Enhancing Cybersecurity in DOD Background Investigations: What Federal Contractors Need to Know

In June 2024, the United States Government Accountability Office (GAO) issued a report titled "PERSONNEL VETTING: DOD Needs to Enhance Cybersecurity of Background Investigation Systems" (GAO-24-106179), which identified significant cybersecurity weaknesses in the Department of Defense's (DOD) background investigation systems. The report focuses on the Defense Counterintelligence and Security Agency (DCSA), which currently operates a mix of the newly developed National Background Investigation Services (NBIS) system and legacy systems previously administered by the Office of Personnel Management (OPM). These systems are used to conduct the background investigations that determine whether federal employees and contractors can be trusted with sensitive positions and information.

The GAO review found that DCSA did not fully follow DOD's risk management framework when addressing the cybersecurity risks associated with these systems. Specifically, DCSA did not complete all of the tasks in the framework's preparation step, which comprises 16 tasks: DCSA fully addressed 11 of them, partially addressed two, and did not address three. This gap means the agency has not laid the groundwork the framework requires for managing cybersecurity risk across the systems it operates.

The report also noted that, while DCSA correctly categorized the reviewed systems as high impact, it relied on an outdated version of National Institute of Standards and Technology (NIST) guidance when selecting its security control baselines. Although NIST published a newer version of that guidance in 2020, DCSA continued to use the earlier version. The updated guidance adds controls for protecting personally identifiable information (PII) and for supply chain risk management, both of which are central to a strong security posture. By not adopting the current guidance, DCSA may have left relevant risks unaddressed in its baselines.

With respect to privacy controls, GAO found that DCSA had only partially implemented the required tasks. These tasks include developing policies and procedures, providing training, identifying and reviewing the types of events to be logged, and assessing controls and risks. GAO also found that the agency lacks an effective oversight structure to ensure these privacy protections are fully implemented. Without such a structure, the sensitive information held in its background investigation systems is at greater risk of unauthorized disclosure, modification, or loss.

GAO's findings are especially significant in light of the 2015 cyberattacks on OPM, which exposed the personal information of about 22 million federal employees, contractors, and others. That breach demonstrated the severe consequences of cybersecurity failures in systems that hold highly sensitive data. DCSA subsequently assumed responsibility for conducting background investigations in 2019, which makes the report's findings a timely measure of the current state of cybersecurity in these systems.

The report makes 13 recommendations to address the identified cybersecurity and privacy control deficiencies. These recommendations call on DOD and DCSA to take several steps, including fully defining and documenting all stages of the information life cycle, conducting organization- and system-level risk assessments, and updating security control baselines to align with current NIST guidance. They also stress the importance of ensuring that all system users hold current security training and certifications, and of establishing an oversight structure to ensure that privacy controls are effectively implemented and assessed.

DOD's response to GAO's recommendations will be critical in determining the long-term security of these systems. Implementing the recommended measures will likely require significant effort and resources, but it is essential to safeguarding the sensitive information processed by NBIS and the legacy systems. The report is a reminder of the ongoing challenges of securing federal information systems and of the need for continuous improvement and vigilance in managing cybersecurity risk.
