The total number of employees and contractors holding security clearances for access to classified information at the Department of Defense dropped by a hefty 900,000 between 2013 and 2016 — or 20% of the total cleared population at DoD. At the start of the current Fiscal Year, DoD had a remaining 3.7 million cleared personnel.

These data were presented in the latest quarterly report on Insider Threat and Security Clearance Reform, 1st quarter, FY 2016, published last month.

Importantly, this was a policy choice, not simply a budgetary artifact or a statistical fluke. A reduction in security clearances is a wholesome development, since it lowers costs and permits more focused use of security resources. It also increases pressure, at least implicitly, to eliminate unnecessary security classification restrictions.

However, reductions in clearances appeared to be stabilizing over the past year, with the elimination of around 100,000 clearance holders who did not have access to classified information, and an increase of around 100,000 cleared persons who did have such access.

Meanwhile, the Insider Threat program is being slowly implemented across the government. The Department of Defense expanded its “Continuous Evaluation” capability — providing automated notification of financial irregularities or criminal activity, for example — to cover 225,000 employees, up from 100,000 last year. The Department of State also initiated its own Continuous Evaluation pilot program.

Overall, the Insider Threat program faces continuing hurdles. “Many departments and agencies are discovering challenges with issues such as organizational culture, legal questions, and resource identification, to name a few,” the latest quarterly report said.

Under a requirement recently enacted by Congress, intelligence agency employees who hold clearances for Sensitive Compartmented Information (SCI) must report any employment with a foreign government entity for up to two years after leaving their US government job.

An internal US Air Force memorandum implementing the new requirement for Air Force intelligence personnel was released under the Freedom of Information Act yesterday.

See Reporting Certain Post-Government Employment by Holders of Sensitive Compartmented Information (SCI) Accesses, Air Force Guidance Memorandum 2015-14-04-O, 5 November 2015.

SCI is classified information that is derived from intelligence sources or methods.

The reporting requirement concerning foreign government employment was adopted by Congress in the FY 2015 intelligence authorization act (section 305) and was enacted into law as 50 U.S.C. 3073a.

It is unclear from the public record whether any specific incident or circumstance prompted the new reporting requirement.

The Department of Defense “is moving forward with the development of its insider threat and personnel security reform efforts,” wrote Michael G. Vickers, then-Under Secretary of Defense (Intelligence) in an April 2015 report to Congress that was released last month under the Freedom of Information Act. “The Department recognizes the magnitude and complexity of these challenges, the need for multi-agency solutions, and is marshalling needed resources,” he wrote.

An insider threat is defined as someone who uses his or her authorized access to damage the national security of the United States, whether through espionage, terrorism, unauthorized disclosures of classified information, or other harmful actions.

The Department of Defense “is directing multiple pilots and concept demonstrations using both ‘push’ and ‘pull’ capabilities to conduct CE [continuous evaluation] on approximately 100,000 military, civilian and contractor personnel” in an effort to identify potential insider threats, the April 2015 DoD report to Congress said.

The overall, government-wide insider threat program is advancing rather slowly, judging by the program’s latest Quarterly Report (for the 4th quarter of FY 2015) that was just published. Several anticipated program milestones have been missed or deferred, the Report indicates.

The most effective way to limit the insider threat may be to reduce the number of “insiders.” If so, substantial progress has been made in that direction, with the elimination of 800,000 security clearances at the Department of Defense between FY2013 and the 3rd quarter of FY 2015, according to the Report. (The very latest security clearance totals have not yet been published.)

The 2016 Omnibus Appropriations bill passed by Congress last month included a provision requiring expanded reinvestigations of security clearance holders, Federal News Radio reported last week (“Agencies directed to use social media in security clearance reviews” by Nicole Ogrysko, December 28).

“The enhanced personnel security program of an agency shall integrate relevant and appropriate information from various sources, including government, publicly available and commercial data sources, consumer reporting agencies, social media and such other sources as determined by the Director of National Intelligence,” the legislation instructed.

