INSPECTOR GENERAL
U.S. Department of Defense

April 14, 2014

An Assessment of Contractor Personnel Security Clearance Processes in the Four Defense Intelligence Agencies

INTEGRITY * EFFICIENCY * ACCOUNTABILITY * EXCELLENCE

Mission

Our mission is to provide independent, relevant, and timely oversight of the Department that: supports the warfighter; promotes accountability, integrity, and efficiency; advises the Secretary of Defense and Congress; and informs the public.

Vision

Our vision is to be a model oversight organization in the federal government by leading change, speaking truth, and promoting excellence; a diverse organization, working together as one professional team, recognized as leaders in our field.

Report No. DODIG-2014-060

INSPECTOR GENERAL
DEPARTMENT OF DEFENSE
4800 MARK CENTER DRIVE
ALEXANDRIA, VIRGINIA 22350-1500

April 14, 2014

MEMORANDUM FOR: UNDER SECRETARY OF DEFENSE FOR INTELLIGENCE
GENERAL COUNSEL, DEPARTMENT OF DEFENSE
DIRECTOR, DEFENSE INTELLIGENCE AGENCY
DIRECTOR, NATIONAL GEOSPATIAL-INTELLIGENCE AGENCY
DIRECTOR, NATIONAL RECONNAISSANCE OFFICE
DIRECTOR, NATIONAL SECURITY AGENCY
DIRECTOR, DEFENSE HUMAN RESOURCES ACTIVITY

SUBJECT: An Assessment of Contractor Personnel Security Clearance Processes in the Four Defense Intelligence Agencies (Report No. DODIG-2014-060)

We are providing this report for your review and comment. We considered management comments on a draft of the report when preparing the final report.

DoD Directive 7650.3 requires that all recommendations be resolved promptly. Please see the recommendations table at page v. We request that the Office of the Under Secretary of Defense for Intelligence provide us with documentation regarding the milestones discussed in its comments. Recommendation A.3. has been redirected to the Office of the General Counsel (OGC), Department of Defense. Request that OGC respond to Recommendation A.3. within 30 days from the date of this report. Request that Director, Defense Intelligence Agency, and Director, National Reconnaissance Office, provide a response to Recommendation B.2.c. within 30 days from the date of this report.

Request that you send your responses in electronic format (Adobe Acrobat file only) to donald.dixon@dodig.mil. Copies of your responses must have the actual signature of the authorizing official for your organization. We are unable to accept the /Signed/ symbol in place of the actual signature. Classified electronic format comments must be sent via the Joint Worldwide Intelligence Communications System (JWICS) to igdixde@dodig.ic.gov, or over the SECRET Internet Protocol Router Network (SIPRNET) to donald.dixon@dodig.smil.mil.

We appreciate the courtesies extended to our staff. 822-4860, DSN 499-7234,

What We Did

Our objective was to assess: a) how, or if, substantiated investigations of misconduct were reported to Agency Clearance Adjudication Facilities (CAF) and to the DoD Consolidated Adjudication Facility (DODCAF); b) if the referred investigations had been adjudicated; and c) the results of those security adjudications.

What We Found

• There was a lack of effective personnel security policy.
• There was a lack of effective recordkeeping.
• There was an avoidance of personnel security adjudication for contractor personnel involved in misconduct.
• There was a lack of personnel security information sharing.
• There was a lack of connectivity between the Defense Central Index of Investigations (DCII) and the Joint Personnel Adjudicative System (JPAS).

Our Recommendations and Management Responses

We recommend that the Under Secretary of Defense for Intelligence [USD(I)]: develop overarching policies governing operation of DCII and JPAS; expedite publishing new security policy; and advocate revising EO 12968 to require that personnel security clearance adjudicative and due process actions continue, even if the contractor employee no longer has access to classified information. USD(I) concurred with these recommendations. We redirected revision of one directive to Office of General Counsel, DoD.

We recommend that the Offices of Security of the Defense Intelligence Agency (DIA), National Geospatial-Intelligence Agency (NGA), National Reconnaissance Office (NRO), and National Security Agency (NSA), Offices of Security, develop formal procedures to ensure that reports of investigation into misconduct by contractor personnel are reported to the appropriate adjudicative organizations; and ensure that the appropriate security databases are populated with personnel security adjudicative determinations. The Agencies concurred with some of these recommendations and non-concurred with others. (See the report and Appendices D - G).

We recommend that the Directors of DIA, NGA, NRO, and NSA ensure IG reports of investigation into contractor misconduct are reported to DODCAF. The Agencies concurred with this recommendation.

Lastly, we recommend that the Director, Defense Human Resources Activity (DHRA), (1) work with the General Services Administration to add the Excluded Parties List System/System for Award Management to the set of databases accessed by the Automated Continuing Evaluation System that the Defense Personnel Security Research Center developed; and, (2) develop software to automatically flag the personnel security adjudicative portion of JPAS that a DCII file exists on a specific Subject. The Defense Manpower Data Center manages both JPAS and DCII. DHRA did not concur with action 1, but did concur with action 2.

Recommendations Table

Management:
Under Secretary of Defense for Intelligence [USD(I)]
USD(I)
USD(I)
General Counsel, Department of Defense
Director, Defense Intelligence Agency
Director, National Geospatial-Intelligence Agency
Director, National Reconnaissance Office
Director, National Security Agency
Director, Defense Human Resources Activity
Inspector General, Defense Intelligence Agency
Inspector General, National Geospatial-Intelligence Agency
Inspector General, National Reconnaissance Office
Inspector General, National Security Agency

Recommendation(s) Requiring Additional Comments: B.1.a.
Date Comments Requested: October 15, 2014 B.1.b. B.1.d. A.3. May 1, 2014 July 15, 2014 May 14, 2014 B.2.c. May 14, 2014
Recommendations Requiring No Additional Comments: A.1., A.2., B.1.c., and C. B.2.a., B.2.b., and B.3. B.2.a., B.2.b., B.2.c., and B.3. B.2.a., and B.2.c. May 14, 2014 B.2.b. and B.3. B.2.a. May 14, 2014 B.2.b., B.2.c., and B.3. B.4. May 14, 2014 E. B.3. B.3. B.3. B.3.

Distribution:
Secretary of Defense
Deputy Secretary of Defense
Under Secretary of Defense for Personnel and Readiness
Assistant to the Secretary of Defense for Intelligence Oversight
Director, Office of Cost Assessment and Program Evaluation, OSD
Chairman, Senate Select Committee on Intelligence
Chairman, House Permanent Select Committee on Intelligence
Chairman, Senate Armed Service Committee
Chairman, House Armed Services Committee
Chairman, Senate Committee on Homeland Security and Governmental Affairs
Director of National Intelligence
Inspector General of the Intelligence Community
Director, Special Security Directorate, Office of the National Counterintelligence Executive/Security
Director, Office of Security, Central Intelligence Agency
Director, Office of Management and Budget
Deputy Director for Management, Office of Management and Budget
Director, Office of Personnel Management
Director, Federal Investigation Services, Office of Personnel Management
Archivist of the United States
Director, Defense Security Service
Inspector General, Defense Security Service
Chair, Council of the Inspectors General on Integrity and Efficiency
Inspector General, Defense Intelligence Agency
Director, Office of Security, Defense Intelligence Agency
Inspector General, National Geospatial-Intelligence Agency
Director, Office of Security, National Geospatial-Intelligence Agency
Inspector General, National Reconnaissance Office
Director, Office of Security, National Reconnaissance Office
Inspector General, National Security Agency
Director, Office of Security, National Security Agency
Director, Department of Defense Consolidated Adjudication Facility

Contents

Introduction
Background
Objectives
Scope and Methodology
Finding A. Lack of Effective Personnel Security Policy
Finding B. Lack of Effective Recordkeeping
Finding C. Avoidance of Personnel Security Adjudication and Due Process Issues
Finding D. Lack of Personnel Security Information Sharing
Finding E. Lack of Connectivity Between DCII and JPAS
Other Observation
Appendix A. Background
Appendix B. Scope and Methodology
Appendix C. Office of the Under Secretary of Defense for Intelligence Response
Appendix D. Defense Intelligence Agency Response
Appendix E. National Geospatial-Intelligence Agency Response
Appendix F. National Reconnaissance Agency Response
Appendix G. National Security Agency Response
Appendix H. Defense Human Resources Activity Response
Acronyms and Abbreviations

Introduction

Background

On September 5, 2012, we published the memorandum report, The Four Defense Intelligence Agencies Have Had No Effective Procedures for Suspension and Debarment. That project's objective was to determine the effectiveness of suspension and debarment procedures in the four Defense intelligence agencies -- the Defense Intelligence Agency (DIA), the National Geospatial-Intelligence Agency (NGA), the National Reconnaissance Office (NRO), and the National Security Agency (NSA). We based our study on 131 investigative case summaries (hereinafter referred to as "IG investigations") provided to us by the Inspectors General (IGs) of the Defense intelligence agencies from October 1, 2000, to September 30, 2010; we published those case summaries in the Classified Annexes to the [DoD IG's] Semi-Annual Report to Congress. In our study, we found that none of these Agencies had ever debarred a contractor, consultant, or contractor employee.
Also, we found that only one of these agencies had ever suspended a contractor, consultant, or contractor employee.

During our research for that project, we found that procurement and general counsel staff from the Defense intelligence agencies had assumed that Subject contractor employees involved in misconduct would lose their security clearance and access. We examined this assumption using the same 131 cases that we had used in the suspension and debarment study. Also in our research we determined that absent suspension and debarment there was no policy to preclude individuals involved in misconduct investigated by Agency IGs from working on unclassified government contracts, even if they had lost their security clearance and Sensitive Compartmented Information (SCI) access. A detailed discussion of the background to this project is attached as Appendix A.

Objectives

In response to our initial data call to the IGs of the Defense intelligence agencies, the IGs identified 128 individuals as the Subjects of their 131 substantiated investigations. Although these investigations were conducted by the Agency IGs between 2000 and 2010, we conducted our research to determine if they were still relevant to contractor personnel security clearance processing in the Department. The extent to which they impacted individual personnel security adjudicative decisions was within the scope of authority of the individual Agency Directors and Agency Clearance Adjudication Facilities (CAF). We assessed: a) how, or if, substantiated investigations of misconduct were reported to their Agency CAF and to the Department of Defense (DoD) Consolidated Adjudication Facility (DODCAF); b) if the referred investigations had been adjudicated; and c) the results of those security adjudications. DODCAF is the successor organization to the Defense Industrial Security Clearance Office (DISCO); the U.S. Army, U.S. Navy, U.S.
Air Force, Washington Headquarters Services, and Joint Staff CAFs, and for the adjudicative functions of the Defense Office of Hearings and Appeals (DOHA).

Scope and Methodology

A detailed discussion of our scope and methodology is attached as Appendix B.

Finding A

Lack of Effective Personnel Security Policy

We found a lack of effective personnel security policy. This condition occurred because the Department's personnel security policy was largely outdated, or -- as in the case of policy for operation of the Joint Personnel Adjudication System (JPAS) -- entirely absent. As a result, a lack of effective security policy procedures existed, with no overarching written policy governing how/when JPAS is to be used.

