Are there Differences in Continuous Monitoring for a Government Clearance Holder vs a Contractor?
Insider threat, leakers, and counterintelligence concerns have led to changes in the way security clearance holders are vetted and monitored. Reinvestigations have gone by the wayside and continuous vetting (CV) is now the way forward. One would think the same CV standards would apply to all clearance holders, whether they are a government employee or a contractor working on behalf of the government, right? Wrong! According to a recent study done by the Intelligence and National Security Alliance (INSA) Insider Threat Subcommittee, there are key differences in how CV monitoring is done when it comes to scrutiny on social media platforms and information sharing. Here is a summary of each:
- Social Media: Private companies are able to incorporate additional monitoring criteria on their employees’ social media platforms under the auspices of the CV and Insider Threat programs that Industry is required to have, as mandated by the Security Executive Agent. In general, government agencies do not engage in social media monitoring even though they are already allowed to in accordance with SEAD-5.
- Information Sharing: Private companies seem to play it safe by sharing only the information required by policy regarding adverse information on contractor employees. Government agencies don’t share information about “at-risk” contractors with the companies, in large part due to concerns about inadvertently violating Federal privacy laws or acquisition regulations. The Government does a better job documenting information on cleared government employees in security databases, leaving a trail to follow should the employee move to another agency.
The findings in this study confirmed that security clearance processes are the same for both government employees and contractors when it comes to the initial background investigation and adjudication processes. However, after getting cleared, it is the contractors who are subjected to more rigorous CV practices, depending on how aggressive their employer’s monitoring programs are.
Here are some proposed INSA recommendations to alleviate these disparities:
- ODNI should develop uniform information sharing criteria amongst the government and Industry so “at risk” employees are identified before something bad happens. This also means the DoD needs to amend acquisition regulations and Privacy Act rules.
- Agencies across government must develop and utilize tools to obtain publicly available information, including social media, to continuously monitor their employees for personnel security and insider threat purposes.
- Clearance data repositories should contain all relevant information on cleared employees. This means all agencies and contractor FSOs must be diligent in documenting adverse information or concerning behavior that can be evaluated under the whole person concept.
All of this just seems like common sense and should already be the norm. For those interested in reading the entire study you can find it here.