[Senate Hearing 118-99]
[From the U.S. Government Publishing Office]
S. Hrg. 118-99
OPEN HEARING:
PERSONNEL VETTING MODERNIZATION
=======================================================================
HEARING
BEFORE THE
SELECT COMMITTEE ON INTELLIGENCE
OF THE
UNITED STATES SENATE
ONE HUNDRED EIGHTEENTH CONGRESS
FIRST SESSION
__________
MARCH 29, 2023
__________
Printed for the use of the Select Committee on Intelligence
[GRAPHIC NOT AVAILABLE IN TIFF FORMAT]
Available via the World Wide Web: http://www.govinfo.gov
__________
U.S. GOVERNMENT PUBLISHING OFFICE
52-514 WASHINGTON : 2024
SELECT COMMITTEE ON INTELLIGENCE
(Established by S. Res. 400, 94th Cong. 2d Sess.)
MARK R. WARNER, Virginia, Chairman
MARCO RUBIO, Florida, Vice Chairman
DIANNE FEINSTEIN, California JAMES E. RISCH, Idaho
RON WYDEN, Oregon SUSAN M. COLLINS, Maine
ANGUS S. KING, Jr., Maine TOM COTTON, Arkansas
MARTIN HEINRICH, New Mexico JOHN CORNYN, Texas
ANGUS S. KING, Maine JERRY MORAN, Kansas
MICHAEL F. BENNET, Colorado JAMES LANKFORD, Oklahoma
ROBERT P. CASEY, Jr., Pennsylvania MIKE ROUNDS, South Dakota
KIRSTEN E. GILLIBRAND, New York
JON OSSOFF, Georgia
CHARLES E. SCHUMER, New York, Ex Officio
MITCH McCONNELL, Kentucky, Ex Officio
JACK REED, Rhode Island, Ex Officio
ROGER F. WICKER, Mississippi, Ex Officio
----------
Michael Casey, Staff Director
Brian Walsh, Minority Staff Director
Kelsey Stroud Bailey, Chief Clerk
C O N T E N T S
----------
OPENING STATEMENTS
Page
Mark R. Warner, U.S. Senator from Virginia....................... 1
Marco Rubio, U.S. Senator from Florida........................... 3
WITNESSES
Hon. Jason S. Miller, Deputy Director for Management, U.S. Office
of Management and Budget....................................... 6
Prepared Statement........................................... 8
Hon. Stacey A. Dixon, Ph.D., Principal Deputy Director of
National Intelligence, Office of the Director of National
Intelligence................................................... 15
Prepared Statement........................................... 17
Hon. Kiran A. Ahuja, Director, U.S. Office of Personnel
Management..................................................... 21
Prepared Statement........................................... 23
Hon. Ronald Moultrie, Under Secretary of Defense for Intelligence
and Security, U.S. Department of Defense....................... 36
Prepared Statement........................................... 37
OPEN HEARING: ON PERSONNEL VETTING MODERNIZATION
----------
WEDNESDAY, MARCH 29, 2023
U.S. Senate,
Select Committee on Intelligence,
Washington, DC.
The Committee met, pursuant to notice, at 2:42 p.m., in
Room SH-216 in the Hart Senate Office Building, in open
session, the Honorable Mark R. Warner, Chairman of the
Committee, presiding.
Present: Senators Warner (presiding), Rubio, Wyden,
Heinrich, King, Bennet, Casey, Gillibrand, Ossoff, Collins,
Cotton, Cornyn, Moran, Lankford, and Rounds.
OPENING STATEMENT OF HON. MARK R. WARNER, A U.S. SENATOR FROM
VIRGINIA
Chairman Warner. All right everyone, I'm going to call this
hearing to order. The Vice Chair will be joining in a moment. I
had a slightly longer statement today, with apologies to my
colleagues. But before I get to the statement--I shared this
with Senator Rubio's staff--I want to make sure Members know,
since we are all completely on the same page. I had what would
be called a frank and candid exchange with the Deputy Attorney
General today on the issue of the classified documents. Some of
the Members who yesterday realized that the Attorney General
was, in a sense saying, you know we got no problem. We--and I
thank Senator Moran for raising this in separate testimony--and
we've had DOD, and I point this way--DOJ, point this way.
I think we're going to see some results very shortly. The
position of the Administration cannot pass any kind of smell
test. We have a job to do. You know, what is not about
classification, the documents--responsibility for that is the
Justice Department.
But our intelligence responsibility is paramount. And this
Committee is completely united. I just want to make sure I
could share that, not only with Members but frankly, the public
needs to hear this, as well.
This hearing has had a little bit of a dark cloud over it.
I think it's had to be rescheduled two or three times. Some of
my colleagues who sit on the panel think I'm obsessed about
this issue, which I partially am. I did not think security
clearance reform, when we started this with Richard Burr about
four years ago, was going to be a potentially career-ending
task. I thought it could have been done relatively shortly. I
think generally we're going to hear some good news today.
So, I want to, again, welcome today's Executive Branch
witnesses: the Honorable Jason Miller, who is the Deputy
Director of OMB and Chair of the Performance Accountability
Council of the PAC. The Honorable Kiran Ahuja, Director of OPM
and the Government's Suitability, Fitness and Credit
Credentialing Executive Agent; the Honorable Stacy Dixon, who
has appeared before us many times--and we appreciate her recent
appearance before the BRT on that China brief--Principal Deputy
Director for National Intelligence, PDDNI, representing the DNI
as the Government's Security Executive Agency; and the
Honorable Ronald Moultrie, the Undersecretary of Defense for
Intelligence and Security, who handles the DOD side of this.
The Intelligence Committee has long prioritized the need to
vet personnel for sensitive and national security positions
effectively and efficiently to ensure classified information is
properly protected. This is about getting the very best
personnel into our intelligence agencies, and for that matter
DOD, and into the contracting positions as well, in sensitive
positions.
But also trying to make sure that companies and our
government agencies don't waste time and money to bring people
on board to address critical issues and then find out that
we've simply opened ourselves up to our adversaries. It's
obviously an even more difficult road in recent years. Our
legacy vetting system was anchored around granting clearances
to a workforce employed by government for a lifetime, with
minimum mobility between agencies and companies. And we did
this in a way that focused on one-time investigations. And
then, regardless of what happened, a five-year later, second
review. It took way too long, deterred applicants, and made
mistakes. I remember one of our earlier hearings on this
subject, where I know Senator Burr and a couple of the Members
mentioned they either had family members or friends who had
wanted to serve, for example, at the CIA. And it was close to
two years before they could get their clearances. We were
losing people. We were finding people on the contracting side
not able to do their jobs in a way that was appropriate. And
the truth was, the backlog, ultimately in 2015, got to 725,000
folks and it took over two years to get a top-secret clearance.
Let me be clear that I want to give compliments to the
predecessors in the Trump Administration. They worked hard to
bring that down. We brought it down to about 225,000, 250,000.
We had to bump up on the adjudication process. But we have now,
frankly at a steady state, we're in a pretty good spot. But
we've got to make sure that--. We've still got more work to do.
And this is going to require a whole-of-government effort,
started under the last Administration, continuing in this
Administration, the Trusted Workforce 2.0 Initiative to
reimagine, from end to end, how we vet personnel. But we've got
to make sure that--we've still got more work to do.
The truth is, we need to be able to do this on a continuous
basis, not simply demonstrated by arbitrary timelines. We need
to use the power of technology. We also need to make sure that
we utilize machine learning, artificial intelligence, and other
tools to make sure that we've got this appropriate information.
One of the reasons why the Vice Chairman and I are so
concerned about some of the national security risks of TikTok
is because if people's data is ultimately ending up in Beijing
and that's then used to potentially blackmail someone, that
could obviously completely preclude somebody from serving in
our government.
So, the Trusted Workforce 2.0 Initiative rests on some core
tenets.
First, it integrates the frameworks for security,
suitability, fitness, and credentialing.
Second, it collapses, finally, the five tiers of
determination for trust to three: low, medium, and high.
Third, the new model operates around five common personnel
actions: the initiation, maintenance, upgrading, transfer, and
reestablishment of trust.
Fourth, the new vetting. The new approach uses a behavioral
model, as I mentioned, of continuous vetting to assess trust on
an ongoing basis, rather than on this automatic five years,
regardless of circumstances. And we've got to make sure this
works not just for folks who work inside the government, but
our industry partners, as well.
There's still work to be done. The IT backbone that will
deal with this Trusted Workforce 2.0, DOD is developing, and
needs to be tested, verified, and validated. We need to make
sure that this process, again, works for folks on both sides,
because we do want to encourage people going, for a while, in
the government, going into the private sector, being able to
come back.
And we need to make sure that, down to some of the nitty
gritty we've gotten into--. For polygraphs on CIA personnel,
others, how we make sure there is some reciprocity, for
example, on those kinds of tests? We've got a lot of questions
that we've had in some of the closed hearings: how we navigate
issues like mental health, financial duress, marijuana usage,
social media. We recognize the complexity of this.
But we've got to get this done. For this hearing, because
it's in public, what we're going to go ahead and go in order of
seniority, although I am going to allow Senator Gillibrand,
who's got something to go to, to take my round of questions
after Senator Rubio and after our witnesses present, because
I'm going to stick on this until we get it done.
I very much appreciate the collaboration, cooperation, and
our work with all of you so far. And with that, I'll turn it
over to the Vice Chairman. Marco.
