Picture of columns
The Nine Most Common Estate Planning Mistakes
Mergers And Acquisitions: The Concerns Of Withdrawal Liability

The (Slowly) Evolving Landscape of Security Clearances in the Cyberworld After Snowden

By Ira Hoffman

Shortly after  Edward Snowden burst  onto  the scene in May 2013, we learned — too late — that there were multiple “red flags” in his background investigation that should have prevented him from gaining access to the countless numbers of classified National Security Agency (NSA) documents that he leaked.  Although Snowden has caused untold  damage to U.S. national security, his actions have also triggered a thorough review aimed at improving our security clearance processes. Since these reforms, if and when adopted, will have a substantial impact on contractors seeking or performing contracts involving Cybersecurity, the purpose of this article is to survey both existing  procedures  and the status of the reforms.

History of Classification/Clearance Authorities

Ever since Benedict Arnold, we have been harmed by leaks of military secrets, and thus have taken steps to protect  information that is vital to our national security.  So, for example, in the Espionage Act of 1917, Congress made it a crime to disclose classified defense information during wartime.  Then, in 1940, after World War II had begun in Europe and Nazi agents were actively spying on the U.S. armaments industry and our military facilities, but before the U.S. entered the war, President Franklin D. Roosevelt issued an Executive Order authorizing Federal officials to adopt procedures to protect information concerning military and naval installations. Presidents since then have continued to set the Government’s classification standards by Executive Order under the authority of their Constitutional role as Commander in Chief, the National Security Act of 1947, as amended, the Atomic Energy Act of 1954, and several more recent statutes, such as the Counterintelligence and Security Enhancement Act of 1994.

In the aftermath of 9/11, Congress passed at least three laws aimed at improving our protection  and use of classified information:   the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT) Act of 2001, the Homeland Security Act of 2002, and the Intelligence Reform and Terrorism Prevention Act of 2004. Unfortunately, these statutes still left us with multiple Executive Branch agencies having  responsibility  for  different  steps of  the multi-phased personnel security clearance process. In other words, we still lacked government-wide standards, procedures and policies for protecting and disseminating classified information.

Then, in 2007, the Department of Defense (DoD) and the Office of the Director of National Intelligence formed the Joint Security Clearance Process Reform Team, to improve the security clearance process government- wide.  In the following  year, President Bush issued Executive Order 13467, which designated the Director of National Intelligence (DNI) as the Security Executive Agent, who “shall”  be responsible for developing “uniform  and consistent policies and procedures”  to ensure effective investigations and determinations of eligibility  for access to classified information, but only “may”  issue guidelines and instructions to the heads of agencies to ensure “appropriate uniformity” of such investigations and determinations. Moreover, the President also designated the Office of Personnel Management  (OPM) as the Suitability Executive Agent, with responsibility for implementing  policies and procedures for personnel clearance programs.

Then, in 2009, President Obama issued Executive Order 13526 expressly to “prescribe” a “uniform system” for classifying and safeguarding classified information. But we are not there yet.  Instead, we still have a basic dichotomy between Intelligence Community (IC) standards and procedures for contractor clearances and those of most non-IC agencies, which apply the National Industrial Security Program Operating Manual (NISPOM). In short, contractors in the cyber community with IC customers can face different sets of rules from non-IC customers.

Fundamentals of Security Clearances

For the current state of  clearances, we turn  to Executive Order 13526.  There, the three “general restrictions”  on access to classified information are stated as (1) a favorable determination of eligibility for access that  has been made by the agency’s designated official; (2) an approved nondisclosure agreement signed by the applicant; and (3) a “need- to-know”  the information.  Moreover, the Executive Order also contains definitions of key terms, such as “classified national security information,”  which is used interchangeably with the term “classified information,”  and is defined as information that has been determined to require “protection against unauthorized disclosure and is marked to indicate its classified status when in documentary  form.”

“National security,” in turn, is defined as “the national defense or foreign relations of the United States,” and “Need-to-know” means “a determination within the executive branch in accordance with directives issued pursuant to this order that a prospective recipient requires access to specific classified information in order to perform or assist in a lawful and authorized governmental function.”

