[Senate Report 113-283]
[From the U.S. Government Publishing Office]
113th Congress
2d Session SENATE Report
113-283
_______________________________________________________________________
Calendar No. 610
ENHANCED SECURITY CLEARANCE ACT OF 2014
__________
R E P O R T
of the
COMMITTEE ON HOMELAND SECURITY AND
GOVERNMENTAL AFFAIRS
UNITED STATES SENATE
to accompany
S. 1618
TO ENHANCE THE OFFICE OF PERSONNEL MANAGEMENT BACKGROUND CHECK SYSTEM
FOR THE GRANTING, DENIAL, OR REVOCATION OF SECURITY CLEARANCES OR
ACCESS TO CLASSIFIED INFORMATION OF EMPLOYEES AND CONTRACTORS OF THE
FEDERAL GOVERNMENT
December 2, 2014.--Ordered to be printed
COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS
THOMAS R. CARPER, Delaware Chairman
CARL LEVIN, Michigan TOM COBURN, Oklahoma
MARK L. PRYOR, Arkansas JOHN McCAIN, Arizona
MARY L. LANDRIEU, Louisiana RON JOHNSON, Wisconsin
CLAIRE McCASKILL, Missouri ROB PORTMAN, Ohio
JON TESTER, Montana RAND PAUL, Kentucky
MARK BEGICH, Alaska MICHAEL B. ENZI, Wyoming
TAMMY BALDWIN, Wisconsin KELLY AYOTTE, New Hampshire
HEIDI HEITKAMP, North Dakota
Gabrielle A. Batkin, Staff Director
John P. Kilvington, Deputy Staff Director
Mary Beth Schultz, Chief Counsel
Lawrence B. Novey, Chief Counsel for Governmental Affairs
Troy H. Cribb, Chief Counsel for Governmental Affairs
Keith B. Ashdown, Minority Staff Director
Christopher J. Barkley, Minority Deputy Staff Director
Andrew C. Dockham, Minority Chief Counsel
Mark K. Harris, Minority U.S. Coast Guard Detailee
Laura W. Kilbride, Chief Clerk
Calendar No. 610
113th Congress
SENATE
Report
2d Session 113-283
======================================================================
ENHANCED SECURITY CLEARANCE ACT OF 2014
_______
December 2, 2014.--Ordered to be printed
_______
Mr. Carper, from the Committee on Homeland Security and Governmental
Affairs, submitted the following
R E P O R T
[To accompany S. 1618]
The Committee on Homeland Security and Governmental
Affairs, to which was referred the bill (S. 1618), to enhance
the Office of Personnel Management background check system for
the granting, denial, or revocation of security clearances or
access to classified information of employees and contractors
of the Federal Government, having considered the same, reports
favorably thereon with an amendment in the nature of a
substitute and recommends that the bill, as amended, do pass.
CONTENTS
Page
I. Purpose and Summary..............................................1
II. Background and Need for the Legislation..........................2
III. Legislative History.............................................11
IV. Section-by-Section Analysis.....................................11
V. Evaluation of Regulatory Impact.................................12
VI. Congressional Budget Office Cost Estimate.......................13
VII. Changes in Existing Law Made by the Bill, as Reported...........14
I. Purpose and Summary
S. 1618 seeks to make the nation more secure by requiring
that federal personnel who have security clearances or who hold
sensitive agency jobs will have their background information
checked more frequently than is done now. The government
periodically reinvestigates the background information of these
individuals, though the required schedule for these periodic
reinvestigations is frequently not met, and the sometimes
lengthy periods between reinvestigations creates vulnerability.
This bill would address that vulnerability by supporting the
government's efforts to clear the backlog of periodic
reinvestigations and by requiring randomly timed automated
background checks during the interim between the periodic
reinvestigations. Taken together, these steps would enable the
quicker discovery of information that may call into question
the trustworthiness of personnel with clearances or in
sensitive positions.
II. Background and Need for the Legislation
Processes for vetting government personnel for security
clearances and sensitive positions. Because unauthorized
disclosure of classified information can cause damage to
national security and loss of human life, federal personnel--
including civilian employees, military personnel, and employees
of contractors and grantees--are allowed access to classified
information only after the government conducts a background
investigation and issues them a security clearance.\1\ For
classified national security information, the levels of
security clearance--``Top Secret,'' ``Secret,'' and
``Confidential''--correspond to the degree of sensitivity of
the classified information to which the individual may have
access.\2\ To indicate access to sensitive nuclear information
and materials, ``Q'' clearances and ``L'' clearances are
issued, with Q clearances allowing access to the more highly
sensitive level.\3\ Another category of security clearances
allow access to ``Controlled Access Programs,'' including
``Sensitive Compartmented Information,'' which involves
intelligence matters and is particularly sensitive.\4\
---------------------------------------------------------------------------
\1\See Exec. Ord. 12968 ``Access to Classified Information'' (Aug.
2. 1995) (50 U.S.C. Sec. 3161 note).
\2\See Exec. Ord. 13526 ``Classified National Security
Information'' (Dec. 29, 2009) (50 U.S.C. Sec. 3161 note).
\3\See U.S. Department of Energy, Order DOE O 472.2, ``Personnel
Security'' (Approved: July 21, 2011), https://www.directives.doe.gov/
directives-documents/400-series/0472.2-BOrder, https://
www.directives.doe.gov/directives-documents/400-series/0472.2-BOrder/
@@download/file; U.S. Nuclear Regulatory Commission, Information
Security (Last Reviewed/Updated October 31, 2013), http://www.nrc.gov/
security/info-security.html.
\4\See Office of the Director of National Intelligence, Number
704.1, Intelligence Community Policy Guidance, Personnel Security
Investigative Standards and Procedures Governing Eligibility for Access
to Sensitive Compartmented Information and Other Controlled Access
Program Information (ICPG 704.1, Oct. 2, 2008), http://www.ncix.gov/
publications/policy/docs/ICPG_704-1_Investigative%20Standards.pdf.
