Our review found that the OBDs were not effectively implementing their contractor personnel security responsibilities and, consequently, were providing access to sensitive Department data and facilities to hundreds of contractors who did not have the necessary security clearances. Individuals hired as permanent employees in the Department undergo background checks when they begin their employment and periodically again throughout their careers. We believe that contract employees - who often work side-by-side with Department employees - should receive similar scrutiny commensurate with the security risks associated with their positions. The OBDs' failure to ensure that all contractor employees receive an appropriate security review presented an unacceptable security risk to the Department's data, facilities, and personnel.
Contractor Personnel Clearances
We found that 44 percent of the 628 contract employees we examined did not have the required security clearance. In addition, at least 10 percent of other contract employees had clearances that were insufficient for the sensitivity of their work. One OBD had no security information on 136, or 90 percent, of the 151 contract employees who worked on sensitive cases in the OBD's office space. In another OBD, only two of nine contract employees who were required to have a clearance at a specified level had the requisite clearances. One of the nine employees was later found to have had financial issues that would have been detected had the clearance been requested earlier under contract provisions. Nonetheless, a year after the financial issues were uncovered, the contract employee continued on an assignment to the OBD's sensitive cases in the OBD's office space even though SEPS had not resolved the derogatory issues and approved a clearance.
Contract Security Certifications
The SPMs were required to certify contract security requirements under the 1997 JAR amendment. JMD's Procurement Services Staff (PSS) maintained the certifications in the contract file. We found that SPM certifications were included in less than 25 percent of the contracts that required them. Our review of the contracts disclosed the following:
Program Oversight and Guidance
SEPS, which has overall responsibility for the Department's security programs, provided training to the OBDs on the Contractor Personnel Security Program requirements when these responsibilities were transferred to the OBDs in July 1997. In addition, SEPS issued program guidance in October 1997. According to the guidance, every contract employee with unescorted access to Department facilities or information should receive a BI based on the position's risk level. The guidelines state that the SPMs must determine the risk level for each contractor position and should base this assessment on the damage that an untrustworthy contractor could cause to the efficiency or the integrity of Department operations.
The guidelines also state that the SPMs should ensure BI requirements for contractor personnel are met and favorably adjudicated. With the exception of one OBD, however, SEPS did not delegate to the OBDs the authority to make security determinations for contract employees. The authority to make security determinations, including adjudicating BIs and approving clearances for contract employees in the OBDs, had been delegated previously to SEPS. With the responsibility for the contractor personnel security program shifting to the OBDs from SEPS, this delegation should have been provided to the OBDs. In addition, the SPMs should ensure that the contractor conducts the prescreening and investigative requirements to the extent practicable and ensure that the contractor retains appropriate records of investigations. The SPMs should also establish procedures to ensure the validity of applicant fingerprint cards, which are furnished by the contractor for each contract employee. The JAR states that the contracting officer is responsible for including in the contract file the SPM certification of the personnel security requirements.
Although SEPS provided training and guidance to the OBDs, we found that SEPS did not effectively monitor the OBDs' implementation of this program. In some instances, we found that the roles and responsibilities of SPMs were not clear to the OBDs' security, procurement, and program staffs and that JMD's program guidance was not sufficient. Procurement officials, including the contracting officer's technical representatives (COTR), did not coordinate with their SPMs regarding contract employees assigned to the contracts. Also, procurement staff told us that they did not know who the OBDs had designated as the SPM for a contract. In other cases, we found that the OBDs were either not following established JMD guidance and their own procedures or not adhering to personnel security requirements set forth in the contracts. Also, the OBDs' lack of administrative procedures for managing contract employee information and records hindered implementation of the Contractor Personnel Security Program.