Executive Order 13526 also provided that information may be classified at one of the following three levels:

1. “Top  Secret,” which applies to information  for which unauthorized disclosure could reasonably be expected to cause “exceptionally  grave damage to the national security” that the original classification authority is able to identify or describe;

2. “Secret,”  which applies to information for which unauthorized disclosure could reasonably be expected to cause “serious damage to the national security” that the original classification authority is able to  identify  or describe; and

3. “Confidential,” which applies to information for which unauthorized disclosure could reasonably be expected to cause “damage  to the national security” that the original classification authority is able to identify or describe/

In addition, there are two other major categories of classified information that are commonly associated with the “Top Secret” or “TS” level:

1. “Sensitive Compartmented Information” (SCI), which refers to intelligence sources and methods; and

2. “Special  access programs”  (SAPs),  which are defined as programs that are established for “a specific class of classified information that imposes safeguarding and access requirements that exceed those normally required for information at the same classification level.” Unless authorized by the President, only the Secretaries of State, Defense, Energy and Homeland Security, the Attorney General, and the Director of National Intelligence (DNI), or the principal deputy of each, may create a SAP. Moreover, only the DNI has authority to establish  SAPs pertaining to “intelligence sources, methods and activities (but not including military operational, strategic, and tactical programs).”

Given the heightened sensitivity of information classified as SCI or SAP, eligibility  standards and investigative requirements for access to either of them are higher than for other information classified at the same level, i.e., as TS.

With limited  exceptions, eligibility  for access to classified information shall be granted only to contractor employees who are U.S. citizens who have undergone completed investigations by appropriate  authorities,  and  whose “personal and professional history affirmatively indicates loyalty to the United States, strength of character, trustworthiness, honesty, reliability, discretion, and sound judgment,  as well as freedom  from conflicting  allegiances and potential  for coercion, and willingness and ability to abide by regulations governing  the use, handling,  and protection  of classified information.”  Exec. Order 12968.

Application Procedures

For access to classified information at a particular level, private contractors are subject to the same clearance procedures as Government employees at the same level. When a contractor requires access to classified information  and needs to assign an employee to perform requirements necessitating such access, the contractor must inform its Government customer, the “sponsoring agency,” that the employee requires access to classified materials, but does not have a clearance. The sponsoring agency then initiates the first of four key steps to obtaining and maintaining a clearance: pre-investigation; investigation; adjudication; and reinvestigation.

1.   Pre-Investigation. During this phase, the sponsoring agency ascertains whether the contractor has a genuine requirement for the applicant to gain access to classified information.  If the sponsor confirms the need, it will direct the applicant to submit his or her clearance application (e.g., Standard Form 86), which typically requires the applicant’s employment history; prior residences; education; identification of supervisors, colleagues, friends and neighbors; credit history; and details on organization memberships.  If, however, the applicant has an active clearance from a prior contract with the customer or with another agency or because he/ she is a former government employee, then the sponsoring agency may accept the existing clearance, or  it  may require  an additional  investigation.

2.   Investigation.   In certain instances, an agency may have jurisdiction to conduct all or some of its background investigations.  The CIA is one such agency, with authority to conduct its own investigations and those for other IC employees and contractors.  Most, if not all, of those investigations require a polygraph examination. More than 90% of background investigations, however, are conducted or overseen by OPM’s Federal Investigative Services (OPM-FIS). Indeed, in  recent  years, approximately  45% of  the investigations conducted by private contractors under contract to OPM-FIS were “conducted” by one contractor — U.S. Investigations Services, LLC (USIS) — including that of Edward Snowden. Although  the Department  of Justice recently intervened in a False Claims Act suit against USIS for failing to perform quality control reviews in connection with its background investigations for  OPM-FIS, the  quality  and  backlog  of clearance investigations remain problematic.

Adjudication.  Once the background investigation is complete, the sponsoring agency makes a determination  whether  to  grant  the  application a clearance, based on the information  adduced during  the  investigation.    For non-IC positions, the sponsoring agency applies the following 13 adjudicative guidelines in making its determination:

a.    allegiance to the United States;

b.    foreign influence;

c.     foreign preference;

d.    sexual behavior;

e.    personal conduct;

f.     financial considerations;

g.    alcohol consumption;

h.    drug involvement;

i.     emotional, mental and personality disorders;

j.     criminal conduct;

k.    security violations;

l.     outside activities; and

m.   misuse of information technology systems.