OPENING STATEMENT OF HON. MARCO RUBIO, A U.S. SENATOR FROM
FLORIDA
Vice Chairman Rubio. Thank you, Mr. Chairman. Thank you all
for coming here.
Before we begin, just off topic--it's not what you're here
to talk about. But I've sort of pledged to myself that any time
we have any representatives of the Intelligence Community
before us, that I would drive this point home, even though it's
not directly under your jurisdictions.
But nonetheless, and I think it's probably directed to
Deputy Director Dixon and Undersecretary Moultrie. And that
is--let me just make this broader point first. Intelligence by
necessity, is something we keep out of the public eye. Right?
Because we can't conduct it in the sunshine. But there has to
be oversight.
And so that's why these Committees were created. And I'm
actually very proud to be a Member of this Committee. Most of
our work is not on camera. Maybe that's why most of our work is
productive, nonpartisan and--and serious. There's no reason to
show off in front of the cameras because no one's in there to
watch that.
But I think also because all the Members on this Committee
that are picked, individually by the respective leaders of the
two parties, are people that take this task very seriously. And
I'm very proud of the work that we do. But it only works if we
have access, and we can conduct oversight. We have to know what
the intelligence agency is, not because we're nosy.
This is not like--we can't tell anybody anyways. It's
because we need to know. Because when things go wrong down the
road, people are going to want to know why wasn't there
oversight being conducted? And we know that classified
information was removed from at least three--from individuals
that previously served in the government, two of them as
President, one as Vice President.
And we need to understand what that material was, so that
we can determine whether the Intelligence Community has
established both the appropriate mitigation and the appropriate
risk calculus as to what was--could have been revealed. We do
not have that. And the excuse is an unacceptable one, that
there's a special prosecutor process going on and that, in no
way--we're not interested in the criminal justice aspect of it.
What we need to understand is, I would almost assure you we
have access, already to almost all, most of the material.
We just don't know which ones they are. How can we make a
judgment as to whether the proper risk calculus is in place and
whether the proper mitigation of any is being implemented, if
we don't know what it is or what we're talking about?
So again, I know it's not anything you two handle
personally, directly, but I hope you'll go back and say that
the Intelligence Committee raised it again today.
Chairman Warner. Can I interrupt?
Vice Chairman Rubio. Yeah.
Chairman Warner. Because--just so that we show, Stacey,
this was not pre-wired, before you got here, I shared with the
Committee that I had a very frank and candid discussion with
the Deputy Attorney General and basically said exactly the same
things, that, while they promise documents, you know, within a
week or so they have not performed, to date. And I think if we
ask every Member on this Committee, we have a responsibility,
the other 85 Senators--. So, I just want to echo what the Vice
Chairman just said.
Vice Chairman Rubio. Yeah. As I said, I think there's--
everyone is very serious about it, and I hope we can find
resolution on it.
The other one, and I'll be even briefer on this one, but I
think is also important to us is, you know, we had a Chinese
balloon go across the middle of the United States. It wasn't a
weather balloon. Everybody acknowledges that it was a
collection platform. We've had very little information or data
provided to us. And in particular, no one's even truly informed
us what role the All-domain Anomaly Resolution Office, AARO,
has played in that regard. Again, I don't know what--maybe this
is because it's a DOD/Intelligence Committee sort of overlap or
whatever it is. These are things that we need answers to and we
just--to think about how important that was and how little
information has been provided to the Committees, particularly
to this one, is something that I hope you will also take back
as concern number two, in this regard.
Now on the topic that we're on today, I think it's a pretty
straightforward one, and that is we need to be able to hire
good people to come in and work for the Government. We need to
know who they are. I think this is a challenge because the
backlog builds up. There's been improvement after the 2016 DOD
system was implemented.
But obviously, that doesn't apply to all of the IC. I think
there are some issues with one agency not reciprocating the
other. And then there's this--and I'm not saying it's
unnecessary--but this Byzantine system of read into some
programs, but not others. All of the different layers of
compartments, and so forth.
But the main point is, I think it's getting increasingly
difficult. I'm just telling you, from people that I know, I've
actively tried to encourage people to pursue serving their
country at one of the agencies. And it's just really hard,
because when you go see them and you tell them well, you know,
it'll take three or four years to clear you, two or three years
to clear you, who can sit around for two or three years to wait
to be hired, especially when we're competing with the private
sector for some of this talent?
There are a lot of people willing to do it. So, I think
that's where I'm most interested in learning. How do we balance
the need to bring in people you can trust and understand who
they are, with the desire to do it quickly enough so that this
is a viable option for people that want to come work here and
there?
I think there are ways to do it. I also think it's going to
get more challenging. In some ways, you know, it's hard--
probably easier to hire a 23-year-old, because they haven't
traveled the whole planet. And frankly, I would imagine that
for at least half that time of their lives, they weren't doing
anything nefarious.
And the other half, well, you know, but we can manage it.
But when you're 23, there's limited windows, as opposed to
somebody who's 55 and has worked in the private sector and you
need to know more about their background and the like. But I
think the flip side of it is, I think it's going to be
impossible in the years to come to hire someone who hasn't had
a substantial social media profile platform.
What--and what that has exposed them to, whether it's data
or places they've traveled or people they've interacted with or
relationships they have. I also think the nature of espionage
has changed. You know, it's not some James Bond figure
rappelling off the side of a building. It might be someone who
doesn't even know they're operating as a spy.
They think--but they're operating as an influence agent,
and those sorts of relationships. So, all that is to say is, is
this is a tricky problem, but what we've got to figure out and
we want to know what progress we're making on it, because we
need to be able to attract talented people to serve our country
in these roles.
So, thank you for coming in.
Chairman Warner. Well, thank you, Senator Rubio. And again,
we've got lots of questions, lots of Members here. I'm going
to--I hope you've been told, but we're going to expect each of
your opening statements to be no longer than three to four
minutes and I'm going to enforce that. So, I'm not sure who
is--who's up first?
Jason.
STATEMENT OF HON. JASON MILLER, DEPUTY DIRECTOR FOR MANAGEMENT,
OFFICE OF MANAGEMENT AND BUDGET
Deputy Director Miller. Thank you, Chairman Warner, Vice
Chairman Rubio, Members of the Committee for the opportunity to
speak today. And thank you for your continued leadership on
personnel vetting reform. I am honored to testify alongside my
colleagues. Collectively, we serve as the principles of
security, suitability, and credentialing for the Performance
Accountability Council, or PAC, established by President Bush
in 2008. The PAC is the interagency body accountable for
transforming personnel vetting.
Personnel vetting reform, as the Chairman noted, it has
been a multi-year effort, spanning Administrations and
benefiting from the consistent and bipartisan support of the
Congress. Soon after my confirmation in April 2021, I convened
the PAC Principles to consolidate the accomplishments of
previous Administrations and make sure we were accelerating
transformation.
As chair of the PAC, I have three primary responsibilities.
First, establishing the overall direction for our reform
efforts; second, coordinating the complex choreography of
implementation across the entire federal enterprise; and third,
ensuring accountability for execution. I want to highlight four
themes from the written testimony I submitted for the record.
First, personnel vetting underpins a well-performing
Federal government. Government service, whether military,
civilian, or contractor, comes with important responsibility.
The American public deserves a workforce they can trust who
will not abuse access for personal gain to harm others or to
undermine the country's security.
Implementing transformational reform of our personnel
vetting system will allow agencies to identify potentially
problematic behavior more quickly and accurately before acting,
while ensuring that federal agencies are able to efficiently
hire and onboard the personnel necessary to faithfully serve
the American people.
Second, substantial progress has been made. Since the PAC
last appeared before this Committee in January of 2020, the
background investigation inventory has consistently remained
below its target level of 200,000 cases, enabling sustained
improvement in processing times. Since that hearing, the time
needed to process top-secret and secret clearances have been
reduced by more than 40 percent.
That has enabled a real focus on transformation. We have
transferred background investigation operations to DOD, issued
many of the key framework policies, and enrolled the entire
national security sensitive workforce into continuous vetting.
These decisive steps ensure we moved away from solely
addressing problems and towards implementing a wholly new
system that will enable transformative impact.
Third, hard work remains. For example, successful adoption
of Trusted Workforce 2.0 relies on the phased development and
deployment of the DOD's personnel vetting information
technology platform, called National Background Investigation
Services, or NBIS. In 2023, this year, this includes
transitioning from the legacy equipment platform used to
process background investigations, to the more user-friendly
EAP system.
Additionally, we must continue ensuring agencies will be
prepared for upcoming reforms, such as the anticipated
enrollment of non-sensitive public trust personnel into
continuous vetting. Fourth, broad collaboration is critical to
reform success. This includes cooperation across federal
agencies and our partners in the federal contracting community.
And just as importantly, I want to acknowledge the
bipartisan backing Congress has shown on personnel vetting,
again across Administrations. Your engagement helps keep us
accountable and on track to reach our milestones.
And thank you again for the opportunity to appear before
the Committee today. I look forward to your questions.
