Audit of the Security Clearance Process

Transcription

1 SECRET Audit of the Security Clearance Process Draft April 2006 Reviewed by CRS in accordance with the Access to Information Act (AIA). Information UNCLASSIFIED. Audit of the Security Clearance Process September (CRS)

2 TABLE OF CONTENTS RESULTS IN BRIEF...i INTRODUCTION...1 Background...1 Objectives...1 Scope...2 Methodology...2 Criteria...2 FINDINGS AND RECOMMENDATIONS...3 Effectiveness of Security Clearance Process...3 Risk Management Strategy...9 Security Clearance Process Control...11 ANNEX A AUDIT CRITERIA...A-1 ANNEX B COMPARISON OF DND/CF & RCMP RELIABILITY STATUS...B-1 ANNEX C MANAGEMENT RESPONSE...C-1 Chief Review Services

3 RESULTS IN BRIEF Chief Review Services conducted an audit of the security clearance process in order to assess the risk management practices, to assess controls in place to ensure a thorough and consistent application of clearance requirements, and to determine whether the clearance program was operating as intended. Personnel security clearances are the first line of defence against both domestic and international security threats. Since most other security measures rely on the involvement of honest and trustworthy people, issuing a departmental or North Atlantic Treaty Organisation (NATO) security clearance to an undeserving individual could: In the worst instance, render security measures ineffective, thus subjecting people, classified information, and facilities and assets to unwarranted risk. Subject NATO to similar risks, thus impacting Canada s relationship and reputation with the various member states of NATO. Overall Assessment The Department s personnel security clearance process Developing a personnel security clearance program that meets the needs of the Department, an expanding CF and commitments to Canada s allies while addressing the program s current... will require clear direction and support from the Deputy Minister and the Chief of the Defence Staff (DM/CDS), and will necessitate the coordinated involvement of numerous departmental organizations. Chief Review Services i/iii

4 Findings and Recommendations RESULTS IN BRIEF Effectiveness of Security Clearance Process. The Deputy Provost Marshal (Security) 2 (DPM Secur 2) It is recommended that the Vice Chief of the Defence Staff/Canadian Forces Provost Marshal (CFPM).. Risk Management Strategy.... It is recommended that before making any changes to the Department s personnel security clearance process,. Security Clearance Process Control. The departmental personnel security clearance policy... It is recommended DPM Secur ensure the timely development of policy and guidance documents that clearly define roles and responsibilities related to the personnel security clearance process along with a training and awareness plan that facilitates the communication and understanding of the personnel security clearance process and associated roles and responsibilities. Chief Review Services ii/iii

5 Management Action Plan RESULTS IN BRIEF The CFPM and DPM Secur concur with the findings and recommendations made in this audit report. The CFPM will immediately initiate a review. While the review will be completed no later than 15 December 2006, recommendations will be made or action initiated as soon as possible to meet action plan timelines (see Annex C) and objectives. The review will address. The outcome of the review, including identified risks, will be communicated to senior management so that informed decisions can be made as to what capabilities will be implemented. Chief Review Services iii/iii

