[House Hearing, 118 Congress]
[From the U.S. Government Publishing Office]
SECURITY AT STAKE:
AN EXAMINATION OF DOD'S STRUGGLING
BACKGROUND CHECK SYSTEM
=======================================================================
HEARING
BEFORE THE
SUBCOMMITTEE ON GOVERNMENT OPERATIONS
AND THE FEDERAL WORKFORCE
OF THE
COMMITTEE ON OVERSIGHT
AND ACCOUNTABILITY
HOUSE OF REPRESENTATIVES
ONE HUNDRED EIGHTEENTH CONGRESS
SECOND SESSION
__________
JUNE 26, 2024
__________
Serial No. 118-118
__________
Printed for the use of the Committee on Oversight and Accountability
[GRAPHIC NOT AVAILABLE IN TIFF FORMAT]
Available on: govinfo.gov
oversight.house.gov or
docs.house.gov
__________
U.S. GOVERNMENT PUBLISHING OFFICE
56-066 PDF WASHINGTON : 2024
-----------------------------------------------------------------------------------
COMMITTEE ON OVERSIGHT AND ACCOUNTABILITY
JAMES COMER, Kentucky, Chairman
Jim Jordan, Ohio Jamie Raskin, Maryland, Ranking
Mike Turner, Ohio Minority Member
Paul Gosar, Arizona Eleanor Holmes Norton, District of
Virginia Foxx, North Carolina Columbia
Glenn Grothman, Wisconsin Stephen F. Lynch, Massachusetts
Michael Cloud, Texas Gerald E. Connolly, Virginia
Gary Palmer, Alabama Raja Krishnamoorthi, Illinois
Clay Higgins, Louisiana Ro Khanna, California
Pete Sessions, Texas Kweisi Mfume, Maryland
Andy Biggs, Arizona Alexandria Ocasio-Cortez, New York
Nancy Mace, South Carolina Katie Porter, California
Jake LaTurner, Kansas Cori Bush, Missouri
Pat Fallon, Texas Shontel Brown, Ohio
Byron Donalds, Florida Melanie Stansbury, New Mexico
Scott Perry, Pennsylvania Robert Garcia, California
William Timmons, South Carolina Maxwell Frost, Florida
Tim Burchett, Tennessee Summer Lee, Pennsylvania
Marjorie Taylor Greene, Georgia Greg Casar, Texas
Lisa McClain, Michigan Jasmine Crockett, Texas
Lauren Boebert, Colorado Dan Goldman, New York
Russell Fry, South Carolina Jared Moskowitz, Florida
Anna Paulina Luna, Florida Rashida Tlaib, Michigan
Nick Langworthy, New York Ayanna Pressley, Massachusetts
Eric Burlison, Missouri
Mike Waltz, Florida
Mark Marin, Staff Director
Jessica Donlon, Deputy Staff Director and General Counsel
Bill Womack, Senior Advisor
James Rust, Chief Oversight Counsel
Lisa Piraneo, Senior Professional Staff Member
Jennifer Kamara, Government Accountability Office Detailee
Benjamin Tardiff, Professional Staff Member
Ellie McGowan, Staff Assistant and Administrative Clerk
Contact Number: 202-225-5074
Julie Tagen, Minority Staff Director
Contact Number: 202-225-5051
------
Subcommittee on Government Operations and the Federal Workforce
Pete Sessions, Texas, Chairman
Gary Palmer, Alabama Kweisi Mfume, Maryland Ranking
Clay Higgins, Louisiana Minority Member
Andy Biggs, Arizona Eleanor Holmes Norton, District of
Byron Donalds, Florida Columbia
William Timmons, South Carolina Maxwell Frost, Florida
Tim Burchett, Tennessee Greg Casar, Texas
Marjorie Taylor Greene, Georgia Gerald E. Connolly, Virginia
Lauren Boebert, Colorado Melanie Stansbury, New Mexico
Russell Fry, South Carolina Robert Garcia, California
Eric Burlison, Missouri Summer Lee, Pennsylvania
Vacancy Jasmine Crockett, Texas
Rashida Tlaib, Michigan
C O N T E N T S
----------
Page
Hearing held on June 26, 2024.................................... 1
Witnesses
----------
Mr. David Cattler, Director, Defense Counterintelligence and
Security Agency, U.S. Department of Defense
Oral Statement................................................... 5
Ms. Alissa Czyz, Director, Defense Capabilities Management, U.S.
Government Accountability Office
Oral Statement................................................... 8
Written opening statements and statements for the witnesses are
available on the U.S. House of Representatives Document
Repository at: docs.house.gov.
Index of Documents
----------
* Report, RAND, ``A Diverse and Trusted Workforce''; submitted
by Rep. Lee.
* Report, RAND, ``Assessing Racial Bia in Security Clearance
Process''; submitted by Rep. Lee.
* Report, CAIR, ``Twenty Years Too Many''; submitted by Rep.
Tlaib.
* Transcript, Richard J. Langham - Planet Depos; submitted by
Rep. Tlaib.
* Questions for the Record: to Mr. Cattler; submitted by Rep.
Sessions.
* Questions for the Record: to Mr. Cattler; submitted by Rep.
Connolly.
* Questions for the Record: to Mr. Cattler; submitted by Rep.
Lee.
* Questions for the Record: to Ms. Czyz; submitted by Rep.
Sessions.
Documents are available at: docs.house.gov.
SECURITY AT STAKE:
AN EXAMINATION OF DOD'S STRUGGLING
BACKGROUND CHECK SYSTEM
----------
Wednesday, June 26, 2024
House of Representatives
Committee on Oversight and Accountability
Subcommittee on Government Operations
and the Federal Workforce
Washington, D.C.
The Subcommittee met, pursuant to notice, at 2:09 p.m., in
room 2154, Rayburn House Office Building, Hon. Pete Sessions
[Chairman of the Subcommittee] presiding.
Present: Representatives Sessions, Palmer, Higgins, Biggs,
Timmons, Burchett, Mfume, Norton, Frost, Connolly, Lee, and
Tlaib.
Mr. Sessions. The hearing of the Subcommittee on Government
Operations and Federal Workforce will come to order, and I
would like to welcome everyone to this important hearing today.
Without objection, the Chair may declare a recess at any
time, and I recognize myself the purpose of making an opening
statement.
First of all, let me thank the witnesses who are here
today. I spent time with them yesterday or the day before to
speak with them about the importance of not only what we are
doing here today, but the overall importance to the Nation and
national security. Today's hearing is with the Department of
Defense's National Background Investigative System, and we are
going to not only gain a full update of that, but we are going
to receive some information that will allow us to get closer to
the actual operations underneath of what is happening. A high-
quality security clearance process is vital to the security of
the United States of America, and as we have seen over the
years, when sensitive information gets into wrong hands, the
result is far reaching, compromising both the safety of the
country as well as the lives of the citizens. So, today's
discussion is a very important one.
In 2015, the Office of Personnel Management--OPM--announced
that it had suffered a significant cyberattack, one that
exposed the personal information of over a million people. In
fact, over 21 million people who completed forms for security
clearance investigations and had submitted fingerprints had
their personal information stolen by hackers. The massive
breach led to the security clearance process shifting from
where it was at OPM to the Department of Defense where it
currently resides. However, we know that what happened there is
that DOD was taking on an issue that was flawed and had to
start from the beginning. They had to start with reforming the
Federal personnel vetting system and also the mechanics behind
that. Hopefully today's hearing will help us understand not
just why, but how we can further our confidence that they are
headed the right way.
DOD now conducts 95 percent of all background
investigations for over a hundred agencies, most of the
personnel vetting for the entire Federal workforce. In 2016,
DOD, through its Defense Counterintelligence and Security
Agency or DCSA, began crafting the idea of a new innovative
personnel vetting information technology system. That system is
called National Background Investigative Services System, or
NBIS. This product was supposed to be a one-stop-shop system
covering all phases of personnel vetting--electronic forms,
managing investigations, recording decisions--and making sure
that became available not only to them, but also the users.
However, at this point, after all that planning, the system is
only being used for initial application portion of the vetting
process. In other words, this system is only able to handle the
first planned capacity that it was supposed to initiate back in
2016. We are now in 2024.
Initially, DOD said the system would be fully operational
in 2019. That deadline has long passed. Next, they said the
system would be fully up and running at the end of Fiscal Year
2024. We are about halfway there right now this year. However,
recently, users were instructed in a large process that was
virtually a town hall meeting, were instructed to stop using
the system completely for the time being and to revert to the
older system, which was supposed to be phased out by fall of
this year. Even more troublesome, DOD has not thoroughly
planned for the cybersecurity of both systems, potentially
exposing millions to the threat of another attack.