[The prepared statement of the witness follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
STATEMENT OF HON. STACEY DIXON, PhD, PRINCIPAL DEPUTY DIRECTOR
OF NATIONAL INTELLIGENCE, OFFICE OF THE DIRECTOR OF NATIONAL
INTELLIGENCE
Deputy Director Dixon. Chairman Warner, Vice Chairman
Rubio, Members of the Committee, thank you for this
opportunity. I'm here representing the Director of National
Intelligence, Avril Haines, who serves as the security
executive agent for the Federal government and a key member of
the Performance Accountability Council. As a security executive
agent, she oversees national security background investigations
and adjudications that are conducted in order to determine an
individual's eligibility to access classified information or
hold a sensitive position. Her responsibilities include issuing
guidance to ensure the vetting processes are effective,
efficient, timely, fair, and secure. This includes the use of
polygraphs for those agencies that use them in their process.
Director Haines and I fully support the Trusted Workforce 2.0
alignment of personnel vetting across suitability and fitness,
credentialing, and security into one overall vetting model,
with the tiers mentioned before.
We're leveraging technology and automation for initial
background checks and for our transition from the traditional
periodic reinvestigation model to a continuous vetting model
that will improve our ability to detect risk earlier and
mitigate that risk proactively. This transition is helping to
deliver talent faster and retain and move that talent within
the government to support mission.
Continuous vetting has now been successfully deployed for
nearly all of the national-security-sensitive population,
improving our ability to protect sensitive IT systems,
facilities, people, and mission. Agencies with that sensitive
population have been certified as having compliant personnel
security programs that are able to implement the expanded
capabilities that are now allowing us to identify concerning
information sooner, so employers can intervene early and
leverage resources, such as employee assistance programs that
can help individuals and create the conditions for retaining
them as valuable, productive members of the workforce.
Working with OPM, we are entering the final stages of
updating the personnel vetting questionnaire standard forms
that applicants fill out. The updates are taking into account
feedback that we receive from agencies and the public. Our goal
is to ensure better alignment of information collection efforts
and what we believe will be an improved, overall applicant
experience.
This effort also provides an opportunity to better align
security vetting into our Nation's changing societal landscape
by providing clarity on what information will be collected and
reviewed, including on matters such as past marijuana use and
mental health. Director Haines and I also believe that it is
fundamental to our national security to ensure that we recruit
and retain a diverse workforce that is representative of our
American society.
The Intelligence Community is making strides in this regard
and remain dedicated to removing any structural and cultural
barriers that might prevent or discourage qualified applicants
from applying for jobs with the Federal government, including
within the Intelligence Community. We're also focused on
eliminating any perception of bias in the security clearance
vetting process.
We have been working to update our national training
standards for security adjudicators and background
investigators. The standards will include a renewed focus on
treating candidates fairly and consistently throughout the
entire vetting process. We're also committed to taking into
account views from multiple partners, including interagency
security personnel, civil liberties and privacy experts, hiring
officials, legal advisers, Congressional Committees, and
industry partners.
Our dialog with industry partners in particular has never
been stronger, and we are committed to working closely with
them to tackle their concerns and challenges head on.
Mr. Chairman, I will close my remarks by saying that this
entire reform effort will continue to require strong senior
agency leadership, support from Congress, especially this
Committee, in order that we can achieve these goals that we
share.
I thank you and I look forward to your questions.
[The prepared statement of the witness follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
STATEMENT OF HON. KIRAN AHUJA, DIRECTOR, OFFICE OF PERSONNEL
MANAGEMENT
Director Ahuja. Chairman Warner, Vice Chairman Rubio,
Members of the Committee. Thank you for the opportunity today
to testify on personnel vetting reform. It is my honor to lead
OPM and its work within the Suitability, Security, and
Credentialing PAC. I look forward to discussing the progress we
are making on Trusted Workforce 2.0, including reducing time to
onboard new hires, continuous vetting, increased mobility, and
improving the vetting experience for applicants, as well as our
next steps on this important topic.
The Federal government's most important asset is its
people, and OPM is committed to helping federal agencies find
and recruit the best talent. But it's not enough just to
attract talent. We must sufficiently vet future employees and
efficiently onboard them in a timely manner. Reducing time to
onboard new hires while maintaining a trustworthy civil service
is a key priority for OPM. Working with our PAC partners,
Trusted Workforce 2.0 will transform and modernize how the
Federal government vets individuals.
For example, last May, Director of National Intelligence
Haines and I issued new federal personnel vetting investigative
standards to agencies, marking a key milestone in the
initiative. The new standards make three improvements that I'd
like to highlight today. First, technology and automated record
checks make it easier and faster for agencies to make a
preliminary determination, so an individual may start working
in their position more quickly.
Second, continuous vetting improvements assess risk in near
real time by providing insight into whether an individual
presents a risk to national security or an agency's mission.
Third, a new, three-tiered structure for background
investigations replaces the five-tiered model to streamline
background investigations and more easily transfer trust
determinations.
These improvements have enabled us to establish an
ambitious set of targets for initial vetting. Chief among them
is we anticipate onboarding determinations can be made on the
majority of individuals being vetted for positions that require
top security clearances within 30 to 45 days, and a target of
25 days for secret level positions. We are committed to
achieving these targets as we realize the full potential of the
Trusted Workforce model.
Another critical piece of the Trusted Workforce 2.0 vision
is improving the experience for individuals completing the
investigative questionnaire. The updated PVQ, or Personnel
Vetting Questionnaire, replaces four current questionnaires
with one streamlined questionnaire.
It also features clear instructions, simplified questions,
and plain language, all of which is designed to benefit the
applicant. Together with ODNI, DOD, and OMB, we have made
tremendous progress on Trusted Workforce 2.0. As we continue to
implement this initiative, we hope to see further improvements
in reducing the time required to onboard new hires, enhancing
risk management by identifying potential security threats
sooner, and improving Workforce--Workforce mobility.
I look forward to discussing the transformational framework
we have established and how this will improve efficiency and
accuracy of the vetting process. Thank you, again, Chairman
Warner, Vice Chairman Rubio, and all the Members of the
Committee.
I look forward to your questions.
[The prepared statement of the witness follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
HON. RONALD MOULTRIE, UNDER SECRETARY OF DEFENSE FOR
INTELLIGENCE AND SECURITY, U.S. DEPARTMENT OF DEFENSE
Secretary Moultrie. Chairman Warner, Vice Chairman Rubio,
and distinguished Members of the Committee. It's a privilege to
testify on behalf of the Department of Defense's intelligence
and security professionals who work every day to address the
threats facing our Nation. I wish to thank the Members of this
Committee for your continued support and your partnership.
As the Undersecretary of Defense for Intelligence and
Security, I'm committed to using our tools, talents, and
technologies to protect our strategic advantage, including our
most important asset, our people. I'm also mindful that this is
an important opportunity to raise public awareness about the
vetting process for millions of Americans and the foreign
nationals employed by the Department, including those holding
government security clearances.
As the largest department in the Federal government, the
Department of Defense hosts the largest number of cleared
personnel. Of the approximately 4.2 million Americans with
security clearances, more than 3.6 million of them work as DOD
civilian or contractor personnel. We deem it an imperative to
embark on transformational initiatives to improve and enhance
the security, sustainability, and vetting process for all.
I also want to thank my colleagues from OPM, OMB, and ODNI
and our PAC partners for the great collaboration on this
effort. The Department's efforts to implement and support the
Trusted Workforce 2.0, phased approach occurs on a much larger
scale than anywhere else in the government. And we're making
significant progress.
Since October, all DOD personnel have been enrolled in
Trusted Workforce 1.5. During the next two calendar years, DOD
will continue driving towards Trusted Workforce 2.0, through a
number of processes, including engagements with leaders in
various sectors and through our Defense Trusted Workforce
Implementation Group.
Through the Defense Counterintelligence and Security
Agency, and in close partnership with OPM, we are going to
continue to deploy an enterprise-wide system, known as the
National Background Investigation Services system, or NBIS.
NBIS, our secure end-to-end IT infrastructure, will enable us
to conduct comprehensive personnel vetting on a single
platform, from subject initiation to background investigation
through adjudication and continuous vetting.
We look forward to continuing our drive towards full
importation of Trusted Workforce 2.0, while implementing the
policies and practices with the same care, attention, and
expertise we use in our intelligence and security work.
I want to thank every Member, again for your support and I
look forward to your questions.
[The prepared statement of the witness follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Chairman Warner. Thank you all very much. And I've got a
bunch of questions. I want to make sure I don't go beyond time.
So, I'm going to ask for crisp, short answers. Ms. Ahuja, I
think you may have even been--. I commend you on your
timelines--25 days on secret. I thought you said 40 days on top
secret. Is that right?
Director Ahuja. Thirty to 45 days.
Chairman Warner. Thirty to 45. All right. Because I thought
Mr. Miller had said that we might get it at--more at 75 days,
but I'll take your numbers better.
Director Ahuja. I do want to clarify. That's for initial
determinations. So, we have a new metric, actually a much more
outward-facing metric, that allows us to actually put an
individual in the seat through an initial determination, while
the full adjudication takes place----
Chairman Warner. While the full, but the adjudication----
Director Ahuja [continuing]. Is still the original--the
number that you have, the 75 days.
Chairman Warner. But all of that is a huge improvement.
And Dr. Dixon, I know we've got, you know, higher levels,
greater secrets. You know, what we had been pressing in some of
our earlier legislation is 180 days. Are you going to be able
to try to get the intel community down to where the balance of
the cleared community and the balance of the government is?
Deputy Director Dixon. Our goal is to try to come as close
to that as possible, given that we have additional steps
required to get to the secret--the extra level of security
clearance, as well as the polygraphs and the medical, in some
cases.
