Thursday, October 07, 2021

Defense Counterintelligence and Security Agency Director William K. Lietzau Provides an On-the-Record, Off-Camera Briefing on DCSA's Continuous Vetting Program

 Oct. 5, 2021

William K. Lietzau, Director, Defense Counterintelligence and Security Agency

STAFF: Good afternoon, everyone. Welcome to today's roundtable. We're going to have Director Bill Lietzau from DCSA to give a brief statement here about our continuous vetting announcement that you all should have a news release about. After that, we're going to take questions. 

So I would ask you to please just raise your hand if you have a question for us. We have a number of folks participating with us on Zoom, as well, so we'll include them. And when you do get called on, please just identify yourself by name and outlet so that Director Lietzau knows who he's talking to. And we'll answer as many questions as we can.

The roundtable is scheduled to last for a half hour today and it is all on the record. So with that and no further ado, Director Lietzau.

DCSA DIRECTOR WILLIAM K. LIETZAU: Thanks, Chris, and thank you all for being here and helping me communicate this, I think, important and good news to your audiences and the American public. I'm going to read my opening remarks, which is a little bit different for me, but in the interest of time and to leave as much time as we can for questions.

I'm just happy -- I was told there's only one person in here, so I'm happy there's more -- (Laughter) to hear this news cause I do think it's a good news story. I -- as you just heard, my name's William K. Lietzau. I'm Director of the Defense Counterintelligence and Security Agency. For those of you who aren't tracking it, DCSA was established two years ago, almost exactly, with the merger of the legacy Defense Security Service, with the DOD Consolidated Adjudication Facility and the National Background Investigation Bureau from the Office of Personnel Management.

We are the largest dedicated security organization in the U.S. government and we provide some of the most critical functions in national security, including delivering a trusted workforce, protecting America's industry, critical technology and supply chains, and providing enterprise-wide security education, training and certification.

Now, that's why we refer to ourselves as America's gatekeeper. Even though I said I was going to read my opening remarks, I will just go off a little bit with a note of pride that the gatekeeper function, the employees in DCSA, that function is not thought to be a particularly glamorous one but it's clearly an important one, and DCSA's team has been hitting it out of the park since the merger. I realize I just mixed metaphors, with the gatekeeper and baseball, but all right, I'll go back to the written remarks.

Well before DCSA's stand up in 2019, U.S. policymakers worked to design a reformed personnel vetting policy based on a single secure vetting system for the country. The central component to that system is the continuous vetting of individuals in positions of trust who require a security clearance. That policy, called Trusted Workforce 2.0, is the culmination of a whole of government personnel reform effort that is overhauling the vetting process.

This includes replacing periodic reinvestigations every five to 10 years with a continuous vetting program, ensuring a trusted workforce in real time through automated records checks and interagency information sharing.

DCSA has been charged with implementing this continuous vetting policy by building and designing the processes and secure information technology needed to deliver it. Today, I can announce that DCSA has reached full enrollment of the DOD national security population into a continuous vetting program. This includes uniformed service members, civilians and defense contractors from industry.

This is a significant step in the effort to enhance the trustworthiness of our federal workforce and ensure we have even greater confidence in the individuals we trust to protect our national security. To get this done, DCSA designed a program to enroll DOD personnel into an initial version of the continuous vetting system, offering continuous record checks of the most high value data sources. DCSA has offered this service outside of DOD, as well, and today, we have 30 agencies enrolled, outside of DOD. 
Continuous record checks means that issues of risk and concerns regarding an individual's trustworthiness, that it may have taken years to discover previously, can now be identified and addressed in real time.

This step removes the requirement for periodic reinvestigations by applying a risk-managed approach with select automated records checks. But what we're announcing today is only one step in the direction of full Trusted Workforce 2.0 implementation, which will include more data categories and more sources of information, and as a result, also an increased IT capability to assist with the substantial triaging and analytical work that you can imagine would be necessary for the many checks.

Ultimately, in the full Trusted Workforce 2.0 framework, CV, Continuous Vetting, will fully replace periodic reinvestigations with real time, continuous vetting. So what does all this mean as a practical matter? I'd like to share two examples with you.