Numerous advocacy and whistleblower defense organizations this week wrote to the Intelligence Community Inspector General urging him to investigate whether the insider threat program “has been improperly used to target or identify whistleblowers. Additionally, we ask that you lead the initiative to properly distinguish between whistleblowing and insider threats.”

The number of people in the Department of Defense holding security clearances for access to classified information declined by 100,000 in the first six months of FY2015.

There are now 3.8 million DoD employees and contractors with security clearances, down from 3.9 million earlier in the year, and a steep 17.4% drop from 4.6 million two years ago.

Moreover, only 2.2 million of the 3.8 million cleared DoD personnel are actually “in access,” meaning that they have current access to classified information. So further significant reductions in clearances would seem to be readily achievable by shedding those who are not “in access.”

The total number of security-cleared persons government-wide is roughly 0.5 million higher than the number of DoD clearances, putting it at around 4.3 million, down from 5.1 million in 2013.

The new DoD security clearance numbers were presented in the latest quarterly report on Insider Threat and Security Clearance Reform, FY2015 Quarter 3, September 2015.

The reduction in security clearances is not simply a reflection of programmatic or budgetary changes. Rather, it has been defined as a policy goal in its own right. A bloated security bureaucracy is harder to manage, more expensive, and more susceptible to catastrophic security failures than a properly streamlined system would be.

So the Administration’s Insider Threat Program states that one of the objectives of the program is to “Reduce total population of […] Secret and TS/SCI clearance holders to minimize risk of access to sensitive information and reduce cost.”

Reducing security clearances would also go hand in hand with, and help to reinforce, a long-term reduction in national security classification. (Although not widely recognized, original classification activity — the creation of new secrets — across the government has dropped each year for the past four years to a historically low level, according to the Information Security Oversight Office.)

The current insider threat program was initiated in 2012 — after the major WikiLeaks releases but before the Snowden disclosures. Its purpose was “to counter the threat of those insiders who may use their authorized access to compromise classified information.” See National Insider Threat Policy, The White House, November 21, 2012.

Implementation of the program has been slow, however.

A December 2014 milestone to provide “continuous evaluation” of the most sensitive Top Secret-cleared population was missed, the latest quarterly report notes. (Continuous evaluation refers to the automated screening of relevant information streams from multiple sources and databases including law enforcement, counterintelligence, credit reporting, and perhaps others.) Continuous evaluation of all TS and TS/SCI cleared personnel is said to be on track for December 2016.

Last year, the Department of Defense demonstrated continuous evaluation on approximately 100,000 cleared personnel. DoD will expand this capability to 225,000 persons this year, to 500,000 next year, and to 1 million in 2017, the quarterly report said.

Last week, the U.S. Navy issued updated guidance on implementation of its own Insider Threat Program.

Among other things, the guidance calls for a “reduction of Navy privileged users” who have unusually broad access to IT systems and data “and, therefore, could pose a higher risk of insider threat.” See Navy Insider Threat Program, Opnavinst 5510.165A, October 1, 2015.

The Department of Defense recently demonstrated the “Continuous Evaluation” of approximately 100,000 cleared military, civilian and contractor personnel, in order to validate their eligibility for access to classified information on an ongoing basis.

Continuous Evaluation (CE) refers to the automated monitoring of government and commercial databases for signs of criminal behavior, irregular financial activity, or other “triggers” that could lead to suspension of a security clearance. CE is a central feature of the emerging Insider Threat program that is intended to deter and detect espionage, terrorism, unauthorized disclosures of classified information, and other offenses by security-cleared personnel.

According to a new quarterly report on the Insider Threat program, the Department of Defense is on track to expand its Continuous Evaluation capability to 225,000 persons by the end of 2015, to 500,000 persons by the end of 2016, and to 1 million persons during 2017. (There are approximately 4.5 million cleared personnel in government and industry.) See Insider Threat and Security Clearance Reform, Quarterly Report, FY 2015, Quarter 2, June 2015.