Like so many matters this Subcommittee addresses, today's
discussion is not a partisan one. The gentleman from Maryland
and I tend to see virtually the same way national security, the
money that is spent by taxpayers that has been appropriated by
this Congress, and the need to make sure that he and I continue
to work together to see things, where it deals with national
security, similarly. I think my colleagues across the aisle
also agree that these issues--ongoing delays with the rollout
of an effective and efficient personnel vetting system--are
important to every single person, including the security of
this great Nation. So, I think that we will all agree that
today's discussion is not a bureaucratic formality, but a
necessity. We must work together, and this is an issue that I
discussed with both of our witnesses yesterday. By the way, we
took pictures a minute ago. One noted, ``well, I wonder what
the after-meeting picture will look like.'' So, the before
meeting picture was most professional. I will tell you so will
the after because you will be dealt with professionally in this
Subcommittee, not just by Members on my side, but also Members
on Mr. Mfume's side.
So, today we are pleased to hear from David Cattler, the
Director of the Defense Counterintelligence and Security
Agency; and Alissa Czyz, Director of the Defense Capabilities
Management from the GAO, Government Accountability Office. I
look forward to working with each one of you today, and our
work is not done today, but today is an update, and I want to
thank each of you. And I would like to yield such time as the
distinguished gentleman from Maryland would choose. The
gentleman, Mr. Mfume, is recognized.
Mr. Mfume. Thank you very much, Mr. Chairman, and I clearly
echo your comments with respect to the way this Committee has
operated in this last Congress. Both you and I try to find a
common path, and where we disagree or diverge, we recognize
that we retain that right, but the decorum of the Committee,
the purpose of the Committee, the findings of the Committee,
and the oversight of the Committee is something we absolutely
and totally agree upon. So, I am happy to be here at this
particular point for this hearing, which, as you said, means a
lot to all of us, and when it comes to national security, we
try as best we can to speak with one voice.
This Subcommittee, Mr. Chairman, has been focused laser-
like on ensuring that our Federal Government effectively
executes the essential services and the essential functions
that our national security demands while safely guarding, at
the same time, all of the American interests against all of the
possible threats. As our Nation faces malign actors, we need a
talented, very reliable and trustworthy Federal workforce now,
actually more than ever before, to protect our fragile
democracy.
A rigorous and timely personnel vetting system minimizes
the risk of unauthorized disclosures and classified
information. Unfortunately, the information technology system
supporting the national background check process has attracted
our attention today precisely because efforts to modernize it
have been so inefficient, impeding other efforts to update the
clearance process and to fill sensitive positions of trust
within our government.
As far back as 2008, the Federal Government formed the
Security Sustainability and Credentialing Performance
Accountability Council, also known as the PAC, to address
longstanding problems with timeliness with effectiveness and
the overall process for granting security clearances. However,
as I indicated before, inadequacies persisted, leading to the
Government Accounting Office to add the governmentwide
personnel security clearing process to its High-Risk List 6
years ago in 2018.
The system had skyrocketing processing times, which
created, as we know, a towering backlog of qualified
individuals who could not start serving in national security
roles because of a backlog. Subsequently, the PAC launched the
Trusted Workforce, or TW 2.0, initiative to fundamentally
overhaul the Federal personnel vetting system and to take on
backlogs and other issues. While that initiative takes
noteworthy steps, Mr. Chairman, toward meeting the demand of
our national security workforce, the underlying personnel
vetting IT system called the National Background Investigation
Service, or NBIS, may, in fact, hinder the success and the
successful delivery of TW 2.0's mission.
NBIS was originally created to replace outdated and
decades-old legacy office. That office was within Personnel
Management. IT systems in 2019, however, have fallen short in
many respects of their laudable mission and fallen short of
meeting, quite frankly, their expectations. A 2023 GAO report
ordered by this Congress found that after $654 million spent
and 8 years of development, along with $835 million spent on
maintenance of the system that NBIS is meant to replace, DOD
still lacks--still lacks--a reliable schedule and cost estimate
for fully developing NBIS. Now that the full deployment of NBIS
has blown past--way past--its original projected deadline of
2019, TW 2.0 is left floating in the wind.
According to a GAO report in January of this year, of 31
surveyed Federal agencies, more than 50 percent do not trust
each other's security clearance, vetting process, or anything
else, and that more 50 percent feel the need to compete--or
complete, I should say--on their own duplicating efforts,
which, in turn, then prolongs the hiring efforts. While the
Defense Counterintelligence and Security Agency has made some
improvements and has introduced new NBIS capabilities since
taking over that process in 2020, it quite simply still is not
enough to be able to retain, attract, and secure high-quality
employees. Extensive wait times force talented agency recruits
to pursue employment outside of the government when their
security clearance stretches for months and sometimes years,
and can you really blame them for wanting to wait and to hang
around for things to change? On the other side of the coin,
inadequate security clearance processes may allow the wrong
people to access sensitive government materials, thereby
endangering, directly or indirectly, national security.
So, today we face a global threat landscape populated by
even more dangerous adversaries, as we know. The bottom line is
that our government security clearance process cannot keep up
with the challenges we face at home and abroad if we do not
address shortcomings within basic IT systems. So, I want to
thank our two witnesses for participating in today's hearing.
Like you, Mr. Chairman, I look forward to learning more about
how DOD plans to remedy this issue and how we as Members of
this Subcommittee can collaborate on efforts needed to put the
NBIS project back on track. And with that, Mr. Chairman, I
yield back the balance of my time.
Mr. Sessions. The gentleman yields back his time. I really
want to thank both of our witnesses who are here today. Both of
them spent a great deal of time with me and the staff yesterday
or the day before as we spoke about their preparation, our
expectations, our performance, and the things that they would
be doing. And I think you capsulized the need very well, and I
want to thank the gentleman.
So, I am pleased to welcome our two witnesses. Mr. Cattler
serves as Director of the Defense Counterintelligence and
Security Agency. In this role, he was selected because of his
demonstrated not just background, but his commitment to the
national defense and national security of this great Nation,
and I believe he was chosen properly. Mr. Cattler is
responsible for leading the efforts to protect America's
trusted workforce, trusted workspace, and classified
information, and I want to thank him for being here. Ms. Alissa
Czyz serves as the Director in the Defense Capabilities and
Management team at the Government Accountability Office. In her
role, she oversees reviews on the personnel security clearance
processes, artificial intelligence, intelligence
infrastructure, and DOD approach to business transformation.
Let me say this. I was impressed with her depth of knowledge,
her ability to effectively communicate and to share that
information so that others, including Mr. Cattler, would know
what he is getting into.
Thank you, each of you, for joining us today. I would now
like to ask both of you to stand and rise. So, pursuant to
Committee Rule 9(g), the witnesses will please stand and raise
their right hand.
Do you solemnly swear or affirm that the testimony you are
about to give is the truth, the whole truth, and nothing but
the truth, so help you God?
[A chorus of ayes.]
Mr. Sessions. Let the record reflect that both the
witnesses answered in the affirmative. I want to thank both of
you and ask that you take your seat.
We appreciate you being here today. Let me remind the
witnesses that we have read your testimony attempted to be
prepared for you, and it will appear in full in the Committee
hearing record. As I told both of you when we spoke, while we
have oral statements of 5 minutes, I am going to be, as I
always am, lax on that and want you to take the time to get
things done on your oral presentation, notwithstanding that may
change a bit as we get into questions and answers. I need you
to make sure that you are passing the information to this
Committee and did not believe it could be effectively done in 5
minutes. So, the distinguished gentleman will have to put up
with my review of that, but I would like for us to learn what
they have to say, and I am delighted that they are here.
Just to remind you, please press the button on the
microphone in front of you so it is on and all Members can hear
you when you speak. The light in front of you will also turn
red and green, and I think you will figure out the rest of it.
I now would like to acknowledge and welcome the
distinguished Director Cattler for his opening statements. The
gentleman is now recognized.
STATEMENT OF DAVID CATTLER
DIRECTOR
DEFENSE COUNTERINTELLIGENCE AND SECURITY AGENCY
U.S. DEPARTMENT OF DEFENSE
Mr. Cattler. Thank you. Chairman Sessions, Ranking Member
Mfume, and distinguished Members of the Committee, I am truly
honored and grateful for the privilege to testify before you
today. I thank you for the urgency and for the attention you
are giving to the Trusted Workforce 2.0 policy initiatives and
to the National Background Investigation Services or NBIS
program. I will act with the same urgency to ensure that DCSA
is responsible and accountable in both what we say and what we
deliver.
I appreciate this opportunity as well to testify with Ms.
Czyz at this hearing. The Government Accountability Office has
conducted several reviews of the NBIS program between both 2021
and 2023, including a recent report on cybersecurity that was
published last week and another report assessing technical
controls for background investigation systems that will be
published later this year in 2024. The GAO identified areas
where DCSA and the Department of Defense needed to improve.
Even before I became DCSA's Director 93 days ago, I closely
studied these reports and noted GAO's concerns. These
recommendations do guide my focus and my direction as the
Director of DCSA. I have directed that we renew our focus on
these recommendations and that we close the action items
presented within them as soon as we can. This includes the
recommendations from the GAO cybersecurity report even before
it was completed.
