Federal Deposit Insurance Corporation
Office of Inspector General

The FDIC's Personnel Security and Suitability Program

This is the accessible text file for FDIC OIG report number EVAL-14-003 entitled The FDIC’s Personnel Security and Suitability Program which was released on August 25, 2014.

This text file was formatted by the FDIC OIG to be accessible to users with visual impairments.

We have maintained the structural and data integrity of the original printed product in this text file to the extent possible. Accessibility features, such as descriptions of tables, footnotes, and the text of the Corporation’s comments, are provided but may not exactly duplicate the presentation or format of the printed version.

The portable document format (PDF) file also posted on our Web site is an exact electronic replica of the printed version.

Office of Audits and Evaluations Report No. EVAL-14-003



Executive Summary

The FDIC’s Personnel Security and Suitability Program

Report No. EVAL-14-003

August 2014

Why We Did The Evaluation

The FDIC’s Personnel Security and Suitability Program (PSSP) is designed to ensure that the Corporation employs and retains only those persons who meet all federal requirements for suitability (i.e., character, reputation, honesty, integrity, trustworthiness) and whose employment or conduct would not jeopardize the accomplishment of the Corporation’s duties or responsibilities. A high-quality program is essential to minimizing the risks of unauthorized disclosures of sensitive information and to helping ensure that information about individuals with criminal activity or other questionable behavior is identified and assessed as part of the process for granting or retaining clearances. Further, potential missed red flags in the backgrounds of individuals who have recently committed serious crimes have brought renewed public and Congressional attention to the criticality and quality of background checks.

An Office of Personnel Management Federal Investigative Services (OPM-FIS) review of the FDIC’s personnel security and suitability program completed in April 2013, primarily covering calendar year 2011, made 11 recommendations for the FDIC to improve its program. In addition, an OIG contract audit completed in 2012 and an OIG audit of controls related to safeguarding sensitive information started in 2013 identified deficiencies in the performance of background investigations for contractors and employees, respectively. In 2013, the FDIC implemented all 11 OPM-FIS recommendations and corrected the deficiencies identified in both OIG audits.

Our objective was to determine whether the FDIC is carrying out its PSSP efficiently and effectively. We evaluated (1) FDIC management’s overall administration of the program, including the extent to which applicable policies and procedures are in place and being followed; (2) oversight and administration of the contract supporting the program; and (3) the nature, extent, allowability, and reasonableness of costs incurred under the contract supporting the program. We engaged BDO USA, LLP to complete tasks detailed in an evaluation program that we developed and approved, provide technical guidance and analytical assistance, and assist in our reporting of evaluation results. Our review covered the period from January 2011 through July 2013.

Background

The authority for determining suitability for federal employment in the competitive service is vested in 5 U.S.C. 3301, 3302, and 7301; Executive Order (E.O.) 10577, as amended by E.O. 12107; and 5 C.F.R. Parts 5, 731, and 736. Applicants, appointees, and employees are also subject to mandatory bars outlined in 12 C.F.R. Part 336, Minimum Standards of Fitness for Employment with the Federal Deposit Insurance Corporation. The FDIC primarily ensures the suitability of its employees and contractors and that the minimum standards of fitness and employment are met through the background investigations process.

The FDIC’s Security and Emergency Preparedness Section (SEPS) within the Corporate Services Branch (CSB) in the Division of Administration (DOA) receives, assesses, processes, and adjudicates personnel security and suitability cases for all FDIC employees, contractors, and subcontractors. The FDIC relies heavily on a contractor for performing background investigation functions and providing personnel suitability support. The Corporation uses the OPM-FIS to conduct background investigations based on the risk level designation for the position the FDIC is filling.

Evaluation Results

During our evaluation, the PSSP was in a state of transition and various aspects of the program were evolving and being improved. In furtherance of those efforts, the FDIC could strengthen controls in the following areas.

Overall Program Administration. Most preliminary clearance and adjudication determinations we reviewed were completed appropriately. However, we questioned a number of decisions and found that some decisions lacked support; not all background investigations performed were commensurate with a position’s risk level designation; some background investigations were not timely; and many investigation case files were missing key documentation. We concluded that our test results could be attributed to weaknesses in policies and procedures, and management resource issues such as continuity and span of control. SEPS indicated that it made a number of program changes following our testing period and realized meaningful program improvements in late 2013 and early 2014, such as:

- Eliminating case backlogs, thereby reducing processing times, both on the front-end for background investigation submissions to OPM and the back-end for completed case adjudications;
- Implementing the use of OPM’s e-QIP system for electronic submission of background investigation questionnaires for all employees and contractors to reduce case review time and processing errors;
- Reviewing all FDIC position descriptions to ensure they had appropriate position sensitivity determinations;
- Instituting a periodic reinvestigation program for incumbent federal staff in moderate risk positions;
- Increasing security support contract staffing levels with experienced adjudicators and security assistants, a more experienced senior project manager, and other positions; and
- Reorganizing SEPS and hiring an experienced Security Operations Unit manager to provide day-to-day supervision and management of the security support contract and federal staff.

SEPS also began an effort to digitize background investigation files and automate the PSSP process through an enterprise content management platform, known as the Personnel Security Records (PERSEREC) project. This effort is intended to improve records management, program efficiency, and performance reporting.

Contract Oversight. Most contractor charges that we reviewed were supportable and contract modifications were appropriately executed. However, we identified a few exceptions related to contractor overtime hours, labor category mix, the timely signature of modifications, and written approvals for key personnel changes. Further, while we determined that most contractor staff met minimum qualifications, we identified two staff that did not. Finally, we concluded that contract oversight could be strengthened by SEPS establishing better criteria for measuring contractor production and performance. SEPS developed weekly performance metrics, including contractor metrics, in May 2013. Implementation of the PERSEREC project should help to improve the reliability of underlying performance metric data and automate and enhance performance reporting.

Records Management. Records management controls over PSSP files, which include extensive amounts of sensitive personally identifiable information (PII), needed improvement. These weaknesses create inefficiency and present risks to the FDIC, including the potential for unauthorized release and access to large volumes of PII, and the PSSP team’s inability to respond to inquiries or readily locate documentation supporting background investigation determinations. The transition to PERSEREC should mitigate these weaknesses and inefficiencies.

Information Systems. Data we reviewed in the DOA systems used to capture preliminary clearance data and provide management reporting—the Background Investigation Review Tracking (BIRT) System and the Corporate Human Resources Information System (CHRIS)—were not reliable and, in some cases, redundant. SEPS officials indicated that once PERSEREC is fully operational, BIRT will be retired. SEPS also expects to implement a business process management system in 2015 that will integrate with PERSEREC, CHRIS, and OPM systems to automatically update background investigation case information and track the status of cases. SEPS will need to ensure that it builds adequate workflow process controls into the automation effort to address the weaknesses noted in this report.

As we completed our testing, it was too early to fully assess the effectiveness of SEPS’ operational improvements, hiring of new management and key staff, and ongoing and planned automation efforts. Nevertheless, we considered those efforts in forming our recommendations.

Recommendations

The report contains 10 recommendations intended to complement ongoing PSSP program improvements and to strengthen and sustain associated policies, procedures, and controls.

