Personnel Vetting: DOD Needs to Improve Management of the National Background Investigation Services Program
Fast Facts
An agency within DOD conducts background investigations for most federal agencies.
It does so through a combination of old IT systems previously owned by the Office of Personnel Management, and the new, not-fully-developed National Background Investigation Services IT system.
This testimony discusses our prior work on DOD's schedule and cost estimate for the new IT system, among other things. For example, in 2021 and 2023, we raised concerns with the schedule—which haven't yet been resolved.
Our prior recommendations address this and more to help DOD avoid further delays to the system and to personnel vetting reform generally.
Highlights
What GAO Found
The Department of Defense's (DOD) Defense Counterintelligence and Security Agency (DCSA) is developing a new information technology (IT) system—the National Background Investigation Services (NBIS)—for use in conducting background investigations for most federal agencies and over 13,000 organizations that work with the government. DCSA assumed responsibility for background investigation operations after two cybersecurity incidents in 2015 that compromised sensitive data from Office of Personnel Management systems on over 22 million federal employees and contractors. DCSA has developed some NBIS system capabilities to enhance the personnel vetting process, such as an eApplication that agencies and organizations will use to initiate the investigation process. However, DCSA has faced several delays in fully deploying NBIS, which was originally planned for 2019.
DCSA has repeatedly missed targeted milestones for fully deploying NBIS over the past several years, in part because DCSA does not yet have a reliable schedule and cost estimate for NBIS.
GAO's Prior Assessment of How NBIS's Schedule and Cost Estimate Have Met Best Practices
In 2021, GAO recommended that DCSA improve its schedule; after seeing a lack of progress, GAO recommended in 2023 that Congress consider requiring DCSA to do so. GAO also found that NBIS's 2022 cost estimate was not reliable. Given DOD's investment of over a half billion dollars in NBIS since 2016, developing a reliable schedule and cost estimate would improve program management and reduce the risk of cost overruns.
DCSA has also not fully planned for the cybersecurity controls needed to protect NBIS and legacy systems or fully implemented measures to manage privacy risks. For example, DCSA used an obsolete version of government-wide guidance to select the cybersecurity controls for six NBIS and legacy systems GAO reviewed. GAO recommended that DCSA address these gaps, as these systems may not be fully protected. In 2018, GAO placed the government-wide security clearance process on its High-Risk List due in part to challenges with IT systems.
Why GAO Did This Study
U.S. government personnel vetting processes, such as background investigations, rely on IT systems to process data on millions of federal employees and contractor personnel.
This statement summarizes information on (1) DCSA's progress in developing the NBIS system, (2) the reliability of the NBIS program schedule and cost estimate, and (3) DCSA's efforts to plan for cybersecurity and privacy controls for NBIS and legacy systems.
This statement is primarily based on published GAO reports since 2021 that have examined NBIS system development. To perform this work, GAO analyzed information on NBIS from DCSA and the Office of Personnel Management and interviewed knowledgeable officials about the NBIS program and NBIS and legacy systems.
Recommendations
In the reports summarized in this statement, GAO made one Matter for Congressional Consideration on NBIS scheduling and cost estimating. It also made 15 recommendations to DOD to improve NBIS program management and cybersecurity. These recommendations have not yet been implemented. GAO continues to monitor their implementation status.