Applicable Personnel Security Policy

We conducted a detailed review of personnel security policy, including Executive Orders (EO); Intelligence Community (IC) policy issued by the Director of National Intelligence (DNI); Office of Personnel Management (OPM)-issued policy; and DoD-issued policy.
Based on our review, we found:

• Many of the 131 Agency IG case summaries included misconduct, which warranted either: a) additional conditions, deviations, or waivers attached to a favorable security clearance/access adjudication; or b) revocation/denial of one's security clearance/access.
• Under the reciprocity policy of Intelligence Community Policy Guidance (ICPG) 704.4, "Reciprocity of Personnel Security Clearance and Access Determinations," a favorable personnel security clearance/SCI access adjudicative determination -- absent conditions, deviations, or waivers -- made by one CAF was binding on all other IC elements.
• Defense intelligence agencies were required to report unfavorable information regarding contractor employees to DISCO, and now to DODCAF.

Outdated Personnel Security Policy Documents

DoD Instruction (DoDI) 5025.01, "DoD Directives Program," September 26, 2012, established that "Prior to the 5-year anniversary of their publication date, all issuances must be reviewed to determine if they are necessary, current and consistent with DoD policy, existing law, and statutory authority. They will be either reissued, certified as current, or cancelled, as appropriate ... All issuances certified as current must be reissued or cancelled within 7 years of the original publication date."

The DoD personnel security policy documents we reviewed were between eight and 28 years old. None of them met the standards of DoDI 5025.01 for accuracy and currency. Among the many problems we noted were:

• Repeated references to the Defense Investigative Service (DIS), which was renamed the Defense Security Service (DSS) in 1997.
• The documents did not reflect the transfer in February 2005 of the DoD personnel security background investigative mission from DSS to OPM.
• Repeated references to the Directorate for Industrial Security Clearance Review (DISCR), which was succeeded by the Defense Office of Hearings and Appeals (DOHA), and which has now been succeeded, in part, by DODCAF.
• The documents did not reflect the creation of JPAS, the move of personnel security investigative and adjudicative records from the Defense Clearance and Investigative Index to JPAS, and the further renaming of the Index as the Defense Central Index of Investigations (DCII).
• The numerous organizational changes since these policy documents were published make the required reporting channels difficult to understand. Of note, Commanders and heads of activities are generally required to report adverse/questionable information concerning contractor employees who are cleared, or are being cleared, for access to classified information to DISCO/DODCAF.

Also of note, USD(I) staff told us that DoD personnel security policy had been under detailed review, and in coordination since 2012.

There is no Overarching Written Policy Governing JPAS

JPAS was designed to provide the Department with a common information resource for granting and sharing personnel security eligibility determinations and recording personnel access to sensitive and non-sensitive compartmented information. We did not find any overarching policy documents -- such as a directive, regulation, or instruction -- governing JPAS operation.

Responsibility

DoDI 5145.03, "Oversight of the DoD Personnel Security Program," January 2013, charges the USD(I) with direction, administration, and oversight of the DoD personnel security program. Further, the February 2010 Memorandum of Agreement covering the transfer of operational control of JPAS and DCII from DSS to the Defense Manpower Data Center (DMDC) stipulated that USD(I) "retained responsibility for creation and interpretation of all policies governing" JPAS and DCII.

Conclusions

DoD personnel security policy is dated, unclear, or entirely absent.
Since no system can function in the absence of adequate direction, it is imperative that this situation be resolved as soon as possible.

Recommendations, Management Comments, and Our Response:

A.1. We recommend that USD(I) develop and issue an overarching policy governing operation of the System of Record for Personnel Security Clearances.

USD(I) Comments

In our coordination draft, we recommend that USD(I) develop and issue an overarching policy governing JPAS operation. USD(I) concurred with the recommendation, agreeing that a consolidated, overarching policy was needed. USD(I) stated that Draft DoDM 5200.02, Volume 1, "DoD Personnel Security Program: Investigations for National Security Positions and Duties," and DoDM 5200.02, Volume 2, "DoD Personnel Security Program: Adjudications, Due Process, Continuous Evaluation and Security Education," will "provide overarching policy governing operations of JPAS and its successor system (the Joint Verification System), to include requirements for recording issues of security concern and adjudications that are based on exceptions due to presence of adverse information. Since Volume 2 is still in the formal comment period, we have an immediate opportunity to ensure that we incorporate the IG's recommendations and address the need for JPAS functionality as discussed in the IG report."

Additional Comment by the Defense Human Resources Activity (DHRA)

DHRA recommended that the recommendation be modified to require that USD(I) develop and issue an overarching policy governing the "System of Record for Personnel Security Clearances," stating that a transition from JPAS to the Defense Information System for Security (DISS) is planned.

Our Response

The USD(I) comments are responsive, and the additional DHRA comment is an appropriate clarification. Accordingly, we modified the recommendation.

A.2.
We recommend that USD(I) finalize updates to -- or replacements for -- the personnel security portions of the following Departmental policies:

a. DoD 5200.2-R, "Personnel Security Program," February 23, 1996.
b. DoD 5220.22-R, "Industrial Security Regulation," December 1985.
c. DoD 5220.22-M-Sup 1, "National Industrial Security Program: Operating Manual Supplement," February 1995.

USD(I) Comments

USD(I) concurred with the recommendation, and provided the following timeline regarding replacements for the above policy documents:

DoD 5220.2-R is being replaced by DoDM 5200.02, Vol. 1, and DoDM 5200.02, Vol. 2.

Volume 1 has been in the Office of the General Counsel, Intelligence [OGC(I)], DoD, since July 29, 2013, for legal sufficiency review. Following OGC(I) review, USD(I) will expedite making any required changes before moving the policy to Office of the General Counsel (OGC), DoD, for approval. Thereafter, USD(I) is required to coordinate with the Federal Register Liaison Office (FRLO), Washington Headquarters Services (WHS), which coordinates with the Office of Management and Budget (OMB) to meet OMB's requirements for publishing the policy as a federal rule.

Formal Coordination of Volume 2 closed on January 17, 2014. USD(I)'s goal is to complete adjudication of comments by March 7, 2014. Thereafter, the policy issuance process will proceed according to the steps that WHS established and according to the timelines that DoDI 5025.01 established. Once through the DoD policy issuance process, USD(I) is required to coordinate with FRLO to move the proposed policy through OMB's rule-making process.

DoD 5220.22-R will be replaced by DoD 5220.22M, Vol. 2, "National Industrial Security Program: Industrial Security Procedures for Government Activities." DoD will work with WHS who coordinates with OMB to publish the policy through OMB's Federal Register process.
DoD is currently working with OMB to format the volume and to complete information collection in accordance with OMB requirements.

DoD 5220.22-M-Sup 1 will be cancelled when the next conforming change to DoD 5220.22-M is approved. That policy is currently being processed through the formal DoD policy-issuance process. USD(I)'s goal is to issue the conforming change by January 1, 2015.

USD(I) advised that despite the issuance of DoDI 5145.03, DoD OGC retained policy responsibility for DoDD 5220.6, "Defense Industrial Personnel Security Clearance Review Program," April 4, 1999.

Our Response

The USD(I) comments are responsive.

Redirected Recommendation

As a result of USD(I)'s comments, we are redirecting the following recommendation to DoD OGC.

A.3. We recommend that DoD OGC prepare an update to -- or replacement for -- DoDD 5220.6 to make it compliant with the requirements of DoDI 5025.01 for accuracy and currency.

Finding B

Lack of Effective Recordkeeping

We found a lack of effective recordkeeping by the Agency security offices, as well as by DIA, NGA, NRO, and NSA IGs. This occurred because the appropriate investigative and personnel security databases -- JPAS, DCII, and the IC's SCATTERED CASTLES system -- were not being reliably populated with investigative and security information. As a result, the failure to effectively document investigative Subjects in JPAS, SCATTERED CASTLES, and/or DCII significantly hindered personnel security clearance and access adjudications.

Background

The Subjects of the investigations that the Agency IGs conducted generally had the highest levels of security clearance and access to classified material.
The following table summarizes our understanding of the authorized levels of security clearance/access that the contractor employees (the Subjects) held at the time the IGs conducted their investigations:

Contractor Employee (Subjects) Security Clearance/Access

Agency | Number of Subjects with either No or Unknown Level of Clearance/Access | Number of Subjects with Confidential | Number of Subjects with Secret | Number of Subjects with Top Secret Collateral Only | Number of Subjects with Top Secret/SCI | Number of Subjects Total
DIA7NGANRONSA1030400000131213600000Total201567762810928128

Eighty-eight percent (113 of 128) of the Subjects held a documented security clearance, and 85 percent (109 of 128) had access to Top Secret/SCI information. Based on the security classification standards articulated in EO 13526, Classified National Security Information, December 29, 2009, Top Secret information -- if compromised -- could reasonably be expected to cause exceptionally grave damage to the national security.

Gaps in Joint Personnel Adjudication System (JPAS) and SCATTERED CASTLES

JPAS was designed to provide the Department with a common information resource for granting and sharing personnel security eligibility determinations and recording personnel access to sensitive and non-sensitive compartmented information. SCATTERED CASTLES serves essentially the same purpose for the IC.

In our review, we found that only 73 percent (94 of 128) of the Subjects were listed in JPAS, and only 53 percent (68 of 128) were listed in SCATTERED CASTLES.

Of the Subjects listed in JPAS, only 35 percent (33 out of 94) had relevant incident reports posted in their JPAS file by their corporate security officers or the Office of Security of the Agency whose IG had conducted the investigation.

Conditions/Deviations/Waivers Not Adequately Documented in SCATTERED CASTLES

ICPG 704.4 raises the issue of conditions, deviations, and waivers in the security clearance process.
While guidelines may support security clearance/access revocation or denial, operational considerations at times might make this difficult. OPM describes these conditions as "access eligibility granted or continued with the proviso that one or more additional measures will be required, such as additional security monitoring, restrictions on access, and restrictions on an individual's handling of classified information." For example, for an individual who was investigated for time and attendance fraud, a "condition" might include a requirement that contractor and government management exercise significantly heightened oversight of the individual's time, attendance, and financial claims. The fact that clearance/access was granted with conditions, deviations, or waivers should be documented in the "Exception Information" block of the Subject's SCATTERED CASTLES file, indicating the type (condition, deviation, or waiver), and date of the exception. Such a properly documented exception would afford a second agency the opportunity to deny reciprocity under ICPG 704.4.

In our review, at least 45 percent of the Subjects (57 of 128) continued in status or had clearance/access granted or restored after the closure dates of their IG investigations. Although substantiated Agency IG investigations existed regarding these 57 Subjects, only 10 Subjects had entries in the "Exception Information" block of their SCATTERED CASTLES files by any CAFs:

Subjects' Files in SCATTERED CASTLES Where the "Exception Information" Block Indicates Clearance/Access was Granted with a Condition, Deviation, or Waiver

Investigating Agency: DIA IG, NGA IG, NRO IG, NSA IG, Total
Number of Subjects with annotations indicating Condition "C", Deviation "D," or Exception "E":
1 "C" entered by NRO CAF
2 "D" entered by DIA CAF
1 "D" entered by both DIA and CIA CAFs
0
1 "D" entered by DIA CAF
1 "0" entered by NRO CAF
3 "C" and "D" entered by NRO CAF
1 "D" entered by CIA CAF
10

The misconduct documented in the
IGs' investigative case summaries appeared to warrant referral to their Agencies' CAF for adjudication, and referrals did occur in all 57 cases. We cannot determine from the data provided to us whether the CAFs either: a) made the judgment that the misconduct was not of sufficient significance to warrant granting clearance/access with conditions, deviations, or waivers; or b) if clearance/access was granted with conditions, deviations, or waivers, but these exceptions were not documented by the CAFs in the Subjects' SCATTERED CASTLES files.

