What's Behind OPM's Ousting of USIS?Federal Agency Won't Renew Services of Security Clearance Firm
The Office of Personnel Management's decision to stop using U.S. Investigations Services for certain security clearance services, which came a month after a breach of company computers, could be as much a reflection on OPM as it is on USIS.
See Also: Live Webinar | Education Cybersecurity Best Practices: Devices, Ransomware, Budgets and Resources
USIS, which was established in 1996 as a result of the privatization of the investigative branch of OPM, was awarded a five-year contract, which was later renewed, to help with security clearance background investigations for more than 95 federal agencies.
OPM last week declined to exercise its option to continue using USIS services.
Exclusive Webinar: OPM Breach Aftermath: How Your Agency Can Improve on Breach Prevention Programs
The move comes not only after the August breach but also follows work performed by USIS in helping to vet National Security Agency leaker Edward Snowden and Navy Yard shooter Aaron Alexis. The Justice Department also is suing USIS related to other work the Falls Church, Va., company performed for the government.
"By not renewing their contract, OPM is showing a lack of confidence both in USIS as an organization, but to another degree, in its own processes and rules," says Evan Lesser, who has closely followed the government's security-clearance apparatus since co-founding the employment site ClearanceJobs.com in 2002.
"Security clearance reform is needed to fully review and fix the end-to-end process, as well as update adjudicative criteria to reflect modern concerns," he says. "The non-renewal of USIS services will likely result in a slowdown of clearances being issued and re-investigated and a backlog of investigations piling up."
An OPM spokeswoman confirms a slowdown in processing clearances will occur. "We expect there to be some impact on timeliness and we are working to minimize delays," she says. "The quality and security of our background investigations and data are our priorities. We are working with our customers to address any concerns and we are taking the necessary steps to resume normal operations."
The spokeswoman suggests the contract wasn't renewed because of an Aug. 6 breach of USIS computers that likely exposed personal information of 25,000 government workers (see Report: Breach Hit 25,000 Gov't Workers). "Since OPM issued a stop work order on Aug. 6, 2014, after a breach in USIS's computer network, background investigations have been assigned to other available assets, including contractors and federal investigative staff," she says.
Sensing its contract might not be continued - on Sept. 8, a day before OPM notified USIS of the suspension of its contract - the company issued a press release titled Myth vs. Fact, in which it defended itself in regards to the breach.
USIS says it reported the breach to OPM, other federal agencies and law enforcement authorities as soon as it discovered it. "Most of the country's prominent defense contractors have been victims of similar cyber-attacks, as have the Pentagon, OPM and several other agencies," the release says. "Yet, despite attacks like these on other large government contractors, USIS is not aware of any case where the government has issued a stop-work order or refused to award new contracts."
Earlier, USIS was involved in the security clearances of Snowden and Alexis, who fatally shot 12 people and three others at the Naval Sea Systems Command at the Washington Navy Yard last September. In its release, USIS contends it followed all OPM-mandated procedures and protocols in its background investigation of Snowden. USIS says OPM confirmed in testimony before Congress that the investigative file compiled by the company on Alexis "was complete and in compliance with all investigative standards."
USIS also is being sued by the Justice Department. A whistleblower accused the company of speeding through a mountain of investigations as the wars in Iraq and Afghanistan fueled a heightened demand for cleared workers, according to the Washington Post. The Justice Department joined the whistleblower civil suit, accusing the company of submitting 665,000 background checks that were incomplete.
USIS, in its press release, contends it has cooperated fully with the Justice Department regarding the civil complaint allegations "concerning certain practices at USIS during the period 2008-2011" and the allegations in that complaint do not involve the work it had been conducting at OPM under the contract that's not being renewed.
"No current USIS employee has any connection to the allegations in the DOJ civil complaint," the release says. "Since learning of these allegations, USIS installed entirely new leadership largely from outside of the company, starting with a new president and CEO (Sterling Phillips) who joined the company in January 2013."
Is USIS being treated fairly?
"Being the largest employer of contract investigators, USIS is taking the brunt of the highly publicized criticism," says Lesser of ClearanceJobs.com. "Data breaches happen to companies large and small, known and unknown. The timing of the USIS breach is such that the damage from the other issues that have unfolded are compounded."