It's Official: The Pentagon Now Runs the Security Clearance Process
The newly renamed Defense Counterintelligence and Security Agency now handles 95% of the government’s background investigations.
The Office of Personnel Management on Tuesday handed off its National Background Investigations Bureau to the Defense Department, leaving the Pentagon in charge of conducting the vast majority of government’s security clearance investigations.
At midnight, NBIB officially ceased to exist, and its operations and more than 2,900 employees were subsumed by the Defense Counterintelligence and Security Agency. The agency, formerly known as the Defense Security Service, is now charged with adjudicating roughly 95% of the background investigations for the federal government.
DCSA also will be responsible for ensuring the Pentagon and its contractors don’t allow compromised technology to enter their IT ecosystems. Federal officials have grown increasingly wary of efforts by China and other adversaries to infiltrate the government through its IT supply chain, though even when threats arise, the Pentagon has historically been slow to act.
''This merger advances national defense strategy objectives to enhance our security environment and maintain lethality by protecting critical defense information from theft or disclosure,” Joseph Kernan, undersecretary of defense for intelligence, said in a statement.
Related: The Security Clearance Process Is About to Get Its Biggest Overhaul in 50 Years
Related: AI Is Already Keeping Tabs on 1 Million Clearance Holders
Related: Four Steps to Fix the Security Clearance Backlog
NBIB was created in the wake of the 2015 OPM breach that exposed the sensitive personal information of more than 21 million current and prospective federal employees and contractors. During its brief life, the bureau drew sharp criticism as the backlog of security clearance investigations soared, topping 725,000 in early 2018.
Congress passed language in the 2018 defense authorization bill requiring the Pentagon to conduct its own clearances, which made up about 70% of all investigations, and in April, the Trump administration signed an executive orderthat transferred all bureau’s work to the DCSA.
Though the transfer was completed on Tuesday, Defense officials told reporters there remains a significant amount of work to be done. Officials said they plan to spend the next year refining the DCSA’s internal operations to meet its newly expanded mission, and they expect requirements to continue changing over time.
“Not only are we looking to work on the processes that exist today, but we have two external drivers … helping us focus on what tomorrow looks like,” one of the officials said, referring to the growing array of supply chain security threats and the Trusted Workforce 2.0 framework. Unveiled in February, the framework aims to use new technologies and policies to streamline the security clearance process, which hasn’t been updated in some 50 years.
“In the end, we’ll end up developing an end-to-end national-level process for vetting humans and for protecting critical technologies,” the official said.
DCSA is also in the process of replacing the legacy IT used in background investigations with a new system that would automate parts of the process and support a range of applications that make it easier for investigators to collect and analyze information. Though the National Background Investigation System is still in the “beta” phase, officials said they expect to begin deploying capabilities in the near future.
Today, the security clearance backlog stands at about 302,000 pending investigations, and the agency is on track to hit a “steady state” of roughly 200,000 by January.
Beyond rolling out improvements to the security clearance process, DCSA also intends to rethink the government’s approach to buying technology. Specifically, the agency plans to look further down the Pentagon’s supply chain and combat threats that pop up early in the technology development lifecycle, before the system is locked away with secret or top secret classifications.
“We need to focus on a risk-based system that looks at how a company and how a facility is protecting the information or the product that they hold or are producing,” an official said. “It’s a full-court press. I don’t think we’ll ever be perfectly refined on this, but we’ve got to continue doing better on that.”