Without a documented condition, deviation, or waiver, a Subject would be eligible under the reciprocity policy of ICPG 704.4 for equivalent or lower access at all other IC entities.

Gaps in the Defense Central Index of Investigations (DCII)

DCII was created in February 1966 -- under a December 3, 1965, memorandum signed by Deputy Secretary of Defense Cyrus Vance -- to constitute a computerized central index of investigations conducted by DoD investigative activities. Despite extensive efforts, we have been unable to recover a copy of Mr. Vance's memorandum to determine his intent in directing the establishment of DCII. The initial executive agent for DCII was the Office of the Assistant Chief of Staff for Intelligence, U.S. Army. Executive agency was subsequently transferred to DIS/DSS in 1972. And, in mid-2010 the Deputy Secretary of Defense transferred operational responsibility for DCII to the DMDC.
From the chain of executive agency for DCII -- and the historic inclusion of personnel security background investigations, counterintelligence polygraph examinations, counterintelligence investigations, security investigations, and personnel security clearance data in DCII, as well as criminal investigative data -- it is reasonable to conclude that the database was initially broadly defined as an investigative index.

A DCII file consists of a Subject's name; social security number; date, state, and country of birth; investigative file number(s), location and year the file(s) was created; context of the Subject's relationship to the investigation (i.e., Subject, witness, cross reference, etc.), retention period of the investigative file(s); and date the investigation(s) was closed. The file contains no investigative information and simply functions as a finding guide for where DoD investigative files are located.

The majority of the 131 Agency IG investigations we reviewed involved possible violations of Federal criminal statutes. For example, time and attendance fraud -- which comprised 68 percent of our case sample (89 of 131 cases) -- generally involves some combination of violations of the following Federal criminal statutes:

• 18 U.S. Code (USC), 287, False, Fictitious, or Fraudulent Claims
• 18 USC 1001, False Official Statement
• 18 USC 1341, Mail Fraud
• 18 USC 1343, Fraud by Wire

Moreover, in order to significantly profit from time and attendance fraud, a Subject must have submitted false claims/statements during repeated payroll cycles. The time and attendance fraud investigations involved an average loss per investigation of $41,788.96.

A possible violation of the criminal statutes is indicated when an IG refers an investigation to the Criminal and Civil Divisions of the Department of Justice (DoJ), or to local prosecutors. However, while investigations were referred for possible prosecution, they were not always titled and indexed in DCII (as shown in the following chart):

Overall Agency Totals

Agency | Cases in Our 131 Case Sample | Duplicate Case Summaries | Exclusively Corporate Subjects (i.e., no identified individual Subjects) | Individual Subjects Identified | Cases Referred To DoJ or Local Prosecutors (based upon the 131 Case summaries) | Individual Subjects Titled and Indexed in DCII | Individual Subjects Not Titled and Indexed in DCII
DIA | 20 | 0 | 4 | 21 | 3 | 8 | 13
NGA | 3 | 0 | 1 | 3 | 1 | 0 | 3
NRO | 80 | 1 | 5 | 76 | 72 | 23 | 53
NSA | 28 | 1 | 2 | 28 | 9 | 12 | 16
Total | 131 | 2 | 12 | 128 | 85 | 43 | 85

As documented in the above chart, only 34 percent of the Subjects (43 of 128) were titled and indexed in DCII. Only the Defense Criminal Investigative Service (DCIS), the law enforcement investigative arm of DoD IG -- which had worked jointly with Agency IGs on some cases -- and DIA IG titled and indexed Subjects in DCII.

We noted some anomalies during our research. While the Subjects in nine NSA IG cases were presented to Federal prosecutors for possible prosecution, five of those Subjects were not titled or indexed in DCII. Nor did corporate or Agency security officials file relevant incident reports in JPAS. Also, three of those five Subjects continued to hold SCI access with NSA, even after the NSA IG investigations concluded.

Additionally, while the Subjects in 72 NRO cases were presented to Federal prosecutors for possible prosecution, 20 were not titled or indexed in DCII, and no relevant incident reports were filed in JPAS regarding those Subjects.

We also received some anecdotal data during our review. Staff members of the NGA, NRO, and NSA IGs told us that:

• NGA IG had only recently obtained "read only" access to DCII, and was attempting to obtain "full user" access to DCII so that it could title and index Subjects in DCII.
In response to our draft report, NGA advised that NGA IG had obtained full user access to DCII, effective August 26, 2013.
• NRO IG had not titled and indexed Subjects from its criminal investigations in DCII for "some years," and staff did not know if their IG still had a staff member with decisional authority to title and index Subjects in DCII. In response to our draft report, NRO advised that NRO IG never had access to DCII and its IG investigators may have misspoken. NRO IG had relied on the NRO Office of Security and Counterintelligence to title and index Subjects of IG investigations "in the appropriate system(s) of record."
• NSA IG worked with DCIS on "all criminal investigations." Therefore, as a criminal investigative entity, DCIS was responsible for titling and indexing the Subject(s) in DCII. No one was designated at NSA to title and index individuals in DCII. In this context, we noted that only 43 percent of NSA IG's Subjects (12 of 28) were titled and indexed in DCII.

Results of Gaps in DCII Data

Personnel security investigations begin with a National Agency Check (NAC), which is defined in 32 Code of Federal Regulations (CFR) 154, Appendix A, as a scan of at least three databases: DCII; Federal Bureau of Investigation (FBI) headquarters investigative files; and FBI identification files.

A favorable NAC, local agency check, credit check, and verification of a Subject's birth (NACLC) are the basic criteria for granting eligibility for access to Confidential and Secret information. The Single Scope Background Investigation (SSBI) expands on the NACLC by verifying employment, education, and residence, as well as interviews of the Subject and character references. Paragraph 10.a., ICPG 704.1, "Personnel Security Investigative Standards and Procedures Governing Eligibility for Access to [SCI] and Other Controlled Access Program Information," requires that, at a minimum, six databases be queried as part of a NAC for SCI access.
DCII is one of these databases.

OPM maintains the Security and Suitability Investigation Index (SII) and the Central Verification System (CVS). Those systems allow personnel security and suitability communities to validate the need for new investigations and share information on prior background investigations, adjudications, security clearances, and Homeland Security Presidential Directive (HSPD) 12 credential determinations. If criminal investigative files are identified through a DCII check, the file is then copied into the Subject's background investigation and the investigation indexed in SII.

Therefore, failing to title and index investigative Subjects in DCII significantly hinders the NAC and SSBI processes. DMDC staff told us that no system impediments currently exist for providing DCII system access to additional users, which means the Defense intelligence agencies IGs should be able to access DCII.

This situation caused us to further examine the historical development of DCII. Other than references to former Deputy Secretary of Defense Vance's memorandum, we have been unable to find an over-arching DoD policy document -- directive, regulation, instruction, or manual -- governing the operation of DCII. This has resulted in a degree of confusion regarding which investigations should be titled and indexed in DCII.

An examination of copies of the CFR published between 1978 and 2009 provides the following information regarding DCII:

"The DCII, which contains reference to investigative records created and held by the DoD components. The records indexed are primarily those prepared by the investigative agencies of the Military departments and DIS, covering criminal, fraud, counterintelligence, and personnel security information." [32 CFR 298.4.(a), July 1, 1978; and 32 CFR 298.3.(a), July 1, 2009]

"DIS maintains the [DCII], which contains reference to investigative records created and held by DoD components.
The records indexed are primarily those prepared by the investigative agencies of the DoD, covering criminal, fraud, counterintelligence, and personnel security information." [32 CFR 298.3.(a), July 1, 1992]

DoDI 5505.07, "Titling and Indexing Subjects of Criminal Investigations in the [DoD]," January 27, 2012, discusses only the titling and indexing of the Subjects of criminal investigations conducted by the Defense Criminal Investigative Organizations (DCIO).

DoDI 5505.16, "Criminal Investigations by Personnel Who Are Not Assigned to a [DCIO]," May 7, 2012, applies to all DoD Components outside the DCIOs. It establishes the policy that DoD Components who employ personnel conducting criminal investigations will ensure that Subjects of criminal investigations are titled and indexed in DCII. It requires that such DoD Components will develop an automated records management and information system which is compatible with DCII. If the component does not have full DCII user access they will execute an agreement with a DCIO or other DoD law enforcement organization to meet DCII reporting requirements. If an investigation is transferred to a DCIO, then that DCIO becomes responsible for titling and indexing the Subject(s) of the investigation in DCII.

What is much less clear are the policy requirements for titling and indexing the Subjects of complaint type personnel security, counterintelligence, security violation, unauthorized disclosure, administrative, senior official, and other investigations conducted by DoD Components.

In addition to policy issues, inadequate DCII system capacity prior to mid-2006 limited the ability of the Agency IGs and other organizations to title and index Subjects in the DCII during much of DIS/DSS's administration of the DCII. For example, DIA IG began requesting full user access to the DCII in the early 1990s, but did not receive access until the summer of 2006 when DSS expanded DCII system capacity, relieving the earlier system capacity issues.
When the DIA Office of Security (SEC) commenced conducting counterintelligence polygraph examinations in the 1990s, it was several years before DSS could provide SEC with system capability to title and index the polygraph examinations in DCII, despite DoD polygraph policy which required that the examinations be titled and indexed.

Complete DCII Recordkeeping is Critical to the Projected Shift in Reinvestigations

During a March 5, 2013, Intelligence and National Security Policy Reform Symposium, the Director, Office of Security, NRO, said that due to constrained funding, the NSA and NRO Offices of Security had suspended the conduct of periodic reinvestigations for contractor employees, and were instead concentrating on entry-level background investigations. In response to our draft report, NSA stated that it had, in fact, not suspended contractor reinvestigations. DSS -- which funded most industry background investigations and periodic reinvestigations -- announced in June 2013 that due to fiscal constraints it was suspending all industry periodic reinvestigations for the remainder of fiscal year 2013.

Additionally, substantial momentum exists toward Continuous Monitoring, Evaluation, or Observation. This concept began when the Defense Personnel Security Research Center (PERSEREC) started examining aperiodic reinvestigations -- in lieu of the current reinvestigations, which are supposed to occur every five years. As a result of this research, PERSEREC developed the Automated Continuing Evaluation System (ACES). PERSEREC described this system as follows:

"...
These evaluations involved automated checks of security-relevant databases, such as criminal history, credit, foreign travel, and large-currency transactions. This approach would reduce security risk by detecting more cases involving issues of serious security concern and by detecting those cases earlier. Furthermore, it would substantially reduce demands on investigative resources. This would be accomplished by applying more investigative resources to the relatively small number of cases where they are needed the most and fewer resources to cases where they are needed the least. Using this approach, full-scale investigations would be triggered based on factors such as the person's level of access, the time elapsed since the last investigation, whether issues were detected in the last investigation, and the seriousness and number of new issues detected by automated checks of security-relevant databases ..."

The current system requires a minimum five-year gap between investigations, even though personnel security specialists have long recognized that significant security events could affect a Subject's life between investigations. Based upon preliminary studies and field testing, the testing organizations believed ACES to be effective and substantially less expensive than the current personnel security reinvestigation system.