In early May, after only about a month as Director, I
hosted Ms. Czyz and several of her colleagues to understand
GAO's methodology and analysis to determine any additional
concerns they might have beyond those described in their
reports and, frankly, to understand how my Agency interacted
with GAO. I am committed to building a culture of
accountability at DCSA that was lacking in the program. Simply
and directly, the delay in fielding NBIS is unacceptable to
everyone. Oversight from GAO and Congress are important parts
of this ecosystem of accountability. As we move forward, we
will be guided by what is in the best interest of national
security and what is in the best interest of the taxpayer.
DCSA is the largest security agency in the Federal
Government. Its purpose is to provide integrated security
services that protect America's trusted workforce and cleared
workspaces. We perform five primary missions for the Department
of Defense and the broader Federal Government: personnel
security, industrial security, counterintelligence and insider
threat, and security training. I am here today before you to
focus on our personnel security mission.
DCSA is the Federal Government's largest investigative
services provider, providing vetting services for 95 percent of
the Federal Government. Last year, DCSA's personnel security
mission conducted 2.7 million investigations, or 10,700
investigations, per day. We delivered 668,000 adjudicated
decisions based on those investigations, and we performed the
continuous vetting of over 3.8 million people in the trusted
workforce. DCSA is also the primary implementer of the Trusted
Workforce 2.0, or TW 2.0 Program, which is a personnel vetting
reform initiative the White House's Performance Accountability
Council, or PAC, launched after the OPM breach in 2016.
The NBIS program supports the TW 2.0 reform effort as a
Federal IT system for end-to-end personnel vetting. When
complete, NBIS will deliver robust data security, enhanced
customer experience, and integrate data access across the whole
of government and cleared industry. Some efforts implementing
Trusted Workforce 2.0 are going well, but we have faced
challenges delivering NBIS to meet the expected timelines for
Trusted Workforce 2.0 implementation.
TW 2.0 sets an ambitious vision to change the personnel
vetting operating model for the Federal Government, with the
goal to detect and mitigate workforce risks and to expedite the
entry of new employees into the Federal workforce. As the
primary investigative service provider and the Agency with a
task to deliver NBIS, DCSA is an enthusiastic partner and
collaborator with DOD stakeholders and PAC members driving this
TW 2.0 vision.
We have made notable progress with NBIS and without NBIS.
For case initiation, we transitioned our customer base of 115
Federal agencies and more than 10,000 industry companies to the
new entry point via a piece of NBIS called the electronic
application, or eApp, to submit an investigation request. The
eApp interface automates key aspects of the process and
streamlines the submission process for the user, and I am proud
to give you the update now that the eApp system is fully
operational, again, effective today, and restored fully as the
front end for all users. Our continuous vetting services to
replace periodic reviews are driving down risk as well in the
trusted workforce. Our CV services are being used across the
Department of Defense and more than 90 non-DOD entities with
more than 3.8 million personnel enrolled. The program is
preparing to expand to a wider Federal population this summer.
Also, rapid reciprocity decisions increase workforce mobility
within and into the Department of Defense. Reciprocity
timeliness remains at all-day lows for transfers into the DOD.
In 2020, reciprocity transfers took 65 days. I am proud to say
we are now down to only 1 to 3 days today.
We recognize that IT modernization is hard and, in the
past, the NBIS program also made some decisions that made that
process harder for ourselves and for the user community. As a
result, NBIS faced a series of problems. In addition to the
issues raised by the GAO, we found from further internal
analysis and other DOD assessments of the NBIS program, other
key problems across a variety of aspects including oversight,
software development.
I am missing a page. Apologies, Mr. Chairman and Ranking
Member.
We feel an urgency to move quickly because we are behind
the expected delivery schedule and because the Nation needs
NBIS to support the personnel vetting mission. However, we also
need to move forward at a responsible pace to ensure that we
understand the problems and are addressing them. With the help
of our partners in the Department and the GAO, we developed a
recovery plan to fix these problems, including NBIS' cost, its
delivery schedule, and its overall performance. An outcome of
the recovery plan is initial 18-month capability roadmap for
NBIS development. This roadmap was developed with our oversight
agencies and other stakeholders. It addresses TW 2.0 technical
requirements and secures resource alignment across the DOD. We
have multiple cross-agency teams working daily preparing to
meet the milestones in this roadmap, engaging with oversight
for approval and with our customers as we move forward with
improvements. To be clear, NBIS development will extend beyond
the next 18 months, but I am confident with this path forward
to reset the program.
By the end of June, DCSA, working with our oversight
partners in DOD, is staffing for signature the following
documents: an updated capability needs statement and user
agreement; requirements, governance, charter, and related
process document; and a program capability roadmap for digital
transformation that will be vetted with all critical
stakeholders. These documents will provide clarity on program
requirements to inform the NBIS capability roadmap and an
updated lifecycle cost estimate for the program.
DCSA has also onboarded new leadership to implement the
roadmap coming out of this recovery period. We have not just
myself, but also a new NBIS program manager and a new program
executive officer for my Agency. The NBIS program leadership
have a plan in place to restructure and upskill the team to add
technical, agile, and acquisition expertise and skills.
The NBIS program leadership also has evaluated and aligned
a disciplined contracting strategy to support the way forward.
By the beginning of October, we will have an updated
independent cost estimate to assist with a reliable funding
profile to both stabilize and sustain the program. We will
continue to engage with customers and partners to ensure that
their feedback is incorporated into the design and the
configuration of capability development and configuration
management as we implement this new capability roadmap.
And to aid my strategic guidance into ensure internal
accountability, I have also directed my Agency's Inspector
General to audit the NBIS program. The DCSA IG will collect all
historical documentation to support this assessment with a
specific focus on the fiscal years between 2021 and 2024, when
my Agency took direct responsibility. I will ensure he has the
full cooperation of the DCSA workforce and full access to all
DCSA records to conduct his investigation. Taken together, this
will improve our visibility of the program, allow us to craft
lessons learned, and to further enable us to achieve our goals
to deliver NBIS.
So, to conclude, DCSA will move forward with a program that
instills confidence, a program that delivers capabilities to
uphold this mission without fail. We have embraced
collaboration with our oversight partners, the GAO, DOD, PAC
members, the mission owners, and I would add Congress as well.
Together, we will take NBIS on a sustainable pathway forward to
protect the trusted workforce, to protect the Nation, and to
ensure the public's trust. I am confident in our path forward,
and I do expect to be held accountable. I look forward to your
questions. Thank you.
Ms. Sessions. Mrs. Czyz, we are delighted that you are
here. The gentlewoman's recognized.
STATEMENT OF ALISSA CZYZ
DIRECTOR
DEFENSE CAPABILITIES MANAGEMENT
U.S. GOVERNMENT ACCOUNTABILITY OFFICE
Ms. Czyz. Chairman Sessions, Ranking Member Mfume, and
Members of the Subcommittee, I am pleased to be here today to
discuss GAO's on personnel vetting and, specifically, the
National Background Investigation Services System, or NBIS for
short. As you know, the U.S. Government relies on over 4
million personnel with security clearances to provide critical
public services. Personnel vetting processes help ensure a
trusted Federal and contractor workforce, but the government
has struggled with managing personnel vetting for decades. In
fact, this issue first appeared on GAO's High-Risk List in
2005. After some improvements, it came off in 2011, but we had
to add it back onto the list, as the Chairman noted, in 2018
due, in part, to challenges with IT systems.
My statement today focuses on the progress and challenges
with NBIS, which underpins the government's efforts to reform
personnel vetting. I will focus my statement on three key
areas--NBIS' schedule, cost, and cybersecurity--and I am happy
to go into more detail during Q and A.
First, with respect to schedule, DOD is years late in
delivering a fully functional modern IT system intended to
support all phases of personnel vetting. As you know,
cybersecurity incidents in 2015 compromised OPM systems
containing data on over 22 million Federal employees and
contractors. DOD was given the responsibility for a new IT
system after this breach and began developing NBIS in late
2016. DOD had originally planned for NBIS to be fully
functional in 2019, and then August 2022, and then December
2023. And today, while some capabilities have been deployed,
NBIS is still under development. In the meantime, DOD has had
to maintain legacy IT systems, including ensuring their
cybersecurity.
Second, with respect to costs, undertaking a major IT
program is expensive. Last year, we reported that DOD had spent
over a half billion dollars on developing NBIS and would spend
another $700 million through 2027. It had also spent over $800
million to maintain legacy systems while it develops NBIS.
These numbers have most certainly increased since the time of
our review. With delays in schedule come increased costs. These
issues are not new. GAO first sounded the alarm about NBIS in
2021. We reported then that DOD did not have a reliable
schedule for the NBIS program and risked missing milestones. In
2023, we re-looked at NBIS' schedule and found that it still
did not meet our published best practices for a reliable
schedule. We recommended to DOD in 2021 that it takes steps to
improve its schedule. DOD did not. In 2023, we raised this as a
matter for congressional consideration to require DOD to do so.
We also found that DOD may be unable to accurately project NBIS
costs. We suggested Congress also require DOD to follow our
best practices for developing a reliable cost estimate.