---------------------------------------------------------------------------
Moreover, the head of an agency is required to designate
positions within the agency as ``sensitive positions'' if an
individual occupying a position could bring about ``a material
adverse effect on the national security.''\5\ Most sensitive
career civil-service positions and some others are categorized
among three levels of sensitivity: ``Noncritical-Sensitive,''
``Critical-Sensitive,'' and ``Special-Sensitive.''\6\
---------------------------------------------------------------------------
\5\See Exec. Ord. 10450 (April 27, 1953) (5 U.S.C. Sec. 7311 note).
\6\See 5 C.F.R. Sec. 732.101 (The requirement to designate
sensitive positions at one of these three levels of sensitivity applies
to position in the competitive service (i.e., positions filled
according to the Office of Personnel Management's competitive-hiring
regulations) and to Senior Executive Service positions filled by career
appointment, and agencies may apply the requirement to other
positions); Office of Personnel Management, Position Designation Tool,
Position Designation of National Security and Public Trust Positions
(October 2010), http://www.opm.gov/investigations/background-
investigations/position-designation-tool/oct2010.pdf.
---------------------------------------------------------------------------
The vetting of government personnel generally involves two
distinct steps: investigation and adjudication. A security
investigation begins when the individual, at the request of the
sponsoring agency, submits an application in which the
individual provides detailed information on a broad range of
topics, including: personal history, identity of relatives and
friends, foreign contacts and activities, criminal and legal
record, any financial or tax difficulties, use of drugs and
alcohol, and other matters.\7\ Then, using the information
provided by the applicant, a background investigation is
conducted. The Office of Personnel Management (OPM) conducts
the great majority of the investigations, though several
agencies, many of which are in the Intelligence Community, are
authorized to conduct their own.\8\ OPM hires contractors to
conduct much of the information collection, and other agencies
also use a mix of contractors and federal employees to gather
the information needed for a background investigation.\9\
---------------------------------------------------------------------------
\7\See OPM, Standard Form 86, ``Questionnaire for National Security
Positions (Revised December 2010).
\8\See Office of Management and Budget, ``Suitability and Security
Processes Review: Report to the President,'' conducted by the
Suitability and Security Clearance Performance Accountability Council
(February 2014) (``120-day Suitability and Security Report''), at pages
2-3,
http://www.whitehouse.gov/sites/default/files/omb/reports/suitability-
and-security-process-review-report.pdf.
\9\See id.
---------------------------------------------------------------------------
The degree of scrutiny of an individual's background will
depend on the level of risk or sensitivity of the information
or position to which the individual may be granted access. The
background investigation may include reviews of the
individual's criminal history, any terrorist activity, credit
issues, and foreign activities and influence, and may also
include interviews of the subject, employers, and social
references.\10\ Following the background investigation comes
the adjudication stage, in which the sponsoring agency assesses
the information collected and determines whether to grant to
the individual a security clearance or allow the individual to
occupy the sensitive position.
---------------------------------------------------------------------------
\10\See id.
---------------------------------------------------------------------------
Individuals with security clearances may be the subject of
reinvestigation any time there is reason to believe the
individual may no longer meet the standards for the clearances,
but cleared individuals are also supposed to be the subject of
a periodic reinvestigation a specified number of years after
the last investigation. The frequency of periodic
reinvestigation was originally established government-wide in
1997 with three different periods for the three levels of
security-clearance access,\11\ and the frequency has been
standardized with a uniform reinvestigation requirement of
every five years, regardless of the level of access.\12\
---------------------------------------------------------------------------
\11\The requirement for periodic reinvestigations established in
1997 was: every 5 years for a Top Secret clearance or for access to
sensitive compartmentalized information; every 10 years for a Secret
clearance, and every 15 years for a Confidential clearance. See id., at
page 2. This minimum frequency was established in Federal Investigative
Standards issued in 1997 pursuant to section 3.4(c) of Exec. Ord.
12968, note 1 above.
\12\See Beth Cobert, Deputy Director for Management at the Office
of Management and Budget and Chair of the Suitability and Security
Clearance Performance Accountability Council, ``Progress on Security
and Suitability,'' posted by Beth Cobert (Sept. 16, 2014), http://
www.whitehouse.gov/blog/2014/09/16/progress-security-and-suitability.
---------------------------------------------------------------------------
Moreover, employees in Special-Sensitive and Critical-
Sensitive positions must undergo reinvestigation at least every
five years under current regulations, and some agencies require
reinvestigations for employees in Noncritical-Sensitive
positions every 10 years. The regulations applicable to these
categories of sensitive positions in the career civil service
are now under review, and the requirements for reinvestigation
may be changed when revised regulations are issued.\13\
---------------------------------------------------------------------------
\13\See 5 C.F.R. Sec. 732.203; 78 Fed. Reg. 31847 (May 28, 2013);
75 Fed. Reg. 77783, 77784-77785 (Dec. 14, 2010).
---------------------------------------------------------------------------
Recent high-profile incidents focused attention on the need
to strengthen security-related vetting processes. Several high-
profile crimes committed in recent years by individuals with
security clearances have highlighted weakness in our processes
for vetting cleared federal personnel and demonstrated the
urgent need to strengthen these processes:
On November 5, 2009, U.S. Army Major Nidal Malik
Hasan, while holding a Secret security clearance, shot and
killed 13 people and wounded 43 others at Fort Hood, Texas.\14\
---------------------------------------------------------------------------
\14\See U.S. Senate Committee on Homeland Security and Governmental
Affairs, ``A Ticking Time Bomb: Counterterrorism Lessons from the U.S.
Government's Failure to Prevent the Fort Hood Attack,'' a special
report by Joseph I. Lieberman, Chairman, and Susan M. Collins, Ranking
Member (Feb. 3, 2011), http://www.hsgac.senate.gov/download/fort-hood-
report; Hearing before the Senate Committee on Homeland Security and
Governmental Affairs, 111th Cong., 1st Sess., ``The Fort Hood Attack: A
Preliminary Assessment,'' S.Hrg. 111-810 (November 19, 2009), http://
www.gpo.gov/fdsys/pkg/CHRG-111shrg56145/pdf/CHRG-111shrg56145.pdf; U.S.