The Director, DOA, provided a written response dated July 24, 2014, to a draft of this report. In the response, the Director, DOA, concurred with the report’s 10 recommendations. The response described improvements to the PSSP that were occurring during and after the scope of this review and outlined corrective actions that were responsive to the recommendations. DOA has already taken steps that we confirmed were sufficient to close three of the recommendations.

[End of section]

Contents

Background

Evaluation Results

Overall Administration of the PSSP
    Preliminary Clearance and Adjudication Determinations
    Extent to Which Background Investigations Were Commensurate with Risk Level Designations
    Timeliness of Background Investigation Processes
    Documentation Maintained in Investigation Case Files
    PSSP Policies and Procedures
    Management Oversight of the PSSP
    Program Changes and Improvements
    Recommendations

Contractor Performance and Oversight
    Recommendations

Records Management Controls
    Recommendations

Information Systems Reliability and Controls
    Recommendation

Digitization and Automation Efforts
    Recommendations

Corporation Comments and OIG Evaluation

Appendices
    1. Objective, Scope, and Methodology
    2. Sampling Methodology
    3. Questioned or Unsupported Preliminary Clearance or Adjudication Decisions
    4. Glossary
    5. Acronyms and Abbreviations
    6. Corporation Comments
    7. Summary of the Corporation’s Corrective Actions

Tables
    1. Background Investigations Performed Below PSA Form Risk Rating
    2. PSA Forms Not Included in File
    3. Investigations Not Submitted to OPM Within 14 Days
    4. Forms 79A Not Sent to OPM Within 90 Days
    5. National Security Cases Not Adjudicated Within 20 Days
    6. Contractor Preliminary Approvals Not Completed Within 5 Days
    7. Files With Incomplete Summary Sheet Documentation
    8. Files Missing Documents
    9. BIRT Records with Missing or Erroneous Data
    10. CHRIS Records with Missing or Erroneous Data
    11. Background Investigations Processed, January 1, 2011 – July 31, 2013
    12. Sampled Files by Type of Investigation
    13. Sampled Files by Adjudication Result
    14. Sampled Files by OPM Issue Indicator

Figures
    1. SEPS New Organizational Structure
    2. PSSP Support Contractor Staff Organizational Structure

[End of Table of Contents]

[Letter head] FDIC Federal Deposit Insurance Corporation Office of Inspector General Office of Audits and Evaluations 3501 Fairfax Drive, Arlington, VA 22226 [End of letter head]

DATE: August 7, 2014

MEMORANDUM TO: Arleas Upton Kea Director, Division of Administration

FROM: Stephen M. Beard /Signed/ Deputy Inspector General for Audits and Evaluations

SUBJECT: The FDIC’s Personnel Security and Suitability Program (Report No. EVAL-14-003)

This report presents the results of our subject evaluation. The FDIC’s Personnel Security and Suitability Program [Footnote 1] (PSSP) is designed to ensure that the Corporation employs and retains only those persons who meet all federal requirements for suitability (i.e., character, reputation, honesty, integrity, trustworthiness) and whose employment or conduct would not jeopardize the accomplishment of the Corporation’s duties or responsibilities. A high-quality program is essential to minimizing the risks of unauthorized disclosures of sensitive information and to helping ensure that information about individuals with criminal activity or other questionable behavior is identified and assessed as part of the process for granting or retaining clearances.

Footnote 1: Terms that are underlined when first used in the report are defined in Appendix 4, Glossary.

Objective and Approach

Our objective was to determine whether the FDIC is carrying out its PSSP efficiently and effectively. To fulfill this objective, we evaluated (1) FDIC management’s overall administration of the program, including the extent to which applicable policies and procedures are in place and being followed; (2) oversight and administration of the contract supporting the program; and (3) the nature, extent, allowability, and reasonableness of costs incurred under the contract supporting the program.

We conducted this evaluation in accordance with the Council of the Inspectors General on Integrity and Efficiency’s Quality Standards for Inspection and Evaluation. We engaged BDO USA, LLP to support the Office of Inspector General (OIG) by completing tasks detailed in an OIG-developed and approved evaluation program, providing technical guidance and analytical assistance throughout the assignment, and assisting the OIG in reporting the evaluation results.

To evaluate the FDIC’s overall administration of the program, we first gained an understanding of program requirements by reviewing applicable laws and regulations. We then reviewed relevant FDIC policies and procedures, interviewed program officials, and observed how FDIC processed background investigations and handled background investigation files. Next we reviewed a non-statistical sample of 108 background investigation files undergoing preliminary clearance or adjudication between January 1, 2011 and July 31, 2013. [Footnote 2] In selecting our sample, we stratified the population to select a representative sample based on type of employment, investigation type, adjudication determination, and Office of Personnel Management (OPM) risk designation. We assessed program administration through a review of file documentation, approvals, and adjudication decisions for the 108 background investigation files sampled.

Footnote 2: The results of a non-statistical sample cannot be projected to the intended population.

We assessed contractor administration and oversight by reviewing the contractor’s day-to-day operations and deliverables, as well as the roles of Security and Emergency Preparedness Section (SEPS) employees and the PSSP support contractor staff (collectively the PSSP Team). We assessed contractor costs by reviewing contractor invoices for reasonableness and accuracy. Appendix 1 provides additional details on our objective, scope, and methodology and Appendix 2 discusses the sampling methodology used for this evaluation.

Background

The authority for determining suitability for federal employment in the competitive service is vested in 5 United States Code (U.S.C.) 3301, 3302, and 7301; Executive Order (E.O.) 10577, as amended by E.O. 12107; and 5 Code of Federal Regulations (C.F.R.) Parts 5, 731, and 736. Applicants, appointees, and employees are also subject to mandatory bars outlined in 12 C.F.R. Part 336, Minimum Standards of Fitness for Employment with the Federal Deposit Insurance Corporation, which prohibits any person from becoming employed or providing service to, or on behalf of, the FDIC who has:

- been convicted of any felony;
- been removed from or prohibited from participating in the affairs of any insured depository institution pursuant to any final enforcement action by any appropriate Federal banking agency;
- demonstrated a pattern or practice of defalcation regarding obligations to insured depository institutions; or
- caused a substantial loss, in an amount in excess of $50,000, to federal deposit insurance funds.

FDIC Circular 2120.1, Personnel Suitability Program, establishes the responsibilities, policy requirements, and procedures for the Corporation's Personnel Suitability Program. The provisions of this circular apply to all FDIC employees, appointees, and applicants for employment. Requirements related to FDIC contractors and subcontractors may be found in FDIC Circular 1610.2, Security Policy and Procedures for FDIC Contractors, while those related to FDIC national security positions may be found in FDIC Circular 1600.3, National Security Program.

The FDIC primarily ensures the suitability of its employees and contractors and that the minimum standards of fitness for employment are met through the background investigations process. This process generally includes a risk designation, application submission, investigation, and adjudication. Specifically, division and office directors complete risk designations for positions and ensure that the designations accurately reflect the risk posed to the Corporation. These designations include consideration of the extent to which the position requires access to sensitive data. After an individual has been selected for a position that requires a personnel security clearance and the individual submits an application for a clearance, a background investigation is conducted commensurate with the risk designation. Adjudicators use the information from these investigations to determine whether an applicant is eligible for a clearance.