Movement away from traditional background investigations -- particularly the five-year periodic reinvestigation -- requires accuracy in the data searches that will replace those investigations. DCII is among the databases contained in PERSEREC's ACES set of databases.

If ACES or another continuous monitoring program is to replace periodic reviews, DoD entities must ensure the Subjects of all DoD investigations are titled and indexed in DCII.
This would enable those investigations to be recovered by the CAFs holding personnel security adjudicative responsibility for civilian government employees, military personnel, and contractor employees.

In light of our earlier study on suspension and debarment, we note that ACES does not include the Excluded Parties List System (EPLS) or the follow-on System for Award Management (SAM) in the set of databases being accessed. The General Services Administration (GSA) administers EPLS/SAM, which contains the identities of individual and corporate contractor employees who have been suspended or debarred from government contracting because of misconduct or poor performance. Suspension and debarment and personnel security adjudication are closely linked, because both deal with suitability: suspension and debarment relates to the government conducting business only with responsible contractors, while personnel security adjudication relates to suitability for access to classified information.

Lack of Reporting to DISCO/DODCAF

DoD 5220.22-R requires that the head of a user activity shall report to DISCO any adverse or questionable information that comes to that person's attention concerning a contractor employee who has been cleared for access to classified information, which may indicate that such access is not clearly consistent with the U.S. national interest.

Historically, sponsoring organizations would submit requests for contractor employees' security clearance determinations to DISCO. DISCO would then task the investigative entities, receive the results of the investigations, and adjudicate for collateral security clearances. Cases that contained significant derogatory information were referred to DOHA for further adjudication and, if required, due process action. When the process was favorably completed, DISCO granted the clearances.
If the contractor employee subsequently required SCI access, the case was adjudicated a second time by one of the Defense intelligence agency or Military Service CAFs. This process was admittedly time consuming.

DNI subsequently delegated authority for the entire personnel security process to the four Defense intelligence agencies for personnel falling within their security cognizance. The four agencies now can conduct background investigations and personnel security adjudications for government employees and contractor employees, for both collateral and SCI access.

We provided our list of 128 investigative Subjects to DODCAF and followed up by asking DODCAF to review its files to determine if its predecessor CAFs had received copies of the relevant investigative reports that the Agency IGs prepared. DODCAF replied that it could only positively determine whether or not it had received an IG report on 20 percent of the Subjects (26 of 128); and for those 26 Subjects, it had only received five reports -- all of them on NRO IG Subjects.

Therefore, the four Defense intelligence agencies have not complied with the DoD 5220.22-R requirement to report to DISCO adverse/questionable information concerning a contractor employee with access to classified information.

Continued Focus on Existing Databases

The Intelligence Reform and Terrorism Prevention Act of 2004 (IRTPA) required establishing a single, integrated personnel security database no later than 12 months after the law was enacted.

The Government Accountability Office (GAO) said in a report entitled, Personnel Security Clearances: Progress Has Been Made to Improve Timeliness but Continued Oversight Is Needed to Sustain Momentum (GAO-11-65, November 2010), that the executive branch agencies have instead opted to focus on leveraging existing systems rather than establishing a new database, citing concerns related to privacy, security, and data ownership.
Thus, it is increasingly important for existing databases to contain current and accurate personnel security data.

Destruction of Old Personnel Security Records

National Archives and Records Administration (NARA) General Records Schedule (GRS) 18: Security and Protective Services Records, Item 22, provides for the following:

"22. Personnel Security Clearance Files.

"Personnel security clearance case files created under Office of Personnel Management procedures and regulations and related indexes maintained by the personnel security office of the employing agency.

"a. Case files documenting the processing of investigations on Federal employees or applicants for Federal employment, whether or not a security clearance is granted, and other persons, such as those performing work for a Federal agency under contract, who require an approval before having access to Government facilities or to sensitive data. These files include questionnaires, summaries of reports prepared by the investigating agency, and other records reflecting the processing of the investigation and the status of the clearance, exclusive of copies of investigative reports furnished by the investigating agency.

"Destroy upon notification of death or not later than 5 years after separation or transfer of employee or not later than 5 years after contract relationship expires, whichever is applicable (NC1-GRS-80-1 item 23a)

"c. Index to the Personnel Security Cases Files.

"Destroy with related case file. (NC1-GRS-80-1 item 23c)"

Throughout our review, we tried to determine: a) if a CAF had received a copy of one of the Agency IG's reports of investigation; b) if the information contained in the investigation had been adjudicated; and c) the results of the adjudication. However, our efforts were stymied because adjudicative files and indices had been destroyed in accordance with NARA GRS 18.
When the Agency IG's investigative Subjects are not titled and indexed in DCII and personnel security records are also destroyed, it (inaccurately) appears as if no investigation was ever conducted. However, NARA is not within our oversight purview.

Conclusions

If the personnel security system is to function properly, it is imperative that the appropriate investigative and security databases be populated with accurate and complete information by every entity - investigative and security - which has had an equity in the investigative/security Subject. It is clear from our evaluation that this has not been occurring consistently.

Recommendations, Management Comments, and Our Response

B.1.a. We recommend that USD(I) prepare an overarching policy governing the operation of DCII, including identification of the categories of investigations to be titled and indexed, and the retention criteria for investigations so titled and indexed.

USD(I) Comments

USD(I) concurred with the recommendation. It will convene a working group to develop, as appropriate, overarching policy governing the operation of DCII by September 30, 2014.

Our Response

The USD(I) comment is responsive. We request that USD(I) provide us with a copy of this policy by October 15, 2014.

B.1.b. We recommend that USD(I) direct the Defense intelligence agencies to review the procedures that their Offices of Security use to ensure that JPAS and SCATTERED CASTLES are being properly populated.

USD(I) Comments

USD(I) concurred with the recommendation, and will issue a memorandum directing the recommended review by April 15, 2014.

Our Response

The USD(I) comment is responsive. We request that USD(I) provide us with a copy of the memorandum by May 1, 2014.

B.1.c. We recommend that USD(I) direct the Defense intelligence agencies to ensure that the Subjects of Agency IG criminal investigations are titled and indexed in DCII in accordance with DoDI 5505.16.

USD(I) Comments

USD(I) concurred with the recommendation, stating that it would work with DoD IG "to determine the correct authorities for issuing such a requirement."

Our Response

The USD(I) comment is responsive. However, we believe that for the present time, DoDI 5505.16 provides adequate authority to support this recommendation. It may be appropriate in the future to meld the provisions of DoDI 5505.16 and DoDI 5505.07 into the overarching DCII policy that was discussed in Recommendation B.1.a.

B.1.d. We recommend that USD(I) conduct one of the following actions to ensure Subjects of past investigations are titled and indexed in DCII:

• Initiate action with OPM to require that OPM investigators conducting background investigations on current and former civilian employees, military assignees, and contract employees of the Defense intelligence agencies conduct name checks with the IGs of those agencies.
• Or, direct that the Directors of the Agencies ensure that the Subjects of past Agency IG criminal investigations are titled and indexed in DCII.

USD(I) Comments

USD(I) concurred with the recommendation, and will "explore both options by June 30, 2014, and identify the best way forward."

Our Response

The USD(I) comment is responsive. We request that USD(I) advise us of its determination by July 15, 2014.

B.2.a. We recommend that the Directors of DIA, NGA, NRO, and NSA, in the absence of an overarching DCII policy, evaluate titling and indexing in the DCII the Subjects of all non-criminal investigations conducted by all Agency investigative elements.

DIA Comments

DIA concurred with the recommendation, stating that DIA offices currently entered data into the DCII.

NGA Comments

NGA concurred with the recommendation.
NGA IG obtained full user access to DCII effective August 26, 2013, and will evaluate titling and indexing the Subjects of its non-criminal investigations in DCII. The NGA Office of Security currently had read-only access to DCII, but will request full user access no later than April 30, 2014, so that it can title and index its personnel security investigations and polygraph examinations.

NRO Comments

NRO non-concurred with the recommendation. NRO stated:

"The NRO has considered this recommendation and interprets 'non-criminal investigations' to pertain to personnel security investigations. Individuals determined eligible for and briefed into [SCI] access with a Condition, Deviation, or Waiver are reflected accordingly in Scattered Castles. It is our understanding and interpretation that the [DCII] is no longer used for this purpose, as the report indicates on page 3, second bullet, since personnel security investigative and adjudicative records were removed from the DCII."

NSA Comments

NSA non-concurred with the recommendation. NSA stated:

"We disagree with applying Recommendation B(2)(a) to the extent that it would apply to security investigations. The DoD-designed repository for investigations of security significance is [JPAS]. NSA already submits all such cases on DoD contractors to JPAS and to SCATTERED CASTLES (as the IC repository)."

Our Response

The DIA and NGA comments are responsive to our recommendation.

The NRO and NSA comments are not responsive. Their responses illustrate the confusion -- in the absence of an overarching DCII policy -- regarding which investigations by which investigative entities are to be titled and indexed in DCII. It is our understanding that Deputy Secretary Vance intended that all investigations conducted by all DoD investigative entities would be titled and indexed in DCII. Consequently "non-criminal investigations" might reasonably include administrative investigations that
the Agency IGs conducted, as well as complaint type personnel security, security violation, unauthorized disclosure, and counterintelligence investigations that the Agency counterintelligence and security elements conducted.

Indices on personnel security background investigations and adjudications were moved from DCII to JPAS with the creation of JPAS. Complaint type personnel security investigations seemingly appear in JPAS only to the extent that information from them is used to populate the incident report fields in JPAS. Because incident report fields in JPAS were not necessarily populated with relevant information from the Agency IG investigations that we examined in this assessment, we are concerned that the same situation is occurring with regard to complaint type personnel security, security violation, unauthorized disclosure, and counterintelligence investigations. Titling and indexing an investigation in DCII provides clear data which may be used by another federal entity to obtain a copy of the investigation from the originator. We request that the Directors, NRO and NSA respectively, reconsider our recommendation to ensure Subjects of investigations are titled and indexed in DCII, and provide additional comments in response to the final report.

B.2.b. We recommend that the Directors of DIA, NGA, NRO, and NSA direct their Offices of Security to develop formal procedures to ensure that reports of investigation into misconduct by contractor personnel are reported to DODCAF.

DIA Comments

DIA concurred with the recommendation, stating that it already had a process in place in which the DIA Office of Security and DIA IG notified DODCAF of derogatory information regarding contractor personnel.

NGA Comments

NGA concurred with the recommendation. The NGA Office of Security had adjudicative authority over its contractors and investigated and adjudicated all reports of misconduct by contractor personnel.
The Office of Security will enter reports of misconduct by contractor personnel into JPAS and develop formal procedures to ensure that reports of investigation are forwarded to DODCAF no later than June 30, 2014.

NRO Comments

NRO non-concurred with implementing this recommendation at NRO. NRO stated that:

"A process is already in place that ensures NRO Office of Security and Counterintelligence (OS&CI) reports denials and revocations on contractors with [DoD] equities directly to the [DODCAF]. All other cases involving derogatory information developed on contractors during personnel security processing are reported via Scattered Castles Daily Exception Reports, which are available to DOD. In addition, the NRO OIG reports cases involving misconduct of contractor personnel to OS&CI, and this information is reported via Scattered Castles Daily Exception Reports."