Chairman Warner. But can you get butts in the seat before
you finish, the way the balance of the government is?
Deputy Director Dixon. At the moment, that is not something
we are able to do. We are looking at whether that would be
worthwhile, both for the employee coming in, as well as for
agencies.
Chairman Warner. And while I have huge respect for Director
Burns, CIA is still the laggard. So, I would like to get by
each of the IC agencies, how their plan is to get as close to
the balance of the government. Secretary Moultrie, on NBIS, you
know, we've had some slowdowns. Things are picking up now.
Big, big task. But how do we make sure that we don't bolt
on cybersecurity? We build those security components in, so we
don't have the kind of OPM, embarrassing leak we had before?
Talk a little bit about cyber on that.
Secretary Moultrie. Yes, I think one of the real virtues of
NBIS is that we're actually building a system that moves at the
speed of risk, something that we have not done in the past. One
of the things that we're building this architecture on is zero
trust. And I believe that you understand this very well, Sir.
But in terms of looking at this, we're going to look at all
aspects of it. And what we're building is something that looks
at the data that we have coming in. It looks at the people who
are going to manage that data, the credentialing of those
people, ensuring that we have multifactor authentication,
looking at behaviors while we monitor the network.
And then lastly, ensuring that we have an alerting system
that alerts us real time, or near real time, to what I would
call anomalous behavior on the network. That's all being built
in. It's got input from cybersecurity experts, some of the best
in the government, some who are in the DOD, some who are in the
private sector, and more importantly, sir, with the CIOs who
really know this business.
So, we've made that a framework and a foundation of what we
are----
Chairman Warner. We're going to want to get as fully
briefed in the weeds as possible on making sure the security
piece is taken care of.
Back to you, Dr. Dixon, on this one. I'm going to do two,
again so that I can make sure I don't go over time. One is
reciprocity, reciprocity, reciprocity. And we know the IC is
the toughest. But the notion that you get cleared in one
component, even inside the IC, and you can't use that
clearance. There may be certain roles. How are we going to do
on that?
And then, this maybe applies not just to the IC, but across
the whole enterprise. When we think about our private sector
partners, the idea that you may get a job and you've got 40
slots and it may be a midsize firm and those 40 slots do not
extend. So, you often times have the CEO or the CTO or the CFO,
not even being able to get clearance to be aware of what
projects they're working on. That's inappropriate oversight. It
frankly doesn't make any sense. So, if you can take the
reciprocity--and maybe Jason, you can also address this--issue
of how we make sure that management in the private sector side
is going to get slots, as well, beyond the actual need for the
specific job.
Deputy Director Dixon. Sure, Senator.
So yes, reciprocity has been a challenge. I think with
this, in particular, I know that contractors have raised, that
the industry partners have raised that as a significant
concern. As it is right now, 90 percent of contractors can go
within IC agencies when there are the same processes.
So, for example, if you've got a kind of polygraph in one,
you've got a polygraph another of the same kind, you can go
within five days. Ninety percent of our contractors go in that
five-day timeline. The challenge is the other 10 percent that
is not.
Chairman Warner. The challenge also that you've got to
polygraph here, but you don't have it and need it here, and
having some uniformity--. My time is about out. Talk to me
about how you're going to deal with the management that doesn't
fall into the jobs perceived.
Deputy Director Miller. So, on this issue--and you've
raised this issue with me before. This is an issue that
absolutely we need to address and we're working on it. We have
a working group, and I'd be happy to follow up with you on the
specifics of how we're going to try and drive this forward.
Vice Chairman Rubio. The backbone of this whole thing is
the--I'll use the right terminology--the National Background
Investigation Services. That's basically what's going to hold
all this information. It's the database. So, I just want to
have a better understanding, without obviously endangering its
security.
Why is this more secure than the OPM database that was
breached back in 2014? Are there features here that were not
available? Is it because the OPM one was broader and this one
was more categorized? How confident are we, especially since
cybersecurity? Perhaps others may want to comment on it, but
this is the Holy Grail, to some extent. Everyone's going to
know it. We know the existence of it is public. How is it more
secure than the OPM? Because a breach of this sounds like it
would be catastrophic.
Secretary Moultrie. So, thanks for the question. I can't
speak to the OPM system that was developed over decades and the
cyber security features that it may or may not have had. I
suspect that during the time that it was built, we would not
have had the capabilities and the advancements that we have
today. So, I can speak to what we are----
Vice Chairman Rubio. Neither did the hackers. I mean,
they've developed, as well. And that's why this is a moving
target.
Secretary Moultrie. Exactly. And that's why what we're
doing is building it on the latest frameworks that we have,
that are cyber-security proven, that--the zero trust frameworks
that we know are proven. We are getting the counsel of those
who actually understand breaches and who have lived through
breaches, and understand how hackers may want to get into
systems and what they go after and how they actually do this.
And building every component to actually withstand an insider
threat, an external threat, or just a lapse in security.
So, I think all that's being factored into a system that
will be state of the art. I would say nothing is breach proof,
but it will bring us, I believe, to an exponentially better
place than where we were with the----
Vice Chairman Rubio. Do you know which agencies are not
using NBIS right now?
Secretary Moultrie. I can get a list of those for you.
Vice Chairman Rubio. Okay. Have we tested its usability
with industry or with the government--the security directors of
government agencies?
Secretary Moultrie. So, what we are doing is agile software
development. We are testing components as we go along. We are
building that and testing, as we go along.
Vice Chairman Rubio. Mr. Miller, are we testing the broader
Trusted Workforce 2.0 with users in the industry? Is that part
of the benchmarking?
Deputy Director Miller. Yes, it is, and just to step back
on the breadth of this. It's more than 13,000 industry partners
that will touch these systems. There's a staged deployment as
well as an engagement model to ensure that we're getting
feedback.
Vice Chairman Rubio. I understand that. Let's say you open
it up to 100 of them, right? And have them try to use it and
then they give you feedback as to: We encountered this problem;
we encountered that problem. And you're making adjustments
based on that feedback?
Deputy Director Miller. That is part of the agile
deployment, or the agile development model, that Mr. Moultrie
was discussing. We're also phasing different developments. I
would defer to Mr. Moultrie to talk that through. But in terms
of building additional capabilities and running it as we go.
Vice Chairman Rubio. Okay. Thank you.
Chairman Warner. Senator Wyden.
Senator Wyden. Thank you, Mr. Chairman. And thank you all.
This Committee, ever since the days of one of our leaders,
Pat Moynihan--I see Senator Gillibrand here, and I am sure she
goes into the Moynihan train station often--Senator Moynihan
always stood for the proposition that a big part of the job in
intelligence is striking the balance between transparency and
protecting sources and methods.
And we continue to this day to do that. And I want to ask
about declassification reform, because Senator Moran and I have
made a major proposal to promote declassification reform. And I
see a lot of my colleagues here, Senator Warner, we've all been
talking about this for years. Senator Cornyn has been very
constructive.
Let me start this way. There are clearly too many jobs in
the Federal government that require a security clearance. And
one of the reasons is that there are too many secrets of
matters that do not need to be secret. And there are at least
two solutions. The first is reforming the rules that determine
what information is declassified and when it gets declassified.
Now at our Threats Hearing earlier this month, I asked Director
Haines about a matter that I'm especially concerned about and
that's the National Security Council's rewrite of the Executive
Order that governs classification and declassification, and the
prospect, based on everything I've heard, that this has
stalled.
So, I'd like to just go down the line of our witnesses,
because I want to get your sense of what is going on, because I
think that leaves us in the position of what to do next. Can
any of our witnesses assure me that that is not the case? That
we are not dealing with a situation where the National Security
Council is stalling things?
Let's start with you, Mr. Miller. Just go right down. I
think I can get all five of you in my five minutes. Sir.
Deputy Director Miller. Senator, Sir. Great. Thanks,
Senator. Appreciate the importance of this issue. This specific
issue is outside my remit. I would defer to my colleagues, but
I can absolutely take that back, as well.
Senator Wyden. Okay.
Deputy Director Dixon. I know for a fact, that there are
aspects of the classification reform are ongoing. As to which
parts that are being referred to as being stalled, I am not
sure.
Senator Wyden. Ongoing is different than the question I'm
asking. I'm concerned that things are stalling out there, that
I've been talking to people who feel very strongly about the
subject, and they're very loyal Americans. They want to get
this done and they want to do it the Moynihan way. Let's
protect transparency, and let's protect sources and methods.
And they're concerned we're stalling out. So, if you could
be a little bit clearer.
Deputy Director Dixon. There are definitely aspects that
are not stalled. There's many, many aspects of the conversation
we need to have, with respect to reforming classification writ
large. There are processes in place moving along certain
aspects. The entire thing itself, that's going to take some
time.
So, I don't know whether it's--there is----
Senator Wyden. How much time? How much time?
Deputy Director Dixon. Sir, it's actually--it's not my
process. So, I can't really comment on how much time it would--
is taking. But there's a commitment from all the parts of the
interagency that want to get this done, that want to get this
moving. We will, again, much like Jason, I'll take it back,
too, and make sure they understand the importance of it and the
interest that you have in making sure that there's a timeline
that we meet.
Senator Wyden. Ma'am.
Director Arjuha. Yes, Senator. I would defer to my
colleague, Deputy Director Dixon. It's not particularly in our
purview, within OPM.
Senator Wyden. This hearing is on classification issues.