Department of Defense, Report of the DoD Independent Review,
``Protecting the Force: Lessons from Fort Hood'' (January 2010), at
pages 12-13, http://www.defense.gov/pubs/pdfs/DOD-Protecting TheForce-
Web_Security_HR_13Jan10.pdf; Department of Defense, ``Internal Review
of the Washington Navy Yard Shooting: A Report to the Secretary of
Defense'' (November 20, 2013) (``DoD Internal Review''), at pages 15-
16, http://www.defense.gov/pubs/DoD-Internal-Review-of-the-WNY-
Shooting-20-Nov-2013.pdf.
---------------------------------------------------------------------------
During 2009 and 2010, an Army intelligence
analyst, then named Bradley Manning, stole and publicly leaked
enormous quantities of classified documents regarding military
operations in Iraq and Afghanistan.\15\
---------------------------------------------------------------------------
\15\See U.S. Army, ``Army to transfer Manning to new Leavenworth
correctional facility,'' by Donna Miles, American Forces Press Service
(April 19, 2011), http://www.army.mil/article/55211/army-to-transfer-
manning-to-new-leavenworth-correctional-facility/; U.S. Army, ``Army
charges Manning with leaking intelligence,'' by Dave Vergun (Feb. 23,
2012), http://www.army.mil/article/74417/
Army_charges_Manning_with_leaking_intelligence/; U.S. Army, ``Manning
guilty of 20 specifications, but not `aiding the enemy''', by David
Vergun, Gary Sheftick (July 26, 2013), http://www.army.mil/article/
108143/Manning_guilty_of_20_specifications_but_not_aiding_enemy_/. In
April 2014, Manning's name was legally changed to Chelsea Elizabeth
Manning, at Manning's request. See Ernesto Londono, ``Convicted leaker
Bradley Manning changes legal name to Chelsea Elizabeth Manning,''
Washington Post (April 23, 2014), http://www.washingtonpost.com/world/
national-security/convicted-leaker-bradley-manning-changes-legal-name-
to-chelsea-elizabeth-manning/2014/04/23/e2a96546-cb1c-11e3-a75e-
463587891b57_story.html.
---------------------------------------------------------------------------
During June 2013, computer systems administrator
Edward Snowden leaked to the news media enormous quantities of
National Security Agency classified documents that he obtained
while working for intelligence contractors Dell and Booz Allen,
in what is said to be the most massive and damaging
intelligence leak in our history.\16\
---------------------------------------------------------------------------
\16\See ``Safeguarding our Nation's Secrets: Examining the Security
Clearance Process,'' joint hearing before the Subcommittee on the
Efficiency and Effectiveness of Federal Programs and the Federal
Workforce and the Subcommittee on Financial and Contracting Oversight,
Senate Committee on Homeland Security and Governmental Affairs, 113th
Cong, 1st Sess. (June 20, 2013), S. Hrg. 113-316; testimony of James R.
Clapper, Director of National Intelligence, ``Open Hearing: Current and
Projected National Security Threats Against the United States,'' before
the Senate Intelligence Committee, January 29, 2014, http://
www.intelligence.senate.gov/
hearings.cfm?hearingid=138603a26950ad873303535a630ec9c9&witnessId=138603
a26950 ad873303535a630ec9c9-0-1, unofficial transcript at http://
www.washingtonpost.com/world/national-security/transcript-senate-
intelligence-hearing-on-national-security-threats/2014/01/29/b5913184-
8912-11e3-833c-33098f9e5267_story.html.See also, Mark Hosenball,
``Snowden downloaded NSA secrets while working for Dell, sources say,''
Reuters (Aug. 15, 2013),
http://www.reuters.com/article/2013/08/15/usa-security-snowden-dell-
idUSL2N0GF11220130815.
---------------------------------------------------------------------------
Most recently, on September 16, 2013, Aaron
Alexis, fatally shot 12 U.S. Navy civilian and contractor
employees and wounded several others in a mass shooting inside
the Washington Navy Yard in Washington, D.C.\17\ At the time of
the shooting, and despite a history of arrests and other
troubling behavior, Alexis was employed by a Navy contractor
and held a Secret-level security clearance, issued in March
2008 while he was in the military service.
---------------------------------------------------------------------------
\17\See DoD Internal Review, note 14 above; ''), http://
www.defense.gov/pubs/DoD-Internal-Review-of-the-WNY-Shooting-20-Nov-
2013.pdf; Department of Defense, ``Security from Within: Independent
Review of the Washington Navy Yard Shooting'' (November 2013) (``DoD
Independent Review''), http://www.defense.gov/pubs/Independent-Review-
of-the-WNY-Shooting-14-Nov-2013.pdf.
---------------------------------------------------------------------------
In the periods leading up to each of these incidents, there
had been warning signs about troublesome behavior by the
individual involved which were not heeded or communicated to
the proper authorities. During Hasan's military medical
training, colleagues and superiors had expressed concern about
his behavior and comments, and government officials were aware
that Hasan had expressed violent, extremist sentiments.\18\
Manning had demonstrated instability by his many emotional and
physical outbursts in the months leading up to his leaking
classified documents, and had even disregarded basic security
measures common to classified working environments.\19\
Reportedly, Snowden had been suspected of trying to break into
classified computers, and changes in his behavior and work
habits raised concerns when he was working for the CIA in 2007-
2009.\20\ Alexis had been arrested several times, twice
involving firearms, and in the weeks before the Navy Yard
shooting had been observed complaining of being followed, of
hearing voices, and of being under attack by vibrations and
microwaves.\21\
---------------------------------------------------------------------------
\18\See U.S. Senate Committee on Homeland Security and Governmental
Affairs, ``A Ticking Time Bomb: Counterterrorism Lessons from the U.S.
Government's Failure to Prevent the Fort Hood Attack,'' a special
report by Joseph I. Lieberman, Chairman, and Susan M. Collins, Ranking
Member (Feb. 3, 2011), at pages 27-39, http://www.hsgac.senate.gov/
download/fort-hood-report.