NSA Comments

NSA concurred with the recommendation, stating that prior to DODCAF's establishment investigations were reported to DISCO. Since then, any cases involving contractor misconduct with a national security clearance eligibility nexus have been reported to the DODCAF in accordance with internal operating procedures. NSA said it will continue to enforce its internal procedures that require the reporting of any derogatory information regarding DoD contractors to DODCAF.

Our Response

The DIA, NGA, and NSA responses are responsive to the recommendation. The NRO comments are partially responsive and require no further action.

The NRO response acknowledging that contractor information was being provided to DODCAF highlighted an issue with the DoD personnel security system. Even though JPAS is the Department's personnel security database, NRO uses SCATTERED CASTLES. Paragraph 5.a., DoDD 5105.23, "National Reconnaissance Office," June 28, 2011, designates NRO as a Defense Agency, yet it does not report to, or accept personnel security clearances from, JPAS.
This situation further supports Recommendation A.1. regarding the need for an overarching JPAS policy. An overarching policy will either direct NRO to report to JPAS or give it a clear exception to policy.

B.2.c. We recommend that the Directors of DIA, NGA, NRO, and NSA ensure that controls are in place to ensure that favorable personnel security adjudicative determinations made with conditions, deviations, or waivers are documented in the "Exception Information" block of the Subject's SCATTERED CASTLES file.

DIA Comments

DIA did not respond to the recommendation.

NGA Comments

NGA concurred with the recommendation, stating that all favorable personnel security determinations made with conditions, deviations, or waivers were being documented in the "Exception Information" block of the Subject's SCATTERED CASTLES file.

NRO Comments

NRO did not respond to the recommendation.

NSA Comments

NSA concurred with the recommendation, stating that NSA had provided information to SCATTERED CASTLES since approximately 2002. In accordance with ICD 704, "Personnel Security Standards and Procedures Governing Eligibility for Access to [SCI] and other Controlled Access Program Information," procedures were already in place to ensure that this information was entered into SCATTERED CASTLES.

Our Response

The NGA and NSA comments are responsive to the recommendation. However, as we stated earlier in this report, we could not determine from the data provided to us whether the CAFs either: a) judged that the substantiated misconduct that the Agency IGs identified was not of sufficient significance to warrant granting clearance/access with conditions, deviations, or waivers; or b) granted clearance/access with conditions, deviations, or waivers, but these exceptions were not documented by the CAFs in the Subjects' SCATTERED CASTLES files.
The NGA and NSA responses imply that the misconduct was not regarded as sufficient for clearance/access to be granted with conditions, deviations, or waivers. That operational decision, unless documented as a condition, deviation, or waiver, then becomes binding through the reciprocity process on all other elements of the IC.

Through an inadvertent editing error, we left this recommendation off the Recommendations Table in our coordination draft, which may account for the lack of response from DIA and NRO. We request that the Directors of DIA and NRO respond to the recommendation.

B.3. We recommend that the Inspectors General of DIA, NGA, NRO, and NSA work with the Offices of Security of those Agencies to ensure that IG reports of investigation into misconduct by contractor personnel are reported to DODCAF.

DIA Comments

DIA concurred with the recommendation, stating that DIA already had a process in which DIA IG notified DODCAF.

NGA Comments

NGA concurred with the recommendation, stating that the NGA IG provided reports of investigation into misconduct by NGA civilians and contractors to the Office of Security for information and re-adjudication. The Office of Security will work with NGA IG to ensure reports of investigation are forwarded to DODCAF, with the process to be in place no later than June 30, 2014.

NRO Comments

NRO concurred with the recommendation, stating that NRO IG had:

"...a transmittal memorandum template that accompanies all responses sent to the NRO Office of Security and Counterintelligence (OS&CI). This template contains language requesting OS&CI update all appropriate databases upon receipt of a report. The OIG and OS&CI have regularly scheduled meetings to address various issues and the OIG will use this forum to continue working closely with OS&CI and ensure that all OIG investigations are correctly reported."

NSA Comments

NSA disagreed with the recommendation as written, stating that:

"As written the proposed Recommendation language could impair the independence of the NSA IG. NSA suggests modifying Recommendation B(3) to clearly state the separate roles for those two organizations, and changing the report to delete the potentially ambiguous 'work with' language. Accordingly, we suggest that the Recommendation might state something such as:

"'We recommend that the Inspector General of NSA continue to provide IG reports of investigation into substantial misconduct by contractor personnel (or summaries of these reports) to the NSA Office of Security to enable the NSA Office of Security to report to DODCAF, as required.'

"However, effective immediately all NSA OIG reports of contractor misconduct received by the ADS&CI will now be disseminated to DODCAF. The ADS&CI is also implementing a protocol to ensure the OIG is notified when such reports are forwarded."

Our Response

The DIA, NGA, and NRO comments are responsive to the recommendation. NSA's interpretation achieves the objective of the recommendation and requires no further action.

B.4. We recommend that the Director, Defense Human Resources Activity, work with GSA to add EPLS/SAM to the set of databases being accessed by ACES.

Defense Human Resources Activity (DHRA) Comments

DHRA non-concurred with the recommendation, stating that it was "premature since analysis of this data is required to include value of data source in identifying issues impacting federal investigative standards, and determining if the use of that data source meets legal, privacy, and Paperwork Reduction Act requirements. Incorporating [EPLS/SAM] into ACES would also require business analysis, software development, interface development, testing and additional funding/resources to accomplish that work."

Our Response

DHRA's comments are not responsive to the recommendation.
We reiterate that contractors and contractor employees are listed in EPLS/SAM because they have been suspended or debarred for incompetence or misconduct on federal contracts. Misconduct on a federal contract should have a direct bearing on eligibility for personnel security clearance/access. Any future continuous monitoring system should incorporate data from EPLS/SAM. We request that the Director, DHRA, reconsider our recommendation to add EPLS/SAM to the set of databases being accessed by ACES, and comment in response to the final report. We also request that the Director, DHRA, provide this office with an action plan with milestones to achieve this objective.

Finding C

Avoidance of Personnel Security Adjudication and Due Process Issues

Agency security offices were avoiding the adjudication of Agency IG investigations after the discovery of employee misconduct and consequently avoiding the initiation of due process.

Background

EOs 10865, "Safeguarding Classified Information within Industry," and 12968, "Access to Classified Information," require that personnel, including contractor employees, whose security clearance was denied or revoked be given due process. EO 12968 further requires that personnel security actions shall cease upon termination of the applicant's need for access to classified information. Due process in contractor personnel security cases requires that an employee: a) be advised in writing of the government's intent to revoke or deny security clearance/access; b) be provided access to documentation supporting that conclusion; c) be afforded a reasonable opportunity to respond to the conclusion in writing, including representation by counsel; d) be afforded an opportunity to appear personally before an adjudicative authority; e) be advised in writing of the government's decision; and f) be afforded an opportunity to appeal an unfavorable decision to a high-level panel.
DoDD 5220.6 carries out the provisions of EO 12968 by stating: "Actions pursuant to this Directive [that is personnel security actions] shall cease upon termination of the applicant's need for access to classified information except in those cases in which:

• "A hearing has commenced.
• "A clearance decision has been issued; or
• "The applicant's security clearance was suspended and the applicant provided a written request that the case continue."

Failure to Implement Due Process Procedures

In many of the IG investigations we reviewed, we found failures to pursue personnel security clearance and due process procedures. As soon as employee misconduct was discovered, the contracting company either fired the employee, or the employee "resigned." Once this occurred, the employee no longer had a need for access to classified information and no further personnel security action was taken. This meant the case was not adjudicated for denial or revocation of security clearance/access, nor was it reported to JPAS except as a "loss of jurisdiction." In JPAS it appeared that the contractor employee was still eligible for a security clearance.

DIA Office of Security (SEC) staff described a process they used, which was a creative variation on this theme. Due to limited resources to conduct formal adjudications which would result in due process actions, when SEC received a DIA IG investigation appearing to warrant adverse action regarding contractor employees' security clearance/access, SEC terminated their physical access to DIA facilities by confiscating security badges and having DIA police escort them from the facility.
Because most contractor employees were hired to work on a specific project at a specific location, terminating physical access generally led the contracting company to fire its employee. SEC then posted an entry ("Z" Code) in JPAS, reporting a "loss of security jurisdiction." In the future, knowledgeable security professionals would understand that if they saw a "Z" code regarding a potential contractor employee, they should contact SEC to receive further information on that individual. No formal adjudicative determination by the DIA CAF existed regarding the contractor employee's clearance/access to classified material. Additionally, after three years, the contractor employee's paper file was destroyed. Therefore, during a future background investigation, OPM potentially would never discover the IG report of investigation unless the OPM background investigation scope sheet contained a requirement that the investigator consult with the Agency IG. OPM staff told us that OPM investigators only conducted file checks with the Agency IGs when an IG investigation was titled and indexed in DCII, or when the investigation developed a lead indicating that the IG might have an investigative record.

Another technique that Offices of Security used was "withdrawing of eligibility for security clearance/access." Because a security clearance was not denied or revoked, no requirement existed for due process, even though the functional result -- i.e., the Subject no longer had access to classified material and could no longer hold a job requiring such access -- was the same.
Under these circumstances, a possibility existed of one of two events occurring:

• Contractor employees would go into a "security limbo" in which they would not receive due process; their misconduct would not be adjudicated; their security clearance would not be revoked or denied; and they would not be granted access to classified information or facilities.
• Or, contractor employees would be granted security clearances/access in another location at a later time.

Conclusions

The requirements of EOs 10865 and 12968 for due process in the revocation or denial of contractor employees' security clearances/access have led to an avoidance of personnel security adjudications. On the part of government agencies, this results from an effort to avoid time and resource intensive due process procedures. On the part of contracting companies, it may result from an understanding that a preemptive "termination" or "resignation" could reduce the potential for suspension or debarment, and might also preserve the contractor employee's security clearance/access eligibility for possible future use.

Recommendation, Management Comment, and Our Response

C. We recommend that USD(I) initiate the process to revise EO 12968 by requiring that in substantiated misconduct cases personnel security clearance adjudicative actions continue, even if the contractor employee has been terminated and/or no longer has access to classified information.
If the misconduct is sufficient to warrant denial or revocation of security clearance/access, then that action should be formally accomplished.

USD(I) Comments

USD(I) concurred with the recommendation, and offered to submit our recommendation to the Director of National Intelligence, who is responsible for coordinating national personnel security policy with the Executive Office of the President.

Additional DIA Comments

Although DIA was not required to comment, it disagreed with the recommendation, stating that:

"Recommending that actions continue in the case of a contractor that no longer requires an eligibility determination to be rendered is counter to and inconsistent with being good stewards of the taxpayer money and the Office of the Director of National Intelligence policy that only those that require access are granted eligibility. An appropriate notation entered into [JPAS] and Scattered Castles would be sufficient to provide information to a future adjudicative authority."

Our Response

USD(I)'s proposed course of action is responsive to the recommendation. With regard to DIA's comment, we note that of the 94 IG investigative Subjects listed in JPAS, only 35 percent of the Subjects had relevant information contained in the incident report blocks of their JPAS files.

Finding D
Lack of Personnel Security Information Sharing

IC and DoD personnel security policies broadly require the reporting of unfavorable personnel security information. We noted a lack of external information sharing regarding security clearance investigations and adjudications. This condition occurred because of the lack of policy, recordkeeping, and proper security adjudication/due process.
As a result, contractor employees with previous, adverse/questionable, and closed intelligence agency IG investigations were being inappropriately granted security clearance/access with other IC elements.