The FDIC’s SEPS within the Corporate Services Branch (CSB) in the Division of Administration (DOA) receives, assesses, processes, and adjudicates personnel security and suitability cases for all FDIC employees, contractors, and subcontractors. The FDIC uses the Office of Personnel Management Federal Investigative Services (OPM-FIS) to conduct background investigations. As detailed in Appendix 1, Objective, Scope, and Methodology, PSSP processed 6,907 background investigations for FDIC employees and contractors from January 1, 2011 through July 31, 2013, the period covered by our review.

The OIG has not reviewed the PSSP since 2001. However, an OIG contract audit completed in 2012 [Footnote 3] and an OIG audit of controls related to safeguarding sensitive information started in 2013 [Footnote 4] identified deficiencies in the performance of background investigations for contractors and employees, respectively. The FDIC implemented actions to address the deficiencies identified in both OIG audits.

Footnote 3: FDIC OIG Report No. AUD-12-010, Controls Related to the FDIC’s Contract with KeyCorp Real Estate Capital Markets, Inc., dated July 3, 2012.

Footnote 4: FDIC OIG Report No. AUD-14-008, The FDIC’s Controls for Safeguarding Sensitive Information in Resolution Plans Submitted Under the Dodd-Frank Act, dated July 3, 2014.

OPM-FIS reviewed the FDIC’s PSSP, primarily covering calendar year 2011. OPM-FIS’s April 2013 report made 11 recommendations for the FDIC to improve the PSSP. The OPM-FIS program evaluation confirmed that the FDIC was validating the need for an investigation through OPM’s Central Verification System (CVS). [Footnote 5] However, the review found that the FDIC needed to improve, and made recommendations for:

- Calculating accurate annual investigation projections,
- Using the Electronic Questionnaires for Investigations Processing (e-QIP) system,
- Reporting adjudication determinations to OPM,
- Making timely adjudication decisions,
- Sharing CVS data monthly with OPM,
- Appropriately designating position risk and sensitivity, and
- Requesting correct investigations and reinvestigations.

Footnote 5: This is a suitability and security automation performance goal that OPM monitors and reports to the Performance Accountability Council established by E.O. 13467, dated June 30, 2008, Reforming Processes Related to Suitability for Government Employment, Fitness for Contractor Employees, and Eligibility for Access to Classified National Security Information.

In 2013 the FDIC took action to address each of OPM’s recommendations.

[End of section]

Evaluation Results

During our evaluation, the PSSP was in a state of transition and various aspects of the program were evolving and being improved. In furtherance of those efforts, the FDIC could strengthen controls in the following areas:

- Overall Program Administration
- Contract Oversight
- Records Management
- Information Systems

To that end, we are making 10 recommendations to enhance the FDIC’s PSSP.

Our testing covered the period January 1, 2011 through July 31, 2013. As a result, it was too early for us to evaluate the effectiveness of certain operational improvements and the hiring of new management and key staff aimed at strengthening the PSSP. Nevertheless, we did consider those efforts in forming our recommendations. In that regard, during our evaluation, SEPS began an effort to digitize background investigation files and automate the PSSP process through an enterprise content management platform. This initiative is intended to improve records management and operational efficiency. SEPS has also indicated it is being mindful of building adequate workflow process controls into the automation effort to address issues noted in this report.

Overall Administration of the PSSP

While we concluded that most preliminary clearance and adjudication determinations were completed appropriately, we questioned a number of decisions and found some decisions lacked support, not all background investigations performed were commensurate with a position’s risk level designation, some background investigations were not timely, and many investigation case files were missing key documentation. SEPS indicated that, following our testing period, performance in some of these areas improved significantly.

Preliminary Clearance and Adjudication Determinations

We concluded that most preliminary clearance and adjudication decisions were consistent with federal and FDIC suitability requirements based on information contained in investigation case files. Still, we identified eight files (7 percent) where we questioned preliminary clearance or adjudication determinations or found that decisions lacked support. Further, 52 percent of the files we tested did not contain key documents used to support preliminary clearance or adjudication decisions, or both.

The PSSP review has two key decision milestones: preliminary clearance and adjudication. The PSSP team conducts the preliminary clearance assessment to determine compliance with FDIC-specific suitability criteria, including criminal and financial history. The Preliminary Background Checklist should document and support preliminary clearance decisions and approvals. Once an applicant is approved through the preliminary clearance process, the applicant is eligible to begin work for the FDIC.

Applicants that are preliminarily cleared will then undergo an OPM investigation based on the risk designation for the position. OPM returns its investigation to the PSSP team for final adjudication. The adjudication decision, FDIC approval, and related support are documented on the Personnel Investigation Summary. If an applicant has received a previous favorable adjudication that falls within acceptable timing and risk parameters, then the FDIC may rely upon the prior investigation and not require a new investigation. This process is known as reciprocity.

We tested our sample of 108 files to assess whether preliminary clearance and adjudication decisions were consistent with federal and FDIC suitability requirements based on information available in the case files. Our testing found eight files (7 percent) where we questioned the preliminary clearance or adjudication decisions or found such decisions lacked support, as follows.

- In two cases, we concluded that PSSP’s reliance on a prior background investigation (reciprocity) was incorrect,
- In two cases, we concluded that PSSP’s decision to preliminarily clear two staff was based on incomplete or incorrect information, and
- In four cases, the background investigation files did not include sufficient support for reciprocity, preliminary clearance, or adjudication decisions.

We provided the SEPS Assistant Director with additional details for each of the eight cases, which are summarized in Appendix 3. He concurred with our conclusions and acknowledged that the FDIC should establish a consistent practice on how it should handle individuals who experienced probation before judgment based on one of the cases we identified. None of the individuals associated with these cases remains employed by, or under contract with, the FDIC.

Legal Division Review. PSSP refers files with potential suitability issues to the FDIC’s Legal Division for additional review. [Footnote 6] Through our review of files, we identified 18 with potential suitability issues and tested them to ensure they were sent to the Legal Division for review and that the Legal Division’s decision was sufficiently documented. Of the 18 files tested, 3 files (17 percent) were not sent to the Legal Division, and 2 files (11 percent) did not clearly document the Legal Division’s decision. The PSSP team explained that there is not a formal policy or consistent practice regarding when files should be sent to the Legal Division for review. Some SEPS employees told us they make that determination on a case-by-case basis, while others suggested that all files involving bankruptcies and felonies should be sent to the Legal Division. We concluded that SEPS should clarify its policies regarding specifically when files should be sent to the Legal Division for review.

Footnote 6: Suitability issues could involve many situations, since each applicant situation is unique. Among other things, suitability issues could involve financial matters, such as bankruptcy; criminal records; or lack of integrity, such as lying on an application or not disclosing complete information.

Documentation. We tested all 108 files for key documents and approvals related to preliminary clearance and adjudication. This testing included reviews of the Preliminary Background Checklist and Personnel Investigation Summary, which are the key documents for preliminary clearance and final adjudication decisions, respectively. Of the 102 files [Footnote 7] applicable in the sample, 55 (54 percent) were missing the Preliminary Background Checklist for preliminary clearance. Although the checklist was missing, we determined that these 55 files, in substance, were preliminarily cleared appropriately. Of the 84 files in our sample that reflected screening work through adjudication, 4 files (5 percent) were missing the Personnel Investigation Summary for adjudication or did not have the appropriate FDIC approval. We concluded, however, that these four files were adjudicated appropriately. By not having the necessary assessment forms included in the file and appropriately approved, the FDIC cannot readily support its preliminary clearance and adjudication decisions.