In one instance just two months ago our team received a CV alert that generated from a criminal data check. The alert identified a fugitive arrest warrant for attempted murder, felonious assault and other charges related to an incident which had occurred only a day before we received the CV alert. 

We validated the alert and immediately shared the information with relevant security, insider threat and law enforcement points of contact. Coordination of this alert and cooperation with service -- between service component and law enforcement authorities resulted in apprehending the subject. The key is that the alert information, developed through the DCSA Continuous Vetting system, was received and validated five and a half years before the subject's next periodic reinvestigation.

In the second case, an alert was generated from terrorism checks on January in January of 2021, just three days after the subject was enrolled in Continuous Vetting. This alert identified that the subject was under active investigation by another government agency for potential terrorism activities, including planned targeting of United States facilities and ties to known or suspected terrorists.

DCSA validated the alert and immediately shared the with the subject's insider threat and counterintelligence points of contact the existence of the alert. Further, DCSA efforts ultimately resulted in the arrest of the subject, who is now pending prosecution. Again, the alert information developed through the DCSA CV program was received and validated eight years before the subject's next scheduled periodic reinvestigation.

So the bottom line is that continuous vetting is working. It was a good policy to put in place. It's been implemented in its initial stages in a way that is making a difference and it's helping DCSA deliver a trusted workforce.

So with that, again, I thank you for being here. DCSA is proud of the work we're doing to deliver the trusted workforce the country demands and deserves. And I'm happy to take your questions.

Ma'am? I'm I supposed to pick people?

STAFF: You can certainly do that, sir.

Q: Caitlin Doornbos with Stars and Stripes. I'm wondering if you can talk a little bit more about the risk factors in the records that you're (inaudible) that are being continually analyzed.

MR. LIETZAU: So we look at data sources. And it is an evolving system. So this is kind of an initial stage. We're calling it Trusted Workforce 1.25. We have plans to get to 1.5 and 2.0. And what you have is an increasing array of data sources and categories.

The categories include criminal checks, suspicious financial transactions, travel records in foreign travel records, different terrorism and counterterrorism databases, public records, credit bureau reports, and then eligibility requirements that are associated with the agency or department that the person was in. 

So those are the categories and then there's a number of different data sources. And the categories are fairly permanent in policy but we're always looking for better data sources to give us a bigger picture and then we're always looking for better analytical approaches and leveraging IT systems to be able to get from a point of an alert to is this something actionable that we should be doing something about? And that process, obviously is significant.

If I think of this agency generally, if we go to investigations -- let's back up for a minute from Continuous Vetting which is the new development -- in investigations alone, DCSA ingests about 10,000 investigation requests per working day. So this something that's done at scale. This isn't individuals who we're seeing with something in the back window that gave some concern. So we have to be able to do this at scale.

That is a difficult enough process. But if you imagine, then, taking 3.6 million to 4.1 million people, depending DOD versus the whole of the U.S. government that DCSA is cognizant over. And then looking at regular, automated, sometimes daily data checks as the data comes in and you have to identify is it the right person. Is that the person that we have in our databases or is that a different Jeff Smith? And is that new piece of information something we've already looked at before or adjudicated before?

So when you think about the scale of that -- go back to my earlier comment about 10,000 investigations a day, that's for things that we've already identified need to be investigated. Now, we're talking automated checks. It's a large amount of data. And so we have to build the IT systems and processes to be able to handle that data.

Yes, ma'am?

Q: A couple of follow-ups on that -- Tara Copp with Defense One. So you're going to have what sounds like an enormous data collection task of this regular pulling of the population from all these different databases. Are you going to be doing hiring? How are you going to have the infrastructure to be able to process all of this?

And then secondly, you mentioned that -- in one of the examples the individual was flagged by your system in January 2021 because of a wanted arrest or wanted -- you know, suspicion of -- of whatever he's doing. Was this person involved in the Capitol -- the attack on the Capitol on January 6th and is that why they popped?

MR. LIETZAU: Okay, so going to your second question first because it's in my brain. No, it was -- it was a different case. 