Internal Personnel Security Information Sharing

If a particular Agency IG conducted an investigation and presumably completed a report of investigation, it seemed reasonable to assume that the CAF of that same Agency would in the future have been able to access that report of investigation and make a fully informed adjudicative judgment. From the Agency IG investigations we reviewed, we noted only three instances where this situation did not occur.

In two NSA cases, the NSA IG told us it had sent a copy of its reports of investigation to the NSA Office of Security; however, the NSA Office of Security said it did not receive the reports and had consequently taken no adjudicative action. In one DIA case, DIA CAF told us that the security files of the two Subjects did not contain the DIA IG report of investigation and that no security action was taken regarding those Subjects.

Lack of External Personnel Security Information Sharing

We found that contractor employees were retaining security clearance/access -- or were being granted security clearances/access by another CAF at a later time. Of the cases we reviewed, 45 percent (57 out of 128) of the Subjects continued to hold or were regranted security clearance/access after Agency IG investigations were closed.

After reviewing this data, we conducted data calls to several CAFs to see if any of the CAFs had made a favorable security/access adjudicative determination on a Subject who had been investigated by another Agency's IG.
We sought to determine if information had flowed from one agency to another, which would give that agency the ability to make a fully-informed adjudicative determination.

We noted one case in which an external agency CAF was aware of a Defense intelligence agency IG investigation at the time that CAF adjudicated the Subject for security clearance/access. In 2006, one Subject was debriefed by the NRO Office of Security, and was titled and indexed in DCII by DCIS in 2007. SCATTERED CASTLES indicated that the Subject was then briefed for a "Q" clearance by the Department of Energy (DoE) from 2011-2012. DoE told us it was aware of the NRO IG report of investigation at the time it made its favorable adjudicative decision.

In all the remaining cases covered by our data calls, the CAFs of other IC elements were unaware of the earlier Defense intelligence agency IG investigations. Summaries of some of these cases follow:

DCIS and DIA IG had investigated a Subject. Later, the Department of Homeland Security (DHS) -- unaware of the earlier DCIS/DIA IG investigation -- granted the Subject SCI access under reciprocity, based on DIA's adjudication. Then, in 2012, DHS debriefed the Subject from SCI.

SCATTERED CASTLES indicated the Subjects of two NRO IG investigations were later briefed for SCI by DIA. DIA CAF told us that:

• It had no adjudicative record of the Subject of one NRO IG case.
• It could not locate its paper adjudicative file on the Subject of the second NRO IG case, and its electronic index did not indicate whether the case was adjudicated with knowledge of the NRO IG investigation.

Eight Subjects of three NSA IG cases, four NRO IG cases, and one DIA IG case, were later briefed for SCI by the Central Intelligence Agency (CIA). Regarding those Subjects, the CIA told us that:

"CIA Clearance Division reviewed the security records of the eight individuals highlighted in the DOD IG request.
All eight individuals were originally briefed (crossed over) by CIA based on adjudicative guidelines for reciprocity of another agency's positive adjudicative decision. Depending on when the approval was made (processing varied based on the tools available at the time of the review) CIA reviewed JPAS, DCII, and/or Scattered Castles prior to making a determination, based on standard guidelines. On four of the eight individuals, our records indicate that CIA received adverse information subsequent to the crossover decision. As a result two were denied access, one is undergoing a reinvestigation, and the other requires an event driven action. CIA was unaware of the IG investigations of the other four individuals until the DOD IG request. Of those four, three remain in access at this time. As a result of the supplied information, CIA will be reviewing their records and initiating personnel security processing as appropriate."

As stated earlier in this report, we provided our list of 128 investigative Subjects to DODCAF and asked it to review its files to determine if its predecessor CAFs had received copies of the related investigative reports that the Agency IGs prepared. DODCAF answered that it could only positively determine whether or not it had received an Agency IG report on 20 percent of the Subjects (26 of 128); for those Subjects, it had only received five reports -- all of them on NRO IG investigative Subjects.

Results of Lack of Personnel Security Information Sharing

The misconduct documented in the IG investigations we reviewed did not result in suspension or debarment, or generally in prosecution; furthermore, for 45 percent of the Subjects (57 of 128) it did not result in permanent denial or revocation of security
clearance/access to classified material.

• OPM has not routinely cross-checked the names of Defense intelligence agencies' current/former employees, military assignees, and contractor employees with the IGs of those agencies.
• Withdrawing either a) physical access to facilities; or b) eligibility for access to classified materials in lieu of formal denial or revocation of security clearance/SCI access appears to be a deliberate effort to avoid personnel security adjudication and the due process requirements for contractor employees contained in EOs 10865 and 12968, and DoDD 5220.6.

Personnel Who Held Security Clearance/Access Following Closure of an IG Investigation*

IG Office Conducting Investigation | Number of Cases** | Number of Individual Subjects | Number of Subjects Who Held Clearance/Access Following Closure of an IG Investigation***
DIA   | 20  | 21  | 15
NGA   | 3   | 3   | 0
NRO   | 80  | 76  | 25
NSA   | 28  | 28  | 17
TOTAL | 131 | 128 | 57

* Based on data from JPAS and SCATTERED CASTLES.
** Of the 131 cases, two were duplicate reports and 12 involved exclusively corporate Subjects with no individual Subjects identified.
*** Some of the Subjects held or retained clearance/access that multiple agencies granted following the conclusion of the IG investigation in which they were titled.

Conclusion

We found throughout this assessment that the appropriate DoD and IC databases were not being populated with information on the Subjects of substantiated Defense intelligence agency IG investigations. This affected the ability of CAFs across the IC to conduct fully informed personnel security clearance/access adjudications. The population of investigative and personnel security databases with accurate and complete information is absolutely critical in preventing unsuitable individuals from obtaining sequential personnel security clearance/access.

Recommendation D

We believe that our earlier recommendations (i.e., Recommendations A, B, and C) will enable effective internal and external information sharing.
Finding E
Lack of Connectivity Between DCII and JPAS

No vehicle exists for entries in DCII to automatically flag JPAS. As a result, if a personnel security adjudicator with authorized access queries JPAS regarding a specific Subject, no mechanism exists in JPAS to tell the adjudicator that DCII also contains an entry.

Background

In June 2010, the Deputy Secretary of Defense directed that operational responsibility for JPAS and DCII be transferred from DSS to DMDC.

There was extremely limited connectivity between JPAS and DCII. DMDC staff told us no vehicle currently existed for entries in DCII to automatically flag JPAS. Therefore, if a personnel security adjudicator with authorized access queried JPAS regarding a specific Subject, no mechanism existed in JPAS to tell the adjudicator that DCII also contained an entry. To determine if a Subject had a DCII entry, the adjudicator would have to use a second password and authenticator to transfer from JPAS to DCII.

Thus, although DCII's purpose is to ensure that investigative information on Subjects titled and indexed in DCII can be retrieved at a later time, DCII does not have an interface with JPAS to alert security adjudicative personnel.

Conclusion

The current lack of connectivity between DCII and JPAS does not facilitate the identification of investigative information titled and indexed in DCII by authorized personnel security adjudicative staff.

Recommendation, Management Comments, and Our Response

E. We recommend that the Director, Defense Human Resources Activity, develop software to automatically flag the Case Adjudication Tracking System (CATS) of the Defense Information System for Security (DISS) family of systems that a DCII file exists on a specific Subject.

Defense Human Resources Activity (DHRA) Comments

In our coordination draft we recommended that DHRA develop software to automatically flag the personnel security adjudicative portion of JPAS that a DCII file existed on a specific Subject.
DHRA concurred with that recommendation, but provided the following clarification: that software should be developed to "automatically flag the personnel security adjudicative portion of the Case Adjudication Tracking System (CATS) that a [DCII] file exists on a specific subject. CATS, and not [JPAS], is now the primary personnel security system that the [DODCAF] uses for adjudication purposes. CATS is one component of the Defense Information System for Security (DISS) family of systems."

Our Response

DHRA's comments are responsive. Because JPAS is becoming a legacy system as the Department moves toward DISS, we concur with DHRA's exception to our draft recommendation and accordingly changed the recommendation.

Other Observation

Observation A
Similar Issues with DoD Civilian and Military Personnel

This study was conducted specifically with regard to a sample of unclassified investigative summaries involving contractor employees. We note that the case summaries contained in the Classified Annexes to the [DoD IG's] Semi-Annual Report to Congress involving contractor employees were significantly outnumbered by those on civilian and military Subjects assigned to the Defense intelligence agencies. We believe further evaluation is needed regarding security clearance/access processing for the Defense intelligence agencies' civilian employees and military personnel. We will review this matter and work with the Agency IGs to determine appropriate scope and at what level the review should take place.

Appendix A
Background

On September 5, 2012, this office published the memorandum report, The Four Defense Intelligence Agencies Have Had No Effective Procedures for Suspension and Debarment. That report's objective was to determine if the four Defense intelligence agencies -- DIA, NGA, NRO, and NSA -- had carried out basic and effective suspension and debarment procedures.
We found that none of the Agencies had ever debarred a contractor, consultant, or contractor employee. We also found that only one of the Agencies -- NSA -- had ever suspended a contractor, consultant, or contractor employee: NSA suspended three individuals in 2011 following their felony convictions in federal court.

During our research for that project, we found that procurement and counsel staff assumed that Subject contractor employees involved in misconduct would lose their security clearance and access. We examined this theory using the same 131 cases that we had used in the suspension and debarment study. Furthermore, the contention ignored the fact that -- absent suspension or debarment -- individuals involved in misconduct that the Agency IGs investigated could work on unclassified government contracts even if they had lost their security clearance and SCI access.

Prior to October 1, 2010, DoD IG published the Classified Annex to the [DoD IG's] Semi-Annual Report to Congress. The Annex was largely a compendium of significant audit and investigative case summaries that the Agency IGs provided. With their increased statutory authorities as IGs of Designated Federal Entities under the Inspector General Act of 1978, as amended, the IGs began publishing their own semi-annual reports to Congress, circa April 2011. As part of our research for the suspension and debarment study, we reviewed Annexes covering the period from October 1, 2000, through September 30, 2010. The case summaries indicated that the IGs had achieved some success in identifying and investigating misconduct by individual contractor employees, and that their efforts had generally improved over time. From Annexes covering that 10-year period, we selected 131 unclassified investigative case summaries involving contractors in the Defense intelligence community. Our selection of cases represented a judgmental sample at several levels.
First, in determining which cases to report to us, the IGs had made their own judgments regarding which cases were "significant." Secondly, we selected only unclassified case summaries from the Annexes in a deliberate effort to make The Four Defense Intelligence Agencies Have Had No Effective Procedures for Suspension and Debarment available for the widest possible dissemination.

Sixty-eight percent of these cases (89 out of 131) involved time-and-attendance fraud by individual contractor employees or groups of contractor employees. In the 86 cases involving individual employees, the loss per employee ranged from $433.00 to $265,698.00. The median loss was $32,443.88, and the average loss was $41,788.96. In the 89 time-and-attendance cases, the aggregate loss was $4,336,140.40. In most instances, these losses were fully recouped from the contractors' employers. Therefore, a widespread belief existed among the personnel security staff and at the Department of Justice that recouping the losses made the government "whole" again, thereby reducing the need for further action.

