Following concerns of extensive backlogs, lagging reform efforts and now IT systems vulnerabilities, the Government Accountability Office (GAO) has added the federal security clearance process to its list of “high-risk” programs in need of immediate improvement.
The next update to the GAO’s high-risk list is scheduled for early 2019, but the agency made the new addition on Thursday after it determined the clearance process is in need of urgent congressional attention to fix glaring security flaws.
“Our objective for the High Risk List is to bring attention to policymakers of the need for action sooner, rather than later. Renewed and strong top leadership commitment will be critical to facilitate progress in reducing the backlog and completing key improvements to the personnel security clearance process,” Gene Dodaro, head of the GAO, said in a statement.
Federal agencies have a backlog of over 700,000 security clearance cases, and there continues to be significant delays in implementing reform efforts to fix the process.
The GAO released two separate reports in November and December 2017 detailing the major problems holding up the security clearance process, including delays in implementing new measures to increase the quality and speed of processing background investigations.
Risk concerns have been particularly centered on software vulnerabilities in the IT systems used to process security clearances. Under new regulations, Department of Defense officials must store clearance data on legacy systems used by Office of Personnel Management (OPM), which previously suffered a massive information breach in 2015.
“Part of the concern regarding clearances is the work OPM still needs to do regarding their IT legacy systems. DoD’s new system that is being designed may require more interconnections to OPM’s legacy systems than originally planned. These interconnections as well as logistical challenges associated with data migration from the legacy systems to the new DoD system raise concerns about the risks to the new DoD system,” Brenda Farrell, GAO director of defense capabilities and management, told Defense Daily.
In its December report, GAO said connections to OPM legacy systems assume inherent risk until properly evaluated.
GAO is also concerned that OPM has yet to implement recommendations made by the United States Computer Emergency Readiness Team to bolster information and security practices in the wake of the 2015 breaches, according to Farrell.
Both OPM and DoD’s security clearance process were originally on GAO’s high-risk list in 2007. They were removed from the list in 2011, but the decision to add it back has received some support from industry groups including the Professional Services Council (PSC).
“Security clearance processes need to be better and faster,” David Berteau, president of the PSC, said. “We urge Congress and the executive branch to apply all necessary resources to reduce the backlog, increase security from the process, implement continuous evaluation government-wide, and achieve real reciprocity for government and contractor personnel.”