And if everybody shows up and says, ``not my purview,'' it
gives me a pretty clear sense of what the remedy ought to be.
But why don't we have you, Sir? And then I'll just wrap it up
with my colleagues very quickly. Please, Secretary Moultrie.
Secretary Moultrie. Sure. We are not responsible for the
process. But I can tell you, within the DOD, we're committed to
classification reform. There are things that we have talked
about. There are policies that I've written and signed in the
fall of last year, that get at classification reform and
classification review. In closed hearing, I'd love to come back
and talk to you about some of these things that we've done, and
how they are going to get information, not only to warn
individuals within our country, but also to some of our key
allies and partners.
Senator Wyden. Okay. Colleagues, let's just kind of tote
this up, in terms of what we have just heard. We've had four
very dedicated public servants, and I respect all of you. One
of the four, a bear one, said things were moving a bit in some
areas. And three out of four basically said, not my beat, not
my purview. You all are entitled to share your views and I
respect all of them.
But I think what this tells us, colleagues--and Senator
Warner and I have talked about it--is that this is more reason
for the Congress and this Committee to step in and do this job
and do it in a bipartisan way. In other words, we've had four
very good public servants with expertise in this area, give me
answers, as I have to run off and deal with the Senate Finance
Committee, with a sense that this is not moving with the speed
and the urgency it requires.
And I've been very appreciative, because I've been pounding
away in these precincts for a long time, to have Senator
Warner, Senator Moran, and Senator Cornyn in particular, all
making it clear that we've got to get something done. So, Mr.
Chairman, I thank you.
Chairman Warner. Let me just--and I think, frankly all of
us, not just the four you called out, share this. And you know,
I think we're going to have to deal with it, both
legislatively--. But I also think in the interim, you know,
we've got to have people back, in both open and closed--. On
this very topic. Respectfully, I found the answers equally as
frustrating, if not more than you.
So, we will have another bite at this apple, I promise you.
Senator Collins.
Senator Collins. Thank you, Mr. Chairman.
Director Ahuja, in 2016, after the OPM data breach, the
timelines for processing clearances soared to over two years
for a top-secret clearance, and the backlog swelled to 725,000.
Think of the thousands of individuals who just gave up the
prospect of working for the Federal government during that
time, because they needed jobs. And there are a lot of
alternatives.
I'm concerned that we now have another major data breach
and that is the Affordable Care Act breach in DC, which affects
a lot of Hill employees who get their insurance through the--
get their ACA insurance through that DC system.
First, is there an impact that you've seen from this latest
data breach, which has exposed names, addresses, Social
Security numbers, all sorts of information?
And second, what can we do to make sure that we harden the
systems that contain this information, because obviously, the
data in the system is subject to identity theft, is going to
make doing clearances much more difficult, as we saw in 2016.
Director Ahuja. Thank you, Senator, for that question. You
know, I can't speak specifically to the more recent data
breach, but I can tell you, we've learned quite a bit at OPM,
from the data breach from 2015, and the work that we've done to
ensure that we have a secure system. My colleague here, Ron
Moultrie, spoke to the work that's happening within NBIS to
shore that up under zero trust architecture. I can tell you,
with a lot of the IT modernization happening, moving to a
Cloud-based system, especially within our organization--a very
aggressive timeline that we have for its modernization within
OPM. And we're not alone. This is happening across the Federal
government, and the work that's being led by the Office of the
National Cyber Director, focused on Federal government as well
as across industry.
So that's the work we're doing within OPM. But certainly,
we've taken lessons. And Vice Chairman Rubio mentioned the
difference: at the time of the breach in 2015, we were sitting
on legacy systems at the time. And we very much are working
hard, through the support of Congress, to move off those legacy
systems in order to take advantage of the latest technological
capabilities and to move to the Cloud, which inherently has
more cybersecurity protections within it.
Senator Collins. Thank you.
Dr. Dixon, I want to get a better understanding of how the
Intelligence Community does clearances versus the rest of
government. It's my understanding that the Defense
Counterintelligence and Security Agency is in charge of basic
security clearances for approximately 95 percent of those in
the U.S. government.
However, that leaves five percent, approximately, in the
Intelligence Community who utilize a different investigative
service provider or providers. Why are there different security
clearance programs and databases for DOD versus the IC?
Deputy Director Dixon. Thank you, Senator Collins. The
processes are different. And while we do similar things, with
respect to figuring out if the person is fit to have the job,
trustworthy to have the job, and then whether or not they are
able to have a security clearance, we do that all in one
process, as opposed to making the person go through multiple
processes.
So yes, we do have our own databases, but we follow the
same types of rules and regulations. And if you look at the
standards and the guidelines that have been put out as part of
Trusted Workforce 2.0, it's similar processes. Just rather than
using their service provider, we're doing it ourselves. We're
following the same system, following the same types of
questions. They are following the same types of information
gathering.
So, if you just think of it as having multiple, different
ways to get the same information, that's the way that we're
approaching it.
Senator Collins. Do you honor the security clearances of
DOD, if an employee goes from working at, let's say NGO to the
CIA?
Deputy Director Dixon. What this process will let us to do,
is to know where their process stopped and what we need to do
to continue to bring it up to the level of a person that
actually has to have the clearance level that we have within
our community. So, we will respect it. But it doesn't transfer
completely, because there are other steps that have not been
taken, with respect to that vetting.
Senator Collins. I guess, then, I realize my time's
expired. But I guess I'm trying to understand whether a TSI
clearance is the same across the Federal government, or does it
mean something different, depending on which agency you work
for?
Deputy Director Dixon. So, within the Intelligence
Community, in addition to having, for example, the TS, will
actually have a Sensitive Compartmented Information clearance
level. It is a different level of clearance than the TS that is
not--in the non-sensitive population. There are additional
questions. There are additional processes that we will use that
they will not, which is why it's not a one-to-one transfer.
Chairman Warner. Senator Collins has hit the nail on the
head. You know, my view is, belief is, we have a complete
mishmash. And the lack of reciprocity, or even the kind of not
knowing for sure if you're at DHS and you want to go to DOE,
and then you want to go to NRO--. We've got a lot of work to do
in this space. And there are differences, but sometimes,
particularly when you get into the contractor world, it gets
even--you don't even know.
I appreciate that. Especially when you get
compartmentalized areas on the IC side, there needs to be
higher--. But that lack of clarity, you know, you got why I'm
crazy about this. But it's just--we can do this. We can protect
the enterprise, and we can be much more efficient. I really
appreciate you raising it.
Senator Collins. Thank you.
Chairman Warner. Senator King.
Senator King. I want to talk about a different aspect of
that, and that is what happens after you're hired--the so-
called continuous vetting? Mr. Miller, can you tell me how that
works? Because prior to that concept, there were periodic,
timed revaluations, just to check in on the employee. Now
that's no longer the case.
So, give me the mechanics of continuous vetting. What does
that mean?
Deputy Director Miller. Absolutely. Yes, so the prior
process, involving periodic re-investigations, could be a five-
year or a ten-year window before a periodic check on an
individual. The continuous vetting model includes, but it's not
only included--includes automated checks on a near-real-time
basis, which provides any potentially problematic information
to an agency.
Senator King. What does an automated check mean? What does
it check?
Deputy Director Miller. For example, criminal databases.
So, if an employee does not self-report, an agency might not
know about that information. But a check on a criminal database
would allow an agency to see that. It also requires the
agencies to change their internal processes, which were
previously built on a periodic reinvestigation model, for how
they're going to intake that information and then make
determinations based upon that information.
I would defer to Mr. Moultrie on the specifics for DOD, but
both DOD and other agencies have noted the dramatic change that
that has made for them, in terms of their ability, on a near-
real-time basis to get information and make sure that we're
maintaining trust in a much more effective model, is a dramatic
and important shift.
Senator King. Well, I want to be convinced of this, because
I'm not sure that an automated records check is an adequate
substitute for somebody actually doing a periodic
investigation. So, convince me.
Secretary Moultrie. In terms of thinking about the
digitized system that we're developing, that digitized system
takes the data on an individual. It is plugged in, Senator, to
national databases, some that reside with the Federal Bureau of
Investigation, some reside with national law enforcement
systems. And we establish thresholds that if something happens
to one of our personnel that meets the threshold--it may be an
arrest, it may be that they had some conviction or some issue.
There's a threshold that automatically alerts us to say,
there's something you need to look at regarding one of your
people. And that can happen near-real-time. And that allows us
to really accelerate the timeline by which we know things.
Instead of waiting for somebody to report that, which may be
five years as you're saying, or maybe seven years in some
instances. We have now accelerated that timeline to where, for
top-secret issues and alerts that we may not have gotten for a
while, we now get those, we think, some one-and-a-half years
earlier than what we would have got if we would have waited for
somebody to fill out a form and say: Oh, by the way I had this
happen to me.
Senator King. I understand that if you're talking about
something obvious, like a conviction. But there may be more, so
the question is, would this system have picked up Aldrich Ames?
Secretary Moultrie. CIA--Aldrich Ames? I don't know.
Without knowing the specifics of that. But what it might tell
us, Sir, is if somebody is putting an inordinate amount of
money in a bank account.
Senator King. It would pick that up?
Secretary Moultrie. It would be able to tell us, if it has
the alerts on, it would be able to tell us that they have
exceeded the threshold. And I believe one of the things with
the case you are talk----
Senator King. You say, if it has the alerts. Is that one of
the--?