Footnote 7: This was not applicable to all 108 files because reinvestigations do not go through preliminary clearance reviews.

Extent to Which Background Investigations Were Commensurate with Risk Level Designations

We tested all 108 files to ensure that the type of background investigation performed matched the risk level on the Personnel Security Action (PSA) form completed by the applicant’s hiring manager. One of the key purposes of the PSA form is to identify the risk sensitivity of the applicant’s position within FDIC so the PSSP team can complete the appropriate investigation. The hiring manager completes the PSA form for all new employees and contractors. The position risk is assessed at high, medium, or low as determined by the position's potential for adverse impact to the efficiency or integrity of the service, based on OPM’s Position Designation System. [Footnote 8]

Footnote 8: FDIC Circulars also refer to this as the Risk Designation System.

Performing the appropriate level of background investigation on employees and contractors is critical to ensure that the FDIC is in compliance with its own policies and OPM requirements. Typically, lower level reviews address shorter periods of the applicant’s background. Derogatory information from earlier periods could potentially be missed in lower level investigations, which puts the FDIC at risk of favorably adjudicating an applicant with potential suitability issues.

Of the 108 files we reviewed, 23 files (21 percent) indicated the level of background investigation conducted was lower than the required investigation type based on the risk level designated on the PSA form. Additionally, 44 files (41 percent) did not have the PSA form in the file, so we were unable to verify that the FDIC had conducted the appropriate level of investigation.

Table 1: Background Investigations Performed Below PSA Form Risk Rating

Row 1: Contractor. Files Tested: 58; Files Exceptions: 15; Files Percentage: 26%; Exceptions by Year: 2011: 6%, 2012: 33%, Through July 2013: 35%

Row 2: Employee. Files Tested: 50; Files Exceptions: 8; Files Percentage: 16%; Exceptions by Year: 2011: 25%, 2012: 14%, Through July 2013: 0%

Row 3: Total. Files Tested: 108; Files Exceptions: 23; Files Percentage: 21%; Exceptions by Year: 2011: 16%, 2012: 24%, Through July 2013: 23%

Source: OIG analysis of background investigation files.

[End of table]

Table 2: PSA Forms Not Included in File

Row 1: Contractor. Files Tested: 58; Files Exceptions: 17; Files Percentage: 29%; Exceptions by Year: 2011: 65%, 2012: 13%, Through July 2013: 18%

Row 2: Employee. Files Tested: 50; Files Exceptions: 27; Files Percentage: 54%; Exceptions by Year: 2011: 55%, 2012: 57%, Through July 2013: 44%

Row 3: Total. Files Tested: 108; Files Exceptions: 44; Files Percentage: 41%; Exceptions by Year: 2011: 59%, 2012: 33%, Through July 2013: 27%

Source: OIG analysis of background investigation files.

[End of table]

We found similar issues in our 2012 audit of the Controls Related to the FDIC’s Contract with KeyCorp Real Estate Capital Markets, Inc. The audit found that, as of May 2012, the contract risk level designation was “high,” but none of the background investigations for a sample of contractor personnel were conducted at a commensurate level. During our current evaluation, 10 of the 23 files we identified as having lower reviews than designated on the PSA form occurred after that May 2012 finding.

The SEPS Assistant Director told us that, in December 2013, SEPS completed a review of all FDIC position descriptions to validate position sensitivity levels using OPM’s automated Position Designation Tool. The review determined that 26 percent of existing position descriptions were incorrectly designated either lower or higher than determined using the Position Designation Tool. SEPS initiated work with DOA’s Human Resources Branch to correct discrepancies and request appropriate scope background investigations for those incumbent employees.

Timeliness of Background Investigation Processes

Our evaluation assessed PSSP performance with respect to key OPM and FDIC metrics related to requests for investigation, reporting of agency adjudicative actions to OPM, adjudication of National Security [Footnote 9] cases, and the preliminary approval of contractors, as follows:

Footnote 9: National Security positions involve activities of the government that are concerned with protecting the nation from foreign aggression or espionage and that require regular use of, or access to, Classified National Security Information, per FDIC Circular 1600.3, National Security Program.

Request for Investigation. OPM requires that Federal departments and agencies request investigations within 14 days of an applicant’s certification of the Application for Public Trust Positions form or the electronic equivalent, OPM’s e-QIP. We tested the 82 applicable files submitted to OPM for investigation [Footnote 10] by comparing the applicant’s certification date to the date OPM scheduled the subject’s investigation and found that PSSP requested investigations for 74 files (90 percent) in excess of 14 days. Submission times for files that exceeded the 14-day metric ranged from 15 to 557 days, with a median of 59 days. Our testing results were consistent with the OPM-FIS program review that found 86 percent of cases were submitted in excess of 14 days in 2011. SEPS internal performance metrics showed marked improvement in the fourth quarter of calendar year 2013. Further, SEPS management advised the OIG, but we did not confirm as part of this evaluation, that as of March 2014, SEPS was meeting the 14-day criteria to submit investigations to OPM. SEPS also indicated that the FDIC had mandated the use of OPM’s e-QIP system for the electronic submission of all background investigation questionnaires.

Footnote 10: This test was not applicable to all files due to reciprocity.

Table 3: Investigations Not Submitted to OPM Within 14 Days

Row 1 Contractor Files Tested: 39 Files Exceptions: 31 Files Percentage: 79% Exceptions by Year 2011: 88% 2012: 75% Through July 2013: 82%

Row 2 Employee Files Tested: 43 Files Exceptions: 43 Files Percentage: 100% Exceptions by Year 2011: 100% 2012: 100% Through July 2013: 100%

Row 3 Total Files Tested: 82 Files Exceptions: 74 Files Percentage: 90% Exceptions by Year 2011: 96% 2012: 87% Through July 2013: 89%

Source: OIG analysis of background investigation files.

[End of table]

Report of Agency Adjudicative Action. OPM requires federal departments and agencies to report adjudication outcomes to OPM through paper or electronic Forms 79A, Report of Agency Adjudicative Action, as soon as possible, and no later than 90 days after receiving the investigation from OPM. OPM-FIS tested this metric in its program review and found that the average return time was 242 days. In addition, OPM-FIS noted 343 instances (25 percent of investigations completed within the program review scope) where investigations had been completed for more than 90 days but PSSP had never returned the Form 79A to OPM.

For the 89 files we tested where a Form 79A was submitted to OPM [Footnote 11], we found that the PSSP team submitted 43 forms (48 percent) to OPM in excess of 90 days. Submission times for forms that exceeded the 90-day goal ranged from 93 to 477 days, with a median of 224 days. We also identified files in which a Form 79A was never submitted. Of the files we tested, the FDIC improved its submission timeliness each year, significantly in 2013 compared to 2011. In addition, the SEPS Assistant Director advised the OIG that he implemented new procedures in 2014 that should further improve timeliness.

Footnote 11: This was not applicable for all files because not all files went through adjudication.

