Government employees and contractors who require a security clearance are subject to Continuous Evaluation – comprehensive monitoring and periodic re-investigation of their behavior. According to government policy, both should be subject to the same vetting and adjudication process. However, the Intelligence and National Security Alliance (INSA) has found two critical differences: the consideration of social media, and personnel security information sharing.
A new white paper, Same but Different: Security Clearances for Contractors and Government Employees, written by INSA’s Insider Threat Subcommittee, says individual government contractors face more rigorous scrutiny, as private companies can monitor employees’ social media as part of their continuous vetting and insider threat protocols. However, despite the existence of a directive permitting them to do so, government agencies do not monitor their employees’ social media. Given that intelligence often traces the intention of criminal acts to an individual’s social media use, this is a potentially dangerous lapse in the vetting process.
INSA interviews found this is due to a “lack of clear guidance on how to implement the existing directives and security policies”. The Alliance calls for government agencies to agree upon a single common standard regarding the use of publicly available electronic information, specifically social media, for personnel security and insider threat purposes. Subsequently, guidelines for the implementation of this standard should be established throughout the sector.
However, during the vetting process, several intelligence agencies require a psychological evaluation to assess suitability of government employees, whereas contractors are not required to undergo psychological testing for fitness determinations, and few, if any, companies routinely administer psychological screening of their own employees.
That said, any individual (government or contractor) who acknowledges seeking counseling during the background investigation stage will be evaluated to see if their psychological issues pose a potential security threat.
The paper explains that reports of adverse behavior by government employees are entered into appropriate security databases and follow them from employer to employer, but only as long as they continue working for the government.
INSA says only contractors share information regarding at-risk employees. “The government does not share with industry when they identify a ‘red flag’ about a contract employee working at a federal facility. This unwillingness to share data prevents the employee’s firm from mitigating the potential risk”.
Although agencies reserve the right to refuse the services of any contractor or applicant who is judged to be a security risk, the government is not permitted to provide details of its reasoning as a result of Privacy Act restrictions. When the government doesn’t explain why it refused an individual contractor, the employing company has no cause to fire the person. The concern, then, is that the company could still place the employee on another contract in another department or agency.
INSA says intelligence agencies, in coordination with the Department of Justice, must agree on a uniform government-wide interpretation of what information sharing is permitted under the Privacy Act. Should changes to this statute be required to address security risks, INSA says the Administration should propose such changes to Congress.
The paper also says that “current Federal Acquisition Regulations (FAR), constrain communications between government managers and their contractors”. INSA recommends changes to the FAR, which could permit more comprehensive and rapid sharing of information on personnel security risks.
In addition to the recommendations made to government, INSA says industry should be required to provide the government with a standard set of suitability information on employees that is equivalent to the information acquired for government employees.
The Alliance also wants to see more companies train supervisors to manage offsite employees with an eye to monitoring their status and wellbeing, and advises a collaborative approach to such training.
On January 16, INSA released a new white paper that calls on the government to share basic personnel security information with its partners in the cleared contractor community, in order to strengthen insider threat training programs and bolster U.S. national security.
Developed by INSA’s Insider Threat Subcommittee, the paper, Legal Hurdles to Insider Threat Information Sharing, provides an overview of the issue, including the legal challenges associated with information sharing, and offers recommendations that government can take to help mitigate the threat of the malicious insider while still respecting individuals’ privacy.
“Cleared contractors have developed state-of-the-art insider threat detection programs to protect classified and sensitive information, as required by the government, but companies need the government agencies to share information they may have about potential risks,” said Suzanne Wilson Heckenberg, INSA’s president. “If changes to existing statutes are needed to permit the sharing of such information, government and industry should work together to develop a new legal framework that effectively mitigates insider threats.”
The paper offers a number of practical recommendations, including modifications to existing legal frameworks, and robust government collaboration with industry partners. In particular, it recommends that government agencies – which differ in their reading of statutory requirements – agree upon a uniform, government-wide interpretation of what information can be shared with industry under the existing legislation.
This story was updated on January 18.