But progress has been uneven. The Office of the Director of National Intelligence missed a December 2014 milestone for Continuous Evaluation of the most sensitive Top Secret and TS/SCI (Top Secret/Sensitive Compartment Information) clearance holders in government and industry. The revised goal is “to have CE completed on a portion of the TS and TS/SCI population in the Executive Branch by the end of FY 16,” the new quarterly report said.

The Insider Threat problem is a difficult one particularly since the fraction of employees who are spies, terrorists, or leakers is minuscule. Nor does this tiny contingent have a simple, readily identifiable profile. (Convicted spy Aldrich Ames and fugitive unauthorized-discloser Edward Snowden, for example, seem to have few traits in common, although both apparently passed their polygraph examinations without difficulty.)

Therefore, even though Continuous Evaluation is years away from full implementation, security policy officials are already looking beyond it for other options.

Last week, the Intelligence Advanced Research Projects Agency (IARPA) invited researchers to submit proposals for its Scientific advances to Continuous Insider Threat Detection (SCITE) Program.

The SCITE Program seeks “a new class of insider threat indicators, called active indicators, where indicative responses are evoked from potential insider threats,” according to the June 18 Broad Agency Announcement issued by the IARPA “Office for Anticipating Surprise.”

“Current practice and research is heavily focused on passive indicators that monitor existing data sources for indicative behaviors,” IARPA said.

By contrast, “Active indicators introduce stimuli into a user’s environment that are designed to evoke responses that are far more characteristic of malicious users than normal users. For example, a stimulus that suggests that certain file-searching behaviors may be noticed is likely to be ignored by a normal user engaged in work-related searches, but may cause a malicious user engaged in espionage to cease certain activities.”

The number of persons holding security clearances for access to classified information decreased by more than 635,000 (or 12.3 percent) last year, according to a new report to Congress from the Office of the Director of National Intelligence.

It was the first reported drop in the total security-cleared population since the government began systematically collecting statistics on security clearances in 2010.

The majority of the reductions involved persons who had been cleared for access to classified information but did not in fact have such access. Still, at the end of FY 2014, there were 164,000 fewer individuals with access to classified information than at the beginning of the year, the ODNI report said. Most of the reductions occurred within the Department of Defense, which reported a 15% decrease in clearances (Secrecy News, March 26).

Altogether, there were 4.5 million cleared persons as of October 1, 2014, down from 5.1 million cleared persons a year earlier. Top Secret clearance holders, including government employees and contractors, numbered 1.4 million persons, down from 1.5 million the year before.

What makes the new reductions particularly interesting is that they were not simply a statistical blip or an artifact of changes in the budget. Rather, they were purposefully achieved through a “concerted effort” by agencies seeking to reduce the number of security clearances.

“These decreases were the result of efforts across the USG to review and validate whether an employee or contractor still requires access to classified information,” the ODNI report said.

The implication is that the national security bureaucracy, including the national security classification system, is susceptible to deliberate regulation and is not, as sometimes appears, an autonomous entity driven obscurely by its own internal dynamic. It follows that additional changes in the size and structure of the national security system may be achievable.

The new ODNI report also noted:

*    There was a 14.4% reduction in new and renewed security clearances.

*    The National Security Agency had the highest reported rate of security clearance denials (9.2%), while the FBI had the lowest reported rate (0.1%). The CIA reported a denial rate of 6.5% and a revocation rate of 0.6%.

The ODNI report cautioned, however, that different agency denial rates may not be comparable due to differences in reporting practices.

The unclassified annual report on security clearances was required by Congress in the FY 2010 Intelligence Authorization Act.

In a significant retrenchment of the national security bureaucracy, the Department of Defense has reduced the number of employees and contractors who hold security clearances in the past two years by more than 700,000 persons, a cut of 15% in the total security-cleared population in DoD. The previously undisclosed reductions were reported in data provided by DoD to the Office of the Director of National Intelligence.

This is the first documented drop in the overall number of security clearances since FY 2010, when the systematic collection of statistical data on clearances began, and it is probably the first major decline in the number of cleared personnel since 9/11.