But for instance, if somebody were to be arrested as part of the Capitol -- that is something that would hit Continuous Vetting. In fact, in the industrial security side of the house I'm the one who signs off on removing someone's eligibility in instances like that. And so that certainly can and I believe did come up back in January.

With respect to the processing of all this data, you're absolutely right. And that was my little inject of a pride point for the DCSA labor force. These are dedicated, patriotic Americans that are working at DCSA. They're never going to have a TV show about them, but they are very much interested in having a trusted workforce for the U.S. government.

And so, while this organization was coming together and merging to become what's now DCSA, and we're in a pretty significant transformation process, we're also looking at what processes make sense to be able to check all these categories. 

And I can tell you right now, for a subset of the categories which have the least chaff, if you will -- the least, you know, false hits and things like that. That subset, we can do manually using trained personnel and with analytical capabilities. And they are are using a triaging system where they can go through that small number of hits and work through the cases. 

But, of course, they can't do that with a pretty substantial database with some -- some IT tools that allow them to do an initial screening. What we're trying to build though ultimately is not so much a workforce hiring, which we are in the process of doing. We've built up the continuous vetting workforce. It's in place. Every time I visit, there are more people there than there were the last time I visited. 

But but besides building up that workforce, what we're doing is we're building something called the National Background Investigation Service, NBIS, a IT system which was designed to replace the OPM legacy IT system that was hacked. Besides replacing that system, we're building it to be able to cut back on the workload of those people doing the triage and the analytical work so that the computer-aided capabilities will help us be able to reduce the workforce. If we did all of this with simply a manual workforce, the cost would be astronomical. So we have to be comparing IT systems. 

Q: Just one quick follow-up, if I may. You said that, you know, it sounds like this workforce is going to continue growing. Do you anticipate that the number of databases that you tap will also grow? Do you see your agency ever having a role in looking at social media for potentially like extremists views or behavior as part of the overall vetting? 

MR. LIETZAU: Yes and yes. We will clearly be continuing to grow in these areas. I do see more data sources coming online. I know which ones we're bringing online now, but there is no doubt there might be others that come up. And we already have several pilot programs we're working on to look at the value of social media and how you can look at it, whether it's an event-driven look at social media, whether it's a regular continuous look at some social media, or whether it's a one time when their investigated look at social media. There is different ways you could use some of the social media search capabilities that are out there. We are still right now analyzing how much value we think there is in that. 

Ma'am. 

Q: Sylvie Lanteaume, AFP. You spoke about CV alerts. How does it work exactly? Can you give us an example why you are alerted, what happens? And also how do you reconcile this vetting with the freedom of expression of people who work for the government? 

MR. LIETZAU: Yes, that's a great set of complicated questions that we could talk about for a long time. But I will give you the kind of summary answer. Essentially how it happens is we ingest someone into our continuous vetting system where we put in ttheir personal data so we know who we're looking at, you know, various criteria so that a computer can hopefully identify that this is the Jeff Smith that got the DUI last night is not the Jeff Smith who we don't care about, or vice versa. 

So we have them ingested in a system. And then they're ingested into data sources that automatically report to our team on a -- depends on the type of data source how frequently -- for instance, a credit report might be every six months, whereas a specific suspicious financial transaction might be more frequently, criminal check might be whenever it happens and so that sends to our team in Continuous Vetting the fact that this happened. 

That team then takes it with whatever other analytic capabilities we've built into the IT system yet -- and that's changing hopefully on a regular basis, we're improving it -- and they use that to then look at the person's previous records and say "have we dealt with this before?" We send it to the unit where they're from. They look at it and see if they've dealt with it before and then determine if more investigative action needs to take place to address it. So it becomes manual and we're trying to automate it as much as we can, but, you know, the initial stages are fairly manual, then it gets more automated. 

With respect to freedom of expression, you're kind of delving into, like, a social media category a little bit. And I think in that regard, I kind of push that question off onto the policymakers. We are the implementors of those policies. 