Table 4: Forms 79A Not Sent to OPM Within 90 Days

Row 1 Contractor Files Tested: 43 Files Exceptions: 14 Files Percentage: 33% Exceptions by Year 2011: 50% 2012: 30% Through July 2013: 23%

Row 2 Employee Files Tested: 46 Files Exceptions: 29 Files Percentage: 63% Exceptions by Year 2011: 85% 2012: 56% Through July 2013: 25%

Row 3 Total Files Tested: 89 Files Exceptions: 43 Files Percentage: 48% Exceptions by Year 2011: 73% 2012: 42% Through July 2013: 24%

Source: OIG analysis of background investigation files.

[End of table]

National Security Reviews. The Intelligence Reform and Terrorism Prevention Act (IRTPA) established standards for adjudicative timeliness for National Security reviews. Agencies have a goal to adjudicate the fastest 90 percent of initial security clearance investigations in an average of 20 days. We tested six National Security cases in our sample. [Footnote 12] Two files (33 percent) were adjudicated within the 20-day period. The four files that exceeded the 20-day goal had adjudication ranges of 24-224 days with a median of 133 days. The OPM-FIS program review also tested this metric. OPM-FIS identified 20 National Security investigations in its review, and found the 90 percent fastest adjudicated investigations took an average of 151 days. SEPS internal performance metrics showed marked improvement in the fourth quarter of calendar year 2013. Further, management advised the OIG, but we did not confirm as part of this evaluation, that as of March 2014, SEPS was adjudicating national security cases within an average of 10 days.

Footnote 12: There were 225 National Security cases among the population of 6,907 cases during the evaluation period, or 3 percent of the population. We sampled the 6 National Security cases (3 percent of the 225), as explained further in Appendix 2, Sampling Methodology.

Table 5: National Security Cases Not Adjudicated Within 20 Days

Row 1 Contractor Files Tested: 3 Files Exceptions: 2 Files Percentage: 67% Exceptions by Year 2011: 100% 2012: 0% Through July 2013: 100%

Row 2 Employee Files Tested: 3 Files Exceptions: 2 Files Percentage: 67% Exceptions by Year 2011: 0% 2012: 50% Through July 2013: 100%

Row 3 Total Files Tested: 6 Files Exceptions: 4 Files Percentage: 67% Exceptions by Year 2011: 100% 2012: 33% Through July 2013: 100%

Source: OIG analysis of background investigation files.

[End of table]

Contractor Preliminary Approvals. Per FDIC Circular 1610.2, Personnel Security Policy and Procedures for FDIC Contractors, the preliminary approval process should take about 3 to 5 business days to complete once the PSSP team receives all of the required information. Our test of 52 contractor files showed 36 (69 percent of files tested) did not meet that 5-day goal. This test measured the time between the certification date of the Application for Public Trust Positions form and the date on which the FDIC finalized preliminary clearance. Files that exceeded the 5-day goal took from 6 to 295 days to preliminarily clear, with a median of 29 days.

Table 6: Contractor Preliminary Approvals Not Completed Within 5 Days

Row 1 Contractor Files Tested: 52 Files Exceptions: 36 Files Percentage: 69% Exceptions by Year 2011: 42% 2012: 75% Through July 2013: 81%

Source: OIG analysis of background investigation files.

[End of table]

Documentation Maintained in Investigation Case Files

We tested all 108 files for completeness of the internal Summary Sheet checklist and other key documentation. The Summary Sheet is supposed to be included in each file to track review progress, issues, and milestones and to indicate approvals in certain situations. However, there are no standard protocols or policies on what items should be captured on the form. The sheet is manually completed by the PSSP team and maintained on the left inside flap of each file. Due to the manual nature of the current review process, the PSSP team considers this sheet important because it provides the current status, shows outstanding issues, and helps to ensure the investigation is complete. Missing information on the Summary Sheet increases the likelihood that key milestones could be missed or actions taken on investigations misunderstood by the review team. We reviewed the Summary Sheet for each file to assess whether key review milestones and signoffs were documented.

For our testing related to the Summary Sheet, we tested all files for the existence of the Summary Sheet and nine review milestones, as applicable to each file. Of the 108 files reviewed, 16 files (15 percent) did not include a Summary Sheet and 90 files (85 percent) were missing one or more of the key milestones on the Summary Sheet. In total, we performed 720 Summary Sheet completeness tests [Footnote 13] and identified 385 exceptions related to missing documentation or missing milestones (53 percent).

Footnote 13: Not all tests were applicable for each file based on the unique nature of each background investigation.

Table 7: Files with Incomplete Summary Sheet Documentation

Row 1 Contractor Files Tested: 58 Files Exceptions: 56 Files Percentage: 97% Exceptions by Year 2011: 94% 2012: 96% Through July 2013: 100%

Row 2 Employee Files Tested: 50 Files Exceptions: 50 Files Percentage: 100% Exceptions by Year 2011: 100% 2012: 100% Through July 2013: 100%

Row 3 Total Files Tested: 108 Files Exceptions: 106 Files Percentage: 98% Exceptions by Year 2011: 97% 2012: 98% Through July 2013: 100%

Source: OIG analysis of background investigation files. Note: Tests performed assessed, where applicable, the summary sheet for the following: included in file; updated for e-QIP or Form 85P; fingerprints submitted; fingerprint results; Letter of Inquiry sent (preliminary clearance); Letter of Inquiry received (preliminary clearance); final preliminary clearance assessment; sent to OPM; received from OPM; and Letter of Inquiry sent (adjudication).

[End of table]

We also tested all 108 files for completeness of 24 key documents in the review process that the PSSP team and we considered critical to the review and to support the investigation’s final determination. Of the 108 files reviewed, 100 files (93 percent) were lacking one or more of the documents for which we tested. Of the 100 files with issues identified, we performed 1,794 tests [Footnote 14] and identified 334 exceptions (19 percent). The current, primarily manual operational environment requires a large number of forms and documents to be included and lends itself to higher risk of missing documentation. Files missing key documentation are more susceptible to inappropriate preliminary clearance and final adjudication determinations.

Footnote 14: Not all tests were applicable for each file based on the unique nature of each background investigation.

Table 8: Files Missing Documents

Row 1 Contractor Files Tested: 58 Files Exceptions: 51 Files Percentage: 88% Exceptions by Year 2011: 100% 2012: 83% Through July 2013: 82%

Row 2 Employee Files Tested: 50 Files Exceptions: 49 Files Percentage: 98% Exceptions by Year 2011: 100% 2012: 95% Through July 2013: 100%

Row 3 Total Files Tested: 108 Files Exceptions: 100 Files Percentage: 93% Exceptions by Year 2011: 100% 2012: 89% Through July 2013: 88%

Source: OIG analysis of background investigation files. Note: Tests performed assessed, where applicable, the files for a record of the following: e-QIP or Form 85P; Declaration for Federal Employment; applicant certification statement; tax check waiver; credit report; public record report from LexisNexis® ; previous investigations from CVS; fingerprint card; Background Investigation Questionnaire (FDIC Form 1600/04); Notice and Authorization Pertaining to Consumer Reports (FDIC Form 1600/10); fingerprint results; Letter of Inquiry (preliminary clearance); email to OIG and Division of Resolutions and Receiverships (DRR); OIG and DRR results email; OPM Investigation Report; Letter of Inquiry (adjudication); notification letter to employee; Form 79A; and Certificate of Investigation. Also, testing assessed whether the following, where applicable, were adequately supported: mitigated derogatory OPM results; files OPM returned as unacceptable; mitigated Letter of Inquiry (preliminary clearance); mitigated derogatory preliminary clearance results; and mitigated Letter of Inquiry (adjudication).