Secretary Moultrie. I do not know, but I can take that
question back, Sir.
Senator King. Ms. Dixon.
Deputy Director Dixon. Yes, it is. So, a suspicious
financial alert is one of the alerts. If someone is depositing
large sums of money, particularly from foreign accounts into a
bank account? Yes, that will alert.
Senator King. Are you comfortable, as an intelligence
professional, with this automated system, as opposed to regular
revisits to the classification?
Deputy Director Dixon. I am. I believe, between the variety
of things--the financial, the criminal, the credit--all those
things together will provide a lot of information that frankly,
again, we weren't getting, except every five years. And so, we
have an opportunity to shorten that timeline.
In terms of the insider threat that you mentioned, in Ames
in particular, we've got other processes that are also in place
within our counterintelligence organizations that will also
assist in noticing when some----
Senator King. Because if you've got a spy who's a
professional, they're going to know about bank accounts and
convictions.
Deputy Director Dixon. They will. But strangely enough,
with that, historically he actually was displaying a lot of----
Senator King. The bank account might have picked him up.
Deputy Director Dixon. The bank or his colleagues who
noticed that he was all of a sudden spending a lot of money on
clothes and cars, should have reflected something, and I think
would now.
Senator King. Quick question. Do you all red team this
system? Do you ever try to send somebody through it that has an
obvious, not an obvious, but a problem and to see whether the
system is actually picking up potential security threats?
Secretary Moultrie. The system is constantly red-teamed,
Senator. Yes, it is.
Senator King. Good. I think that's all I have.
I want to thank you for what you're doing and the progress
that you have made. I think the point of this hearing is, we're
way ahead of where we were three or four years ago. And thank
you all for the work that's made that happen.
Thank you, Mr. Chairman.
Chairman Warner. And I believe, and you can correct me if
I'm wrong, whether Mr. Ames or some of the others, the five-
year periodic review didn't pick up any of these guys.
Senator Cornyn.
Senator Cornyn. Well, thank you all for the good work
you've done modernizing the background check system and making
the issuance of security clearances a whole lot more efficient.
I have a pretty basic question, though. Mr. Moultrie
mentioned that there are approximately 4.2 million security
clearances that have been issued by the U.S. government.
I think we have a more fundamental question, and Senator
Wyden raised it. I'm not sure you're the panel to answer this,
but I'd be interested in your views if you have them. It seems
to me that before we figure out how many security clearances
should be issued, we need to figure out what the range of
classification of information should be, because the less
information that's classified, the fewer security clearances
the government is going to have to issue.
And I would footnote that by saying, obviously, we all
understand the importance of the classification system when it
comes to national security. But unfortunately, we also know
that there is just a human tendency to classify information in
order to prevent accountability. And there's really a clash
between those values, our democracy with the public's right to
know, the need to receive information upon which to judge the
performance of public officials. There's a real tension there.
And we need to make sure that that line is drawn in the right
place.
Can I ask, maybe I'll start with Dr. Dixon and then Mr.
Moultrie, how do you determine the number of clearances that
your agencies--or for that matter, any intelligence agencies--
require?
Deputy Director Dixon. I will say there are a couple of
ways. So, Congress provides the authorizations for the number
of government personnel that we have. In addition, we look at
the number of contractors that we need to support the work. And
so that will determine the number of clearances. But the
initial number is authorized by Congress, in terms of the
government.
To your point, a look at the actual classification levels
and whether or not we are over classifying is the conversation
we were having earlier that needs to be in work, and that I
think we're all committed to, on whatever timeline makes sense,
given the enormity of the situation.
I would just say that every year we are trained that
classification is not used to hide information. It may be out
of laziness that people are classifying things, over-
classifying. But I would just say very clearly: we are trained
every year that we are not supposed to use it to hide
information from oversight or from others outside of the
government.
And so, I would just--I wanted to push back on that one
point, Sir, respectfully.
Senator Cornyn. Well, no, I accept that. I understand. I'm
not saying people are doing something nefarious or something
improper. I'm just saying that there's a natural human tendency
to want to hide your mistakes, or things that you don't want to
explain. And it's the same reason I've worked closely with
Senator Pat Leahy, when he was here, on the Freedom of
Information Act reform, to make sure that the public had access
to the information that they needed in order to make those
decisions.
But what I'm talking about is not something nefarious. It's
basically a human tendency, or just the ease with which it's
easy to stamp something classified. Or now, we know that the
explosion of digital records is making it virtually impossible
to keep up with this.
But Mr. Moultrie, can you talk about the Department of
Defense and how do you determine the number of clearances that
you need?
Secretary Moultrie. Once again, it's what we're authorized,
in terms of the numbers that we're actually authorized. Two, I
would say it's an assessment of the position itself and whether
or not that position requires some degree of trustworthiness,
and that determines whether or not that person gets into access
and the clearance.
And then also the risk assessment with that particular
position determines what level of clearance and what access we
need to provide there. I would say, to the issue of over-
classification, there are cultural issues that have been around
for decades where there was probably a default to overclassify
or highly classified things some 40, 50 years ago.
And that's changing now. There are processes, and I would
say there are policies that we have to rewrite, and there are
systems that we have to do--some systems actually default to a
classification. It will actually default to saying something's
classified, even when it just may be an unclassified statement,
if you will.
We're getting at all that. We're looking within the
Department of Defense. We are getting at all that. And I know
that, at the Deputy Secretary's level, she has within the last
month asked individuals to take a look at how we ensure that we
are not defaulting to the wrong processes. How we're actually
training people to actually write to release and to share
things with, not just people within the community, but also
with the American public.
Senator Cornyn. Well, thank you. Thank you for that. We're
going to look forward to working with you to try to understand
that process a little bit better. I'm not sure whether Congress
has the basic information we need to know how many security
clearances we should authorize. I'm not sure that's a
conversation we've had. Maybe we have and I just haven't been a
party to it. But we look forward to working with you to address
this--this issue.
Thank you.
Chairman Warner. And, Senator Cornyn, I think you hit the
nail, that this notion of default or the old-fashioned term,
CYA, not based upon malfeasance, but just--and I'm anxious to
see the systems changes to move away from that default. And
somebody who's actually been working on this issue for years is
Senator Moran. Senator Moran, you are up.
Senator Moran. Mr. Chairman, I thank you for your
suggestion that I have credibility on this issue, but I don't.
And at the moment, I'd just like to continue listening to the
dialog. I apologize, however, for missing the moment in which
you did compliment me earlier in the hearing.
Chairman Warner. Let the record show that was--so Senator
Lankford must have some brilliant questions coming up.
Senator Lankford. No, he's just yielded his time to me. So,
I've got ten minutes now.
Thanks for your time. I do have a bunch of quick questions
I want to be able to get to. I want to be able to ask about the
personal vetting questionnaire. How is that different than the
SF-86? I know there's been lots of conversation about we're
narrowing it down, we're changing it. What's the real
difference here?
Director Ahuja. Thank you for that question, Senator.
This has really been a big part of how we're thinking about
the reforms and the Trusted Workforce 2.0.
So, the personal vetting questionnaire, you know, we have
to revise it periodically. This is one of the instances where
it expires, so to speak. And so, in this instance within these
reform measures, we wanted to streamline, we initially had four
different questionnaires, depending on your risk level and how
you were classified. And now we've combined it into one
questionnaire, so into different subparts. And the benefit here
is that, depending on your risk level, you fill out just the
portion that you need to. And then when you come back, and
let's say you move into a higher risk level, you just have to
fill the gap, really, and go on to the next part of it. We've
simplified the questions.
We've removed double-barreled questions. We've heard from
applicants that, oftentimes it's difficult to understand what
you're asking of them, and we want them to be truthful. We
wanted to ensure that there was clarity there. We put in longer
segments of what we called preambles, to understand this is why
we're asking the question.
This has been an effort that we started in the last
Administration, you know, underway--that was when the Trusted
Workforce 2.0 was launched. And we're kind of coming to
fruition. And now we're in the second public comment period
that's about to end. We do look forward to that feedback to
ensure this is really one big part of this effort--the
guidelines that we've set together with my colleague at ODNI--
is the experience that an applicant goes through to ensure that
not only is it a fluid experience, but that we can actually
onboard them in a more efficient manner.
Senator Lankford. So, let me ask a reciprocity question
with this. Ms. Dixon, you were talking before about some of the
time period they have to do additional work on it. If they've
just gone through the process, they got a secret clearance, it
is 25 days--Congratulations on that. That's a big change.
They've done that.
Now they want to be able to switch over. Now they've got
additional items they've got to be able to do. Are they
starting all over? Or is it a faster process now because
they've already been through the first year?
Deputy Director Dixon. They should be able to build on the
process that's already happened.
Senator Lankford. Should be or do?
Deputy Director Dixon. Will.
Senator Lankford. Okay, deal. So, your estimate, at that
point, was you were hoping to be around 75 days or less in the
process?
Deputy Director Dixon. To get to just the top secret with--
not within the national security population.
Senator Lankford. Correct. Okay. And so, if they've gone
through these 25 days or 45 days for the clearance, they switch
over to you, it should be another 20 days? Or it should--I get
another--because I'm not going to hold you to this. I'm trying
to get a feel of what this looks like.
Deputy Director Dixon. No, and I appreciate the question.
We've actually been looking at the entire timeline, so I don't
actually have a goal for the exact apples-to-apples comparison.