6 Background INTRODUCTION The Government Security Policy (GSP) requires that departments ensure individuals with access to government assets and information are reliable and trustworthy and, for national security, ensure an individual s loyalty to Canada in order to protect the nation from foreign intelligence gathering and terrorism. To this end, the personnel security clearance process entails the assessment of specific characteristics and circumstances. Granting reliability status, a prerequisite to a security clearance, includes a confirmation of an individual s identity, as well as an assessment of an individual s stability, trustworthiness, discretion, family pressures and habits. The Canadian Forces Recruiting Group (CFRG) has been delegated the responsibility for granting and denying reliability status to all Canadian Forces (CF) recruits while individual commanders and managers have been delegated the same responsibility as it applies to public servants. Security clearance checks are required to assess an individual s loyalty, values and beliefs, and to determine associations that could subject the Department of National Defence (DND) to unnecessary risk. The security clearance process, which is the responsibility of the Deputy Provost Marshal (Security) 2 (DPM Secur 2), relies heavily on information garnered and assessed during the reliability process. Except for updated credit and criminal checks, checks and assessments performed to grant reliability status are not repeated during the clearance process. On average DPM Secur 2 processes or provides information for 40,000 reliability and clearance requests annually, and this number will increase significantly with the expected growth in the ranks of the CF. There is currently a processing backlog of approximately 26,000 requests. A 2003 study of the clearance process conducted by the Director General Strategic Change recommended hiring additional processing staff so that DPM Secur 2 could clear the backlog. The hiring process is under way and, while additional staff has been hired, there is a significant training requirement before a reduction in the backlog will occur. Objectives As shown in Figure 1, the objectives of the audit were to: Assess the risk management strategies employed in the development and conduct of the clearance process; Assess the controls in place to ensure a consistent and thorough application of screening and clearance requirements; and Determine whether the clearance program is functioning as intended. Chief Review Services 1/13

7 Scope INTRODUCTION The audit examined reliability status requests for the period January 2002 to March 2005, attributable to the CFRG, and reliability status requests for the period January 2003 to March 2005, attributable to DND organizations that had granted reliability status to civilian personnel. In addition, security clearance files maintained by DPM Secur 2 were reviewed and assessed. Methodology The recommendations of this audit are based on the results of the following activities: Control Framework Risk Management Control Assessment Wh at have we done to identify What do we do to ensure the process operates and mi tigate risk? as intended? Program ri sk assessment Effectiveness Monitoring & Oversight DM /CDS tolerance for risk Training & Awareness Risk mitigation Does the process operate as intended? Policy/Procedure Process adequacy/completeness Assessment of required characteristics/ circumstances Compliance Review of pertinent Treasury Board, departmental, North Atlantic Treaty Organisation (NATO) and personnel security clearance policies, standards and guidelines; Interviews with managers, individuals responsible for granting reliability status, for delivering the clearance program and those responsible for program monitoring and oversight; Discussions with the Manager, Personnel Security Section for the Royal Canadian Mounted Police (RCMP); Directed sampling of reliability status and clearance files; and Assessment of personnel security clearance process rigour and completeness. Criteria Figure 1. Audit Objectives. Management control framework conditions assessed during the audit. Key criteria utilized to assess the effectiveness of the security clearance process are detailed in Annex A. Chief Review Services 2/13

8 Effectiveness of Security Clearance Process FINDINGS AND RECOMMENDATIONS..... Reliability Status Rigour Table 1 details the results of the civilian reliability file testing 95 percent of the civilian reliability files reviewed while 72 percent It should be noted that even though the recruiting centres files contained 66 percent of the files From management s perspective, the primary concern when hiring an individual is to ensure the individual has the stated qualifications and the personality and willingness to fit in with the organization. Contact with previous employers is to confirm experience, reliability and suitability from a job perspective.... These divergent requirements need to be addressed when considering alternatives to the current reliability process. Chief Review Services 3/13

9 Audit of the Security Clearance Process Final September 2006 FINDINGS AND RECOMMENDATIONS The RCMP has recognized the importance of the reliability process and, consequently, has implemented a much more rigorous reliability assessment and confirmation process. Besides the required reference and qualification checks, all new recruits are required to..and all new employees, including public servants, are.... Annex B shows the differences between the DND/CF and the RCMP reliability processes. Files: Without. copy. of Identification. Without. copy. of photo. ID Without. copy. of education/. Qualifications**.. Did. not confirm 29. f Civilian Reliability Sample Results Location A* Location B Location C Location D Location E Total 35 files 29 files 31 files 29 files 29 files reviewed (153. files) reviewed reviewed reviewed reviewed % % % % f Clearance Documentation Table 1. Civilian Reliability Sample Results. Test results of civilian reliability files maintained by unit security supervisors... Chief Review Services 4/13