[End of table]

As discussed in the next section, we concluded that our testing results could be attributed to weaknesses in policies and procedures and historical management resource issues.

PSSP Policies and Procedures

We concluded that PSSP policies and procedures in key control, process, and reporting areas were not in place, well understood, or consistently practiced by federal or contractor employees. Policies and procedures are important in ensuring that management directives are carried out completely and consistently. SEPS provided a policies and procedures manual related to preliminarily clearing, investigating, and adjudicating potential FDIC employees and contractor staff. The manual consisted of a loose collection of briefing slides, job aids, and form letters. Most of the SEPS employees that we interviewed did not recognize the manual. SEPS team members initially told us a policies and procedures manual did not exist and that the PSSP support contractor was developing a manual.

SEPS approved and issued the Standard Operating Procedures Handbook for Operations at FDIC in the fourth quarter of 2013 for PSSP support contractor staff. The revised procedures appear detailed and comprehensive. However, SEPS still needs to develop updated procedures that address the roles and responsibilities unique to the SEPS federal employees.

Management Oversight of the PSSP

We concluded that SEPS management resource issues also contributed to some of our testing results, both with respect to continuity and span of control. During the period under evaluation, the former SEPS Assistant Director managed the function through 2012, with the current Assistant Director assuming responsibility in January 2013. The Corporate Services Branch Deputy Director also retired in October 2013. Additionally, the PSSP contractor experienced management and staff turnover. These management and staffing changes created continuity challenges for the PSSP.

The Assistant Director is also responsible for other DOA program areas. Specifically, in addition to personnel security, the Assistant Director oversees emergency preparedness, physical security, and transportation. These areas are staffed by an additional 10 FDIC permanent employees. Having all of these program responsibilities creates a wide span of control for the Assistant Director and limits his ability to effectively oversee PSSP operations.

In addition to the Assistant Director, the SEPS Personnel Security Unit had five federal employees during the period of our evaluation: a Lead Personnel Security Specialist and another personnel security specialist, both FDIC permanent positions; two additional FDIC term personnel security specialists [Footnote 15]; and a personnel security assistant. The Lead Personnel Security Specialist is responsible for:

- overseeing and directing daily activities of the personnel security staff;
- researching, writing and updating program policies and procedures; and
- ensuring the PSSP complies with federal regulations, EOs, and FDIC directives.

Footnote 15: Of the two FDIC term personnel security specialists, one individual’s term ended in September 2013, and that individual is no longer with the FDIC. The second individual resigned at the end of May 2014 to accept permanent employment outside the FDIC.

The Lead Personnel Security Specialist position should also serve as the oversight manager (OM) for the PSSP support contract. However, DOA management determined that the current Lead Personnel Security Specialist had a conflict with performing that duty. As a result, DOA management assigned PSSP support contract OM responsibilities to the Assistant Director, which broadens his span of control.

In October 2013, the FDIC approved a new Chief, Security Operations Unit, position that should provide much needed day-to-day PSSP supervision. DOA filled the Chief position in early 2014. Figure 1 represents the new SEPS organizational structure.

[See the pdf version of this report to see the image of figure 1]

Figure 1: SEPS New Organizational Structure

Top Level - Assistant Director, CM-0301-02

Special Security Officer, CG-0080-14 - reports directly to Assistant Director, CM-0301-02

2nd Level: Chief, Transportation Supervisory CG-0301-14; Chief, Security Operations Unit CM-0080-01; Lead, Physical Security Non-Supervisory CG-0080-14

Reports to Chief, Transportation Supervisory CG-0301-14:
- Operations Specialist CG-0303-12
- Operations Assistant CG-0303-06
- Lead, Motor Vehicle Operator WL-5703-09

Reports to Chief, Security Operations Unit CM-0080-01:
- Lead, Emergency Preparedness Non-Supervisory CG-0089-14
- Lead, Personnel Security Non-Supervisory CG-0080-14
- Emergency Preparedness Specialist CG-0089-14
- Personnel Security Specialist CG-0080-13
- Emergency Preparedness Specialist CG-0089-12
- Personnel Security Specialist CG-0080-11 (term)
- Personnel Security Assistant CG-0086-07

Reports to Lead, Physical Security Non-Supervisory CG-0080-14:
- Physical Security Specialist CG-0080-11
- Physical Security Specialist CG-0080-11

Source: SEPS.

[End of figure 1]

Program Changes and Improvements

The current Assistant Director indicated that he made a number of program changes following our testing period and realized program improvements in late 2013 and early 2014, such as:

- Eliminating the backlog of pending and in-process cases and reducing the processing time for submissions to OPM. The Assistant Director indicated that SEPS had reduced its background investigations backlog from 650 cases in April 2013 to 113 cases in March 2014.
- Eliminating the adjudication case backlog from 464 cases in April 2013 to 14 cases in March 2014.
- Implementing the use of OPM’s e-QIP system to electronically submit background investigation questionnaires from 44 percent in June 2013 to 100 percent in March 2014. The Assistant Director noted that the use of e-QIP should result in shorter review time frames before submission to OPM, reductions in submission rate errors, and increased case tracking accountability.
- Completing a review of all FDIC position descriptions (1,315) to ensure they had appropriate position sensitivity determinations using OPM’s automated Position Designation Tool.
- Instituting a periodic reinvestigation program for incumbent federal staff occupying moderate risk positions.
- Increasing manpower levels associated with the security support contract by adding experienced adjudicators and security assistants, replacing the project manager with a more experienced senior project manager, and creating and staffing an assistant project manager and a business analyst position.
- As discussed earlier, reorganizing SEPS; establishing one new federal supervisory position to manage the Security Operations Unit, which oversees the PSSP; and hiring an experienced career federal employee to provide day-to-day close supervision and management of the security support contract and federal staff.

As discussed elsewhere in this report, SEPS also began an effort to digitize background investigation files and automate the PSSP process through an enterprise content management platform, known as the Personnel Security Records (PERSEREC) project. This effort is intended to improve records management, program efficiency, and performance reporting.

Recommendations

Overall administration of the PSSP program could be strengthened as indicated by our findings associated with the preliminary clearance and adjudication determinations we reviewed. As noted throughout this section of the report, those findings must be viewed in the context of the timing of our testing and the evolving nature of the program. In that regard, we identified opportunities for DOA to take steps that complement the Assistant Director’s efforts and ensure that program improvements are sustained and effective. Accordingly, we recommend that the Director, DOA:

1. Work with the Legal Division to clarify (a) under what circumstances SEPS should submit background investigations that may fall outside the Minimum Standards of Fitness requirements for legal review and (b) how SEPS should handle background investigation cases involving probation before judgment situations.

2. Establish and implement standard operating procedures for SEPS employees to complement the Standard Operating Procedures Handbook for Operations at FDIC developed for the PSSP support contractor.

3. Direct DOA’s Management Services Branch to follow up on issues raised in this report after a reasonable period of time is allowed for implementation of control improvements.