\19\See DoD Internal Review, note 14 above, at page 16.
\20\See Eric Schmitt, ``CIA Warning on Snowden in '09 Said to Slip
Through the Cracks,'' New York Times (October 10, 2013), http://
www.nytimes.com/2013/10/11/us/cia-warning-on-snowden-in-09-said-to-
slip-through-the-cracks.html?pagewanted=all&_r=0.
\21\See DoD Internal Review, note 14 above, at page 16.
---------------------------------------------------------------------------
On October 30, 2013, in the aftermath of the Navy Yard
shooting, Senators Collins, McCaskill, Ayotte, and Heitkamp
introduced S. 1618, the Enhanced Security Clearance Act, to
require randomly timed audits of background information for
cleared personnel. The next day, on October 31, 2013, this
Committee held a hearing entitled ``The Navy Yard Tragedy:
Examining Government Clearances and Background Checks,'' at
which S. 1618 was one of several topics discussed.\22\
---------------------------------------------------------------------------
\22\Hearing before the Senate Committee on Homeland Security and
Governmental Affairs, ``The Navy Yard Tragedy: Examining Government
Clearances and Background Checks'' (October 31, 2013) (``HSGAC
hearing''), http://www.gpo.gov/fdsys/pkg/CHRG-113shrg85500/pdf/CHRG-
113shrg85500.pdf. Witnesses were: Joseph G. Jordan, Administrator,
Office of Federal Procurement Policy, Office of Management and Budget;
Elaine D. Kaplan, Acting Director, U.S. Office of Personnel Management;
Brian A. Prioletti, Assistant Director, Special Security Directorate,
National Counterintelligence Executive, Office of the Director of
National Intelligence; Stephen Lewis, Deputy Director for Personnel,
Industrial and Physical Security Policy, Directorate of Security Policy
& Oversight, Office of Under Secretary of Defense for Intelligence,
U.S. Department of Defense; and Brenda Farrell, Director, Defense
Capabilities and Management, U.S. Government Accountability Office.
---------------------------------------------------------------------------
Also in the fall of 2013, the President instructed the
Office of Management and Budget (OMB) to conduct within 120
days a thorough review of the suitability and security vetting
procedures for civilian, military, and contractor personnel.
(``Suitability'' refers to being found suitable for federal
employment generally; ``security'' refers to being found
eligible to hold a sensitive national security position or to
have access to classified information.\23\) Having conducted
the work through an interagency team,\24\ OMB prepared and
submitted, and the President approved, the report in the winter
of 2013 (``Suitability and Security Processes Review: Report to
the President'' (February 2014), referred to herein as the
``120-day Suitability and Security Report'').\25\
---------------------------------------------------------------------------
\23\For employment in a civilian position outside the competitive
service or a position with a government contractor, the term
``fitness'' is generally used instead of ``suitability.'' See,
generally, 5 C.F.R. parts 302, 731.
\24\The work was carried out by the Suitability and Security
Clearance Performance Accountability Council (PAC), which was
established by section 2.2 of Exec. Order. 13467 (June 30, 2008) (5
U.S.C. Sec. 3161 note); and a Senior Review Panel of representatives
from key security and personnel agencies drove the review and to
identify recommended solutions. See 120-day Suitability and Security
Report, note 8 above, at page 1.
\25\120-day Suitability and Security Report, note 8 above; see also
OMB press release, ``Administration Releases Suitability and Security
Report'' (March 18, 2014), http://www.whitehouse.gov/sites/default/
files/omb/press--releases/suitability-and-security-report-press-
release-03182014.pdf.
---------------------------------------------------------------------------
Addressing the vulnerable time-gap between periodic
reinvestigations. Reviews in the aftermath of the Navy Yard
shooting and the other recent incidents found that a
substantial weakness in the current process arises from the
time-gap between periodic reinvestigations. As the
Administration's 120-day Suitability and Security Report put
it,
The current reinvestigation practices do not
adequately reevaluate or appropriately mitigate risk
within the security and suitability population. Lengthy
periods between reinvestigations do not provide
sufficient means to discover derogatory information
that develops following the initial adjudication.\26\
---------------------------------------------------------------------------
\26\120-day Suitability and Security Report, note 8 above, at page
8.
The events involving Alexis prior to the shooting at the
Navy Yard starkly demonstrate this vulnerability. Alexis had
several run-ins with law enforcement, including at least two
within the period since his 2007 background investigation: an
August 2008 arrest in Georgia for disorderly conduct and a
September 2010 arrest in Texas for unlawfully discharging a
firearm.\27\ Moreover, the defense contractor by whom Alexis
was employed at the time of the shooting was aware of
indications of his mental instability, but failed to report
that information to the Defense Department as required under
the contract, apparently influenced by a lack of clear
understanding about what must be reported.\28\ Thus,
information showing Alexis's instability was available in
police records and was known to government contractors with an
obligation to report it, but no mechanism existed to adequately
bring such information to the attention of the agency between
periodic investigations. The DoD Independent Review found that
``DoD gains little to no insight into its cleared workforce
between periodic investigations'' and that the Department must
find a way to account for this risk.\29\
---------------------------------------------------------------------------
\27\DoD Independent review, note 17 above, at page 39.
\28\See HSGAC October 31, 2013 hearing, note 23 above, Lewis's oral
testimony; DoD Internal Review, note 14 above, at page 20-21, 36-37;
DoD Internal Review, note 14 above, at page 20.
\29\DoD Independent Review, note 17 above, at page 16.
---------------------------------------------------------------------------
Moreover, the schedule for periodic reinvestigations is not
being met. The 120-day Suitability and Security Report found
that ``resource constraints lead agencies to conduct fewer than
the required number of reinvestigations,''\30\ resulting in a
backlog of periodic reinvestigations for even the most
sensitive populations.\31\ Of the individuals eligible for
access to Top Secret classified information or to Sensitive
Compartmentalized Information, roughly 22 percent of the
background investigations were outdated as of March 2014, and
no reinvestigation had even been requested.\32\
---------------------------------------------------------------------------
\30\120-day Suitability and Security Report, note 8 above, at page
8.