We are looking at where we can use social media to identify problems but we have adjudicative guidelines that our adjudication team uses when they're determining if somebody should keep their clearance or not have their clearance. And so those are the guidelines that drive us, not any particular comment made or political speech. Those issues aren't really at the forefront for us yet because we're looking at the kinds of categories I mentioned to determine if there's a risk for that person to continue to hold a clearance.

So I think those questions you're asking -- freedom of speech -- those are absolutely appropriate questions and privacy questions, as well, that are all going to be dealt with over time as we kind of incrementally move forward in this.

Sir?

Q: Yes, thanks. Sort of following up -- my name is Tom Squiteri, I'm with Talk Media News. You said a couple of things before and I want to repeat them, to make sure I heard them clearly.

At one point, you said something like "we get about 10,000 requests per day," and then a couple minutes later, you said "areas that we have identified." To -- to me, I'm a little confused -- are you -- you – do you have in your database now, everybody from DOD? This is -- these are the -- this is my question -- how -- are you -- do you wait until an agency requests "could you check on Jeff Smith for us?" to do that, or is this continuously vetting of DOD people -- "no, no, no, that's OK, we'll get a look at the E-Ring today and vet those people?" 

MR. LIETZAU: Yeah.

Q: That's -- in other words, do you start -- are you proactive in your own or you're reactive or both? Does that -- does that make sense?

MR. LIETZAU: Yeah, it absolutely does, and I realize I probably caused that question a little bit. They're a little bit different issues. My 10,000 comment is just cause it's a nice, even number that I've been able to remember, and that's the number ... 

Q: (Inaudible)…that number for my boss, just for my next raise.

(LAUGHTER)

MR. LIETZAU: It -- it -- that is investing -- that's -- that would exist apart from continuous vetting. Those investigations that come in every day are everything from "this person needs a top secret clearance to be able to do the work that they need to do in the Pentagon" ... 

Q: OK.

MR. LIETZAU: ... to "we have a childcare worker on the southern border and we need to do a quick check on their background."

Q: ... that would be -- in other words, like Tara's example, that the January -- that was a specific request to look at this individual? That would be that kind of thing?

MR. LIETZAU: Yeah, but it wasn't based on an event. It's usually based on they're going to join the workforce. So your first time coming in the workforce, you get that kind of investigation. Then, I have a pool of somewhere 12 to 15 million that have suitability clearances and probably about four million who have national security clearances, like at secret or top secret.

Within that pool, that's the pool that, right now, we are doing Continuous Vetting on. And so that is automatic. So the policy is such that if you're the Army, you can't say to DCSA "hey, we want to do an initial investigation of these, you know, 100 recruits to see if they're good soldiers and should we bring them in as recruits and give them a secret eligibility so they can be in the Army."

Once they tell us "here's the 100 people, we want to recruit them, put them in the Army, do a background," that's one of the 10,000. We do an investigation. Once we do that investigation, even now, as we're doing it, we're ingesting them into Continuous Vetting.

So in the past, 15 years ago, that person might get a secret clearance eligibility assigned to them, and 10 years later, we'll reinvestigate to see if they still should have it. Today, we're doing that same investigation but then we're going to kick off Continuous Vetting.

Q: OK, so that -- that does answer it. And then the -- the -- if I may, just to follow up a little bit on that -- so I got that, you get -- you get them. And once you're in the pool, you're doing the Continuous Vetting of them. How often would that happen then without any kind of triggering incident? So look at me, let's say, or, you know -- how often would I be vetted or anybody who was in that pool?

MR. LIETZAU: All -- all the time.

Q: All -- all -- well ... 

MR. LIETZAU: So it's -- so it's automated and it depends on the check that it -- so that's where your credit might get checked every six months, but if you've got a DUI, we're going to find out the next day.

Q: So a DUI would come in and -- and trigger or flip -- it -- send out a red flag and you'd say "oh, let's look at Jeff Smith, he got a DUI?"

MR. LIETZAU: Exactly.

Q: OK, thank you very much. I appreciate your patience on ... 

MR. LIETZAU: Sure -- sure.

And I know you've been (waiting ?).