Finally, with respect to cybersecurity, DOD must get this
right. We cannot have another breach like we did in 2015. Until
NBIS is fully functional, DOD must ensure the cybersecurity of
both the new systems it is developing as well as the legacy
systems. In a report we released last week, we made 13
recommendations to DOD to enhance cybersecurity of these
systems. However, not all is without hope. The government's
personnel vetting reform effort, called Trusted Workforce 2.0,
has the potential to significantly improve security clearances
by offering continuous vetting instead of conducting
investigations on employees once every several years. NBIS is
the linchpin to this reform effort. While DOD was not always
listening, we are encouraged with the recent leadership
changes, particularly at the Defense Counterintelligence and
Security Agency, which manages NBIS.
As DOD gets NBIS back on track, I cannot emphasize enough
that it needs to embrace key program management principles like
having a reliable schedule and cost estimate. Without these,
the program will continue to suffer setbacks. In summary, NBIS
simply cannot fail. Having fully functional and secure IT
systems to conduct personnel vetting is paramount to keeping
our Nation safe.
Chairman Sessions, Ranking Member Mfume, and Members of the
Subcommittee, this concludes my prepared remarks, and I would
be happy to address your questions.
Mr. Sessions. Thank you very much. Both witnesses have
given us back their time. Now I would like to go first to the
distinguished gentleman from South Carolina, Mr. Timmons. You
are recognized for 5 minutes.
Mr. Timmons. Thank you, Mr. Chairman. Good afternoon. Thank
you to the witnesses for being here today.
I am going to jump right into the issue of continuous
vetting. Continuous vetting is supposed to be one of the major
reforms in Federal personnel vetting. Mr. Cattler, is every
member of the military, civilian workforce, and contractor with
a security clearance currently subject to continuous vetting,
and if not, when will this be the case?
Mr. Cattler. Congressman, yes, I believe they are all
enrolled currently.
Mr. Timmons. That is good news. OK. Well, did not expect
that answer. I appreciate that.
Ms. Czyz. Could I jump in real quick?
Mr. Timmons. Yes, Ms. Czyz, please.
Ms. Czyz. So, it is true that they are all enrolled at this
point, those with security clearances, but it is our
understanding that not all of them are undergoing continuous
vetting at this time. There is varying degrees of when CV is
going to be implemented. So, ``enrolled'' means that they are
ready to undergo vetting. It does not necessarily mean they are
undergoing the entire continuous vetting process, which is
several checks. Some of them may be getting a few checks, some
of them may be getting no checks, and some may be getting more.
So, that is our understanding.
Mr. Timmons. Thank you for the clarification. How do you
prioritize which individuals will have additional scrutiny? Mr.
Cattler, is that an ongoing process, I mean if they are
enrolled but they are not currently receiving the additional
vetting?
Mr. Cattler. Yes, sir. That is both. We are doing it and it
is an ongoing process, and we take a look at how long they have
been cleared for. We also take a look at the nature of the
positions that they are in when we do that prioritization.
Mr. Timmons. OK. Thank you. The track record of the NBIS
system raises concerns about what exactly has been going on at
DCSA since it was formed. Mr. Cattler, what kind of review are
you planning with respect to personnel vetting, and how can we
be sure that no bad actors have gotten through the cracks in
past years?
Mr. Cattler. Well, Congressman, I think I would answer you
in two main ways. One is, again, I am on day 93 in the job, and
I have asked for a zero-based review. I had begun that even
before I interviewed for the job, and then certainly in the
time I have been in. Take a look at what our business processes
are and how we are structured. And, this is in part why I also
said in my statement for the record that we did identify a
number of leadership issues about internal accountability,
compliance with internal controls, for example, reliability of
data that was reported up about the status of the program.
But the other thing we do is a tremendous amount of quality
control checks on the cases that we do reviews on. We are
adjudicating essentially for suitability, further decisions
that are then taken by the operational partners, the agencies
that use our adjudications to determine who should actually
have access to certain material. And so, we take a look at are
we accurate and complete, but we then also have to work with
other partners to determine when we have had someone, let us
say, that has gone bad. Simply, what was the cause? Did we miss
something? Was their behavior different? What changed over time
to have that break in trust?
Mr. Timmons. And while we are going to be asking questions
that will address shortcomings, I do want to say that I am
probably the only person up here that has gone through a
security clearance review in the last year and a half, so I
will say it was extremely professional. It took a little longer
than I would have thought, but they did a very thorough job,
and I felt like they did a very good job.
I also want to talk briefly about the costs associated with
the Trusted Workforce 2.0. This program was initiated in 2018
and was aimed to ``better support agencies' missions by
reducing the time required to bring new hires on board, enable
mobility in the Federal workforce, and improving insight into
workforce behaviors.'' However, as made clear by the testimony
today that is not necessarily the case. It has been 6 years
since the launch of the program, and yet we have seen no
necessarily positive results. The security clearance system is
still extremely backlogged, and, as already mentioned,
dangerous individuals continue to slip through the cracks.
We have to do more. DOD is responsible for the costs
associated with the development and continued maintenance of
the NBIS system. Between 2017 and 2022, DOD spent approximately
$654 million on the development of that system. We are $35
trillion in debt, and we add a trillion dollars in debt every
hundred days, so, I mean, that seems like an enormous amount of
money for a program that it just seems like it is more than we
necessarily should need to spend on this.
I would like to hear from both witnesses what their
estimates are of how long it takes from the time an agency
sponsors somebody for a clearance to the time they get a
clearance. Mr. Cattler?
Mr. Cattler. Thank you, Congressman, for both parts of the
question. First, let me say on the money and the time here, I
completely agree with you. It is unacceptable how we have
gotten to where we are, and we need to turn this thing around.
I am trying to move deliberately, not overly slowly, because I
think I share the same sense of urgency that you are
communicating. We are 8-and-a-half years into a 3-year program.
We spent $1.345 billion on a $700 million program that was
begun in 2016. That is why I also have a sense of urgency, but
at the same time, I recognize that we have got to catch our
breath and make sure we get it straight before we move forward.
That is why we just did this 90-day review and why we are
laying out this better 18-month roadmap that all the
stakeholders have contributed to and will agree on.
On performance, if I track the fastest 90 percent of cases,
if I take a Tier 3 security clearance or a secret, it now takes
92 days, and a Tier 5 or a top-secret clearance takes 188 days.
Those are a 7-month improvement for a Tier 5 investigation, and
a 1-month improvement for a Tier 3 investigation over where we
have been in the past at the peak of that backlog. The time is
slower than the target due to surge in demand. Frankly, we have
more applications now, between ten thousand and 11 thousand new
applications for investigations per week, and that has added up
to quite a number of cases that the team has to process.
Mr. Timmons. Thank you. I am over time. It seems like we
are moving in the right direction. I appreciate all your hard
work. Mr. Chairman, I yield back.
Mr. Sessions. The gentleman yields back his time. Thank you
very much. The gentleman, Mr. Mfume, is recognized for his
time.
Mr. Mfume. Thank you, Mr. Chairman. Mr. Cattler, I want to
talk about that $1.3 billion, but before I do that, you
indicated that you are going to have an updated cost estimate
by October. Is that correct?
Mr. Cattler. Yes, Mr. Ranking Member, that is correct.
Mr. Mfume. And rather than to read about it, can you make
sure that Members of this Committee get that as soon as it is
released?
Mr. Cattler. Yes, sir. I will do everything I can to get it
back to you.
Mr. Mfume. And, you know, you just got in the position, so
we just cannot nail you to the cross for everything that has
gone on. I think what you will find is Members of this
Committee prepared to extend to you the benefit of the doubt,
but that is a lot of money, $1.3 billion into a program that
costs maybe half of that or should have cost half that amount.
Can you talk about how far you are into this review,
particularly as it relates to redundancies in the spending over
the past 3 or 4 years? So, I am talking about contractors,
redundancies in contracts that were underperforming, and
whether or not those are some of the things that you are
looking at.
Mr. Cattler. Again, thank you for your question. This is a
very important part of how we have approached this last 90
days.
Mr. Mfume. Mm-hmm.
Mr. Cattler. We looked at three strategic baskets of
issues, first personnel. Did we have the right people in the
right place with the right qualifications to tackle this work?
Was their training up to date? Do they have the right skills?
We have had a lot of advice on who else to hire, who else to
bring in, for example, user experience experts, people that can
help us a little bit more with data architecture. We have sent
our people out for Agile training. We have had over 140 receive
updated training in Agile methods for software development, and
we sent some of the program management staff over to the
Defense Acquisition University as well for further training on
program management-related skills.
The second basket we looked at was procurement and our
contract structure. Did we have the right framework? Did we
have the right priorities? This balance, sir, as you have
highlighted, between doing new system development and legacy
system sustainment is critical to the path we need to take
forward. Of that $1.35 billion, we spent more than $800 million
of that, yes, on new software development, but the remainder of
it did go to legacy system sustainment. So, we need to
prioritize the retirement of the legacy software systems with
the thought of how much they cost and, ideally, eliminate,
sunset the programs that cost the most at the earliest
opportunity if the technology will allow us to do so. And that
is one of the things the program manager and our contract staff
are taking a look at.
