Congress last week pushed through two bills aimed at overhauling the security clearance process, an issue that has been hotly debated since classified documents were found at former President Donald Trump’s Mar-a-Lago residence and reached a dispute. flashpoint following the alleged breach of significant amounts of classified information by Massachusetts Air National Guardsman Jake Teixeira. The Classification Reform Act of 2023 and the Sensitive Classification Act of 2023 propose a number of changes to the governance and accountability of the classification process, along with steps to reduce overclassification.
While much of the proposed policy will likely go unnoticed by most federal offices, the last section of the Sensitive Classification Act of 2023 includes provisions that could have a significantly negative impact on the homeland security contracting space. The language echoes a common problem with understanding the security clearance process today and how agencies track their authorized personnel.
The Sensitive Classification Law establishes the “sense of the Senate” that “the number of people with access to classified information is excessively high and must be justified or reduced.” It continues to require agencies to account for their eligible authorized population, along with plans to reduce the number of people eligible for classified information.
The bill runs counter to current market realities and runs counter to what has been one of the most significant federal government hiring pushes in decades, as many agencies seek to onboard and attract new talent to take the job. instead of a grizzled government workforce. The vast majority of those positions require some level of security clearance. And while government hiring cycles move 12 to 18 months into the future, the Sensitive Classification Act requires plans to reduce the authorized workforce within the year. The legislation requires agencies with classified workers to provide a count of the number of individuals eligible for security clearance within their agencies, along with plans to reduce that number.
The bill goes on to require, “a description of how the head of the agency will ensure that the number of security clearances issued by said agency is kept to the minimum required for the performance of the agency’s functions, in accordance with the agency size, needs and mission
The legislation echoes the drumming of Congress over the past month. Sen. John Cornyn, R-Texas, called the number of people with security clearance “crazy.” Sen. Mark Warner, R-Va., recently argued at a news conference that too many people have security clearance and that led to the recent leaks and unauthorized disclosures.
It’s not the first time Congress has looked at the number of people who have security clearance to combat breaches that were actually caused by lax security procedures. In general, the problem of leaks has been blamed on the number of people with access to classified information. Current legislation rightly frames it as a consequence of overclassification, but instead of addressing data security or IT policies around protecting classified information, it focuses on the numbers.
A zero trust framework is good for IT, but unfortunately it doesn’t work for people, where the reality is that we are always in a position to reduce risk, not eliminate it. Congressional proposals to reduce the number of security clearances fail to address the real issue, which is how lax security procedures have allowed the printing and deletion of classified documents from licensed facilities, which has been the case in nearly every scenario. of major leaks. the last years.
Eligibility vs. Access: There is a difference
It’s easy to criticize the number of people with a security clearance, where at first glance, four million people with access to sensitive information seems like a lot. Breaking down the number further and considering what the term “eligible to access classified information” means is key to understanding why the number of people with classified information is not the issue.
In quarterly progress reports, the government already tracks and provides information on its eligible population vs. the authorized access population. The number of people with access is always significantly less than the eligible number. Includes active duty service members, federal government civilians, and government contractors.
The Department of Defense, specifically, saw a dramatic reduction in the number of people with access to classified information after the pandemic, and the population with access today is still 300,000 fewer people than it was before the pandemic. The blue bar indicates the number of people currently using their authorization eligibility within the DOD. Access is based on position and eligibility is tied to the person. If you’re eligible but don’t have access, that means you’re not accessing classified information in your current role, but you’re still eligible to do so—a demand-supply elasticity that’s critical to ensuring job mobility and allowing IT professionals to national security to change jobs or organizations without the need for a new security clearance investigation. By drastically reducing eligibility, it also removes the government’s ability to expand its workforce as needed. There is also a cost component. Reducing the number of individuals eligible for clearance means you will need to process more new investigations, a process that is currently ramping up and takes an average of 137 days for a top-secret security clearance for Department of Defense/Industry applicants, and a cost of more than $5,000 per applicant.
The right thing to do is to look at access and make sure only those who need it do it. But reducing authorization numbers does not improve security or eliminate risk. Desk audits of the authorized workforce have happened before, and they did nothing to stop the Navy Yard shooter, Reality Winner, or Harold Martin.
Current Senate legislation considers the supply of authorized security talent without addressing current hiring needs or the national security implications of an aging workforce and a reduced pool of authorized talent. Today, the government needs more people willing to get security clearance and support national security, not less. In January, the NSA announced one of its biggest hiring increases in 30 years. Last month, FBI Director Chris Wray stressed that there are 50 Chinese hackers for every FBI cyber professional in his request for an additional $63 million to help the agency increase cyber capacity and hire 192 positions. All of those jobs require a security clearance.
The government doesn’t have four million people with security clearance today. It has approximately 2 million people with access to classified information. You can argue that even that number is too high, but you shouldn’t eliminate it until you create hiring authorities, job category reforms, and government office accreditation plans that spell out how you’ll keep your job and workforce safe, when you have unauthorized professionals. working very close to the secrets of our government.
Reducing the authorized population indicates that the Senate wants less investigation and less security, at a time when it should require greater protocols to protect confidential information. Security clearances provide eligibility, but also create penalties for unauthorized disclosures. And they also come with punitive responses for those who break the government’s trust.
A general reduction in the size of the authorized workforce, which is the reality you’ll get when you tell your agencies they have too many authorized people, will affect the mobility, upskilling, and diversity of our homeland security workforce. Let the market and threat landscape dictate the number of security clearances. Don’t let a negative news cycle do it.