Q: Meghann Myers, Military Times. So how does this work in with DOD's efforts to monitor extremist behavior, extremist ties? And you mentioned this a little bit but what kind of security clearances and job descriptions, job levels would be covered under this? Because clearly it's not every single person who works in the building or every single person who's in uniform necessarily, it would be different levels for different clearance requirements.

MR. LIETZAU: Yeah, so it's a -- so the monitoring extremism ties, it's -- it's directly related. We're -- we obviously are in our adjudicative standards and have, for years, been looking at extremist behavior of different sorts. And so clearly, the efforts at finding extremist behaviors are very much related to Continuous Vetting.

There's other programs -- I just came here from down the road at our -- what we call our DITMAC, Defense Insider Threat -- help me out.

(LAUGHTER)

... Management Center, DITMAC, D-I-T-M-A-C. That's the insider threat hub that collects from 43 other DOD insider threat facilities, specifically looking for maybe a more event-driven look at potential extremist behavior. So Continuous Vetting is unquestionably a benefit for identifying potential movement in the direction of extremist behavior. 

In terms of how many people, right now, we're looking at the -- the DOD people -- well, it's more than DOD. I said it's gone outside. The way the policy in the U.S. government works, you're not required to use DCSA, there are other providers, but we're the 95 percent solution. So all of DOD's people with national security clearances, which does include everyone in uniform, are in our Continuous Vetting program, and then other agencies -- like I said, as of yesterday it was 27, today it's 28 plus two more are enrolled but haven't actually enrolled any people yet. So this is growing every day as people say, oh this thing's successful.

We're going to enroll our agency as well. I think our biggest -- I think the FAA is the largest, we have the VA that's also enrolled, GSA, HHS, several other agencies have joined us. So that number will grow, but DOD has the lion’s share of people who have national security clearances. 

Now, eventually this should go to the broader set of government workers that have suitability clearances and hopefully we will -- we will learn as we go. But again, to do that kind of growth I also need to be at the same time building the IT architecture that can support it. And so, it's a question of managing this growth. 

Q: (inaudible) on just -- on Meghann’s question, so with the databases you've got -- now you've got -- you said about seven, how are you flagging an extremist now? Or is that there's something lacking and that's why it needs to be expanded? 

And then just secondly, what are the issues that I didn't get use, just DoD’s policy on PPI and how are you going to safeguard all of this through this massive database and (inaudible) expansion?

MR. LIETZAU: Ok, that is not a quick question.

Q: I know, sorry.

MR. LIETZAU: That's (inaudible). But in fact we -- so first of all it's not seven databases. It's seven categories of data and the databases are often not our databases. We're going out to various agencies, some we pay for, some we are from the U.S. government and they're free. Some are from the U.S. government and people are thinking that we can charge for this. And I deal with those things all the time. Don't quote on that, maybe we charge for this part.

So it is a number of data sources. But then -- I wrote down what you said -- oh, in terms of flagging extremists, what we're still using is we're flagging anything that hits one of the adjudicated guidelines and I probably should have them here for you and I could find them, but I don't have them at my fingertips. 

But these are the adjudicated guidelines and would include tendency toward anti-American activities or terrorist activities or extremist behaviors. That's part of the essence of what we've been doing for years. So in that regard it's not new. It's not like we said, oh, we didn't care about extremists before let's start looking at extremists. What we're doing is recognizing that that is a particular area of threat today. 

And so, there's a little bit more focused attention to it. But there's no particular database that's an extremist category database. There's all of them that give us indicators that someone could -- and that's, in fact, the group that I just left, the Insider Threat Management Team, where you have behavioral scientists and things like that looking at what are the indicators that somebody may be heading in a wrong direction. 

PPI is something we're very focused on all the time. So you can imagine what was the big -- I said we're going to build this NBIS program which is going to assist the continuous vetting team in triaging and analyzing lots of data. 

Well, remember that NBIS computer system that's going to do that was originally put in place to replace the 1987 system that OPM has that was breached. That -- I now own that system. It is up and running. It's the one that's ingesting 10,000 investigation requests of some sort every day. But it's fragile and we're replacing that at the same time. 