At this point in time, I think if you look at what we are on
average, it's about 120 days. We're trying to get that lower
for that particular part.
Senator Lankford. Okay. That'd be very helpful. There's
been a lot of conversation about the social media aspect as
well. Is it reliable, is it not reliable? Should we look at it?
Should we not look at it? Let me just say, from my perspective,
you should look at it. I mean, to say it's not reliable, would
be to say there's nothing we could really gain there.
Clearly, there's information that we can gain--trends,
information--at least questions to be able to follow up with
people and say, hey, we saw this association, or we saw this
connection, or we saw this post at this point. That's not an
unreasonable thing. So, if there's some dispute to wonder
whether we're going to say to you, you shouldn't look at that.
No, I think you should. That's a pretty reasonable thing.
The question is, how you use it. What is the plan at this point
for how you're using social media? And are you?
Deputy Director Dixon. As you pointed out, we are allowed
to use it. We have the authority to use it. Right now, we're in
exploratory phase trying to figure out what the utility is,
what can we get out of it, based on the amount of information
that is coming through. There have been several pilots that
have been going on, and those will influence--and those will
help us understand how we're actually going to be using it in
the future.
Senator Lankford. Okay. Other comments from anybody on
that? Mr. Moultrie, you're nodding your head on that, as well.
Secretary Moultrie. No, Director Dixon covered that the way
I would have covered it.
Senator Lankford. Okay. Let me ask one final question
there. It's about the polygraph, because there's been--some
agencies use it, some do not. There's been some conversation
about ocular scanning instead, or a different resource or in
addition to.
Are there other conversations about how to use polygraph,
where to use it? Other tools that may be out there that may be
a better tool? What is the trend at this point? To try to
figure out what to be able to do with that?
Deputy Director Dixon. I will have to take that for the
record. I am not actually aware that they're thinking about new
technologies to be using for it. But right now, we plan to
continue using it within the Intelligence Community itself.
Senator Lankford. Okay. Mr. Moultrie.
Secretary Moultrie. Our National Center for Credibility
Assessment uses a polygraph. It is the tool, the gold standard
that we have right now. We have had a discussion within the
Department of Defense as to whether or not new technologies
might be augmentative to polygraphs. Is there something out
there that would allow us to monitor some of the same things
that a polygraph monitors?
But those are in the very early stages of discussion. But
we believe that looking at technology and being able to enhance
any process is a way that we ought to go.
Senator Lankford. Okay. Thank you.
Senator Rounds. Thank you, Mr. Chairman.
In closed sessions, the Chairman suggests that I can take
advantage of being the newbie on the Committee for as long as I
would like. Let me begin just with a primer, if we could. If
you're talking about the Department of Defense, who sets the
guidelines for what the security clearance necessary for a
secret or a top secret or a TS/SCI? Who's responsible for
setting those on-the-job descriptions?
Secretary Moultrie. We work within the Department of
Defense, based on the criteria and the guidelines that we have.
In my office----
Senator Rounds. Who sets those guidelines?
Secretary Moultrie. With policy and the Undersecretary of
Defense for Intelligence Security, me. We actually look at
national guidelines and we work off the national guidelines
that are set for access to information. And we will set those
policies to ensure that the Department of Defense is adhering
to those policies.
Senator Rounds. Thank you. It's a national policy?
Secretary Moultrie. It is.
Senator Rounds. Okay. How about if we're looking at DNI?
Deputy Director Dixon. We set the policy for the community.
Senator Rounds. You set the policy for the entire
community. So, the definitions of what is necessary for a
secret or a top secret or a TS/SCI, the conditions or the
policies are consistent across all departments?
Deputy Director Dixon. That's a good question. The answer
should be yes.
Senator Rounds. I'm wondering if it is, though, because
that would be a little bit inconsistent with what I heard
earlier, about differences in the way it's set in some areas.
Explain to me if I'm missing something here.
Deputy Director Dixon. I think what I was referring to
earlier, is where TS, top secret itself stops and where SCI
starts. There will be a difference in those two things.
Senator Rounds. So, it's not a consistency across the
board, then?
Deputy Director Dixon. A TS is a TS. But a TS/SCI and a TS
are different.
Senator Rounds. Based upon the agency or upon national
policy?
Deputy Director Dixon. I am sorry. The IC will use the TS
with the Sensitive Compartmented Information.
Senator Rounds. So, what you'll do with it, with the IC, is
if you're going to do the TS/SCI, it will all be with
compartmented information as part of the thing--. So, you go
deeper into it at a more advanced level, automatically?
Deputy Director Dixon. Correct.
Senator Rounds. Okay. That's helpful. Thank you.
Sir, you're looking at me like are you agreeing with that
or are you--?
Secretary Moultrie. No, I am agreeing. I just think there
may be another part to answer on this.
Senator Rounds. Please.
Secretary Moultrie. If someone has a top-secret clearance,
the reciprocity process may be somewhat different. But once the
top-secret clearance has been granted, whether it's TS or TS/
SCI, individuals get access to the same information. There's no
such thing as this agency has this type of top secret.
This one has a different type of top secret. It's top
secret. They share that information across agencies. They can
work on things, virtually and sometimes in groups together.
They receive the same information. What I was worried about is
some conflation of reciprocity, going into a different agency
or looking at the same information that is shared, once you
reach a certain level.
So that's the only clarification.
Senator Rounds. Well, I'm happy you do that, because that
was my next question. When we talk about reciprocity, or
perhaps I think by that you're talking about moving. If an
individual is moving from one job location to another, and they
have a TS versus a TS/SCI, that's where the challenge comes in?
Director Ahuja. Could I offer something, Senator?
Senator Rounds. Sure.
Director Ahuja. You know, part of the Trusted Workforce 2.0
has been--that my colleagues at ODNI and OPM have worked on--
are these investigative standards that we issued about
streamlining the investigative requirements across all trust
determinations. So, suitability, which OPM manages, and the
security clearance, which ODNI manages.
I just wanted to offer that up, that a part of this effort
has really been to streamline the requirement, so you can have
greater reciprocity and mobility. Before we had these
distinctions, and now we have the--from the five-tier to the
three-tier system, which is going to streamline that process
completely throughout.
I just wanted to add that.
Senator Rounds. Okay. And thank you. I'm also just curious
about one item leading up to this was mentioned that, while the
principles are in place, with regard to leadership teams, there
are two important positions that are being performed on an
acting basis right now. And I'm going to ask the reason why.
The position of Director of the National
Counterintelligence and Security Center, the NSCS, and the
ODNI's primary agent on clearance reform--which is interesting
since that's what we're talking about today--has been vacant
since January of 2021. An FBI agent is acting in that position.
The senior position supporting the USD (I&S) is also vacant and
performed on an acting basis by a detailee from DIA. I got a
lot of acronyms involved in this thing, but what I'm getting at
here is, apparently within the leadership teams themselves,
you've got two vacant positions.
Please don't tell me that it's because they're waiting for
a clearance.
Deputy Director Dixon. No, sir. We've definitely been
trying to find the right political appointee, or nominee, to
put into that position so that we can have it filled. The
person holding has been doing a wonderful job. But yes, we
recognize that we need to get that filled. And we've been
working with the White House.
Senator Rounds. And if the Chairman would indulge me for
one last question, how long will it take to actually get a
clearance for someone, once you have picked the right political
appointee?
Deputy Director Dixon. That process is probably a little
faster than the average process. We are going from 180 days,
from application to the person being offered a job, for the
regular person. It will be a faster process for--.
Senator Rounds. Okay. Thank you. Thank you, Mr. Chairman.
Chairman Warner. But let me--you are also getting at this
issue. This may not be the case, but the last time we did one
of these----
Senator Rounds. 2018.
Chairman Warner [continuing]. Within DHS, I can't recall
whether secret or TS, somebody had the clearance to move from
one contracted DHS to another. Took 100 days. Even though the
classification level is the same. I think everybody is working
with good will here. But this reciprocity thing--Sue Gordon
promised that before she left--and I love Sue to death--but
it's a hard, gnarly one.
Senator Rounds. It is, Mr. Chairman. And look, even whether
we're talking about health care under artificial intelligence
or what we could do there, or if we're talking about Spectrum,
which Senator King has been so actively involved in--the over-
classification or the challenge of getting the appropriate
people, even within our own staff, to get the right type of a
category to get good information to do their job, has been
challenging.
Chairman Warner. Senator King has had a question. I got a
quick lightning round. I want to hit three quick things. You
know, and this first one is for Ms. Dixon, Mr. Moultrie.
Number of polygraphs, the people that can provide the
polygraph, and the number of even trainers for the polygraph
examiners--we were way short. How are we on that, at this
point?
Deputy Director Dixon. I'm going to have to take the actual
number for the record. What I do know is that Ron's
organization has done a wonderful job of expanding the number
of people who can go through the courses. They are doing their
part to make sure that we have the certified people coming out,
making sure that those seats----
Chairman Warner. I want the numbers, both in terms of how
many--there was a single training class in South Carolina. We
had COVID. What are our numbers there? How are we doing in
terms of total number of trained examiners? This is for Mr.
Moultrie and Mr. Miller--tough question. But I think one we've
got to sort through.
We go through our process. We find something that--major
red flag, you know, same person goes out and then is applying
for a job in the private sector, that may end up ultimately
resulting in a requirement for a security clearance. Well,
obviously, we have the privacy protections of that individual.