And then finally, oversight is another key piece that we
looked at, and not this form of oversight per se, although,
again, I am happy to be here. We also looked at the
relationship between myself and the GAO; myself, my Agency, and
the Office of the Secretary of Defense; and my office, my
Agency back with the Performance Accountability Council about
transparency and accuracy.
Mr. Mfume. And let me go back to this subject of continuous
vetting. I said in my opening remarks, not only was I fearful
that good people were not being allowed in, but that bad actors
had slipped in. So, this continuous vetting, which I understand
now is more than just enrollment, it is like do you drive? Yes,
I have a car. Have you driven in the last year? No, I have not.
I am very much concerned about how you go about prioritizing
the continuous vetting. So, should I assume that the people
with the highest clearance are not only enrolled, but are being
continuously vetted?
Mr. Cattler. Yes, sir, but again, as Ms. Czyz says, it may
vary based on where they are because, again, they are all
eligible, they are all enrolled, but the extent of the
monitoring may vary. I have statistics here that I could give
you for Fiscal Year 24, Ranking Member, if you would like,
about the performance of CV.
Mr. Mfume. Yes. I would rather you give them to me as part
of your written testimony. I do not have much time here, but I
do want to go back to the GAO here and to ask, you talked about
your real recommendations to the Agency would be to deal with
their scheduling, their costs, their cybersecurity issues.
Could you take this last minute and speak about that please?
Ms. Czyz. Yes, I would be happy to, and we are looking
forward to seeing the new roadmap and plans, but I will say
that we have reviewed multiple NBIS roadmaps over the years,
and none of them had reliable schedules. In fact, when we did a
review in 2021, it was unreliable. In our 2023 report, when we
re-looked at the new roadmap and new schedule, it was actually
worse than the 2021. So, it is great that new plans are being
formed, but it is essential that you follow best practices for
integrated master schedules to get the plan right, or else we
are just going to keep repeating this over and over.
I would also like to mention on the cost estimate, very,
very encouraged to hear that DCSA is going to pursue an
independent cost estimate. That was one of the recommendations
we had according to our best practices, too. I mean, the point
about already spending over a billion, a billion-and-a-half
dollars on the program for several more years, just keep in
mind those estimates were unreliable, too. So, it could have
been more, so we do not know, right? We are at a point now, Mr.
Cattler is here. He is new. He is putting great things in
place. We really appreciate that he invited us down. He has
read all of our reports. He takes them seriously. But our best
advice would be to just, please, you know, it is great to move
forward, but make sure we have got these key program management
principles in place, and the same with cyber, too. Kind of the
main message of our cyber report last week with the 13
recommendations is there was limited oversight of cybersecurity
within DCSA, so strengthening oversight of cybersecurity is
essential as well.
Mr. Mfume. Thank you very much, Mr. Chairman. My time has
expired. I would hope that perhaps in 6 months or so, we can
reconvene all over again and do a review of where we are, where
we started, which is today, and where we will be 6 months later
just to have some contrast and some comparison.
Mr. Sessions. The gentleman yields back his time. Thank you
very much. As a matter of fact, we have talked about that and
would aim for October.
Mr. Mfume. Good.
Mr. Sessions. Thank you very much. This distinguished
gentleman from Arizona, Mr. Biggs, is recognized.
Mr. Biggs. Thank you, Mr. Chairman. Thank our witnesses for
being here. Ms. Czyz, I want to make sure I am clear on this.
From 2017 to 2022, it was $654 million, from 2022 to 2027, it
is anticipated to be $700 million for NBIS, and then just in a
legacy system, that $800 million, that is to date during this
same period?
Ms. Czyz. It is actually only from Fiscal Year 2020 to
2022. That was the only information available at our last
review, so it is much more actually than that.
Mr. Biggs. For the legacy.
Ms. Czyz. For the legacy systems, yes.
Mr. Biggs. So, I would ask Mr. Cattler if you can get that
information for us so we would know. You have it? Oh, well
then, Mr. Cattler.
Mr. Cattler. Thank you, Congressman Biggs. DOD has spent
approximately 825 million on NBIS system development since
2016. That money was spent to build the end-to-end vetting
system to replace the legacy systems, and that total of $825
million was executed under budgetary authorities by both DCSA
and DSA before.
Mr. Biggs. OK. And that is separate than the $1.35.
Mr. Cattler. The total is $1.35 because the remaining 40
percent, which is about $575 million----
Mr. Biggs. OK.
Mr. Cattler [continuing]. Was spent on sustaining legacy
systems to deliver the personnel vetting systems to DOD and
Federal agencies between fiscal 2021 and fiscal 2023, with the
bulk of the $575 spent on supporting legacy BI systems, which
we call BIS.
Mr. Biggs. Does that track with what you know, Ms. Czyz?
Ms. Czyz. Our number is a little bit higher than that. In
addition to that $500 million-ish that Mr. Cattler mentioned,
there are also costs to OPM because the legacy systems still
reside on their network, and so they still have to maintain
that infrastructure even though DCSA is in charge of those
legacy systems. So, we have that at a little bit over $250
million more than DCSA stated.
Mr. Biggs. Right. I see. And then, and Ms. Czyz, you used
the term ``unreliable schedule,'' and you mentioned it,
receiving unreliable schedules. Tell us what a reliable
schedule would look like, please.
Ms. Czyz. Right. So, we have four key practices that we are
looking for that we assess integrated master schedules on.
Comprehensiveness. So, we looked at the schedule, and we could
not see that all activities were in the schedule. So, it is
kind of like building a house but not remembering that you have
got to get the permits, right? You have got to get electricity.
You have got to get plumbing. All the tasks need to be in the
schedule. Control is the second key practice. The schedule,
when we reviewed it, was missing status dates for tasks, and we
could not compare actual progress with a baseline. Credibility
is the third key practice. This is being able to trace events
to each other and have a risk analysis. There was no risk
analysis in the schedule. And then well-constructed logical
sequencing. We could not consistently find sequencing between
different activities. So, in fact, none of those key practices
were met. They were all judged as minimally met in 2023. They
need to be all substantially met to have a reliable schedule.
Mr. Biggs. So, I mean, with the logical sequence, you are
talking about putting the roof on before you put the walls in.
Ms. Czyz. Yes. Good analogy.
Mr. Biggs. OK. And, Mr. Cattler, I know you have only been
on 93 days. I want to give you a chance to respond. I am not
blaming you, but in your written testimony, you said the
analysis of the NBIS program identified several key problems,
including in oversight, software development methodologies,
acquisition strategy, team competencies, and leadership, and
Ms. Czyz has identified some additional problems. And it leaves
this question actually as I read it, I kind of jotted this
down, actually, three questions. Why, what caused the problems,
how do you cure them, and is there anything that you have found
going right because, I mean, these are pretty comprehensive and
broad. So, what is going right?
Mr. Cattler. Well, thank you, Congressman. Let me start
there maybe----
Mr. Biggs. Yes.
Mr. Cattler [continuing]. What is going right.
Mr. Biggs. Yes.
Mr. Cattler. I think that, first, what is going right now
in terms of strategic performance is that we are, in fact,
delivering those 2.8 million investigations a year and 10,700 a
day, and we are satisfying that CV function, obviously, in
order to get that done. We have delivered eApp as a key element
of NBIS, as I said, just fully restored again today. And the
reciprocity work, again, under Trusted Workforce is also, I
think, a big deal in terms of overall performance delivery.
In terms of who is to blame and who is at fault, what I
would say is I think the investigation so far has indicated
that there is plenty of blame to go around. We had many issues
in various places within the program----
Mr. Biggs. Before I run out of time because you get to
answer past my 5 minutes. I do not get to ask questions past my
5 minutes. So, my question is, because you talked about culture
of accountability, ecosystem of accountability, and you just
said there is plenty of blame to go around. How do you mesh the
blame to go around with the ecosystem of accountability, I
mean, because you talked about hiring new people and getting
the right people and everything. You did not talk about maybe
letting go of some people who should not be there.
Mr. Cattler. Yes, Congressman. We have had some people move
on. We have, even in the time that I have been on board, have
had to make some of those changes internally to the team. I
think it is fair to say, too, that the dynamic of communication
internally and external is fundamentally different now since
the end of March. I have worked with my colleagues that are
involved in my oversight now for more than 2 two decades, know
them very well professionally and personally. We are locked arm
in arm on this. And I feel like I should also say to you that
while it is not my fault, it is my responsibility to be sure
that DCSA delivers on this set of requirements. It is critical
that we do so.
Mr. Biggs. Well, thank you. Thanks, Mr. Cattler. My time
has expired. Thank you, Mr. Chairman, for indulging me.
Mr. Sessions. The gentleman yields back his time. Thank you
very much. The distinguished gentlewoman from Washington, DC,
Ms. Norton, is recognized.
Ms. Norton. My first question is for Ms. Czyz. Efforts to
modernize the information technology system at the root of the
U.S. Federal personnel vetting process is years behind schedule
and well over budget. In August 2023, the Government
Accountability Office released a report that found DOD's
development of that system, known as SBIS, lacked accurate cost
projections and failed to meet seven out of seven schedule and
cost estimate best practices. Ms. Czyz, why is an accurate cost
estimate important to a project like SBIS development?