The October 1997 guidance did not address reinvestigation requirements for contractor personnel or for accepting clearances granted under other contracts. Of the 349 contract employees with clearances, we found that over 10 percent had clearance dates older than five years - the time reinvestigations are due for most Department employees with similar access. In addition, the three contracts we reviewed had stricter time limits on acceptable BIs, stipulating that previous BIs at the required level could not be older than 36 months prior to the date of the contract. Under one of the contracts, all four contract employees had access to the Department's most critical computer systems. According to the Department's Security Officer, the contract employees were in critical sensitive positions that required a more extensive BI. We found that three of the four employees had BI clearances that were older than three years and the fourth employee did not have a clearance.
Timeliness of BIs
Using the available records for the 628 contract employees, we found that a significant amount of time elapsed at all stages in the BI process - from the time the employee's security forms were prepared, to the time OPM completed the background checks, to final adjudication by the SPM or SEPS. Records showed that OPM investigations could take as long as four months even when no derogatory issues were disclosed. When there were derogatory issues, OPM investigations could take as long as eight months to complete. 2
Once contract employees' security forms were submitted to the OBDs, contractors began assigning employees to projects while the BI was being conducted. Although the OBDs' policies varied on when a contract employee could begin work on a contract, 3 they all had procedures for removing an employee when suitability issues were detected. However, our review disclosed that contract employees were not being removed promptly once suitability issues were disclosed and remained unresolved for an extended period of time. In some instances, contract employees continued to work under the contract even when they failed to obtain clearances.
In other instances, contract employees worked on sensitive projects before the BI was initiated. In one instance, the SPM initiated the BI nearly one year after an employee assigned to a sensitive position began working on the contract. 4 According to contractor records, the employee worked a total of 426 hours from March to June 1998 and again in January 1999. The SPM did not obtain the employee's security forms from the contractor until January 1999. In February 1999, the first steps of the BI revealed that the employee had been arrested six times since 1988 for theft and being a fugitive and therefore did not meet the personnel security standards necessary to work on the contract. The employee had not revealed his arrests as required on the security forms. When the employee failed to respond to the derogatory information in March 1999, the SPM removed him from the project - a year after he began work on sensitive cases in the OBD.
At the time of our review, the OBDs had established varying contractor personnel security record maintenance requirements for the SPMs, but we found that the SPMs had not fully implemented the requirements. For the 628 contract employees we reviewed, we found that the SPMs had records or files for approximately 35 percent. In addition, some files that we located did not fully document the clearance process, including resolution, adjudication, and clearance decisions.
The October 1997 SEPS guidelines state that the SPM must safeguard the BI files pursuant to the requirements of the Privacy Act. When the Contractor Personnel Security Program was transferred to the OBDs, SEPS distributed contractor personnel security files to the OBDs that were using the contract employees. Since then, the SPMs have been collecting the same sensitive security information on contractor personnel that had been maintained by SEPS. This information includes name and fingerprint checks from the FBI, personnel security forms, OPM investigation reports, resolution information pertaining to derogatory issues disclosed in the OPM report or credit check, final adjudication decisions, and approved clearances. In addition to establishing procedures for maintaining contractor personnel records, procedures are needed to ensure personnel security information is properly safeguarded.
According to the October 1997 SEPS guidelines, SPMs should also ensure that contractors maintain appropriate personnel security records. JMD officials stated that one of the objectives of creating a revised Contractor Personnel Security Program was to increase contractor responsibility for ensuring suitable employees are assigned to projects. The guidelines state that contractors should prescreen employees, conduct credit checks, and submit to the SPM fingerprint cards and completed security forms. The guidelines also state that contractors should retain records of prescreening activities. In addition, the guidelines require the SPMs to ensure that the contractor conducts prescreening activities and retains records of the investigations.
The three specific contracts we reviewed required contractors to prescreen employees; however, only one of the OBDs required the contractor to maintain records of prescreening actions and credit checks. Neither the contract nor the OBDs required the other two contractors to maintain personnel security records or records of prescreening checks for the employees assigned to the contracts. We believe that contractors should be required to maintain records of prescreening activities and other security information for each employee for the life of the contract. Also, SPMs should periodically review the contractors' records to verify that prescreening is performed and records are being maintained.