We expected virtually all of the Subjects to be referred to the appropriate CAF for security clearance/SCI access adjudication. However, our current review proved that this did not necessarily occur. The DoD personnel security program's purpose is to ensure that granting federal employees, military personnel, contractor employees, and other affiliated persons access to classified information is clearly consistent with U.S. national security. In considering the continuum of misconduct documented in the IG investigations, a point is reached when the ability of the contract employee to responsibly hold a security clearance and have SCI access must be questioned.
Appendix B
Scope and Methodology

This evaluation was conducted from September 2012 to January 2014, in accordance with Quality Standards for Inspection and Evaluation that the Council of the Inspectors General on Integrity and Efficiency issued. Those standards require that we plan and perform the evaluation to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our evaluation objectives. To accomplish our objectives we:

• Reviewed applicable EOs, and DNI and DoD personnel security policy.
• Sent data calls to the four Defense intelligence agency IGs asking them to provide biographic information -- name, employer, employer Commercial And Government Entity (CAGE) code, date and place of birth, and social security number -- for the individuals they had identified as Subjects of their 131 investigations. We also asked for the security clearance and access level of these Subjects at the time of the IG investigations, and whether the IG had referred a copy of their report of investigation to their Agency CAF or any other CAF. In response to this data call, the Agency IGs identified 128 individual Subjects.
All subsequent data calls depended upon the accuracy of the responses to this data call.
• Received the data provided by the Agency IGs and sent data calls to the DIA, NGA, NRO, and NSA CAFs, and to DODCAF requesting that they determine if they had received copies of the IG reports of investigation, if they had conducted security clearance/access adjudications as a result of the reports, and the results of those adjudications.
• Discovered that some contractor employees held security clearance and access with subsequent agencies following the closure of the first agency's IG investigation, therefore we sent limited additional data calls to determine if the subsequent agency's CAF was aware of the first agency's IG investigation.
• Interviewed personnel from DIA, NGA, NRO, NSA, DODCAF, DMDC, and OPM regarding procedures at their organizations, and requested they provide supporting agency documentation.
• Conducted checks in DCII and SCATTERED CASTLES on the Subjects identified by the Agencies' IGs. The SCATTERED CASTLES database is the IC's authoritative personnel security repository for verifying personnel security access approvals regarding SCI and other controlled access programs. By using SCATTERED CASTLES rather than JPAS, we were able to determine if the individual Subjects of the IG investigations had subsequently held security clearance/access not only with DoD entities, but within the IC outside of DoD.
• Noted some anomalies in our data, and ultimately requested that DMDC provide information from the Subjects' files in JPAS.
• Culled data from a variety of sources and databases. During our effort, we noted data anomalies which we were unable to fully resolve.
This report represents our best effort to coherently integrate the information provided to us.

Limitations

We did not evaluate the personnel security adjudicative decisions that the CAFs made. It is within the scope of authority of the Directors of the Defense intelligence agencies and DODCAF to grant security clearance/access within adjudicative guidelines to those they believe appropriate in achieving the Agencies' and DoD's operational missions. We also note that operational needs, the passage of time, and other mitigating factors may override adverse personnel security adjudicative decisions.

Appendix C
Office of the Under Secretary of Defense for Intelligence Response to Our Draft Report

OFFICE OF THE UNDER SECRETARY OF DEFENSE
5000 DEFENSE PENTAGON
WASHINGTON, DC 20301-5000
FEB 19 2014
INTELLIGENCE

MEMORANDUM FOR DEPARTMENT OF DEFENSE INSPECTOR GENERAL

SUBJECT: Response to DoD IG Draft Report, "An Assessment of Contractor Personnel Security Clearance Processes in the Four Defense Intelligence Agencies" (Project No. D2013-DINTOI-0009.000), January 28, 2014

In response to the January 28, 2014 request for comments on an update to OIG Report D2006-077, we provide the following responses pertaining to DoD IG recommendations for the Office of the Under Secretary of Defense for Intelligence (USD(I)).

• Recommendation A.1: Develop and issue an overarching policy governing Joint Personnel Adjudication System (JPAS) operation.

USD(I) Response: USD(I) concurs with this recommendation. Given the challenges inherent to the government policy issuance process, we have issued JPAS policy via memoranda over the past several years and agree that a consolidated overarching policy is needed.
DoDM 5200.02 Volume 1, "DoD Personnel Security Program (PSP): Investigations for National Security Positions and Duties" and DoDM 5200.02 Volume 2, "DoD Personnel Security Program (PSP): Adjudications, Due Process, Continuous Evaluation and Security Education," as described below, each provide overarching policy governing operation of JPAS and its successor system (the Joint Verification System), to include requirements for recording issues of security concern and adjudications that are based on exceptions due to presence of adverse information. Since Volume 2 is still in the formal comment period, we have an immediate opportunity to ensure that we incorporate the IG's recommendations and address the need for JPAS functionality as discussed in the IG report.

• Recommendation A.2: Coordinate with Office of Management and Budget (OMB) to finalize updates to -- or replacements for -- the following Departmental policies:

USD(I) Response: USD(I) concurs with the recommendation to finalize updates or replacements for the policies. We do suggest nuancing the recommendation to reflect the diversity of roles and responsibilities that pertain to the policies that are of concern to the DoD IG. To assist in appropriate revisions, we provide more detail about the ownership and status of the policies listed in Recommendation A.

a. DoD Directive (DoDD) 5220.6, "Defense Industrial Personnel Security Clearance Review Program," April 4, 1999

Status: DoDD 5220.6 does not fall under the authorities of the USD(I). It is issued by the DoD General Counsel (DoD GC). The DoD IG should correct the findings to assign responsibility for this recommendation to the DoD GC.

b. DoD 5200.2-R, "Personnel Security Program," February 23, 1996
Status: The DoD 5200.2-R is being replaced by DoDM 5200.02 Volume 1, "DoD Personnel Security Program (PSP): Investigations for National Security Positions and Duties" and DoDM 5200.02 Volume 2, "DoD Personnel Security Program (PSP): Adjudications, Due Process, Continuous Evaluation and Security Education."

Volume 1 has been in the Office of the General Counsel, Intelligence (OGC(I)) since July 29, 2013 for legal sufficiency review. Following the OGC(I) review, OUSD(I) will expedite making any required changes before moving the policy to DoD OGC for approval. Thereafter, USD(I) is required to coordinate with the Washington Headquarters Service (WHS) Federal Register Liaison Office (FRLO) which coordinates with OMB to meet OMB's requirements for publishing the policy as a federal rule.

The formal coordination of Volume 2 closed January 17, 2014. USD(I)'s goal is to complete adjudication of comments by March 7, 2014. Thereafter, the policy issuance process will proceed according to steps established by WHS as published at http://www.dtic.mil/whs/directives/corres/writing!DOD_process_home.html and according to timelines established by the Director of Administration and Management in DoD Instruction 5025.01, "DoD Directives Program." Once through the DoD policy issuance process, USD(I) is again required to coordinate with the WHS FRLO to navigate the proposed policy through OMB's rule making process.

c. DoD 5220.22-R, "Industrial Security Regulation," December 1985.

Status: The DoD 5220.22-R will be replaced by DoD 5220.22M Volume 2, "National Industrial Security Program: Industrial Security Procedures for Government Activities." The DoD will work with WHS who coordinates with OMB to publish the policy through OMB's Federal Register process. The DoD is currently working with OMB to format the volume and to complete information collections according to OMB requirements (e.g., approval of a revised DD Form 254, "Contract Security Classification Specification.").

d. DoD 5220.22-M, "National Industrial Security Program: Operating Manual," February 28, 2006

Status: The DoD 5220.22-M was updated and posted to the Washington Headquarters Service Website for DoD Issuances on March 28, 2013.

e. DoD 5220.22-M-Sup 1, "National Industrial Security Program: Operating Manual Supplement," February 1995.

Status: DoD 5220.22-M-Sup 1 will be canceled when the next conforming change to DoD 5220.22-M is approved. The policy is currently being processed through the formal DoD policy issuance process. Our goal is to issue the conforming change by January 1, 2015.

• Recommendation B.1.a: Prepare an overarching policy governing the operation of DCII, including identification of the categories of investigations to be titled and indexed, and the retention criteria for investigations so titled and indexed.

USD(I) response: Concur. We will convene a working group to develop, as appropriate, overarching policy governing the operation of the DCII by September 30, 2014.

• Recommendation B.1.b: Direct the Defense Intelligence Agencies to review the procedures that their Offices of Security use to ensure that JPAS and Scattered Castles are being properly populated.

USD(I) response: Concur. USD(I) will issue a memorandum directing the recommended review by April 15, 2014.

• Recommendation B.1.c: Direct the Defense Intelligence Agencies to ensure that the Subjects of Agency IG criminal investigations are titled and indexed in DCII in accordance with DoDI 5505.16.

USD(I) response: We concur with the recommendation to ensure that the subjects of IG criminal investigations are titled and indexed in the DCII.
We will work with the DoD IG to determine the correct authorities for issuing such a requirement.

• Recommendation B.1.d: Ensure that subjects of past investigations are titled and indexed in the DCII either by requiring OPM to conduct checks of Defense Intelligence Agencies' IG records or directing the Directors of the DoD Intelligence Agencies to ensure that subjects of past IG criminal investigations are titled and indexed in the DCII.

USD(I) response: We concur with the recommendation to ensure that past investigations are accessible in background investigations for determining eligibility for access to classified information. USD(I) will explore both options by June 30, 2014 and identify the best way forward.

• Recommendation C: Initiate the process to revise EO 12968 by requiring that in substantiated misconduct cases, personnel security clearance adjudicative actions continue, even if the contractor employee has been terminated and/or no longer has access to classified information.

USD(I) response: Concur. To initiate the process, we will submit the IG's recommendation to the Security Executive Agent (i.e., the Director of National Intelligence pursuant to EO 13467) who, in turn, is responsible for coordination of national personnel security policy with the Office of Management and Budget's Executive Office of the President.

My point of contact is [illegible].