Ms. Czyz. Right. Well, thank you, ma'am. It is a key
program management principle. Without being able to accurately
project costs, you are at risk of cost overruns and you cannot
manage costs. We have four key practices for a cost estimate.
It needs to be reliable--I am sorry--accurate, comprehensive,
credible, and well-documented. We found that DCSA's cost
estimate minimally met three of these practices and did not
meet the credible practice at all. It was not credible. We are
encouraged to hear that they are going to do an independent
cost estimate. That is key to doing that, but to be able to
drive the program, we are years behind now, we are spending
more than what was anticipated, but we cannot really even rely
on those numbers. So, having an accurate cost estimate is key.
Ms. Norton. Mr. Cattler, GAO's report also found that DOD
spent around $654 million since 2016 to develop NBIS. DOD also
spent $835 million to maintain the OPM legacy information
technology systems from fiscal years 2020 through 2022. In its
August 2023 report, GAO recommended that Congress consider
requiring DOD to develop a reliable cost estimate and program
schedule for NBIS development. Mr. Cattler, has your Agency
taken steps to develop the issues with cost estimate and
programs scheduled related to NBIS development, or does
Congress need to enact legislation to get DOD to follow best
practices?
Mr. Cattler. Well, thank you Congresswoman. I believe that
we are well on the track to have the reliability in our
internally generated cost estimate. It will go through many
reviews within DOD and the interagency, for example, led by the
Performance Accountability Council, among others. And as I have
stated my statement for the record, we will also contract out
an independent cost estimate after we have an approved plan to
be sure that that outside scrutiny tracks with what we judge it
will cost moving forward.
Ms. Norton. Well, Mr. Cattler, how does DOD plan to pay for
any and all next steps needed to complete development of NBIS?
Do you plan to request additional funding from Congress?
Mr. Cattler. Congresswoman, I am not yet in a position to
tell you how much all of that will cost and how we would
program for it until I have the final plan and approval. But, I
can tell you that we have already programmed for ongoing NBIS-
related work for development and sustainment, both of the NBIS
and of legacy software, through fiscal 2030 in our current
plans.
Ms. Norton. Mr. Cattler, can I get a promise from you here
today that you and your staff will meet regularly, perhaps
monthly, with Oversight staff to ensure the Defense Security
Cooperation Agency is taking action to address all outstanding
GAO recommendations and getting the NBIS system and Trusted
Workforce 2.0 back on track?
Mr. Cattler. Congresswoman, I commit to you that I will be
open and transparent, I will push information to you, and I
will be fully responsive to any request Congress has on any-
time basis.
Ms. Norton. Ms. Czyz, can Congress count on you and your
team to assist us in this essential oversight?
Ms. Czyz. Absolutely. GAO's role is to provide Congress
with information to aid your oversight. We have been doing that
for many, many years in personnel vetting. We very much
appreciate this hearing today that does provide visibility on
the work and move the ball forward, and we are absolutely
committed to continuing our oversight in this area.
Ms. Norton. Thank you, and I yield back.
Mr. Sessions. The gentlewoman yields back her time. Thank
you very much. The distinguished gentleman from Louisiana, Mr.
Higgins, you are recognized.
Mr. Higgins. Thank you, Mr. Chairman. Mr. Cattler, Ms.
Czyz, thank you for being here. Mr. Cattler, am I pronouncing
your name correctly, sir? It occurred to me we did not get it
right.
Mr. Cattler. Yes, Congressman, ``Cattler.''
Mr. Higgins. OK. Mr. Cattler, my father always said,
ultimately, it is always one guy. It is one guy, and today you
are the one guy. But we recognize the fact you have been on the
job since March, so we are certainly prepared to give a fellow
a chance to make necessary corrections and changes within his
authority to correct some malfunction within the Federal
Government. Let me say it is a Federal Government that is
spending $3 trillion a year that it does not have, so I am one
of those conservative voices that is--you know, call me crazy--
but sounding an alarm, the amount of money that we are spending
in our country that we do not have. We are borrowing this
money, 100 percent of it. So, you have a small slice of that,
and it is what we are addressing today, but I appreciate your
attitude because you seem to be focused on actually fixing what
has gone wrong within your particular Agency.
So, let me just, for the benefit of Americans watching,
that Americans have to deal with a lot of acronyms in
Washington, DC. You work for the Department of Defense. The DOD
is defense, Counterintelligence Security Agency--that is the
DCSA--and primarily what we are discussing today is a failure
to roll out a program called the National Background
Investigative Services, a new state-of-the-art IT system that
will help your Agency to handle the workload of dealing with 95
percent of the background checks and vetting that American
Government requires across the Federal Government. Was that an
accurate summary of the task you have in front of you, sir?
Mr. Cattler. Yes, sir.
Mr. Higgins. OK. And the NBIS program is years overdue and
many millions of dollars, at minimal, over budget. So, what we
are asking of you today is, will you deliver the product? If we
set aside the cost overruns and the budget issues, and the
fact, again, that this is a government that is addicted to
spending money that we do not have as a Nation, we set that
aside, could we at least get some product delivered? And you
appear to be saying, yes, sir/yes, ma'am, I am going to get it
done. Am I hearing you correctly?
Mr. Cattler. Yes, sir. I and my team will get it done.
Mr. Higgins. Excellent. So, the good lady seated next to
you represents the Government Accountability Office, and they
have made recommendations that historically have not been
followed. Now, the GAO, we give them the responsibility to
advise Congress and look into this matter, and say what can be
done, and give official recommendations, and historically, that
is not always followed, including in your Agency. But now that
you are in charge, does DCSA intend to follow GAO
recommendations?
Mr. Cattler. Yes, sir. We have already reverted to
following GAO recommendations, and I and the leadership team
will continue to ensure that we do.
Mr. Higgins. Excellent. I do not claim to be an expert in
your field, but I get the feeling that you claim to be an
expert in your field, and congratulations, but you have a hell
of a job in front of you to fix this thing. This Committee is
going to count on you to measure up. When I was in the Army in
1989, I went through an original, a small security clearance. I
was an MP in the Army. We required a little bit of a security
clearance. I was surprised to hear that the Army had sent
people I went to high school with. There was no computers.
There was no IT system. There was no $1.2 billion to do it.
They sent human beings to talk to the people I went to high
school with. I recall being glad they did not speak to the
people I went to college with.
[Laughter.]
Mr. Higgins. So, America is less focused on some failure to
comply with your budget than we are with the failure to deliver
the product that America requires. And I believe I am hearing
you accurately, good sir, saying that you are going to follow
the recommendations of the Federal Government organization that
is responsible to give you recommendations, and you are going
to drive forward with that mission. So, I look forward to a
report later this year. I thank you each for being here. Mr.
Chairman, my time has expired.
Mr. Sessions. The gentleman yields back his time. Thank you
very much. The distinguished gentleman from Virginia, Mr.
Connolly----
Mr. Mfume. Mr. Frost.
Mr. Sessions. Excuse me. The gentleman, Mr. Frost. Thank
you very much.
Mr. Frost. Thank you so much, Mr. Chairman. Some estimates
indicate roughly 4 million Americans currently have a security
clearance. The Defense Counterintelligence and Security
Agency--DCSA--which administers the governmentwide vetting
process, identified more than 115 Federal agencies and roughly
13,000 industry organizations that touch the NBIS. DCSA is in
charge of developing NBIS, the IT infrastructure at the core of
the personnel vetting system reforms. DCSA is also in charge of
maintaining the legacy IT systems while it gets NBIS fully
functioning, and, unfortunately, DCSA has to spend millions of
dollars maintaining the old system as NBIS fails further behind
schedule. The Deputy Director for Management at OMB, an Agency
trying to help us get this back on track, came before this
Committee and told us that continuous vetting should be covered
for the entire clearance population in ``the coming months.''
Well, the coming months have come and gone, and so, Mr.
Cattler, can you provide a timetable for when DCSA will be able
to retire the legacy IT systems?
Mr. Cattler. Congressman, at this point, I cannot until my
plan is approved and we have confidence in the estimate for
both the program management schedule as well as the cost.
Mr. Frost. OK. Cannot. I mean, this is not the first time
Congress has sought transparency on implementation as it
relates to NBIS, and the thing that goes hand in hand with
transparency is accountability. So, it would be great to get a
timetable as soon as you all are able to provide one to the
Committee.
Mr. Frost. The OMB deputy director also pointed to a
shortage of technical talent. Mr. Cattler, have you at least
acquired sufficient technical talent so we can operate the NBIS
for the full clearance population?
Mr. Cattler. Congressman, I am confident that we have the
internal talent in our workforce to perform the personnel
security mission, and we continue to retain them and hire new.
We are also bringing on additional personnel relevant to the
development of the NBIS program as we further understand where
our key expertise gaps are.
Mr. Frost. OK. Ms. Czyz, has Mr. Cattler articulated to you
any lessons learned from the past challenges with NBIS?
Ms. Czyz. Well, Mr. Cattler has been in his role about 3
months now----
Mr. Frost. Mm-hmm.