Contractor Performance and Oversight

DOA substantially relies on the PSSP support contractor to perform background investigation functions and to provide personnel suitability program support. We found that most contractor charges that we reviewed were supportable. We identified a few exceptions related to contractor overtime hours, labor category mix, the timely signature of modifications, and written approvals for key personnel changes. Further, while we determined that most contractor staff met minimum qualifications, we identified two staff that did not. Finally, we concluded that contract oversight could be strengthened by SEPS establishing better criteria for measuring contractor production and performance.

As of the start of our field work in September 2013, the PSSP was supported by 22 contractor staff, as shown in Figure 2, below.

Figure 2: PSSP Support Contractor Staff Organizational Structure

Top level - Senior Project Manager

Assistant Project Manager reports directly to top level Senior Project Manager

2nd Level reporting to Senior Project Manager:

Group 1 - Adjudicator II, Adjudicator II, Adjudicator II, Adjudicator I, Adjudicator I

Group 2 - Personnel Security Specialist III (Lead)

Group 3 - Personnel Security Specialist II, Personnel Security Specialist II, Personnel Security Specialist II, Personnel Security Specialist II

Group 4 - Personnel Security Specialist I, Personnel Security Specialist I

Group 5 - Personnel Security Assistant I, Personnel Security Assistant I, Personnel Security Assistant I, Personnel Security Assistant I, Personnel Security Assistant I, Personnel Security Assistant I (Supports Transportation)

Group 6 - Business Process Consultant

Group 7 - Emergency Preparedness Officer

Source: SEPS.

[End of figure 2]

We performed tests of the contractor’s invoices and assessed the extent to which the contracting officer (CO), OM, and technical monitor (TM) for the PSSP support contract followed FDIC procedures related to their roles in oversight and administration of the contract. Results of this aspect of our review follow.

Invoice Testing. We obtained the population of invoices submitted and paid during the evaluation period and selected a non-statistical sample of four invoices to identify the nature and extent of costs incurred, verify rates billed were correct, determine that hours billed were authorized, and confirm labor category maximums defined in the contract were followed. We found that most contractor charges were supportable. The few exceptions we did identify related to labor category mix and overtime hours and were either satisfactorily addressed by the OM or not significant.

Contract Modifications. The current PSSP support contractor assumed the contract from a previous contractor via a novation contract effective May 1, 2013 and retained the previous contract terms and the previous contractor’s personnel supporting the FDIC’s PSSP. We reviewed all contract modifications associated with the PSSP support contract. While contract modifications were appropriately signed, signatures were not always timely. First, 2 of 32 contract modifications and other notifications that we tested were signed 28 days after their effective date. The CO noted that this is not against FDIC policy. Second, the language in the body of the novation contract, which changed the contractor from the old to the new PSSP support contractor, stated the modification was effective April 1, 2013. However, the top of the modification shows an effective date of May 1, 2013, which was also the date the modification was signed. The CO advised us that the novation was anticipated to be effective April 1, 2013, but the process for approval took longer than expected. The CO noted that the April 1, 2013 effective date in the body of the contract was an oversight. Signing contracts after their effective date could raise legal challenges as to responsibilities and obligations if disputes were to arise regarding events occurring between the effective date and the signature date of the contract.

Contractor Key Personnel. The PSSP support contract requires the contractor to give the CO notice 14 days prior to key personnel changes, and the CO is required to approve all such changes in writing. Further, the FDIC’s Acquisition Policy Manual (APM) requires that the CO issue a contract modification when such changes are needed. In 12 of 35 key personnel changes we tested, there was no documentation supporting that the CO was notified, nor any evidence of a contract modification addressing the changes.

Contractor Staff Qualifications. We assessed 25 contractor personnel additions and 6 contractor position level increases associated with the PSSP support contract. Our evaluation compared PSSP support contractor staff résumés relative to the minimum qualifications outlined in the PSSP support contract for each labor category. We did not receive contractor résumés for two PSSP support contractor staff.

We determined that most contractor staff met minimum qualifications. However, there were two instances where our assessment found PSSP support contractor staff were cleared as Personnel Security Assistants with qualifications lower than the minimum required criteria cited in the contract. The Personnel Security Assistant is the lowest level labor category associated with the contract. The CO advised us that the minimum qualifications are a guideline and the ultimate decision is at the OM’s discretion. However, the FDIC’s Acquisition Procedures, Guidance and Information provides that the OM must ensure that contractor personnel possess the requisite experience and qualifications required by the contract through evaluation of an individual’s résumé, observation of an individual’s performance, or both.

We found one instance in which a PSSP support contractor staff member was promoted from Personnel Security Assistant to Security Specialist I within a few months of going through clearance. In our view, the person’s qualifications and background were not satisfactory for the promotion based on the minimum position criteria and the PSSP support contractor staff member’s project experience. The PSSP support contractor staff member was eventually demoted back to Personnel Security Assistant because, according to the PSSP support contractor Senior Program Manager, there was reduced need for a Security Specialist I position. Based on discussion with SEPS employees, the individual was not qualified for the position and was not performing in the Personnel Security Assistant role or the Security Specialist I role.

Evaluation of Contractor Performance. The OM, with the TM’s assistance, performs annual evaluations of the PSSP support contractor to document the quality of the contractor’s product or service, the contractor’s cost control, timeliness of the contractor’s performance, business relations, and satisfaction with the contractor. The FDIC has not identified any negative performance issues through those evaluations since the contract originated in November 2010. The contract does not include either measurable production or performance criteria, and the deliverables noted in the contract are very broad and have no milestones or timing requirements. Specifically, Section 3.0, Requirements/Tasks, of the contract’s Statement of Work (SOW) summarized contractor expectations as general support of the PSSP in the areas of: personnel security, physical security, and emergency preparedness. Another SOW section indicates only that the “Contractor shall deliver the required services as specified in the SOW,” essentially referring to itself, with no specific contract deliverables or related milestones specified. As the contract requirements are geared towards general support of these areas, performance deliverables and assessment of these deliverables are not easily quantifiable or measured.

The Assistant Director told us that he and the PSSP support contractor Senior Program Manager began having weekly one-on-one status meetings in 2013, upon his arrival. In addition, in conjunction with these status meetings, the Assistant Director and the Senior Program Manager began developing weekly performance metrics in May 2013. Performance information is currently collected and reported manually by each federal employee and contractor. Implementation of the PERSEREC project should help to improve the reliability of underlying performance metric data and automate and enhance performance reporting. SEPS plans to have PERSEREC present management with a real-time, online dashboard reporting capability.

The APM recommends performance-based acquisition and performance-based management for service contracts over $1,000,000. The PSSP support contract awarded in 2010 was for more than $18 million but did not stipulate performance criteria, defined deliverables, or milestones to meet the APM performance-based acquisition and management criteria. Such metrics facilitate monitoring contractor performance and efficiency. Further, strong contract oversight helps to prevent the FDIC from overpaying for services, paying for services that are not allowed under the contract, accepting changes or additions to key personnel and contract terms without appropriate consideration, or violating FDIC contracting policy.

Recommendations

To strengthen the FDIC’s oversight of the PSSP support contractor, we recommend that the Director, DOA:

4. Amend the PSSP support contract to establish clearly defined deliverables, key milestones in the background investigations process, and measurable performance criteria.