[signature illegible]
(Intelligence & Security)
DODIG-2014-0601 39AppendixD=-=====Defense Intelligence Agency Response to Our DraftReportDEFeNSE INTELLIGENCE AGENCYFebruary 18, 2014U-14-85,023/SECDefense Intelligence Agency Comments on the Draft Report for Review: An Assessment ofContractor Personnel Security Clearance Processes in the Four Defense IntelligenceAgenciesThis paper responds to a request to review and comment on the above referenced draft reportfrom the Department of Defense (DoD) Inspector General (/G).Findings and recommendations provided by the DoD IG illustrate the inconsistency of theinformation provided and available to the adjudicative offices in the Intelligence Community.When information regarding a contractor is missing from any one or all of the availabledatabases, it is possible for subjects to move from one contract vendor to another or from oneagency to another without completing the security processing in the previous assignment.Response to Recommendations Specific to Defense Intelligence Agency (DIA)•Recommendation B.2.a. DIA agrees with this recommendation. DIA offices currently enterdata into the Defense Central Index of Investigations.•Recommendation B.2.b. DIA agrees with this recommendation. DIA already has a processin place by which the DIA Office of Security and DIA IG notifies the Department of DefenseConsolidate Adjudication Facility (DoDCAF) of derogatory information regarding contractorpersonnel.•Recommendation B.3. DIA agrees with this recommendation. DIA already has a process bywhich DIA IG notifies the DoDCAF.(U) Responses to Recommendations Other Than DIA Specific Recommendations•Recommendation C. DIA disagrees with this recommendation. Recommending that actionscontinue in the case of a contractor that no longer requires an eligibility determination to berendered is counter to and inconsistent with being good stewards of the taxpayer money andthe Office of the Director of National Intelligence policy that only those that require accessare granted eligibility. 
An appropriate notation entered into Joint Personnel Adjudication System and Scattered Castles would be sufficient to provide information to a future adjudicative authority.

cc: Defense Intelligence Agency, Director
Defense Intelligence Agency, Inspector General
Defense Intelligence Agency, Office of Security

Committed to Excellence In Defense of the Nation

Prepared by: , Directorate Security Division, Staff Director, Services, Office of Security, Personnel

Stephen R. Norton
Director of Security

Appendix E
National Geospatial-Intelligence Agency Response to Our Draft Report

UNCLASSIFIED//
NATIONAL GEOSPATIAL-INTELLIGENCE AGENCY

MEMORANDUM FOR INSPECTOR GENERAL, DEPARTMENT OF DEFENSE
DEPUTY INSPECTOR GENERAL FOR INTELLIGENCE AND SPECIAL PROGRAM ASSESSMENTS, DEPARTMENT OF DEFENSE

SUBJECT: (U) National Geospatial-Intelligence Agency Response to Project No. D2013-DINT01-0009.000

REFERENCE: (U) "An Assessment of Contractor Personnel Security Clearance Processes in the Four Defense Intelligence Agencies" (Project No. D2013-DINT01-0009.000), 28 January 2014

[Body text and signature block of the NGA memorandum are illegible in the source.]

Appendix F
National Reconnaissance Agency Response to Our Draft Report

UNCLASSIFIED
NATIONAL RECONNAISSANCE OFFICE
14675 Lee Road
Chantilly, VA 20151-1715
Office of the Director
21 February 2014

MEMORANDUM FOR INSPECTOR GENERAL, DEPARTMENT OF DEFENSE

SUBJECT: National Reconnaissance Office Response to Department of Defense, Inspector General Draft Report

REFERENCE: Inspector General, Department of Defense Memorandum and Draft Report, An Assessment of Contractor Personnel Security Clearance Processes in the Four Defense Intelligence Agencies (Project No.
D2013-DINT010009.000), 28 Jan 14

Thank you for your work on the above referenced subject and the opportunity to comment on the recommendations identified for the National Reconnaissance Office (NRO). The draft report recommendations table on page iv indicates that responses are required from the Director, NRO for Recommendations B.2.a and B.2.b, and the Office of Inspector General (OIG) for Recommendation B.3.

The NRO's consolidated response and comments on the Recommendations are as follows:

a. Recommendation B.2.a. In the absence of an overarching DCII policy, evaluate titling and indexing in the DCII the Subjects of all non-criminal investigations conducted by all Agency investigative elements.

The NRO disagrees with implementing Recommendation B.2.a at the NRO. The NRO has considered this recommendation and interprets "non-criminal investigations" to pertain to personnel security investigations. Individuals determined eligible for and briefed into Sensitive Compartmented Information (SCI) access with a Condition, Deviation, or Waiver are reflected accordingly in Scattered Castles. It is our understanding and interpretation that the Defense Central Index of Investigations (DCII) is no longer used for this purpose, as the report indicates on page 3, second bullet, since personnel security investigative and adjudicative records were removed from the DCII.

b. Recommendation B.2.b. Direct their Offices of Security to develop formal procedures to ensure that reports of investigation into misconduct by contractor personnel are reported to the DODCAF.

The NRO disagrees with implementing Recommendation B.2.b at the NRO. A process is already in place that ensures NRO Office of Security and Counterintelligence (OS&CI) reports denials and revocations on contractors with Department of Defense (DOD) equities directly to the Department of Defense Central Adjudication Facility (DODCAF). All other cases involving derogatory information developed on contractors during personnel security processing are reported via Scattered Castles Daily Exception Reports, which are available to DOD. In addition, the NRO OIG reports cases involving misconduct of contractor personnel to OS&CI, and this information is reported via Scattered Castles Daily Exception Reports.

c. Recommendation B.3. We recommend that the Inspectors General of DIA, NGA, NRO and NSA work with the Offices of Security of those Agencies to ensure that the IG reports of investigation into misconduct by contractor personnel are reported to DODCAF.

The NRO Inspector General agrees with including Recommendation B.3 for the NRO. The NRO OIG has a transmittal memorandum template that accompanies all responses sent to the NRO OS&CI. This template contains language requesting OS&CI update all appropriate databases upon receipt of a report. The OIG and OS&CI have regularly scheduled meetings to address various issues and the OIG will use this forum to continue working closely with OS&CI and ensure that all OIG investigations are correctly reported.

Questions concerning this response may be directed to my OS&CI point of contact, [redacted], Personnel Security Division, at [redacted].

Betty J. Sapp

Attachment:
(U) SD Form 818, Jul 10

COMMENTS MATRIX FOR DoD ISSUANCES: Contractor Personnel Security Clearance Evaluation

Coordinator Comment: The Office of Inspector General (OIG) has a point of clarification in the report. The OIG believes that one of our investigators may have misspoken when interviewed. The OIG has never had access to the Defense Criminal Index of Investigations (DCII) database. The OIG has always reli [remainder illegible in source]

Appendix G
National Security Agency Response to Our Draft Report

UNCLASSIFIED
NATIONAL SECURITY AGENCY
FORT GEORGE G. MEADE, MARYLAND 20755-6000
25 February 2014

MEMORANDUM FOR DEPUTY ASSISTANT INSPECTOR GENERAL FOR INTELLIGENCE EVALUATIONS

SUBJECT: An Assessment of Contractor Personnel Security Clearance Process in the Four Defense Intelligence Agencies (Project No. D2013-DINT01-0009.000) - ACTION MEMORANDUM

(U) Per your 28 January 2014 request for comments from the Director of NSA concerning the Recommendations set forth in your draft Assessment of Contractor Personnel Security Clearance Processes in the four Defense Intelligence agencies (hereafter, Report), we address two general points, as well as the specific subsections within Finding B, Lack of Effective Recordkeeping, as they apply to NSA.

(U) The first general point concerns page five, Finding B, Lack of Effective Recordkeeping. The basis upon which you find that the NSA Office of the Inspector General (OIG) lacked effective recordkeeping is unclear.
The OIG provided all of the DoD IG-requested documents, and to our knowledge, the OIG was neither interviewed nor otherwise requested to provide information regarding recordkeeping practices. To the extent that the finding stems from evidence that the investigative and personnel databases, particularly the Defense Central Index of Investigation (DCII), were not reliably populated, the OIG believes that this problem may stem from a lack of overarching policy governing DCII operations.

(U) The second general point is that the statement on page II of the Report that "[d]ue to constrained funding, the NSA and NRO Offices of Security indicated that they have suspended the conduct of periodic reinvestigations for contractor employees ..." does not accurately reflect the situation. In fact, the NSA does not fund its own periodic reinvestigations for contractors; NSA funding was not an issue.¹ To be clear, NSA did not suspend the conduct of periodic reinvestigations for its contractor population. While not speaking on behalf of other agencies, NSA understands that the DSS (Defense Security Service) and NRO (National Reconnaissance Office) had suspended conduct of contractor periodic reinvestigations for a certain period under funding constraints.

(U) Otherwise, Recommendations B(2)(a-c) and B(3) in your Report make specific recommendations concerning NSA. Accordingly, we address each of these Recommendations sequentially:

• (U) B(2)(a). Recommendation that the Director of NSA "[i]n the absence of an overarching DCII policy, evaluate titling and indexing in the DCII the Subjects of all non-criminal investigations conducted by all Agency investigative elements."

¹ (U) At NSA, the DoD funds contractor (also known as industrial) periodic reinvestigations (PRs).

Disagree. We disagree with applying Recommendation B(2)(a) to the extent that it would apply to security investigations.
The DoD-designated repository for investigations of security significance is the Joint Personnel Adjudication System (JPAS). NSA already submits all such cases on DoD contractors to JPAS and to SCATTERED CASTLES (as the IC repository).

• (U) B(2)(b). Recommendation that the Director of NSA "[d]irect [its Office] of Security to develop formal procedures to ensure that reports of investigation into misconduct by contractor personnel are reported to DODCAF" (the DoD Consolidated Adjudication Facility).

[illegible]. Prior to the establishment of the DODCAF in fiscal year 2013, investigations were reported to the Defense Industrial Security Clearance Office. Since then, any case involving contractor misconduct with a national security clearance eligibility nexus has been reported to the DODCAF in accordance with internal standard operating procedures. We will continue to enforce our internal procedures that require the reporting of any derogatory information regarding DoD contractors to the DODCAF.

• (U) B(2)(c). Recommendation that the Director of NSA "[e]nsure that controls are in place to ensure that favorable personnel security adjudicative determinations made with conditions, deviations, or waivers are documented in the 'Exception Information' block of the Subject's SCATTERED CASTLES file."

[illegible]. NSA has provided information to SCATTERED CASTLES since circa 2002. In accordance with ICD 704 (Personnel Security Standards and Procedures Governing Eligibility for Access to Sensitive Compartmented Information and Other Controlled Access Program Information), procedures are already in place to ensure that this information is entered into SCATTERED CASTLES.

• (U) B(3). Recommendation that the NSA IG "work with the Offices of Security of [NSA] to ensure that IG reports of investigation into misconduct by contractor personnel are reported to DODCAF."

Disagree. As written, the proposed Recommendation language could impair the independence of the NSA OIG.
NSA suggests modifying Recommendation B(3) to clearly state the separate roles for those two organizations, and changing the report to delete the potentially ambiguous "work with" language. Accordingly, we suggest that the Recommendation might state something such as:

"We recommend that the Inspector General of NSA continue to provide IG reports of investigation into substantiated misconduct by contractor personnel (or summaries of these reports) to the NSA Office of Security to enable the NSA Office of Security to report to DODCAF, as required."

However, effective immediately all NSA OIG reports of contractor misconduct received by the ADS&CI will now be disseminated to DODCAF. The ADS&CI is also implementing a protocol to ensure that OIG is notified when such reports are forwarded to DODCAF.

(U) We appreciate the opportunity to comment on your Report and investigation.

ELIZABETH R. BROOKS
Chief of Staff

Appendix H
Defense Human Resources Activity Response to Our Draft Report

DEPARTMENT OF DEFENSE
DEFENSE HUMAN RESOURCES ACTIVITY
DEFENSE MANPOWER DATA CENTER
4800 MARK CENTER DRIVE, SUITE 04E25-01
ALEXANDRIA, VA 22350-6000

MEMORANDUM FOR DEPARTMENT OF DEFENSE INSPECTOR GENERAL

SUBJECT: An Assessment of Contractor Personnel Security Clearance Processes in the Four Defense Intelligence Agencies (Project No. D2013-DINT01-0009.000)

Thank you for the opportunity to provide comments to the recommendations in the draft report, An Assessment of Contractor Personnel Security Clearance Processes in the Four Defense Intelligence Agencies (Project No. D2013-DINT01-0009.000).

The Defense Human Resources Activity and Defense Manpower Data Center comments to the report recommendations are included in the attachment. Please feel free to direct any questions to me, Mary Snavely-Dixon, at 571-372-0978 or mary.m.snavely-dixon.civ