Ms. Czyz [continuing]. And I would say maybe even 6 weeks
into that role, he did invite us down to Quantico, and we went
through all of our GAO reports. We presented the key findings
and recommendations. He had read them all. He could even quote
pieces of them back to us. He was, I think, committed and
demonstrated a commitment to understanding our concerns. He
asked us point blank how his Agency had interacted with GAO in
the past, and that he was committed to having a collaborative
relationship and implementing our recommendations. So, I think
we are very encouraged by his early leadership here. He has got
a lot ahead of him definitely, and, hopefully, he can use our
past work to guide him and so we do not have a repeat of what
has happened over the past 8 years.
Mr. Frost. That is really good to hear. NBIS delays are
serious business. Over the last decade, the number of clearance
positions has grown more than tenfold while the number of
candidates remain stagnant. In 2023, the NSA announced its
largest hiring surge in 30 years. The FBI requested $63 million
from Congress to hire 192 new cyber professionals to protect
American IT infrastructure against foreign threats, and all
these positions obviously require security clearance. The
Federal Performance Accountability Council's 4th quarter report
for Fiscal Year 2023 mentions system and IT outages as reasons
for continued clearance delays. Mr. Cattler, have you
identified what the causes of these IT outages were?
Mr. Cattler. Congressman, yes. In the time that I have been
the Director, we have had outages due to issues with
communications connectivity, but we have also had issues
related to failure to follow proper procedures and internal
controls. So, to address these two at least, we have looked at
alternative communications providers. We are working with DISA
on that in order to move to different DOD-provided systems, for
example----
Mr. Frost. Mm-hmm.
Mr. Cattler [continuing]. And different commercial
telecommunications providers. And we are also taking, in some
cases, punitive action against some of our employees and
contractors----
Mr. Frost. Mm-hmm.
Mr. Cattler [continuing]. To be sure that they understand
and they feel a penalty for failure to comply with those
established internal controls, especially, as you have said,
they may, in fact, lead to a system outage that could cause
loss of data as a potential worst outcome, but I hesitate to
say a minimum, but at a minimum, certainly short of loss of
data, a significant delay in somebody being able to even file
an application for security clearance.
Mr. Frost. Are you reviewing and changing any of the
standard operating procedures around this?
Mr. Cattler. Congressman, yes. We are constantly looking at
what our standing operating procedures are and the internal
controls, and this, as well, will be part of the IG review that
I have asked my IG to perform.
Mr. Frost. Perfect. Thank you both for all the work that
you do. I yield back.
Mr. Sessions. The gentleman yields back his time. Thank you
very much. The distinguished gentleman of Tennessee, Mr.
Burchett, is recognized.
Mr. Burchett. Thank you, Mr. Chairman. Ms. Czyz, I got that
name right? That is a cool name. I dig that. That is really
cool. As the 435th most powerful Member of Congress, I get to
ask my questions last. Usually as I like to state, there is
usually a custodian in front of me sweeping up about the time I
get up on the mic, so I apologize if these questions have been
asked. I have trouble hearing. My wife says it is selective,
but my doctor says otherwise, so if you all have asked these
questions before, just act like this is the best question you
ever had. And, Mr. Cattler, if you would look at her and go,
wow, that is a really great question, I would really appreciate
that. It would be good for the folks back home.
The status of the National Background Investigation
Services system, where would you say that is at?
Mr. Cattler. Congressman, it is unacceptably late----
Mr. Burchett. OK.
Mr. Cattler [continuing]. And we have underdeveloped the
required capabilities to meet our policy deliverables.
Mr. Burchett. OK. It was supposed to be fully operational
by 2019? Is that correct? I know you have inherited this mess,
so.
Mr. Cattler. Yes, Congressman, that is correct.
Mr. Burchett. Thank you, brother. And the projection of
when it will be fully operational?
Mr. Cattler. Congressman, we are programmed out through
2030.
Mr. Burchett. OK.
Mr. Cattler. We aim in the current plan to have the legacy
system sunset no later than fiscal 2028.
Mr. Burchett. The GAO, they issued this report, as you know
I am sure, regarding the Defense Counterintelligence Security
Agency's issue with cybersecurity. Do you feel like they have
dropped the ball on this thing, or do you feel like they have
got a good grip on it now?
Mr. Cattler. Congressman, I do not think GAO has dropped
any balls. I think their cybersecurity report is of similar
high quality to the previous reviews of NBIS.
Mr. Burchett. OK. Ms. Czyz, I am not sure if I am supposed
to be asking you this or not. I thought I was asking you that
and he was answering, so I am not sure. How can we have
confidence in this Agency, and is there an investigation into
what vulnerabilities have existed since it was taken over in
2018?
Ms. Czyz. I think with new leadership, we are encouraged
that DCSA can get NBIS back on track, but they have got to go
back to key management principles, the basics, right?
Developing a reliable schedule and cost estimate for the
program, enhancing oversight, and particularly with
cybersecurity, based on a report that we released last week,
these are key fundamental program management principles. And in
the past, the program has been so focused on moving out to
deliver capabilities, that they had told us that it was an
administrative burden and a waste of time, frankly, to develop
a schedule or a cost estimate. They did not need to do that.
They did not need to follow best practices. Well, now they are
years and years late and behind schedule, and over cost, too.
We think that the tone is different this time from the top
and are encouraged, but as they kind re-baseline again, we
would really encourage them to take a look at our
recommendations to make sure that they are implemented so that
they are on a path to success.
Mr. Burchett. So, do you think we have fixed these
vulnerabilities, or do you think we ought to pull the plug on
the program before it becomes worse?
Ms. Czyz. The cybersecurity report we released last week,
the fundamental cause of the issues was lack of oversight of
cybersecurity, lack of documentation of key practices and
processes. If you can strengthen oversight, I think that will
go a long way. We do have an ongoing review right now that Mr.
Cattler referenced. We are actually going in and testing the
controls of the systems to look at vulnerabilities, so we do
not have that information yet. We will have that later this
year. It will be a nonpublic report, of course, but enhancing
oversight of cybersecurity is key.
Mr. Burchett. Mr. Cattler, what do you expect you all are
going to spend on the National Background Information System as
it moves forward?
Mr. Cattler. Congressman, I need to get an approved plan
from the DOD----
Mr. Burchett. Right.
Mr. Cattler [continuing]. And from my oversight officials,
and then I can do the internal tally of how much it will cost,
and then I will confirm that through the independent cost
estimate. I would have to get back to you on what the specific
number is.
Mr. Burchett. I would appreciate that.
Mr. Burchett. Is that normal operating procedure? Is that
the way it usually works? That is not one of these trick
questions a lot of my colleagues ask. I am just asking you
that.
Mr. Cattler. No, Congressman, it is not, and it is also
part of the reason why I say it is unacceptable that I find the
NBIS program in my Agency in the situation that it is in. If we
had followed the proper protocols and leadership had demanded
the oversight and internal accountability that Ms. Czyz and her
colleagues at GO highlighted in their reports, I think you
could make a fair argument that we would not be where we are.
Mr. Burchett. OK. Thank you, Mr. Chairman. Thank you all
very much.
Mr. Sessions. The gentleman yields back his time. Thank you
very much. The gentlewoman, Ms. Lee.
Ms. Lee. Thank you, Mr. Chair. Since 2017, the Department
has managed to spend over a half a billion dollars on
developing a new personnel vetting system, NBIS, with little to
show for it. We have no idea when the project will be done as
well as no idea how much more money DOD anticipates spending.
To quote GAO's report, DOD's estimate is minimally accurate,
minimally comprehensive, not credible, and minimally well-
documented. Ms. Czyz, when did DOD first estimate that NBIS
system would be fully operational?
Ms. Czyz. 2019.
Ms. Lee. So, that same year, but that did not happen. Ms.
Czyz, briefly, what went wrong and what did DOD do next?
Ms. Czyz. Well, as we have reported, the NBIS program did
not have a reliable schedule so they could not accurately
project when they would hit key milestones. They actually moved
their target many times. 2019 was the first target date for
full functionality. It then moved to 2022, it moved to 2023, it
moved to 2024, and now it will likely be years later. But the
key underlying cause of those shifts was not realizing all the
tasks that needed to be done to deliver that full
functionality, so just a basic program management principle of
having a reliable schedule to plan from.
Ms. Lee. So, it was not until after DOD already missed
their own deadline that they publicly reassessed and changed
the timeline to then 2023. Mr. Cattler, it is now June 2024.
Can NBIS currently perform all the necessary functions DOD
needs from it?
Mr. Cattler. Congresswoman, NBIS and the legacy systems
together perform all the functions that are required, but NBIS
alone does not.
Ms. Lee. So, no. So, DOD is years over schedule, over
budget, and the country still does not have enough cleared
staff to perform the work it needs. DOD has the largest budget
in our government yet seems to continue to make the biggest
mistakes lost in multimillion dollar planes, failed audits, and
this mess of a security clearance system.
In addition to highlighting DOD's uncanny ability to fumble
millions of dollars, I also want to take some time to pay
attention to the extent to which racial biases may affect the
security clearance process and may contribute to the
underrepresentation of BIPOC staffers in the national security
workforce. In 2022 and 2023, the RAND Corporation conducted
research assessing whether racial disparities exist in the
clearance process.