The idea that we can't give some ability to let the private
contractor know that person X didn't vet. I hope we are trying
to sort through, recognizing there are privacy issues.
Deputy Director Miller. Yes. We recognize this issue and
yes, we are trying to sort through it.
Chairman Warner. You with us on that, Mr. Moultrie?
Secretary Moultrie. That makes 100 percent sense.
Chairman Warner. Last one before I go to Senator King.
Again, Senator King was there that last time we did this.
I have huge respect for former FBI agents who spend their
career going into universities and checking somebody's academic
records or going to a local courthouse and checking somebody's
criminal records.
One of the things that came out of COVID was we did a lot
more online and virtual interviews. I think this one is for
both Stacey and Ron. You know, are we continuing that? And are
there still things we asked specifically, but we're further on
in this process? If there are specific incentives we need to
put in place with our friends in the higher ed world or our
friends in the criminal justice world--that they should be able
to share that information in a timely way so that we don't
waste the time and money, candidly, of sending agents to go out
and look and see if somebody's academic record was valid is
really important. If you can address those two and then we'll
go to any final questions from our colleagues.
Deputy Director Dixon. We are looking to automate as much
as possible--and yes, we learned a lot during the pandemic
about doing things virtually--I think there's some aspect of
things that we're still doing virtually, in terms of having
conversations. The nice thing about the automated systems is
that you will then only have to do the follow-ups for those
times when they're alert.
You're automatically decreasing those numbers of
engagements that you have to have that would be person-to-
person.
Chairman Warner. Ron.
Secretary Moultrie. In terms of being able to add another
aspect to what we are doing with continuous vetting, and
plugging that into the NBIS system, that would be a logical
add. And I know, as it pertains to academics and records and
what we have, being able to import that data will be very
important.
Chairman Warner. And please, we may not be able to mandate
that a local criminal justice system has to share or--higher
ed, but there are ways we could do incentives. Please give us
that guidance.
Senator King.
Senator King. I must say, I'm still a little confused about
reciprocity. Let me be specific. You've got a Defense
Intelligence Agency officer who is retiring, wants to go to
work for the CIA. This individual has a top-secret clearance.
Is there any further security clearance process that has to
take place before he or she can go to work for the CIA?
Deputy Director Dixon. There are definitely different
processes that will need to take place to include, in some
cases, some agencies will have a different psychological
process, a medical process, in addition to a different,
enhanced polygraph process.
Senator King. Okay. So, in that case, there is no
reciprocity.
Deputy Director Dixon. There is for like things. But in
this situation, and when you're trying to determine whether the
person----
Senator King. Well, ``like thing.'' I'm talking about a DIA
officer who wants to go to the CIA. And it's either reciprocity
or it isn't. If there's more forms, investigations, polygraphs,
that isn't reciprocity.
Deputy Director Dixon. I'll broaden it just a little bit.
There are different workforce requirements. For example, in
CIA, you gave that example, they have a lot more of time the
officers being overseas. Being able to make sure that the
person is medically able to do some of those jobs will be part
of their process. That doesn't fall under a security clearance.
It's more a fitness for duty.
Senator King. Well, that's different. That's not what I'm
talking about.
But I think what you're telling me is we don't have
reciprocity. How about if somebody that works for the NSA who
retires and wants to go to work for the CIA as an analyst? Does
the NSA top-secret clearance work? No more forms, no more
polygraphs, no more checks when they go to the CIA?
Deputy Director Dixon. There will be internal checks to
make sure that the receiving agency doesn't have information
that they need to bring up to speed, or to bring up to date, to
make sure that it's current. The current process we have, as
we're transitioning into continuous vetting, there's still some
backlog. With more people in there, they should be less
timelined----
Senator King. I'm confused.
Deputy Director Dixon. Okay.
Senator King. If I have reciprocity as a lawyer in Maine, I
don't have to do anything when I go to Massachusetts and go
into court, except to say I have a law degree in Maine or a law
license. You either have reciprocity or you don't. And I think
what you're telling me is, you don't.
Deputy Director Dixon. I would say it's broader than the
simple term of reciprocity. I suppose that it is more
complicated than one thing being exactly transferable to
another.
Senator King. I do not mean to be argumentative.
Deputy Director Dixon. No, no, no.
Senator King. We're being reassured about reciprocity, but
it isn't happening. Reciprocity means you can do it here; you
can do it over here if you quit. Don't use the term reciprocity
if it's not reciprocity. Okay?
Deputy Director Dixon. I would love to. That would be
great. I will actually----
Senator King. There is a different word.
Deputy Director Dixon. Transfer of trust is the word that
we're trying to use. And you can transfer the trust if it's the
same thing. But if there's a difference in the type of work
that's going to be done, it will be a a different process.
Senator King. But then the question is, why not--why not?
If they have a top-secret clearance at the Department of
Defense, why isn't that good enough for the CIA? And you're
talking about the same kind of documents.
Mr. Moultrie testified that if you have the two clearances,
you can all work together on the same documents. Right? You
were saying that before. But you can't go over and get a job.
Secretary Moultrie. Having worked at NSA and then
transferred to CIA, resigned from NSA, and joined the CIA.
Senator King. You're my case in point.
Secretary Moultrie. Exactly. I can tell you how it worked
for me, at least.
There's clearance reciprocity, where it says everybody has
the same top-secret clearance. There are access issues. And
different agencies will have an access issue. You have the same
clearance, so CIA recognizes, as you said, that you may have a
top-secret clearance. They may have an additional bar, if you
will, or additional criteria, to give you access to their
systems. And so, they go through another check or another
layer, because of the things that have happened in their
history, and that gives you access. Even though you already
have a top-secret clearance, there's an access component to
this, Senator, that is factored in.
Senator King. And how long does it take to go through that
second process? One of the things this Committee is trying to
get at is the length of time that's involved. And to our less-
expert eyes than yours, it seems to us that one way to
streamline this is to say top secret means top secret. If you
have it here, you have it over here.
So how long does it take to do the additional?
Secretary Moultrie. I can't speak specifically to the CIA
and how long it takes. But I can say within non-CIA
organizations, for the most part--and I have to exclude NSA,
because they have other access issues and polygraph issues that
they require--in addition to having your clearance, you can
have a top-secret clearance and not have a polygraph.
NSA and CIA require polygraph, which is an additional layer
on top. So that will add time to the process, too.
Senator King. Mr. Chairman, it sounds like we've got some
work to do on reciprocity.
Chairman Warner. We do. And you know, yes, it is. And
unfortunately, I think Ron is being generous. This is
oftentimes months. And I'd even give CIA, because of its unique
responsibility, and even NSA, you know, a little slack on this.
When we're talking about overhead, the one example I like
to use is NGA to NRO or vice versa. You know, you're still
dealing, pretty much, with the same pixels and how you analyze
that. And there's still problems there. This is a gnarly issue
and it has been around for a long time. I do think we have the
focus, and people are working through to take this from five to
three, to kind of get the culture right on that.
And the--the chart I got here. Ms. Ahuja, you know, this
would be wild--25, 40, and 75 days is the three categories. You
get there, you'll never get any grief from me, because it's so
much shorter. Now, Stacy, chances are we are never getting it.
Some of you all see an end of that. But--but again, we're still
at--I think the average number was north of 400 days. Now there
are certain pieces on experiment. Director Burns has got down,
but we're losing great personnel, because they just can't wait.
Mike, do you want to do another round? Angus?
Obviously, maybe I'm a little obsessed about this, but I
think it's going to take a little bit of relentless obsession,
because it's easier to stick with the status quo. It's easier
not to make people uncomfortable. It's like the classification
issue, which again, a lot of us on this Committee are going to
push on, because I think we all know it's people, people,
people, people. And if we don't, we can't attract and keep
people and we can't even make it somewhat easy to move in and
out of government, particularly in our defense and
intelligence. We need that--that exchange back and forth.
We appreciate how far you've come. Again, I want to be
clear on this issue. With the last Administration, I had a lot
of differences, but the last Administration made progress on
this as well. I do feel like the Trusted Workforce 2.0 could
have been potentially signed. I think it sat on the President's
desk for a long time in the last Administration.
But you know we will be your support. We'll help give you
some cover. But we are going to stay on this. And I thank all
of your commitment. I also know there's lots and lots of people
who are not just here in this room, but back at your respective
entities, please thank them. You have our attention. You have
our focus.
Any last words for anybody on the panel?
Deputy Director Miller. I just want to add one thing on the
chart that you showed, because I think it does speak to the
transformative impact of what we can accomplish over time. It
requires rewiring how these processes work. Those numbers are
for the vast majority of people that go through the system. The
75 days that people talked about--the 400-plus days that it
took people to get a top-secret clearance before--75 days is
even more ambitious than the comparison to that, because we're
measuring everything.
The current system only measures the 90 percent fastest. We
have a huge tail that we're not even measuring. We're trying to
measure everything so we can manage it and make sure that we're
really driving transformative impact.
Chairman Warner. Jason, you buried the lead. You should
have said that when we were all here. I mean, that's right, you
share that. But that is a kind of a fundamental commitment to
transparency that you're not just going to take the 90 percent
universe. You're going to do 100 percent universe. Good news.
And I hope, again, staff will share with their Members that
that's the right goal to have.
Anything else?
We're adjourned. Thank you.
(Whereupon at 4:08 p.m. the hearing was adjourned.)
[all]