Most of the new reductions involved persons who had been investigated and deemed “eligible” (or “cleared”) for access to classified information but who did not have or need such access in fact. But a sizable 117,000 persons who were “in access” (i.e. who actually did have access to classified information) were also dropped from the clearance rolls between FY 2013 and FY 2015, according to the new statistics.

A 2014 report from the Office of Management and Budget recommended reductions in the cleared population since the “growth in the number of clearance-holders increases costs and exposes classified national security information, often at very sensitive levels, to an increasingly large population.” A cut in clearances may also lead indirectly to reduced production of classified information.

In the first quarter of FY 2015, following the new reductions, there were 3.9 million DoD personnel (employees and contractors) with security clearances, down from 4.6 million in FY 2013, for a drop of 15.3%. The total number of clearance holders government-wide is about 0.5 million higher than the DoD figure.

The new data were disclosed last week in the latest quarterly report on implementation of the Insider Threat Program.

The data also indicated that the backlog of Top Secret/SCI clearance holders whose periodic reinvestigations were overdue (or “out of scope”) had been reduced by 63,000. However, there are still 356,000 TS/SCI clearance holders that remain “out of scope” and in need of an updated reinvestigation, according to the DoD data.

A new annual report to Congress on security clearances government-wide (including non-DoD agencies) “is in its final stages, but not yet ready for release,” said a spokesman for the Office of the Director of National Intelligence. It will be made available next month, he said. Last year’s annual report is here.

The number of people who hold security clearances for access to classified information has been reduced by ten percent, the White House said in budget request documents released this week.

“The Administration achieved its objective to reduce the total number of security-cleared individuals by 10 percent,” according to the White House/OMB budget request (at p. 51).

The security-cleared population has grown steadily for several years, with 5.1 million people eligible for classified access, according to the latest data from October 2013.

Taking the new ten percent reduction into account, the total number of cleared individuals should now be around 4.6 million. The actual figure is not available for public release, said Eugene Barlow, a spokesman for the Office of the Director of National Intelligence. But he said it will be presented in April in the next annual report on security clearances, as required by the FY2010 intelligence authorization act.

The security clearance system naturally becomes harder to manage — and more expensive — as it becomes larger.

A 2014 report from the Office of Management and Budget said that periodic reinvestigations had not been performed as required for around 22 percent of the people that hold that hold Top Secret or TS/SCI clearances. “This backlog poses unacceptable risk, leaving the U.S. Government potentially uninformed as to behavior that poses a security or counterintelligence concern.”

Executive branch agencies spent $1.6 Billion on the security clearance system in 2012. A background investigation for a Top Secret clearance cost an average of $3,959 each, according to OMB.

The new ten percent reduction in clearances “will allow agencies to better deploy resources to priority activities, such as completing periodic investigations for the most sensitive populations,” the White House said.

In 2013, the Director of National Intelligence (who also serves as “Security Executive Agent”) wrote to executive branch agencies directing them to validate the clearance requirement for each currently cleared individual. This validation process produced the desired reduction in clearances. A copy of the DNI’s letter to agencies is not available for public release, Mr. Barlow of ODNI said.

The National Archives is seeking a new Director of the Federal Register program, a position that requires a Top Secret security clearance.

The Federal Register is sometimes described as the “daily newspaper” of the executive branch. Each weekday, it “provides citizens access to proposed and final regulations, rules, and other administrative actions of the Federal government,” according to an announcement in USA Jobs.

In addition to overseeing the Federal Register itself, the Director of the Federal Register program is responsible for administering the Code of Federal Regulations, the United States Government Manual, the Public Papers of the Presidents, and other foundational U.S. government documents.

So why does the Director need a Top Secret clearance? One reason is that he or she would play a role in continuity of government under conditions of national emergency, and would be responsible in particular for production of the so-called Emergency Federal Register.

“Over the past several years, Federal agencies have developed contingency plans to maintain operations in the case of a broad range of emergency circumstances,” according to a recent proposed rule that was published (naturally) in the Federal Register on October 28. “The FRA [Federal Register Act] authorizes the President to activate the Emergency Federal Register (EFR) system in place of the daily Federal Register in certain limited circumstances…. The purpose of the EFR is to support the preservation of the rule of law and a constitutional form of government,” the proposed rule explained.

