US Plans ‘Continuous Evaluation’ of New and Existing Security Clearances
Every federal employee authorized to handle classified information will be cross-checked for signs of risk using court proceedings, financial data, and more.
When the Pentagon starts handling all federal security clearances this fall, it will usher in a brand-new approach to figuring out who can be trusted with dangerous secrets.
Whereas the Office of Personnel Management performed an initial background check on individuals who requested clearances, then reviewed its findings every five or ten years, the Defense Department will move toward a more automated “continuous evaluation,” after the initial check, beginning in October, a DoD official told reporters Thursday.
After an applicant passes their initial screening, they’ll be incorporated into a system in which software continuously scours open-source information — court proceedings, financial data, and more — looking for signs that the person might be turning into a security risk.
Garry Reid, Director of Defense Intelligence (Intelligence and Security), told reporters that Defense Secretary James Mattis “wanted us to reform this process, not just shift ownership” after the White House decided in June to take the job away from OPM.
Today, an applicant fills out a form and a field investigator goes to check that applicant out, verify certain facts and make sure that he or she isn’t a potential security threat. The process is repeated every five years for top-secret clearance applicants and every ten years for secret clearance holders.
Reid said that takes too much time and resources, and is one reason why the clearance system has a backlog of about 700,000 cases.
The Defense Department and the intelligence community are shifting to what is called continuous evaluation, using software that continuously scans arrest records, court filings, major purchase records, etc. If something consequential turns up, the software tips off an adjudicator — basically a human in charge of figuring out what to do next. The adjudicator can then send an email, make a phone call, conduct an in-person visit, or take some other step, depending on what the evaluation turned up.
The process is far from fully automated; the Defense Department has about 1.1 million people enrolled in continuous evaluation, up from 500,000 last year, said Reid.
In the short term, in order to work down the backlog, most of the cases will be handled the old-fashioned way, with a field inspector. But the hope is to begin enrolling screened applicants into continuous evaluation.
Reid could not say how long it will take to fully shift the processes over to the new way of doing things.
The Defense Department needs to a build up what Reid called “investigative capacity,” new hardware and software capabilities to handle the massive new influx of data, for which they’ve contracted Enterprise Services, LLC. for about $50 million.
But there’s also a question of what sort of data should make its way into the new automated evaluation system. It may include information related to what a subject does on a government computer network. Large file uploads and downloads at odd times are often a sign of anomalous behavior, which could be a threat indicator. Reid said that patterns of life, as expressed through publicly available information, could be part of the mix, since that would be essential to determining what is normal or abnormal for any given individual. Scans of public-facing social media information could also be part of the continuous evaluation, but not yet, said Reid. There’s still work to do there in terms of figuring out what to look for and how to use it.
“We intend to develop protocols to do that,” he said. “We’ve done some research in DoD. We intend to apply that but we’re not applying it, yet. We need to get smarter about it.”