The new head of the Defense Counterintelligence and Security Agency told lawmakers he aims to reverse years of poor management of DCSA’s background check modernization effort, which is already more than five years behind schedule and half a billion dollars over budget.
“We’re 8.5 years into a three-year program. We spent $1.345 billion on a $700 million program,” DCSA director David Cattler told a House Committee on Oversight and Accountability subcommittee at a June 26 hearing. “It’s unacceptable that we’ve gotten to where we are and we need to turn this thing around.”
Cattler was specifically referring to the National Background Investigation Services (NBIS) program, which underpins a larger reform of personnel vetting called Trusted Workforce 2.0. The reforms began after a massive data breach at the Office of Personnel Management in 2015 exposed the data of about 22.1 million federal employees, contractors, and others with personal data on the office’s network.
NBIS is supposed to replace legacy background investigation information technology systems and serve as the federal government’s “one-stop-shop IT system for end-to-end personnel vetting,” complete with better data protection, integration, and usability.
The system was supposed to be fully functional in 2019, and DCSA took charge of it in 2020. But four years later, it is still a long way from complete. The Government Accountability Office blamed the delays on DCSA, which it said ignored multiple recommendations since 2021 to implement basic management principles such as developing a reliable schedule and cost estimates and enhancing oversight, particularly for cybersecurity controls.
“These are key fundamental program management principles, and in the past the program has been so focused on moving out to deliver capabilities that they had told us it was an administrative burden and a waste of time, frankly, to develop a schedule or a cost estimate,” Alissa Czyz, GAO’s director for defense capabilities management, told lawmakers. “ … Well, now they’re years late and behind schedule and over cost too.”
In the meantime, the DOD suffered one of its largest intelligence leaks ever in 2023 when Airman 1st Class Jack Teixeira, a member of the Air National Guard, shared classified material on a social media site. The incident raised questions about insider threats and the vetting process for individuals requesting a security clearance.
Teixeira was not referenced in the hearing, but DCSA provides vetting services for 95 percent of the federal government, which equates to 2.7 million investigations per year, Cattler said in his testimony. The personnel vetting system and its outdated IT infrastructure has long been afflicted by “skyrocketing processing times which created a towering backlog of qualified individuals who could not start serving in national security roles,” said subcommittee ranking member Rep. Kweisi Mfume (D-Md.).
Mfume cited a January GAO report showing that 17 out of 31 federal agencies did not trust each others’ security clearance processes, leading to duplicative, time-intensive vetting at each agency.
“Extensive wait times force talented agency recruits to pursue employment outside of the government when their security clearance stretches for months and sometimes years,” Mfume said. “And can you really blame them?”
As the “one-stop shop” for personnel vetting IT systems, NBIS forms the “lynchpin” to Trusted Workforce 2.0, said Czyz. When it slows, so too does the overall reform effort.
At this point, DCSA does not expect to fully sunset its legacy systems until fiscal 2028, but Czyz expressed confidence in Cattler, who became director of DCSA in March. She recalled the new director quoting from GAO’s past reports when GAO representatives visited DCSA in Quantico, Va., about six weeks after Cattler took the seat.
“He asked us point-blank how his agency had interacted with GAO in the past and that he was committed to having a collaborative relationship in implementing our recommendations,” Czyz said. “So I think we are very encouraged by his early leadership here.”
Indeed, when asked about accountability, Cattler said DCSA has “had some people move on,” and “fundamentally” changed internal and external communications, and taken “punitive measures” against some employees and contractors since he came on board.
The agency is nearly at the end of a 90-day NBIS recovery plan which began April 1. Cattler expects the plan to yield a new roadmap for the system, a new leadership team, a reliable funding profile, an audit conducted by the DCSA inspector general, acquisition oversight from the Office of the Under Secretary of Defense for Acquisition and Sustainment, and other actions meant to reset the process.
“While it’s not my fault, it is my responsibility to make sure DCSA delivers on this set of requirements,” Cattler said. “It’s critical that we do so.”