\31\Id., at page 11.
\32\Id.
---------------------------------------------------------------------------
During the time-gap between reinvestigations, the
government relies on individuals to self-report and on others
to report any relevant information. However, the requirements
are not adequate, and too little reporting is being done. As
noted above, the managers at the defense contractor that
employed Alexis were aware of troubling behavior, but ``[t]he
employer's decision not to report Alexis' behavior appears to
be influenced by a lack of awareness about what types of
behaviors are considered `adverse' information that must be
reported (particularly those related to mental health
issues).''\33\ Likewise, regarding the incident involving
Manning, DoD found, ``In the months leading up to the
unauthorized disclosure, Manning displayed behaviors indicating
instability through multiple emotional and physical outbursts,
expressed discontent with the Army and the Federal Government,
and disregarded basic security measures common to all
classified working environments.''\34\ More generally, the 120-
day Suitability and Security Report found that inadequate
reporting and self-reporting is a critical and pervasive
problem:
---------------------------------------------------------------------------
\33\See DoD Internal Review, note 14 above, at page 20.
\34\See id., at page 16.
This review found that clear and consistent
requirements do not exist across government for
employees or contractors to report, subsequent to their
being hired or granted a clearance, information that
could affect their continued fitness, suitability, or
eligibility for Federal employment (e.g., criminal
conduct, behaviors of concern), or their eligibility to
access government facilities and IT systems. Neither is
there consistent guidance in place to direct
contractors or contract managers in the Federal
Government to report noteworthy or derogatory
information regarding employees.\35\
---------------------------------------------------------------------------
\35\120-day Suitability and Security Report, note 8 above, at page
7.
Recognizing the security vulnerabilities that arise from
the time-gap between reinvestigations, the agencies are
undertaking a number of efforts to eventually address various
aspects of this problem. The government has been working to
establish automated systems, referred to generally as
Continuous Evaluation (CE), to check government and commercial
data sources on a more frequent or even continuous basis to
flag issues of concern during the period between background
investigations. At this Committee's October 31, 2013 hearing,
witnesses reported that all government agencies already conduct
some automated electronic record checks now,\36\ and described
the Automated Continuous Evaluation System (ACES) being
developed by DoD to test, on a large population of cleared
military, civilian, and contractor personnel, the concepts of
conducting one-time inquiries and then moving towards providing
real-time updates as soon as an arrest is posted on a law-
enforcement database, for example, or when other relevant
information becomes available.\37\
---------------------------------------------------------------------------
\36\HSGAC Hearing, note 23 above, oral testimony of Prioletti.
\37\HSGAC Hearing, note 23 above, oral testimony of Lewis.
---------------------------------------------------------------------------
The 120-day Suitability and Security Report stated that the
ACES and other pilots provide compelling evidence of the
benefits of the CE approach, and that CE can help address the
vulnerability arising from the years-long time-gap between
periodic reinvestigations:
By identifying issues between reinvestigations, CE
will more frequently evaluate employees and contractors
who are eligible for access to classified information
by using periodic, random, and event-driven assessments
to better resolve issues or identify risks to national
security.\38\
---------------------------------------------------------------------------
\38\120-day Suitability and Security Report, note 8 above, at page
9.
The Report explained that CE is an ambitious undertaking--
``Success of the CE program will depend on a fully-integrated
solution across government, which will eliminate inefficiency
and avoid the expenses of duplicative systems''\39\--and the
report also recognized the challenges and stated how much is
yet to be done to reach that goal:
---------------------------------------------------------------------------
\39\Id.
Implementing a system for continuous evaluation is
resource intensive, and poses genuine technical and
procedural challenges. Currently there is no
government-wide capability, plan or design present in
the investigative community to operate a data-driven
architecture to collect, store, and share relevant
information.\40\
---------------------------------------------------------------------------
\40\Id.
To help manage and track government-wide progress towards
implementing the recommendations from the 120-day Suitability
and Security Review, including CE, OMB recently published an
implementation work plan as part of its new Cross Agency
Priority Goal of ``Insider Threat and Security Clearance
Reform.''\41\ The workplan for FY2014 Quarter 3 sets out a
series of ten milestones. Specifically for personnel with Top
Secret or sensitive compartmented clearance, the workplan sets
a December 2014 goal for having an initial CE capability for
the most sensitive population, and a December 2016 goal for the
entire population. The workplan includes tiered expansion by
DoD of its CE capability to cover 100,000 cleared personnel by
October 2014, 225,000 personnel by December 2015, 500,000
personnel by December 2016, and 1 million during 2017. Other
milestones include various planning goals and other items. The
workplan illustrates the Administration's commitment to
achieving a government-wide CE capability, as well as the
length of the road ahead.
---------------------------------------------------------------------------
\41\Cross Agency Priority Goal Quarterly Progress Update, ``Insider
Threat and Security Clearance Reform,'' FY2014 Quarter 3, Work Plan:
Implement Continuous Evaluation, http://www.performance.gov/node/3407/
view?view=public#progress-update.
---------------------------------------------------------------------------
To address the reinvestigation backlog itself, the 120-day
Suitability and Security Report includes recommendations to
reduce the backlog using a ``risk-based approach'' that would
``identify high risk populations through the use of automated
records checks (e.g., derogatory credit or criminal activity)
and prioritize overdue investigations based on the risk posted
by job responsibilities and access.''\42\
---------------------------------------------------------------------------
\42\120-day Suitability and Security Report, note 8 above, at pages
11-12.
---------------------------------------------------------------------------
With respect to self-reporting and reporting by others
during the period between reinvestigations, the 120-day
Suitability and Security Report set forth a multi-stage
planning process. Uniform reporting requirements applicable to
employees across the executive branch must first be developed
and issued, followed by training for both employees and
supervisors. Moreover, to establish uniform reporting
requirements applicable to government contractors, the Office
of Federal Procurement Policy will need to propose and issue
changes to the Federal Acquisition Regulations that would
``impose those applicable reporting requirements on contractors
and to ensure that enforcement and accountability mechanisms
are in place.''\43\
---------------------------------------------------------------------------
\43\Id., at pages 7-8.
