG staff devoted the entire day to adjudicating backlogged cases. The size of the adjudications backlog has diminished since October 2003 (see Table 5).
SEPS does not operate on a fee-for-service basis (i.e., the components do not directly reimburse SEPS for the cost of the services it provides). However, since 1992, Department components have contributed funding to enable SEPS to hire staff dedicated to managing reinvestigations. Of the nine adjudicator positions, five are assigned to reinvestigations and are paid for proportionally by the components. The components also contribute to a fund from which SEPS pays staff overtime for conducting adjudications. In FY 2004, the components agreed to contribute $22,000 to the overtime fund.42
Also, as described previously on pages 20 and 21, SEPS established priorities for the processing of cases. The priorities were (in order) political appointees, attorneys, other FBI investigations (i.e., not political or attorney positions), OPM national security information (NSI) investigations, other OPM investigations, employee reinvestigations, and contractors. Our review of the processing times for cases involving these categories of employees found that SEPS is processing the highest priority cases first (see Table 6).43 For example, based on records contained in TRAQ, we determined that SEPS processed over 99 percent of its highest priority cases (political appointees and attorneys) within 90 days.
To determine whether SEPS met OPM timeliness expectations, we reviewed FY 2004 correspondence between PERSG and the OPM Investigations Program Specialist assigned to the Department’s oversight. The OPM Specialist noted that SEPS’s performance (85 percent of adjudications completed in less than 90 days) and that of the Department as a whole (87 percent completed in less than 90 days) “exceed[ed] compliance expectations” and was “meeting” an “important goal.” We also reviewed a recent PERSG customer service survey and conducted an additional survey of 12 Security Programs Managers. All 12 indicated that they were generally satisfied with the service SEPS provided in processing background investigations and security clearances. Separately, in SEPS’s own customer service survey of Security Programs Managers, PERSG’s responsiveness in obtaining SCI access and certifying national security clearances to other components and agencies were the two highest rated elements.44
Overall, we believe that SEPS has taken reasonable steps to use the resources available to manage its case processing workload, and OPM and the components have been generally satisfied with SEPS’s performance. SEPS met regulatory timeliness requirements 85 percent of the time in FY 2004 for the background investigations for which it is directly responsible and is meeting Department needs by processing SCI clearances and clearance verifications as quickly as possible. In only 15 percent of the employee cases and 4 percent of the contractor cases did SEPS not meet OPM’s timeliness requirements. However, as we discuss in greater detail below, the Intelligence Reform Act and HSPD-12 directed changes that will, when implemented, require faster processing times and increase the number of case processing stages that SEPS must accomplish to complete background investigations.
The Department’s personnel security policy, amended by more than 40 memorandums issued over the past 15 years, is inconsistent, outdated, and not widely and readily accessible. SEPS, which is responsible for issuing policy and providing guidance for the Department, issued the last complete revision of the Department’s security policy, known as DOJ Order 2610.2A, in 1990. Although the basic order has not been updated, from 1990 through 2005 SEPS issued more than 40 memorandums that revised or supplemented the order. Because the changes have been issued in a piecemeal fashion, there is no single, consolidated document that contains all current guidance for component security officials and other Department employees to consult.
Despite the many revisions and supplements, the guidance has not been updated to reflect recent changes in the security environment, according to PERSG staff. For example, the guidance does not require the reinvestigation of all contractors, which SEPS has long considered necessary to ensure the Department’s security.45 In customer service surveys conducted by the OIG and SEPS, Security Programs Managers and adjudicators expressed frustration with having to work with outdated and confusing materials. In responses to our survey, for example, Security Programs Managers pointed out that SEPS’s memorandums often modify or correct prior memorandums, making it difficult to determine whether the order or one of the various memorandums is the correct guidance. In PERSG’s 2004 customer service survey, Security Programs Managers rated PERSG lowest in the area of policy guidance.