Each of  these guidelines  is substantially similar, if not identical, to IC guidelines; each describes circumstances that could raise a security “red flag”; and each identifies activities that may be disqualifying. But adverse information does not necessarily disqualify an applicant,  because the guidelines require an assessment of the “whole person.”  Thus, for example, if an applicant had been arrested for possession of a small amount of marijuana 10 years ago, that would ordinarily not be disqualifying.   If, however, the applicant had been convicted of distributing  illegal drugs five years ago and owes credit card companies and the IRS thousands of dollars, the adverse evidence in the application is compounded  not only by the gravity of the conduct leading to the arrest, but also by the applicant’s debts, which make him or her a greater security risk.

Reinvestigation.   Persons with security clearances are subject to periodic reinvestigations, applying the same criteria. The frequency of reinvestigations varies by agency and by level of clearance, but in most cases it is 5 years for Top Secret, 10 years for Secret, and 15 years for Confidential.

Appeals

An applicant who has been denied a clearance, or a cleared person who has had his or her clearance revoked, may appeal the adverse decision.  Each agency that  is responsible for  adjudicating  and granting  clearances has its  own  policies  and procedures for an appeal of a clearance determination. Typically, the appellant has the right to a hearing before an administrative law judge  and may call witnesses. Of course, the Government has the right to cross-examine the witnesses and present rebuttal evidence.   It is well-settled, however, that courts will not review the denial or revocation of a security clearance because the agency head charged with the protection  of classified information  “’should have the final say,’” and the courts “should not intrude.” Hegab v. Long, 716 F.3d 790, 797 (4th Cir. 2013) (following and quoting  Department of the Navy v. Egan, 488 U.S. 518, 529 (1988)).

Likely Reforms

Even before Edward Snowden emerged, the U.S. Government Accountability Office (GAO) had issued several reports in recent years that criticized the inadequate progress of DNI and OPM in coordinating policies and procedures and improving the security clearance process. In recent testimony to the Senate Select Committee  on Intelligence, a senior ODNI official stated that DNI and OPM are preparing a joint revision to the regulations governing the personnel security clearance process, from determination  of whether a position  requires a clearance, through application submission, investigation, and adjudication. In addition to the commitment to make more meaningful progress on harmonizing standards and procedures, DNI testified that it is developing, in concert with OPM, DoD and other Federal partners, a Continuous Evaluation (CE) process that would assist the investigating and adjudicating agencies in being better informed about intervening behavior that raises a security or counterintelligence risk. DNI also stated that OPM is developing a Position Designation Tool that will assist other agencies in determining position sensitivity and the type of security clearance processing that will be required for each position.

In conclusion, the Government is making slow, but sure, progress in reforming the security clearance process, which will benefit  not only sponsoring agencies, but also contractors in the cyber community.

If you have any questions regarding the evolving landscape of security clearances in the cyberworld or about cybersecurty please contact Ira Hoffman via the information provided below.

About Ira Hoffman

Governor's International Advisory Council

ihoffman@offitkurman.com | 240.507.1723

Ira E. Hoffman has been practicing law for more than 25 years, focusing on government contracts, export controls and other international issues.  More recently, he has expanded his focus to include cybersecurity law and policy.  He counsels large and small companies alike, on a wide range of government contracts issues, such as bid protests, claims, teaming agreements, cybersecurity contracting, subcontracting, intellectual property rights, mergers and acquisitions, cost allowability, ethics and compliance, audits and investigations, the False Claims Act, suspension and debarment, security clearances, and small business issues, including 8(a), HUBZone, SBIR, SDVO and WOSB small businesses, and size protests. He has extensive experience in government contracts cases, ranging from protests at the GAO, Court of Federal Claims and ODRA, to disputes and alternative dispute resolution. His international practice focuses on export controls (both ITAR and EAR), the Foreign Corrupt Practices Act (FCPA), and Office of Foreign Assets Control (OFAC) sanctions.  His cybersecurity practice focuses on M&A, IG investigations, and liability issues for security breaches.

You can also connect with Offit Kurman via FacebookTwitterGoogle+YouTube, and LinkedIn.