---------------------------------------------------------------------------
S. 1618, to require randomly timed automated record checks
during the time-gap between reinvestigations. As discussed,
plans are being developed and implemented to address the three
major aspects of time-gap between reinvestigations--
Development and implementation of CE capabilities,
which can provide prompt or real-time access to relevant data
during the period between reinvestigations.
A program to apply a risk-based approach to
identify high-risk populations while eliminating the backlog of
overdue reinvestigations.
Plans to foster more reliable self reporting and
reporting by managers and colleagues when troubling information
becomes evident.
Even with the current efforts, full implementation of these
efforts will be years in the future. To support these ongoing
efforts and to strengthen the security process while long-term
solutions are being put into place, the Committee decided that
every individual with a security clearance or eligible to hold
a sensitive position should be covered by a program of random
automated record checks, as provided under S. 1618.
As noted, S. 1618 was introduced soon after the mass
shooting at the Washington Navy Yard. Over the subsequent
several months, the responsible agencies under the leadership
of the PAC conducted in-depth reviews and developed strategies
and plans, summarized in the 120-day Suitability and Security
Report, to reform the processes to improve decisionmaking and
reduce risk in the vetting of federal personnel, particularly
with regard to eligibility for security clearances and for
holding sensitive positions. Over the past several months,
staff for the bill sponsors have engaged in detailed
discussions with agency officials involved in the preparation
of the Report and implementation of its recommendations, and,
informed by those discussions, the sponsors modified the
legislation to ensure that it is consistent with, and
supportive of, the agencies' ongoing plans. That modified
language constitutes the substitute amendment submitted to, and
approved by, the Committee.
S. 1618, as amended, would reform the security programs for
federal employees, military personnel, and employees of
contractors in several key ways. The central element of the
legislation is to require each agency to establish an Enhanced
Personnel Security Program under which individuals with
security clearances or who are eligible to occupy sensitive
positions would be the subject of randomly timed automated
record checks. To avoid drawing resources away from the ongoing
efforts to address the backlog in reinvestigations, the full
requirements regarding enhanced personnel security programs
would not go into effect until the backlog is eliminated, or
until five years pass since enactment, whichever comes first.
For this initial period, S. 1618 codifies the
recommendation in the 120-day Suitability and Security Report
stating that the Director of National Intelligence must develop
and implement a plan to eliminate the backlog and that this
plan should use a risk-based approach to prioritize
reinvestigations. To achieve a prompt reduction in
vulnerability while this backlog is being eliminated, the bill
requires that every individual who has a security clearance or
who is eligible to hold a sensitive position would be placed
into a pool of individuals subject to a one-time automated
record check. It is expected that the agencies will require at
least five years to address the reinvestigation backlog. During
this period, the randomly timed audits will insert a critical
security component for the population who have not yet been the
subject of a reinvestigation.
Once the backlog has been addressed or five years have
passed, whichever comes first, the full requirements of the
Enhanced Personnel Security Program will go into effect. The
Director of National Intelligence will then direct each agency
to provide enhanced security review of all individuals who have
security clearances or eligibility to occupy sensitive
positions. Such a program must integrate relevant information
from various sources, including government and commercial data
sources, consumer reporting agencies, and social media,
including the types of information that are relevant for
consideration in a background investigation. Any individual
covered by the enhanced personnel security program will then be
subject to two randomly timed audits every five years.
The audits will increase the likelihood that troubling
information about cleared personnel or employees in sensitive
positions will be promptly discovered by the responsible
agency. Moreover, by making covered individuals aware (as well
as making those, like managers, who are obligated to report,
aware) that the individual's background information will be
audited and that the timing of the audits is unpredictable, the
legislation would create a powerful incentive for the
individual to promptly self-report (and for others, like
managers, to report) before the audit occurs. S. 1618 would
thus strengthen the national security helping agencies to
promptly learn of incidents or changed circumstances indicating
that an individual is no longer trustworthy enough to be
eligible for a security clearance or a sensitive government
position.
S. 1618 provides that random audits would not be required
if more frequent automated checks of governmental and
commercial records and data are being conducted with respect to
the individual. This exemption for individuals who are the
subject of more frequent automated checks is a key component of
the program. This provision would phase out the random audit
requirement as individuals are placed under CE or similar
automated programs, because relevant data regarding such
individuals would be obtained more frequently or in real-time.
The enhanced personnel security program under S. 1618 in this
way dovetails with CE as it is being implemented, thereby
preventing duplication of effort but enabling the automated
record checks to apply with respect to individuals who are not
covered by the more rigorous CE systems in the future.
S. 1618 thus increases the likelihood that troubling
behavior or other derogatory information about personnel with
security clearances or eligibility to occupy sensitive
positions will be identified in the current system. It also
provides a safety net should CE not be fully implemented or be
delayed. S. 1618 does not replace the current process, but
rather strengthens the current system and provides a safety net
while these broader reforms, like CE, are instituted.
III. Legislative History
On October 30, 2013, Senators Collins, McCaskill, Ayotte,
and Heitkamp introduced S. 1618, the Enhanced Security
Clearance Act of 2013, which was referred to the Homeland
Security and Governmental Affairs Committee. The Committee
considered S. 1618 at a business meeting on July 30, 2014.
Senators McCaskill and Heitkamp offered a substitute
amendment containing a number of changes based on staff
discussions with representatives of OMB and other agencies
involved in preparing the 120-day Suitability and Security
Review. Changes in the legislation made by the substitute
amendment include--(1) deferring the requirement that enhanced
security programs be implemented until after the agencies have
eliminated the backlog in reinvestigations (not to exceed five
years after enactment); (2) assigning to the Director of
National Intelligence the responsibility for directing the
implementation of a program to provide enhanced security review
by each agency; and (3) making the enhanced personnel security
program applicable to individuals eligible to hold a sensitive
position in the government, as well as to individuals with
security clearances. In addition, Senator McCaskill offered an
amendment to the title of the bill.