And we're replacing it partly because when that data breach occurred, PPI went out the door and so you can rest assured that the most secure unclassified system that we can put in place that is accessible by right now we have 120 government agencies that are our customers and maybe 10,000 companies in industry, that system is as secure as you can make it to protect against leakage of PPI.

STAFF: Sir, we do have time for one more question. Before we take one from the floor and apologies, we should check with the control room and see if anyone's calling in through Zoom that's connecting might have a question for us. And we'll do that now. 

MR. LIETZAU: I forgot about the Zoom part.

STAFF: (inaudible).

Q: Hi.

STAFF: Go right ahead with your question.

Q: Yes, great. I’m Pat Tucker from Defense One, can you talk a little bit about the third party contractors that you are -- might be using or plan to use in the future to help you with this process?

MR. LIETZAU: I can. We use a number of contractors and they have different roles. We use contractors to help us and ultimately we look for things that are inherently governmental functions or done by government employees. And then on some other things we can contract it out. 

For example, adjudicating whether somebody should keep their clearance or get a clearance or whatever, that's an inherently governmental function. But some of the background checks that might have to be done in an initial investigation can sometimes be done by contractors. And there's a split. 

Again, there's also contractors who help us do some analytic work but not make decisions when they're collecting the CT hits, we have contractors who are -- who are collecting data and assisting us in kind of filtering through it. 

And then we're also using contractors to help us build the IT systems to put in place. And again, we're doing it so carefully for PPI reasons, so that no one contractor has the code or the capability to later kind of breach the system or get at those things. So that's how we're using. We're using contractors in numerous capacities. 

Q: Well, are the contractors able to make recommendations for adjudication? Or are they able to like make briefs that have bullet points saying like this is the areas of concern that we detect in and then that passes to adjudication, but there's already a series of bullet points that might influence decision making or something like that?

MR. LIETZAU: There would be certainly nothing to stop a contractor from doing that and the dynamic on the team is such that that -- there's no one who's got to worry that, oh my goodness I see something of concern and I can't get the word out. But on the other hand the process is set up so that that's going to happen on its own anyway. 

The government employees there are doing the analytical work then determining what additional investigative work might be needed before an adjudication can take place. Or do we need to take immediate action and maybe pull somebody's access to classified material or their eligibility. And at this stage that's the primary thing that we're looking at, is access to classified material. 

And then it eventually gets to an adjudicator. So along that route there's plenty of opportunity for any contractor to raise any concerns they see, though they're probably not in a position where they're looking at the holistic picture the way an adjudicator would. 

STAFF: And with that we're going to have to conclude today's roundtable.

MR. LIETZAU: I feel bad because this lady had her hand up the whole time. I feel like I've hit all the hands if I can give her a chance.

STAFF: Sir, it's your round table. Absolutely.

MR. LIETZAU: I tried to hit all the hands that were up and I know you had yours up ma'am.

Q: (inaudible) AWPS News. Thank you for taking my question. So big database and the public that hears about this, I can hear already some of the worry that people might express. Are you going to ever, at some point, collect biometric data and archive that? Are there plans for that?

MR. LIETZAU: No, that's a great question. Thanks for ending me on a very controversial topic, sort of like going into PII. But no, I think -- well to some degree we already do. To some, for instance, fingerprints are part of a clearance process and we're building into the IT systems with a view toward the future, the ability to collect biometric data. 

But all of the concerns that you can imagine are ones that we work through and policy people are working through. And this is where I happily step back and say we're the ones who implement. The benefit is we're the ones who actually bring across the finish line a more trusted workforce but a lot of the difficult policy questions are which my metric data is appropriate to have in a database is something that I'm usually differing to other folks in this building and outside this building for. 

But what I can assure you is that we're putting in place the protections so that what happened back in 2015 or so with the loss of data and it doesn't happen today that we do keep as trusted a workforce as we can possibly have for the United States government.

And that we ensure that trusted workforce is trusted in as a responsible manner as we can. So we will -- we will not be allowing data to leak, not while I'm here.

Q: Thank you.

MR. LIETZAU: With that, thank you.

STAFF: Thank you all very much. If you have any follow-up questions, feel free to contact myself, Chris Bentley, or your rep as well.

No comments: