Deficient cybersecurity oversight and outdated IT systems at the Federal government’s primary personnel investigative agency pose a risk to national security, and the agency’s director this week pledged action to fix those ongoing technology problems – although he said some of the root causes may not be fully addressed for several years.

At a congressional oversight hearing on June 26, a director with the Government Accountability Office (GAO) reiterated the agency’s recent findings that the Defense Department’s (DoD) Defense Counterintelligence and Security Agency (DCSA) needs to improve cybersecurity oversight processes to mitigate security risks posed by the legacy IT systems. DCSA conducts background investigations for about 95 percent of Federal agencies.

“DoD is years late in delivering a fully functional modern IT system intended to support all phases of personnel vetting,” Alissa Czyz, GAO’s director for defense capabilities management, told the House Oversight and Accountability Committee’s subcommittee on Government Operations and the Federal Workforce.

Referring to the National Background Investigation Services (NBIS) systems that defense officials are developing to replace legacy systems, Czyz said: “DoD must get this right. We cannot have another breach … NBIS simply cannot fail. Having fully functional and secure IT systems to conduct personnel vetting is paramount to keeping our nation safe.”

Subcommittee Chairman Pete Sessions, R-Texas, agreed that “a high-quality security clearance process is vital to the security of the United States” and said DoD’s ineffective cybersecurity planning is “potentially exposing millions to the threat of another attack.”

It was an earlier cyberattack – the 2015 hack of Office of Personnel Management (OPM) systems that rocked the government cybersecurity community and exposed data on more than 22 million Federal employees and contractors – that led to DoD being assigned responsibility for developing and operating IT systems for personnel vetting.

In 2019, DoD established DCSA to conduct background investigations. But in its recent report, GAO said DCSA is using a mix of NBIS systems that are behind schedule in their development alongside legacy IT systems formerly owned by OPM.

“In considering the cybersecurity risks of these systems, DCSA did not fully address all planning steps of DOD’s risk management framework,” GAO said. DCSA “lacks an oversight process to help ensure that appropriate privacy controls are fully implemented. Until DCSA establishes such an oversight process and fully implements privacy controls, it unnecessarily increases the risks of disclosure, alteration, or loss of sensitive information on its background investigation systems.”

DCSA Director David Cattler acknowledged the problems and assured legislators that he would fix them. “The GAO recommendations guide my focus and direction as the DCSA Director. DCSA’s shortcomings will be set right under my direction,” he said.

Cattler said an internal assessment had determined that problems with the NBIS program – including in oversight, software development, and acquisition strategies – would cause “a delay in NBIS delivery and sunsetting of legacy IT systems.”

The current plan to sunset the legacy systems, he added, is “no later than fiscal year 2028.”

Cattler’s admission of responsibility, along with his short tenure – he began the job in March – earned him a relatively light grilling from committee members.

Asked by Rep. William Timmons, R-S.C., how he could “ensure that bad actors have not gotten through the cracks” in the personnel screening process, Cattler said DCSA does “a tremendous amount of quality control checks.”

“I think I share the same sense of urgency that you are communicating,” Cattler added. “It’s unacceptable how we have gotten to where we are, and we need to turn this thing around … We are 8 ½ years into a three-year program.”

Timmons responded: “It seems like we are moving in the right direction. I appreciate all of your hard work.”