The Committee approved the McCaskill-Heitkamp substitute
amendment and the McCaskill amendment to the title of the bill,
both by voice vote. The Committee then ordered S. 1618, as
amended, reported favorably by voice vote, with Senator Coburn
asking to be recorded ``present.'' Senators present for all
three votes were: Carper, Levin, Landrieu, McCaskill, Begich,
Baldwin, Coburn, Johnson, and Ayotte.
IV. Section-by-Section Analysis of the Bill, as Reported
Section 1--Short title
This section states that the short title of the bill is the
``Enhanced Security Clearance Act of 2014.''
Section 2--Enhancing Government Personnel Security Programs
Subsection (a)--Definitions
This subsection defines two terms:
The term ``covered individual'' is defined to mean
an individual who has been determined eligible for access to
classified information or to hold a sensitive position.
The term ``periodic reinvestigations'' is defined
to mean investigations conducted periodically, with a frequency
as required by the Director of National Intelligence, for the
purpose of updating a previously conducted security background
investigation.
Subsection (b)--Resolution of backlog of overdue periodic
reinvestigations
This subsection directs the Director of National
Intelligence to develop and implement a plan to eliminate the
backlog of overdue periodic investigations of covered
individuals. In developing this plan, the Director must use a
risk-based approach to identify high-risk populations and to
prioritize investigations. During this time, each covered
individual would be included in a pool subject to one random
audit.
Subsection (c)--Enhanced Security Clearance Programs
This subsection adds a new section 11001 to title 5, United
States Code, which would require that an Enhanced Personnel
Security Program be established at each agency. In addition,
the subsection would provide that the Inspector General of each
agency must conduct at least one audit of the agency's enhanced
personnel security program.
The subsection includes the following specific requirements
with respect to the Enhanced Personnel Security Programs:
The Director of National Intelligence must direct
each agency to provide for enhanced security reviews of all
covered individuals following the elimination of the backlog of
reinvestigations or by five years after enactment of the bill,
whichever comes first.
The Enhanced Security Program at each agency must
require at least two random automatic record checks (audits) in
each five-year period for each covered individual who is
employed by the agency or by a contractor for the agency,
unless an individual is covered by Continuous Evaluation or a
similar program that provides for automated record checks
regarding the individual more frequently than twice in each
five-year period.
The Enhanced Security Program of each agency must
integrate relevant information from various sources, including
government sources, publicly available and commercial data
sources, consumer reporting agencies, social media, and such
other sources as are determined by the Director of National
Intelligence.
The head of each agency must ensure that each
covered individual is adequately advised of the types of
information the individual is required to report. A review of
the information relating to the individual may not be conducted
until more than 120 days after the individual receives the
notification.
The Director of National Intelligence also must
issue guidance defining minor financial or mental health issues
in accordance with this section of the bill.
Beginning two years after the date of implementation of the
Enhanced Personnel Security Program at each agency, the
Inspector General of the agency must conduct at least one audit
to assess the effectiveness and fairness of the system, in
accordance with performance measures and standards established
by the Director of National Intelligence.
V. Evaluation of Regulatory Impact
Pursuant to the requirements of paragraph 11(b) of rule
XXVI of the Standing Rules of the Senate, the Committee has
considered the regulatory impact of S. 1618. The Congressional
Budget Office states that the bill contains no
intergovernmental or private-sector mandates as defined in the
Unfunded Mandate Reform Act and would impose no costs on state,
local, or tribal governments, or private entities. The
enactment of this legislation will not have significant
regulatory impact.
VI. Congressional Budget Office Cost Estimate
S. 1618--Enhanced Security Clearance Act of 2014
S. 1618 would require federal agencies to develop an
enhanced personnel security program that would conduct interim
reviews of certain types of information (primarily electronic
records) between regularly scheduled full background
investigations for individuals with security clearances or who
hold sensitive positions that might affect national security
(some positions are designated as sensitive but do not require
security clearances). Based on guidance from the Office of the
Director of National Intelligence (ODNI), agencies would be
required to check certain types of information--such as
criminal, financial, and social media records--not less than
twice every five years to ensure the continued suitability of
individuals to hold security clearances or to remain in
sensitive positions.
Enacting S. 1618 would not affect direct spending or
revenues; therefore, pay-as-you-go procedures do not apply.
Conducting the required checks and incorporating newly
acquired information into the security records of employees
would increase the costs to certain federal agencies, subject
to appropriation of the necessary funds. However, the bill
would not require the program to be implemented until the
earlier of five years after enactment of the bill or such time
as the current backlog in periodic security reinvestigations is
eliminated. Periodic reinvestigations are background checks of
individuals who have previously had background investigations
and are supposed to occur every five years. Because there has
been a significant backlog in such investigations for many
years, CBO anticipates that the new program would not be
implemented until after 2019; therefore, the costs of
implementing the bill would be negligible over the 2015-2019
period.
Although CBO does not have enough information to provide a
precise estimate of the costs of implementing S. 1618 after
2019, the cost of conducting the kinds of record checks that
would be required by the bill and the large number of employees
who would probably be affected indicates that those costs would
be significant. S. 1618 would require such checks to be
completed twice every five years. CBO expects that the records
checks would require a level of effort roughly equivalent to
that of a basic National Agency check, which is a check of
certain government records, including federal investigative
records. Such checks currently cost about $100 each.
About 5 million people currently hold security clearances
and an unknown additional number hold positions that do not
require security clearances but are deemed sensitive for the
purpose of national security. However, both the ODNI and the
Department of Defense (DoD) are developing programs under
current law to continually evaluate certain personnel for their
fitness to hold security clearances or to remain in sensitive
positions. Personnel subject to those programs would be
exempted from the checks required under S. 1618. Although no
data are available on the number of people the ODNI's program
would cover, DoD's program is expected to apply to
approximately 1 million employees by the end of 2017. On that
basis, the costs of implementing S. 1618 would probably be in
the low hundreds of millions of dollars a year after 2019.
S. 1618 contains no intergovernmental or private-sector
mandates as defined in the Unfunded Mandates Reform Act and
would not affect the budgets of state, local, or tribal
governments.