I asked unanimous consent to enter these two reports into
the record. I am going to take that as a yes.
Mr. Sessions. Without objection.
Ms. Lee. Thank you so much.
Ms. Lee. Mr. Cattler, in its study Rand observed that
several societal factors, such as financial challenges and
student debt, disproportionately affect minorities and may lead
to increased perceptions of risk without considering historic
context. How is DOD working to ensure that these risks are
fairly considered in the security process? Specifically, what
measures are in place to prevent these systemic issues from
unjustly impacting clearance decisions?
Mr. Cattler. Congresswoman, we work with the director of
National Intelligence as she performs her functions as a
security executive agent on the adjudication guidelines. We
also take a hard look when we do our quality control to be sure
that we have rung out any bias. As we identify it, we do make
changes in those procedures, and we also hold our people
accountable if they make errors or even act inappropriately to
deny someone a security clearance based on one of the factors
you have highlighted.
Ms. Lee. Thank you. Mr. Cattler, human judgment is a
significant component of the security clearance process. What
specific training programs does DOD have in place to help
investigators recognize and mitigate their own implicit biases?
Mr. Cattler. Congresswoman, I have to get back to you with
a specific list, but I can tell you generally that we do
provide bias training for all of our adjudicators with the
recognition that it is a subjective process.
Ms. Lee. Mr. Cattler, again, as DOD increasingly relies on
automation and machine learning for continuous vetting, how are
you ensuring that these technologies do not perpetuate or
exacerbate existing racial biases? For instance, what
safeguards are in place to monitor incorrect algorithmic biases
in the clearance process?
Mr. Cattler. Congresswoman, pieces of this are addressed,
again, through the adjudication guideline review process and
also the training that we are providing to all of our
employees, including those that are working on those algorithms
and the verification of their success.
Ms. Lee. Finally, Mr. Cattler, transparency and
accountability are vital. Can you commit to conducting
independent assessments of security clearance applications to
identify any racial biases that may have influenced outcomes,
and will you make these findings public to ensure
accountability and foster trust in the process?
Mr. Cattler. Yes, Congresswoman, I do.
Ms. Lee. Thank you so much. I thank you both for your time,
and I yield back.
Mr. Sessions. The gentlewoman yields back her time. Thank
you very much. We will go to Ms. Tlaib. The gentlewoman is
recognized.
Ms. Tlaib. Thank you, Mr. Chair. Thank you so much,
Director, for joining us today, and I think it is great that
you are even here even early in your position as a new person.
So, I know my colleagues have, I think, done a really good job
going through the issues regarding NBIS already, so I am not
going to repeat what has already been said. But I want to bring
up an opportunity and put a marker down for my colleagues here
in Committee and what I do here regarding security clearances
with my residents.
What we are seeing right now, and folks might see it
separate, but this is happening to Americans in my district,
the no-fly list. And I know they kept saying both of you cannot
respond to this, but I think it is really important, Mr. Chair,
that here in Washington, we again and again try to address
critical issues that are impacting our residents. But the list
that right now is being used discriminates against American
Muslims en masse, with little to no legal recourse for
countless wrongfully included Americans.
It has been a little over a year since CARE released
analysis of the FBI's ``terrorism screening data base'' that
found 98 percent of the names included were Muslim names. For
the record, if I can submit the report, Mr. Chair.
Mr. Sessions. Without objection.
Ms. Tlaib. And one of the things I want to also put into
the record and read is also a transcribed deposition of the FBI
of April 16, 2024, Mr. Chair. Without objection? Yes, OK.
Great. Thank you.
Ms. Tlaib. So, let me just go over this, and this is
important, Mr. Chair, because I think this would intrigue you.
On page 199, when the plaintiffs' attorneys questioned the FBI
about the effectiveness of the Watch List, the question was,
``Federal law enforcement officers also encounter people on the
Watch List, correct?'' ``Yes,'' the FBI answers. And then,
Chairman Sessions, they go on to say, ``Does the FBI know of
any Federal law enforcement encounter with a person on the
Watch List that has led to a terrorism-related arrest?'' And
then they go on to say, ``So, I do not know of any instances
where local law enforcement was notified of the presence of an
individual on the Watch List and then made an arrest based on
that.''
Why this is important, again, this deposition was done,
this is over a 21-year span of the program, had not arrest, a
single person on the terrorism-related charges because of the
so-called Watch List of Americans. Meanwhile, I have residents,
even one of my local mayors, being harassed and wrongfully
profiled at airports, detained for hours. Their phones are
removed, Chairman. Phones. Canadian PM called me asking my team
for help for innocent families that are also, again, no longer
able to fly because of this Watch List. These are American
citizens. They have rights and deserve some dignity as the rest
of us.
And this is important because people think, well, it is
just Muslims. It may be Muslims today, Mr. Chair, but I do not
see any reason that this should again be partisan because,
after all, the FBI can get away with doing this to any group of
American citizens. Today it may be Muslims, but, again, it
could be another group that they target. So, it is great again
that we are talking about this specific security clearance
issue, but, Mr. Chair, if I may please, we should talk about
and hear more about this Watch List of Americans and bring the
FBI before this Committee to discuss it. Thank you so much, and
I yield.
Mr. Sessions. The gentlewoman yields back her time. Thank
you very much. I do not need to respond to the gentlewoman now,
but I would encourage her to please come sit down with Mr.
Mfume and myself and would remind her that we have thousands of
people who are here in this country who are watched, and two of
them were in Boston. They were the Boston bombers. We knew that
they were in this country, and we knew. All I am suggesting to
you is we would welcome that discussion, Mr. Mfume and myself.
I am sure would be pleased to listen to you, and thank you very
much.
We are now evidently on a vote. I have not had a chance to
have my 5 minutes, doubtful that I will use that. I had an
opportunity over the last days to speak with both of you for
almost an hour, perhaps maybe more than that.
I want to go back to Ms. Czyz, who made a statement which I
consider to be extraordinarily important to this entire matter,
and that was regardless of the timeframe, regardless of the
money, it has got to be done correctly. I am paraphrasing. Mr.
Cattler, can you please respond directly back to that because,
as we were earlier greeting each other, I said to you I was
concerned about the architecture. You said that architecture is
something, Congressman Sessions, and we have that person here.
Well, I assume that the experts--I used to do this at the
organization up in New Jersey where we would do architecture
things--they determine the best outcome. Can you tell us are
you going to do, as you have heard Ms. Czyz say, get this done
and have it done correctly? Obviously your testimony is within
time, within the money. Are you going to get it done properly?
Mr. Cattler. Congressman, we will get it done properly. I
do not feel undue pressure to move quickly because, as I have
said, it is important that we get it right, and if that takes a
little bit of time to do, then I think that is appropriate and
acceptable. But at the same time, I am also mindful, as Members
of this Committee have highlighted just in this hearing, that
we are 8-and-a-half years into a 3-year program. We are $1.345
billion spent on about a $700 million program, and every penny
counts. The taxpayers are not just entitled to and expecting
that we deliver the software with the capability that is
required, but they know that we need it because they are
entrusting--I have entrusted some of my most important personal
data over the course of my more than 30-year career to the
government. My own Agency vetted me and validated me for my
clearance while I served at NATO.
So, what we are trying to balance are those two things:
getting it done right and taking the time to do so, but also
recognizing that we are well behind, and it is unacceptable.
So, we are trying to move with an appropriate sense of urgency,
but we are doing so responsibly. But I have confidence in my
team, in our partners, and in our oversight that we are working
well together, and that we will fix this and deliver the
capability that the American taxpayers need, deserve, and are
paying for.
Mr. Sessions. Thank you. Mr. Mfume, what I would agree on
the statement, I am sure he will have a chance to affirm that,
but get it done right. Getting it done right, we have not
pushed you to a timeframe, to a money allocation, but you have
done that as a responsible manager, and you will be held
accountable to that, and I appreciate you very much. Mr. Mfume,
would you like to say anything before we go we go?
Mr. Mfume. Well, Mr. Chairman, I just want to thank----
Mr. Sessions. The gentleman is recognized.
Mr. Mfume [continuing]. Both witnesses again for their
testimony, both their oral testimony as well as what is
written. I look forward to receiving any additional documents
or information, and I look forward to reconvening in October so
that we may have some sense of where we are today juxtaposed
against where we find ourselves then. And I would invite, on
behalf of the chairman and myself obviously, both of you to
sort of be ready to come back to see us again. Thank you both.
Mr. Sessions. Thank you very much. In closing, I want to
thank our witnesses, the distinguished gentleman from Maryland.
And I want to also say that, without objection, all Members
will have 5 legislative days within which to submit materials
and additional written questions for the witnesses which will
be forwarded to the witnesses if we have those questions.
Mr. Sessions. If there is no further business, without
objection, the Subcommittee stands adjourned. I want to thank
the witnesses very much.
[Whereupon, at 3:36 p.m., the Subcommittee was adjourned.]
[all]