Up to now, as far as anyone can tell, the Emergency Federal Register “has never actually replaced the ‘real thing’,” said Harold C. Relyea, a specialist in U.S. government information policy.

The search for a new Director of the Federal Register is open through November 21.

Polygraph testing is here to stay, judging from a new directive issued by Director of National Intelligence James Clapper. The directive governs the use of polygraph testing in vetting executive branch agency personnel for security clearances or determining their eligibility for “sensitive” positions.

The new Security Executive Agent Directive 2 on the use of the polygraph was obtained by Marisa Taylor of McClatchy News, who has done a series of in-depth news reports on polygraph testing over the past couple of years.

The directive does not seem to entail any major departures from current polygraph policy, but it has several noteworthy features.

Above all, it signals that polygraph testing is not going away. Despite significant skepticism among scientists about the validity of using the polygraph for employee screening, the directive envisions continued reliance on polygraph testing. It states that agencies may even “expand an existing polygraph program” or “establish a new program.”

The directive also represents the further consolidation of the authority of the DNI in his capacity as “Security Executive Agent.” The new directive applies to all executive branch agencies, not just those that are formally members of the U.S. intelligence community.

Finally, among all the possible occasions for use of polygraph testing, the directive singles out “espionage, sabotage, [and] unauthorized disclosure of classified information,” suggesting that these diverse offenses are of comparable significance and concern.

In another recent issuance, the Office of the Director of National Intelligence produced a Strategy and Schedule for Security Clearance Reciprocity in response to a congressional mandate. Reciprocity here refers to the mutual recognition by executive branch agencies of each other’s security clearance approvals, which has been a longstanding but elusive goal.

A bill introduced in the House of Representatives by Rep. Bennie Thompson (D-MS) would direct the President to reduce the amount of classified information by 10%. It is one of several new congressional initiatives seeking to rectify perceived defects in the national security classification system.

Most prominently, the Senate Intelligence Committee is engaged in an ongoing dispute with the Administration over declassification of the Committee’s report on the CIA’s post-9/11 detention and interrogation program.

Sen. Dianne Feinstein, the Committee chair, said the Administration’s proposed redactions to the executive summary of the report were unacceptably broad.

“I have concluded the redactions eliminate or obscure key facts that support the report’s findings and conclusions,” she said on August 5. “Until these redactions are addressed to the committee’s satisfaction, the report will not be made public.”

With this contentious experience fresh in mind, one might have expected the Senate Intelligence Committee to have acquired special insight into the failings of the existing classification system and to have devised some well-considered remedial measures to address them.

But that does not appear to be the case.

In its new intelligence authorization bill for Fiscal Year 2015 (S. 2741, sec. 311), the Committee weakly requires the Director of National Intelligence to prepare a report “describing proposals to improve the declassification process throughout the intelligence community.”

Under current circumstances, this proposed reporting requirement seems like a failure of imagination and leadership, and probably a waste of everyone’s time. Perhaps it is just a placeholder for something more ambitious that is still to come.

By contrast, the bill introduced by Rep. Thompson in the House and by Sen. Ron Wyden in the Senate is prescriptive and solution-oriented in its treatment of the issue.

Among its several provisions, the new bill (HR 5240) would require the President “to establish a goal for the reduction of classified information by not less than 10 percent within five years through improved declassification and improved original and derivative classification decision-making,” according to a Fact Sheet on the bill, dubbed the CORRECT Act. (It is unclear how the 10 percent reduction in information would be measured, whether in pages or bytes or number of classification decisions or by some other standard.)

The Thompson/Wyden bill would also bolster and expand the Public Interest Declassification Board, assigning it the responsibility to evaluate the continuing validity of all current classification guidance. Though this provision may seem innocuous, it is a clear challenge to the autonomy that is currently enjoyed by executive branch agencies regarding what is to be classified. As such, it represents the kernel of a solution to the problem of overclassification.