The CBO staff contact for this estimate is Jason Wheelock.
The estimate was approved by Theresa Gullo, Deputy Assistant
Director for Budget Analysis.
VII. Changes in Existing Law Made by the Bill, as Reported
In compliance with paragraph 12 of rule XXVI of the
Standing Rules of the Senate, changes in existing law made by
S. 1618, as reported, are shown as follows (existing law
proposed to be omitted is enclosed in black brackets, new
matter is printed in italic, and existing law in which no
change is proposed is shown in roman):
UNITED STATES CODE
TITLE 5--GOVERNMENT ORGANIZATION AND EMPLOYEES
* * * * * * *
PART III--EMPLOYEES
Subpart A--General Provisions
Chap. Sec.
21. Definitions................................................... 2101
* * * * * * *
Subpart J--Enhanced Personnel Security Programs
110. Enhanced personnel security programs......................... 11001
Subpart A--General Provisions
* * * * * * *
Subpart J--Enhanced Personnel Security Programs
CHAPTER 110--ENHANCED PERSONNEL SECURITY PROGRAMS
Sec.
11001. Enhanced personnel security programs
(a) Definitions.--In this section----
(1) the term ``agency'' has the meaning given that
term in section 3001 of the Intelligence Reform and
Terrorism Prevention Act of 2004 (50 U.S.C. 3341);
(2) the term ``consumer reporting agency'' has the
meaning given that term in section 603 of the Fair
Credit Reporting Act (15 U.S.C. 1681a);
(3) the term ``covered individual'' means an
individual who has been determined eligible for access
to classified information or eligible to hold a
sensitive position;
(4) the term ``enhanced personnel security program''
means a program implemented by an agency at the
direction of the Director of National Intelligence
under subsection (b); and
(5) the term ``periodic reinvestigations'' means
investigations conducted periodically, with a frequency
as required by the Director of National Intelligence,
for the purpose of updating a previously completed
security background investigation.
(b) Enhanced Personnel Security Program.--The Director of
National Intelligence shall direct each agency to implement a
program to provide enhanced security review of covered
individuals--
(1) in accordance with this section; and
(2) not later than the earlier of--
(A) the date that is 5 years after the date
of enactment of the Enhanced Security Clearance
Act of 2014; or
(B) the date on which the backlog of overdue
periodic reinvestigations of covered
individuals is eliminated, as determined by the
Director of National Intelligence.
(c) Comprehensiveness.--
(1) Sources of information.--The enhanced personnel
security program of an agency shall integrate relevant
information from various sources, including government,
publicly available, and commercial data sources,
consumer reporting agencies, social media, and such
other sources as determined by the Director of National
Intelligence.
(2) Types of information.--Information obtained and
integrated from sources described in paragraph (1) may
include--
(A) information relating to any criminal or
civil legal proceeding;
(B) financial information relating to the
covered individual, including the credit
worthiness of the covered individual;
(C) public information, including news
articles or reports, that includes relevant
security or counterintelligence information
about the covered individual;
(D) publicly available electronic
information, to include relevant security or
counterintelligence information on any social
media website or forum, that may suggest ill
intent, vulnerability to blackmail, compulsive
behavior, allegiance to another country, change
in ideology, or any other information that may
suggest the covered individual lacks good
judgment, reliability or trustworthiness; and
(E) data maintained on any terrorist or
criminal watch list maintained by any agency,
State or local government, or international
organization.
(d) Reviews of Covered Individuals.--
(1) Reviews.--
(A) In general.--The enhanced personnel
security program of an agency shall require
that, not less than 2 times every 5 years, the
head of the agency shall conduct or request the
conduct of automated record checks and checks
of information from sources under subsection
(c) to ensure the continued eligibility of each
covered individual employed by the agency or a
contractor of the agency, unless more frequent
reviews of automated record checks and checks
of information from sources under subsection
(c) are conducted on the covered individual.
(B) Scope of reviews.--Except for a covered
individual who is subject to more frequent
reviews to ensure the continued eligibility of
the covered individual, the reviews under
subparagraph (A) shall consist of random or
aperiodic checks of covered individuals, such
that each covered individual is subject to at
least 2 reviews during the 5-year period
beginning on the date on which the agency
implements the enhanced personnel security
program of an agency, and during each 5-year
period thereafter.
(C) Individual reviews.--A review of the
information relating to the continued
eligibility of a covered individual under
subparagraph (A) may not be conducted until
after the end of the 120-day period beginning
on the date the covered individual receives the
notification required under paragraph (3).
(2) Results.--The head of an agency shall take
appropriate action if a review under paragraph (1)
finds relevant information that may affect the
continued eligibility of a covered individual.
(3) Information for covered individuals.--The head of
an agency shall ensure that each covered individual
employed by the agency or a contractor of the agency is
adequately advised of the types of relevant security or
counterintelligence information the covered individual
is required to report to the head of the agency.
(4) Limitation.--Nothing in this subsection shall be
construed to affect the authority of an agency to
determine the appropriate weight to be given to
information relating to a covered individual in
evaluating the continued eligibility of the covered
individual.
(5) Guidance for minor financial or mental health
issues.--The Director of National Intelligence shall
issue guidance defining minor financial or mental
health issues, in accordance with this section and any
direction from the President.
(6) Authority of the president.--Nothing in this
subsection shall be construed as limiting the authority
of the President to direct or perpetuate periodic
reinvestigations of a more comprehensive nature or to
delegate the authority to direct or perpetuate such
reinvestigations.
(e) Audit.--
(1) In general.--Beginning 2 years after the date of
implementation of the enhanced personnel security
program of an agency under subsection (b), the
Inspector General of the agency shall conduct at least
1 audit to assess the effectiveness and fairness, which
shall be determined in accordance with performance
measures and standards established by the Director of
National Intelligence, to covered individuals of the
enhanced personnel security program of the agency.
(2) Submissions to the dni.--The results of each
audit conducted under paragraph (1) shall be submitted
to the Director of National Intelligence to assess the
effectiveness and fairness of the enhanced personnel
security programs across the Federal Government.