According to SEPS employees, SEPS has not consolidated the updates it has issued into a revised policy because its staff in the Policy, Training, and Oversight Section were dedicated to processing SEPS’s background investigation caseload. In December 2004, in response to an inquiry related to another OIG review, SEPS officials told us that they had begun consolidating and updating the existing guidance on employees. However, as of July 2005, the revised DOJ Order 2610.2A was still undergoing review. Moreover, SEPS had not worked on new requirements for contractors – and for visitors – since March 2005. Further, SEPS staff told us that the order cannot be finalized until OPM approves SEPS’s proposed minimum level of background investigation for hiring public trust employees. SEPS was also waiting for OMB guidance on implementation of HSPD-12 since this guidance may supersede SEPS’s proposed changes to both DOJ Order 2610.2A and contractor policy.
Limited Use of Technology. SEPS has not effectively used available technology to disseminate policy and guidance. We examined SEPS’s presence on the Department’s intranet and found that the Personnel Security page consisted solely of a list of tasks that PERSG handles. Although adjudicative guidelines were available on the SEPS site as an appendix to the Security Program Operating Manual and several relevant regulations and executive orders were listed on the Security Policies page, the Personnel Security page did not contain a link or cross-reference to this information. Further, that page did not provide Department personnel security policies, did not identify the names or dates of Department policies currently in effect, and did not provide answers to commonly asked questions. Because this information was not readily available on the intranet, PERSG and CRS staff provided guidance by answering case-specific questions from components or faxed copies of memorandums upon request.
We also examined the CRS section of the SEPS intranet and found that with the exception of the Security Program Operating Manual issued in May 2005, it contained only limited and outdated information. When we interviewed CRS staff in February 2005, they noted that they had requested that copies of the checklists used to conduct compliance reviews, the package of information sent to Security Programs Managers when a compliance review is announced, and training materials be posted on the web site.
PERSG’s 2004 customer service survey also identified shortcomings in online guidance. In particular, several components commented on SEPS’s failure to use the intranet effectively. For example, one component stated that “PERSG is behind the times when it comes to posting information to the DOJ intranet. It would be helpful if personnel security information was made available.”
Our interviews with SEPS staff identified three reasons for the delays in posting information. First, SEPS gave no priority to the posting of information on its web site. Second, SEPS did not clearly define internal responsibilities and approval processes for posting information. Third, SEPS officials did not follow up to ensure that approved information was posted to the web site.
In June 2005, we contacted an official from the Department’s Office of the Chief Information Officer (OCIO) to determine what the procedures for posting information on the web site were.46 An OCIO official stated that approved information submitted in the required format would be posted within a few days of receipt. In July 2005, we revisited the web site to determine whether SEPS had begun posting information. We found that the May 2005 Security Program Operating Manual had been posted. However, other information that CRS staff told us in February 2005 had been submitted for internal SEPS approval was still not on the web site.
SEPS has not implemented an effective oversight program to ensure that components with delegated authority to adjudicate background investigations comply with regulations and policy regarding personnel security. SEPS has delegated to 20 components the authority to perform adjudications and grant security clearances for employees or contractors, but SEPS remains responsible for conducting oversight to ensure that the components are carrying out their delegated authority in accordance with Department regulations. SEPS receives an annual statistical report from OPM on the Department’s performance in meeting the 90-day adjudication standard. However, SEPS’s primary method of overseeing components’ operations is the security compliance reviews conducted by CRS. The CRS reviews are limited both in number and in scope of the examination related to personnel security. Further, both SEPS and the components’ Security Programs Managers have limited authority to ensure that corrective actions are taken.
SEPS Conducts Few Security Compliance Reviews. Overall, SEPS inspects less than 1 percent of Department offices each year. According to the CRS Chief, SEPS’s internal goal is to conduct 60 security compliance reviews each year. However, with a staff of only three Security Specialists and an annual travel budget of $60,000, CRS has been unable to meet this goal. In the past 3 years, CRS has achieved its goal of conducting 60 reviews only once, completing an average of 39 compliance reviews each year (Table 7).47 At that rate, it would take SEPS approximately 75 to 90 years to inspect all of the Department’s estimated 3,000 to 3,500 offices.
Similar to the adjudication staffing studies discussed earlier, in 2002 a CRS Security Specialist conducted a study that compared the number of SEPS Security Specialists with the number of Security Specialists in other security compliance review offices within and outside the Department. According to the CRS comparison, in 2002 CRS had two Security Specialists to conduct reviews of the Department’s approximately 3,000 offices. In contrast, CRS’s data indicated that the FBI had 37 security staff to conduct reviews of its 500 offices and the DEA had 6 security staff to conduct reviews of its 100 offices. Those staffing levels provide a staff-to-workload ratio of 1,500 offices per Security Specialist for SEPS, as compared with 13.5 for the FBI and 16.7 for the DEA. CRS has gained one additional Security Specialist since 2002 and currently has three Security Specialists. However, this still leaves SEPS’s staff-to-workload ratio at 1,000 offices per Security Specialist.
SEPS also receives annual reports from OPM on component compliance with the regulatory requirement that adjudications be completed within 90 days. In response to the OPM reports, the CRS site visits, or other information, SEPS may request that OPM conduct an in-depth review of components’ management of background investigations. This occurs infrequently. According to SEPS, the most recent OPM review it requested was of the ATF when that component transferred from the Department of the Treasury to the Department of Justice.48 PERSG has the option of requesting OPM appraisals of the component programs more frequently, but told us that they recognized from the difficulty they experienced in obtaining a review of the ATF process that OPM has to balance these requests with its own heavy workload of investigations.
Personnel Security Issues Receive Minimal Attention. In addition to conducting few security compliance reviews, CRS also devotes little time to personnel security issues during each review. During the 2-day security review we participated in, CRS staff spent about 4 hours on personnel security issues. CRS staff confirmed that 3 to 4 hours per review was typical. That includes both time spent reviewing background investigation files before the site visit and time spent reviewing personnel security issues on site at the office under review.
Because components’ background investigation files are maintained centrally, prior to each site visit Security Specialists spend 2 to 3 hours reviewing background investigation files of select employees from the office that will be reviewed. We accompanied a Security Specialist on a file review to observe the procedure. The Security Specialist selected 30 personnel files (26 employees and 4 contractors) out of the approximately 150 employees assigned to the office under review. CRS reviews the files to determine whether investigations have been initiated and adjudicated within the timeframes required by regulations, waivers have been appropriately requested and approved, required reinvestigations have been initiated, required paperwork (such as nondisclosure agreements and security clearance justifications) have been placed in the file, and the requested clearance level is appropriate for the level of classified information accessed by the employee.
Component security officials in field offices have limited involvement in background investigations. Therefore, SEPS Security Specialists typically spend only about an hour on personnel security issues while on site. During that time they question security staff and other employees to determine how employees and their supervisors are notified of pending reinvestigations, whether training is provided on handling classified material, what information security staff and managers have on personnel clearance levels, and how background investigations of locally hired contractors and interns are conducted.
The security compliance review reports that we examined identified a limited number of problems related to administrative personnel security. The 20 reports issued in FY 2003 contained a total of 4 findings (direct violations of federal regulations) and no observations (vulnerabilities not directly covered by federal regulations) related to personnel security.49 The findings were: (1) required reinvestigations had not been initiated for some employees; (2) an employee was in a sensitive position without a completed and favorably adjudicated background investigation on file; (3) employees who did not need access to national security information had been given national security clearances; and (4) memorandums requesting security clearances lacked accurate need-to-know justifications. CRS staff stated that the deficiencies cited in the FY 2003 reports are typical of what they found in more recent site visits.
Security Specialists do not review the quality of the adjudication or investigation of employees’ and contractors’ background investigations or reinvestigations, nor do any other personnel in SEPS. CRS staff explained that they do not examine files for substantive issues or to determine whether there are investigations or disciplinary actions pending, as such in-depth reviews would mean less time for higher priority physical and information technology security oversight. Instead, Security Specialists ensure only that the required paperwork (e.g., signed disclosure forms for cleared employees) is included in employees’ files and that reinvestigations are timely.50
When asked whether they were concerned that no personnel at SEPS perform any qualitative reviews of components’ adjudications, SEPS officials confirmed that they were. They stated that it is not currently possible for SEPS to ensure that components effectively identify national security concerns during adjudications. However, SEPS officials noted that other case processing and security oversight issues remained a higher priority.
CRS Has Limited Authority to Correct Problems. CRS has no formal authority to compel a component to correct a security violation.51 The six current and former CRS Security Specialists we interviewed all commented that because of this limitation, CRS must carefully decide which compliance issues it pursues aggressively. For example, CRS found that the ATF obtains national security clearances for all its Special Agents, including those who work in offices that do not handle classified information. Nor does the ATF periodically review whether these security clearances are necessary.52 CRS informed us that this practice is not consistent with security regulations and therefore must be reported as a finding.53 CRS told us that it had reported this deficiency during prior reviews of ATF field offices, and on the site visit we observed, we noted that the Security Specialist again raised the issue. However, neither CRS nor the ATF Security Programs Manager had the authority to compel the ATF to either limit the number of clearances or obtain a waiver of the requirement that clearances be given only to those who must handle classified information. CRS staff stated that they will continue to report this issue, but that CRS’s priority is resolving more immediate physical security risks.
While component Security Programs Managers provide assistance to CRS, both in identifying security weaknesses and addressing CRS’s site visit findings and observations, their authority is also limited. DOJ Order 2600.2C assigns Security Programs Managers 11 separate areas of responsibility for ensuring the security of their respective components, but it provides no specific instructions on the measures Security Programs Managers can take to enforce security requirements. In our survey of Security Programs Managers, several explained that they were unable to implement a CRS finding because there was a component policy that the Security Programs Manager could not change (such as some components’ policies of obtaining national security clearances for all law enforcement officers).
PERSG Has Limited Authority to Correct Problems. Just as CRS has no formal authority to require components to comply with personnel security regulations, PERSG has no formal authority to require individuals to comply with personnel security regulations. Because SEPS cannot effectively identify and track all the Department employees who are overdue for reinvestigation, it cannot perform effective oversight to ensure compliance with that requirement.
In its management of component background investigations, PERSG is responsible for ensuring that personnel submit the paperwork to initiate their background reinvestigations in a timely manner. To facilitate compliance for the 27,000 employees and 7,000 contractors for whom SEPS has retained authority, SEPS provides each component’s Security Programs Manager with a list of personnel whose reinvestigations must be initiated by the end of the fiscal year. SEPS maintains records of personnel who have not submitted the necessary reinvestigation paperwork in a timely manner (PERSG refers to these cases as the “backlog”), and forwards the backlog lists to the Security Programs Managers to follow up with the individuals. SEPS also provides a list to the OIG of personnel for whom it has not received the necessary reinvestigation paperwork.54
We asked SEPS staff and the Security Programs Managers about how backlogged cases are handled and, more specifically, how noncompliance is addressed for personnel with security clearances and for personnel in public trust positions. For personnel with security clearances, SEPS staff stated that personnel generally comply with SEPS’s requests for reinvestigation paperwork because SEPS can administratively withdraw clearances for failure to submit the paperwork.55 Security Programs Managers in our survey confirm that they do obtain paperwork from personnel who require access to classified information. In contrast, for personnel in public trust positions, which do not require a security clearance, SEPS staff stated that they have no sanctions comparable to the administrative withdrawal of a clearance. To obtain compliance, they send a memorandum to the OIG reporting personnel overdue for reinvestigation, and may also involve the Security Programs Managers. Security Programs Managers can initiate disciplinary procedures for noncompliance, but stated that it is a lengthy process. Both SEPS and the Security Programs Managers stated that they do eventually obtain compliance.
Incorrect SEPS Data on EOUSA Reinvestigations. To confirm that overdue individuals are eventually submitting their paperwork, we reviewed TRAQ data to identify personnel more than 1 year overdue for reinvestigation as of March 2005. According to the TRAQ data, there were 399 Department personnel who were more than 1 year overdue for reinvestigation, of whom 357 were EOUSA employees. SEPS explained that this data was erroneous because EOUSA initiates its own reinvestigations and does not report the initiations to SEPS. Consequently, the individuals continue to be shown in TRAQ as overdue for reinvestigation.
Because SEPS did not have complete and accurate data in TRAQ on the specific number of individuals in the Department that were more than 1 year overdue for reinvestigation, in May 2005 we requested information on a sample of 28 overdue cases to determine how many were actually overdue and how many were erroneous entries in which reinvestigations were not reported by the component. Of the 28 sample cases, 14 were erroneous entries that either had a reinvestigation initiated or in which the employee did not require reinvestigation for other reasons (such as that they were no longer employed by the component). Of the 14 cases in which the employee was actually overdue for reinvestigation, we found that half – including all the individuals holding NSI clearances – were less than 2 years overdue, but some public trust employees had been overdue for longer periods, including one individual who was more than 10 years overdue for reinvestigation. Overall, our analysis indicated that processing delays accounted for approximately half of the backlogged EOUSA cases. Nonetheless, even accounting for the erroneous EOUSA entries, most of the backlogged cases involved EOUSA employees.56
Because SEPS cannot independently identify when EOUSA initiates reinvestigations, it provides an annual status report to EOUSA showing the individuals overdue for reinvestigation and requests that EOUSA initiate appropriate action. The status reports we reviewed did not specifically request that EOUSA provide a response, and the PERSG Chief of Operations told us that EOUSA often does not respond directly to the status reports. Consequently, SEPS often only learns that a reinvestigation has been initiated when EOUSA forwards the results of the OPM field investigation.
The Department does not have a centralized database containing information on the status of background investigations and reinvestigations that can be accessed and updated by SEPS staff, the components for which it retains authority (such as EOUSA), or components with delegated authority. As we will discuss in greater detail beginning on page 40, SEPS’s inability to monitor and manage overdue reinvestigations is one example of the limitations of the Department’s current technological resources.
Despite efforts to increase SEPS’s staff and secure funding for technology improvements, the Department has not received increased appropriations for SEPS. In its FY 2005 budget submission, SEPS requested three additional PERSG positions, six additional compliance review security specialists, $2,000,000 to replace the TRAQ database, and $105,000 in additional travel money for CRS site visits. SEPS’s budget submission tied the need for additional funding directly to the Department’s counter-intelligence priority and the importance of ensuring that the Department hire and retain only trustworthy personnel. The request noted that PERSG staff had worked more than 500 hours of overtime since October 1, 2002, but that PERSG was still backlogged. The request explained that the existing PERSG file tracking system, TRAQ, was at the end of its life cycle and at full capacity, and that a new Department-wide system was needed to enable SEPS to adequately monitor the Department’s personnel security program. The budget submission noted the Department’s growing presence overseas and the need to ensure that the Department’s most vulnerable facilities be reviewed at least every 5 years.
The Department supported the budget request, and the Office of Management and Budget approved the personnel requests and $1,500,000 for the new database. Funding for these items was included in the appropriations bill approved by the House, but it was not included in the final version of the appropriations bill passed by Congress for FY 2005. PERSG has reduced its backlog since the budget submission, but as previously noted, it is not able to meet regulatory timeliness requirements at its current staffing level. Moreover, as discussed below, with the implementation of HSPD 12 and the Intelligence Reform Act, SEPS will face an increased workload, more stringent timeliness requirements, and an expanded oversight role.
The file tracking system SEPS uses is outdated, at full capacity, and does not include needed capabilities. PERSG staff told us that they selected the system, an inventory management program called TRAQ, because it had a barcode-scanning capability that allowed PERSG to track the physical location of each personnel security file. Currently, PERSG’s TRAQ system contains information on approximately 27,000 Department employees and 7,000 contractors. This represents approximately one-fourth of the Department’s employees and an unknown percentage of its contractors. TRAQ contains no information on the approximately 76,000 employees who work in the components with delegated adjudicative authority.
Because TRAQ was designed to be an inventory management system, SEPS has modified the TRAQ software extensively to accomplish its internal case monitoring tasks. SEPS regularly obtains management reports from TRAQ to set adjudication priorities, identify personnel due for reinvestigation, evaluate security clearance levels, and monitor its adjudicative backlog. However, according to SEPS’s technical staff, TRAQ does not provide needed capabilities and cannot be modified further. In a briefing prepared for the budget director on SEPS’s justification for its FY 2006 budget request, SEPS staff stated that the TRAQ vendor told SEPS it has pushed the system well beyond its limits and capacity and is at risk of losing data due to system crashes. SEPS staff further stated, “The application will eventually fail due [to] the amount of records the system is trying to manipulate.” TRAQ’s specific limitations include:
The Department has no centralized personnel security database that SEPS can use to monitor the background investigation status of all Department employees. Instead, components maintain information on the background investigations of their personnel in separate systems that are not interoperable or accessible to SEPS. Some components keep their records in Oracle databases, while others maintain their records in Microsoft Access databases or Excel spreadsheets. Further, these systems do not track the same information regarding the background investigation process steps to enable comparison across components.
Based on our review of SEPS’s budget requests and our discussions with SEPS staff regarding their oversight program, we identified a number of areas in which the lack of a centralized database impedes SEPS’s ability to conduct oversight of the components’ background investigation processes:
As described previously, TRAQ was not designed as a case management database and cannot be further expanded to provide SEPS with additional capabilities it needs to effectively oversee the components’ background investigation processes. SEPS’s compliance reviews cover only a small fraction of Department personnel each year. A Department-wide database with imaging capability could reduce the risks inherent in a paper-based system and enable SEPS to better oversee components’ background investigations programs.
Because this review focused on SEPS, we did not examine whether the components’ tracking systems are similarly limited in their capabilities to provide oversight of their internal processes. In our discussions with component Security Programs Managers and SEPS staff, however, we were informed that the DEA is the only component that currently maintains electronic copies of its background investigation files. Therefore, a Department-wide database with imaging capability could provide a security benefit to components with delegated authority, as well as to SEPS.
SEPS has identified the need for a Department-wide database and has requested resources to develop one. The Department concurred with SEPS’s request, and in FY 2005, requested at least $2 million to replace TRAQ with a Department-wide system. However, the funding was not included in the FY 2005 Appropriations Act passed by Congress.
In its FY 2006 budget request, SEPS has again sought requested funding for a Department-wide database, stating that a new Department-wide personnel security database would: (1) allow the Department to re-engineer its background investigation process to comply with the e-Gov initiative; (2) improve timeliness by electronically initiating, receiving, monitoring, and storing background investigations, reinvestigations, and security clearances; (3) improve communication and information sharing within the Department; (4) eliminate duplicate investigations, thereby saving time and money for Department components; (5) enable better enforcement of personnel security standards, and (6) support better oversight at the Department level.
The Intelligence Reform Act imposes progressively tighter timeliness requirements for adjudications and field investigations that will overwhelm SEPS’s limited capabilities. To meet the new timeliness standards, SEPS will have to expedite adjudications significantly. SEPS also must increase its oversight of the timeliness of field investigations conducted by the FBI and the ATF to ensure that they meet the new standards. At present, we believe that SEPS is not well positioned to meet these challenges.
Adjudications. Currently, the only formal timeliness requirement is that adjudications of background investigations and reinvestigations are to be completed within 90 days.59 The Intelligence Reform Act shortened these timeliness requirements. By the end of 2006, 80 percent of adjudications must be completed within an average of 30 days, and by the end of 2009, 90 percent of adjudications must be completed within an average of 20 days.
To meet the new timeliness standards, SEPS will have to greatly reduce the time it takes to complete adjudications. For example, according to data in TRAQ, in FY 2004 SEPS completed 59 percent of its adjudications of employees’ NSI background investigations within 30 days, and completed 46 percent of its adjudications within 20 days (see Table 8). Thus, to meet the December 2006 timeliness standard of 80 percent in 30 days, SEPS will have to greatly increase the number of adjudications it completes within that time. Meeting the standard for adjudications of employee reinvestigations and contractor background investigations will require even greater increases. In FY 2004, SEPS adjudicated only 31 percent of employee reinvestigations and only 21 percent of contractor background investigations within 20 days.
Field Investigations. As of July 2005, there were no regulatory requirements regarding the timeliness of field investigations on background investigations. The Intelligence Reform Act requires that, by December 2006, 80 percent of field investigations be completed within 90 days. By December 2009, 90 percent of field investigations must be completed within 40 days. As with adjudications, meeting the new standards will require that field investigations be significantly accelerated from current performance levels.
The FBI and OPM conduct the field investigations on those cases for which SEPS retains adjudication authority. In FY 2004, the FBI took an average of 197 days to complete a field investigation for SEPS. The FBI completed approximately 25 percent of its NSI investigations within 90 days and less than 10 percent within 40 days in FY 2004 (see Table 9). Although OPM’s actions are not within the control of the Department of Justice, we noted that the time it takes OPM to conduct field investigations for SEPS will also have to be significantly reduced to meet the new standards. In FY 2004, OPM’s highest priority cases took an average of 100 days, and its routine cases took an average of 324 days.60
Oversight Implications of Timeliness Standards. Given its currently available methods of oversight, SEPS is not well positioned to meet the standards of the Intelligence Reform Act. The Act will require SEPS to ensure that the FBI and the ATF (the two Department components with authority to conduct field investigations) meet timeliness standards for those investigations. SEPS does not currently review the timeliness of these field investigations, since there were no regulatory timeliness requirements before the Act. The new timeliness standards will also apply to the adjudications conducted by Department components with the delegated authority to carry out those actions.
Our review of SEPS’s oversight of components with delegated authority found that its primary oversight of components’ timeliness in adjudications is accomplished through OPM, which provides SEPS with an annual report on the Department’s overall compliance with the 90-day adjudication standard, broken down by component. SEPS may then address any concerns OPM raised about timeliness with the component directly.61 In addition, CRS examines the timeliness of the case processing in the particular files they select for review prior to field visits. However, as CRS has been conducting an average of less than 40 site visits each year, the information gained by those reviews was limited and anecdotal.
To conduct effective oversight of the components’ compliance with the new requirements, SEPS will require additional data, beyond the annual compliance numbers provided by OPM, that will enable it to track cases as they progress to completion. As described above, the Department does not presently have the databases and other technological infrastructure to allow SEPS to effectively monitor and analyze the components’ performance at processing background investigations.
Other Background Investigation Processing. Our review of the required timeframes established by the Intelligence Reform Act found that, as the law is written, no additional time is allowed for aspects of the background investigation process that are not included in the field investigation or adjudication phases. For example, there are three categories of cases for which an additional review is conducted between completion of the field investigation and SEPS’s adjudication: (1) political appointees undergoing confirmation, whose files are reviewed by the Senate; (2) attorneys, whose files are reviewed by the Office of Attorney Recruitment and Management; and (3) non-attorney personnel at the U.S. Attorneys’ Offices, whose files are reviewed by EOUSA.
Even in cases in which there is no additional review before the files are transmitted to SEPS, it can take several weeks to physically transmit the paper case files between the investigative and adjudication offices. Table 10 shows the average time lapse between when field investigations were completed and when the case files reached SEPS for adjudication during the last 5 fiscal years. In some cases, the time needed for additional reviews between the field investigation and the adjudication would make difficult, or preclude, meeting the timeframes of the Intelligence Reform Act.