10 FINDINGS AND RECOMMENDATIONS Clearance Process Rigour. The Department s current mandatory reliability and clearance checks Chief Review Services 5/13

11 FINDINGS AND RECOMMENDATIONS.... Assessment Characteristics/Circumstances. Residual Risk Personal. ID Discretion Required for reliability Stability. Family.. Pressures. Trustworthiness.. Assessment Check s Reliability - Personal ID/Address Checks - Employment History - Personal ID/Address Checks - Employment History - Education/Qualifications - Standardized Interview (Recruits Only) - Education/Qualifications.. - Standardized Interview (Recruits Only) - Credit Check - CRNC - Credit. Check - CRNC Additional for clearances (up to Level 2) Assessment Checks Secret - Update CRNC - Security Violations Update Credit Check -CSIS Indices - - DPM Secur 2.. *Information in. red indicates. that these assessment checks are not always completed... Figure 2. Assessment Characteristics/Circumstances Chief Review Services Reviewed by CRS in accordance with the Access to Information Act (AIA). Information UNCLASSIFIED. 6/13

12 FINDINGS AND RECOMMENDATIONS It is important to note that the outstanding updates are not included in the backlog number (i.e., 26,000 requests). Chief Review Services 7/13

13 FINDINGS AND RECOMMENDATIONS Recommendation. It is recommended that the Vice Chief of the Defence Staff/Canadian Forces Provost Marshal Chief Review Services 8/13

14 Risk Management Strategy FINDINGS AND RECOMMENDATIONS..... Program Risk Chief Review Services 9/13

15 FINDINGS AND RECOMMENDATIONS.. High-Risk Jobs Recommendation. It is recommended that before making any changes to the Department s personnel security clearance process, the Departmental Security Officer.... Chief Review Services 10/13

16 Security Clearance Process Control FINDINGS AND RECOMMENDATIONS.... Roles and Responsibilities Monitoring and Oversight.... Chief Review Services 11/13

17 FINDINGS AND RECOMMENDATIONS... Training and Awareness. There are no structured training and awareness programs that clearly address roles and responsibilities related to the reliability and clearance processes It is not understood that Documenting securityrelated information does not result in the creation of a duplicate personnel file. Favourable credit and criminal record checks, on their own, do not ensure reliability. Managers are required to continuously monitor employee suitability for a clearance level.... Chief Review Services 12/13

18 FINDINGS AND RECOMMENDATIONS. Recommendation. It is recommended DPM Secur ensure the timely development of policy and guidance documents that clearly define roles and responsibilities related to the personnel security clearance process along with a training and awareness plan that facilitates the communication and understanding of the personnel security clearance process and associated roles and responsibilities. Chief Review Services 13/13

19 ANNEX A AUDIT CRITERIA Control Framework Components Risk Management. Assess risk management strategies employed in the management of the security clearance and reliability check processes. Control Assessment. Assess the controls in place to ensure a consistent and thorough application of GSP security clearance requirements. Effectiveness. Assess management practices employed to deliver an effective, efficient and timely security clearance and reliability check process. Audit Criteria Security clearance and reliability check requests are processed in a timely manner so as to minimize negative impacts on CF and DND operations. Risk associated with screening/clearance process has been identified, assessed and mitigation plans have been developed, implemented and communicated. Departmental procedural documents clearly detail the information to be collected, analyzed and maintained for each level of security. There is a quality control process in place to ensure security clearance and reliability check requests are processed in accordance with policy requirements and to ensure decisions regarding the granting, denying or rescinding of a clearance are suitably and consistently substantiated, reviewed and authorized. Departmental policy and procedural documents clearly detail management responsibilities throughout the clearance and screening process and there is an effective communication and training strategy in place to ensure managers are aware of their responsibilities. Managers continuously monitor and report situations or activities that might adversely affect the validity of employee clearance levels. Clearance organizations are staffed with qualified individuals and the resources required to provide an efficient and effective clearance and screening process. There is a continuous monitoring and assessment of all aspects of the security clearance and screening processes in order to ensure and improve the efficiency and effectiveness of operations. Information gathered during the clearance and screening processes is maintained and used in accordance with policy requirements. Chief Review Services A-1/1

20 ANNEX B COMPARISON OF DND/CF & RCMP RELIABILITY STATUS Characteristic & Circumstance Validation and Security DND Checks to Determine Reliability RCMP Checks to Determine Reliability. * For public servants & civilian members only ** Regular members of the RCMP only 1.. Chief Review Services B-1/1

21 ANNEX C MANAGEMENT RESPONSE (c) The CFPM and DPM Secur concur with the findings and recommendations made in the audit report A review must establish what capabilities are needed. We must be able to state the risk of not adopting each capability, so that senior management can understand the risk and then decide whether or not to expand resources for each capability. CRS Recommendation OPI Management Action and Milestones Recommendation. It is recommended that the Vice Chief of the Defence Staff/Canadian Forces Provost Marshal initiate a full review and revision of the personnel security clearance program determining: CFPM The CFPM will immediately initiate a review that addresses the security clearance process.... The review team will include DPM Secur 2, DPM RM, key personnel from DPM Secur 2, and a consultant/contractor. While the review will be completed no later than 15 Dec 06, the review will recommend or initiate action as soon as possible to meet action plan timelines and objectives. 1. Additional checks required. the reliability/clearance process to: Ensure the assessment of characteristics and circumstances currently required by the GSP. Meet DND/CF specific requirements, objectives and treaty obligations. DPM Secur The review will make recommendations to take action to ensure the GSP guidelines and treaty obligations are met. As a result of the security screening review,. An implementation plan will be complete NLT 15 Dec 06. Chief Review Services C-1/4

22 (c) ANNEX C CRS Recommendation OPI Management Action and Milestones 2. The documentation to be accepted as proof of identity and how the validity of the documentation will be determined. DPM Secur Who will perform the identified checks and under what circumstances will these checks be conducted. DPM Secur.. Immediately, we will staff a CANFORGEN message reminding hiring authorities that they are required to conduct these checks While a plan will be completed on 15 Dec 06, a shorttem solution might be implemented sooner. 4. Who will perform reliability checks and grant reliability status, and how will documentation be retained to ensure security file integrity and privacy. DPM Secur Currently, the hiring manager is the authority for granting reliability status and the DSO provides input for reliability but is the authority for security clearances Chief Review Services C-2/4

23 CRS Recommendation OPI Management Action and Milestones 5. The resource requirements and organizational structure required to implement a meaningful clearance process including: ANNEX C (c) DPM Secur DPM Secur DPM Secur By 15 Dec 06, Chief Review Services C-3/4

24 and Security ANNEX C CRS Recommendation OPI Management Action and Milestones Recommendation. It is recommended that before making any changes to the Department s personnel security clearance process, the Departmental Security Officer conduct a risk management assessment of the clearance process that addresses, at a minimum, each of the riskrelated issues DPM Secur The security clearance process review will include a risk management assessment that will address each risk related issue...raised in the CRS review. The risk management assessment will be completed by 1 Nov 06. Recommendation. It is recommended that DPM Secur ensure the timely development of policy and guidance documents that clearly define roles and responsibilities related to the personnel security clearance process along with a training and awareness plan that facilitates the communication and understanding of the personnel security clearance process and associated roles and responsibilities. DPM Secur Once the security clearance process review is complete, a plan will be developed that facilitates the communication and understanding of the personnel security clearance process. The plan will be complete and implementation will begin by Mar 07. In the short-term, DPM Secur will draft at least one CANFORGEN giving guidance on reliability screening to hiring authorities. We have coordinated a Qualification Standards writing boards for Unit Security Supervisor (USS) courses and will ensure training plans are prepared NLT 15 Oct 06. We expect that the CF Military Police Academy will start running USS courses soon after that. Chief Review Services C-4/4