The bill would further direct the Privacy and Civil Liberties Oversight Board to establish standards for the emerging insider threat program, and it would decisively break from current practice by authorizing the Merit System Protection Board to review agency denials or revocations of security clearances.

However, the deliberative effort that has gone into preparing the bill is not going to yield any near-term reward. In all likelihood, Rep. Thompson’s CORRECT Act will not even receive a hearing in the remainder of this expiring Congress.

Another modest but potentially useful legislative effort is an amendment to be introduced by Sen. Jeanne Shaheen that would enhance the authority and capacity of the National Declassification Center.

If the Senate Intelligence Committee wants a report on “improving declassification,” as the new intelligence authorization bill requires, then there is already a report with that very title that was prepared by the Public Interest Declassification Board in December 2007.

Several of the report’s recommendations have still not been acted on. Among them is a proposal that “formal procedures should be established for the declassification review of classified [congressional] committee reports and hearing transcripts.”

Because such records are produced and held by congressional committees, such as the Senate Intelligence Committee, they are not eligible for declassification unless and until the originating committee takes the initiative to have them reviewed and declassified. Yet this is rarely done, despite the importance of these materials.

“Frequently, closed sessions of congressional committees are the only occasion when executive branch policy in the national security area is explained, challenged (by members), and defended by administration representatives. The exchanges at these hearings, as well as the views of Congress (elaborated in classified committee reports), often affect the policy choices of the executive branch. Yet, because the records of the committees involved are classified and never subjected to declassification review, the public and historians are largely unaware of their existence,” the PIDB report said.

“Despite their historical significance, classified records created by the Congress are reviewed for declassification only on a hit-or-miss and relatively limited basis. As a result, the public is denied a valuable source of historically significant information,” the report said.

So, for example, not a single classified annex to the annual intelligence authorization bills produced by the congressional intelligence committees has ever been declassified.

A secure U.S. government facility in Herndon, Virginia needs a master chef who holds or who can obtain a Top Secret security clearance.

The job opening was announced by Sodexo, the international food service company.

“Sodexo’s Government Services Division is seeking a strong Executive Chef to manage all the culinary operations at a high profile government dining account in Northern Virginia. The successful candidate must be able to obtain a TS/SCI clearance,” the announcement said.

Though it may seem ridiculous, the requirement for a chef with a Top Secret clearance exemplifies a significant policy problem, namely the use of the security clearance process as an employee screening tool.

To all appearances, a chef does not need a security clearance. Although the successful applicant “must become familiar with Sodexo recipes,” those recipes are not national security secrets, and a clearance should not needed to perform the job of Executive Chef.

Nevertheless, a clearance requirement has evidently been imposed because the “culinary operations” are to be conducted in a secure government facility that will place the chef in proximity to secrets, even if he or she does not actually come into possession of any.

This use of the national security clearance process has contributed to the skyrocketing growth in security-cleared personnel. As of October 2013, the number of persons eligible for access to classified information had grown to 5.1 million persons, including over 1.5 million with Top Secret clearances. According to an ODNI report, only 60% of those persons had access to classified information, suggesting that vastly more clearances are being requested and granted than are actually required.

A February 2014 report to the President from the Office of Management and Budget said the security clearance system had become too large and that it needed to be reduced.

“[The] growth in the number of clearance-holders increases costs and exposes classified national security information, often at very sensitive levels, to an increasingly large population,” said the OMB review.

Accordingly, the OMB recommended that the government “reduce [the] total population of 5.1M Secret and TS/SCI clearance holders to minimize risk of access to sensitive information and reduce cost.”

Eliminating the TS/SCI clearance requirement for access to the kitchens and dining rooms of government facilities might be a sensible place to start.

Food service at CIA headquarters, which has been managed by Sodexo, was the subject of some persnickety complaints from CIA employees that were recently disclosed through the Freedom of Information Act by MuckRock. (WaPo)

The Department of Defense revoked more than 19,000 existing security clearances from FY2009 through the first half of FY2013, DoD told Congress in a hearing record that was published earlier this month.