HSPD-12, issued by the President in August 2004 and scheduled to be implemented in stages beginning October 27, 2005, will expand SEPS’s oversight responsibilities to include monitoring identification card recertifications for all employees and contractors, and checking hiring practices for contractors who are investigated and hired locally. The directive establishes minimum government-wide background investigation requirements for entry on duty and requires an identification card recertification process every 5 years for employees and contractors. Although the Department and SEPS had not fully decided how to implement the Directive during our fieldwork, we can describe the impact of HSPD 12 requirements on SEPS’s oversight responsibilities.
Pre-Employment Background Checks. HSPD-12 requires that agencies conduct several background checks in order to issue official identification cards to employees. The minimum National Agency Checks required are the Security/Suitability Investigations Index, Defense Clearance Investigation Index, FBI Name Check, and the FBI National Criminal History Fingerprint check. In addition, HSPD-12 requires that written inquiries be sent to verify past employment, education, residences, and references. It also requires a check of law enforcement databases for addresses where the applicant has lived. This background investigation is called the NACI (National Agency Checks with Inquiries). As initially issued, HSPD-12 required that all steps of the investigation except the paper inquiries be completed before employees could be issued identification cards. In FY 2004, this process took an average of 89 days to complete, according to information that OPM provided to SEPS regarding the NACI process.
In May 2005, Department officials from SEPS and the OCIO involved in implementation of HSPD-12 raised concerns about the length of time necessary to complete the NACI process. They were particularly concerned about delays encountered in the FBI Name Check process.62 In August 2005, OMB amended the guidance on the directive to state that if the results of the National Agency Checks were not received within five days, only completion of a favorable fingerprint check would be required prior to issuance of a building access identification card.
Identification Card Recertifications. HSPD-12 requires that background checks be verified every 5 years in order to renew each employee’s identification card. As described to us by OCIO staff, the recertification will not require a new NACI check. Instead, the office that issues the identification card will check the employee’s personnel security record to verify that an HSPD-12 certification was completed when the identification card was originally issued. As long as the check of the employee’s personnel record does not reveal any other prohibiting factors, the card may be recertified.
One potential increase in SEPS’s reinvestigation workload could occur because the timeframes established by HSPD-12 for renewing identification cards do not coincide with existing OPM requirements for background reinvestigations. HSPD-12 guidelines require that identification cards be renewed no more than 5 years after issuance, whereas OPM’s standards consider a reinvestigation to be current if it is initiated within 5 years after the previous background investigation was completed. Therefore, an employee’s HSPD-12 identification card must be recertified before SEPS is required to complete a reinvestigation. SEPS officials told us that the possibility of requiring a reinvestigation before an HSPD-12 identification card is renewed had not been ruled out as of July 2005. However, if SEPS conducts these actions separately, the number of cases SEPS will have to track and manage each year will increase.63 Conversely, if the decision is made to conduct reinvestigations early so that they are completed concurrent with the HSPD-12 recertification, that would effectively shorten the reinvestigation cycle, which would in turn result in an increase in the number of reinvestigations that SEPS would have to conduct each year.
Oversight of Contractors. Our review of the SEPS oversight program found that it will have to be expanded if it is to cover components’ compliance with all HSPD-12 requirements regarding contractors. Staff from SEPS and the OCIO confirmed that HSPD-12 requirements will extend to certain contractors who are currently investigated and hired at the local level without centralized oversight. At present, SEPS obtains no case processing information on contractors hired locally by components. CRS security staff told us that when they visit a site that has locally-hired contractors, they request a roster and check the files kept on site. CRS will also talk to the General Services Administration about shared contract staff, such as janitors.64 The lack of a central Department-wide database prevents SEPS from easily identifying whether contractors from sites it has not visited have received the proper background check or even whether they are still employed.