5. Apply APM guidance for performance-based management to the PSSP support contract to periodically assess and document contractor performance against defined deliverables, process milestones, and measurable performance criteria.

[End of section]

Records Management Controls

We concluded that records management controls over PSSP files, which include extensive amounts of sensitive personally identifiable information (PII), need improvement. We observed that file rooms were overloaded and disorganized and contained boxes of unfiled background investigation documents. PSSP had difficulty providing, in a timely manner, the background investigation files that we selected for our review. We also observed that physical security over SEPS work space could be strengthened. For example, the SEPS office suite is not secured by card entry and contractors work in cubicles that cannot be secured as effectively as an office. These records management weaknesses create inefficiency and, along with physical security issues, present risks to the FDIC. Circular 1210.1, FDIC Records and Information Management (RIM) Policy Manual, stipulates that files “should be maintained in an orderly, systematic manner so documents can be retrieved quickly and sensitive information protected.”

We performed a walkthrough of the PSSP work environment, including the PSSP file room, contractor work rooms, SEPS employee offices, and the FDIC file storage room, all of which are within the FDIC’s Virginia Square office complex. The PSSP work space and files for current FDIC employees and contractors, or “active files,” are located at the Virginia Square location. “Non-active files” are transferred to an offsite records management storage facility.

We recognize that while the current PSSP environment is paper-based and manual, SEPS has begun to digitize and automate the PSSP process. Digitizing and automating PSSP processes should help address the issues we found during our review; however, doing so neither ensures strong, comprehensive records management controls nor negates the need for them in PSSP’s future environment.

PSSP Work Space. At the time of our evaluation, the PSSP file room had boxes of files stacked on the floor and on top of the file cabinets. There were also boxes of unidentified personnel forms and documentation that had yet to be included in personnel files. While more organized than the PSSP file room, the PSSP support contractor work rooms also had large volumes of boxed files and a significant amount of unfiled documents on desks.

The applicant file information (e.g., fingerprint results, OPM follow-up results, etc.) that was unfiled and stored in boxes in the PSSP file room was not easily retrievable because the files were not labeled to match the official background investigation file or maintained in any particular order, such as by applicant name. The PSSP support contractor Senior Program Manager advised us that the documents were associated with completed background investigations. Therefore, in his view, the effort and cost of associating the documents with files at an offsite storage facility were not warranted in light of the impending digitization of background investigation files. Nonetheless, at the time of our review, the records digitization effort had not determined how to associate this information with digitized background investigation files.

The PSSP support contractor standard operating procedures document issued in late 2013 discusses file construction and composition in detail; however, it has few references to file storage and maintenance. The PSSP support contract addresses records management only generally in that contractor staff will file and “maintain” file rooms; however, the contract provides no criteria to establish what “maintain” would mean in terms of organization of files, work space, or file rooms.

File Storage and Inventory. We also performed a walkthrough of the FDIC background investigation file storage room in the basement of the FDIC’s Virginia Square facility. The FDIC engaged a records management contractor at the beginning of 2012 to reorganize the file room and create a records management system. One records management contractor employee maintains the room. SEPS employees indicated that the file room organization has improved greatly since the records management contractor became involved. We observed that the file room was, to some extent, organized. However, there was not sufficient space to house the files in the filing cabinets. There were boxes piled on top of the filing cabinets and on the floor. The records management contractor employee indicated that the many boxes on the floor either needed to be refiled or were non-active files that needed to be transferred to an offsite records management facility.

The records management contractor employee also walked us through his records management system, which consisted of several electronic spreadsheets. The records management contractor updates the spreadsheet when each file is taken from the room and when it is returned. The spreadsheet only captures file activity since the records management contractor became associated with the project in early 2012 and is limited to files located in the storage room. We did not identify any PSSP-specific records management policy, nor did we see any indication in other policies denoting responsibility for maintaining a master inventory of background investigation files. The records management contract indicates the contractor “shall provide staff and supervisory personnel for records management operations and services on site at FDIC locations, or on Contractor's premises while conducting FDIC business.” However, the contract stipulates only for off-site processing and storage that the contractor must “implement adequate administrative, technical, physical and procedural security controls to ensure that all FDIC information in its possession or under its control is adequately protected from loss, misuse, and unauthorized access or modification.”

The records management contractor also told us that his list would not capture all file movement because the PSSP team has access to the file storage room and can remove files without his knowledge. Access to the file room is maintained by a lead physical security specialist. SEPS could not readily provide us a list of personnel with access to the file room. As a result of our inquiry, SEPS indicated that it removed eight individuals from the file storage room access list.

Requested Files. These records management weaknesses also impacted SEPS’ ability to provide requested files for our detailed testing. We selected an original sample of 118 files and selected 14 additional files because SEPS was having difficulty locating some of the files. We reviewed 108 files that SEPS provided timely. SEPS provided most of the remaining files over a 3-week period; however, five files remained missing at the end of our field work. The records management contractor’s file system also did not accurately reflect the status or location of some of the files.

The records management weaknesses we identified pose risks to the FDIC, including unauthorized release and access to large volumes of PII and the inability to readily obtain documentation that supports background investigation determinations. As discussed later, during our evaluation, SEPS began an effort to digitize background investigation files and automate the PSSP process through an enterprise content management platform. This effort should greatly improve records management controls and process efficiency. SEPS has also indicated that it is being mindful of building adequate workflow process controls into the automation effort to address deficiencies noted in this report.

Recommendations

We recommend that the Director, DOA:

6. Ensure that the ongoing and future records digitization and PSSP automation efforts include effective inventory controls that include clearly defining responsibilities to periodically inventory both electronic and non-electronic PSSP records, whether maintained at the FDIC’s Virginia Square facility or offsite; maintaining PSSP work space in a manner that would prevent loss or inadvertent disclosure of electronic and non-electronic records; conducting periodic inspections of work and file spaces; and setting and monitoring timeframes for filing or recording information.

7. Establish effective physical controls to all PSSP work space, including PSSP support contractor work space, to ensure space can only be accessed by authorized personnel.

[End of section]

Information Systems Reliability and Controls

We concluded that the background investigation data were not reliable in the DOA systems used to capture preliminary clearance data and provide management reporting: the Background Investigation Review Tracking (BIRT) System and the Corporate Human Resources Information System (CHRIS). We determined that the controls over BIRT data input and review could be strengthened and that the two systems contained redundant data.

Reliability of BIRT and CHRIS Data. The PSSP team uses BIRT solely to capture and retain preliminary clearance data related to the PSSP. BIRT was created to house preliminary clearance related data so CHRIS would not be used to house data for potential employees or contractor personnel that did not preliminarily clear. The PSSP team updates data in BIRT manually, and there is neither review of data entered into BIRT nor approval functionality in the system. Generally, any field in BIRT can be updated and overwritten by anyone with access, at any point in time. BIRT has an audit function, but it is not used. BIRT’s data is redundant with regard to preliminary clearance data captured in CHRIS for employees and contractor personnel who have been preliminarily cleared, although BIRT captures more data fields than CHRIS.

CHRIS is the FDIC’s human resources information system, which also contains the employee and FDIC contractor staff data for the PSSP. CHRIS retains both preliminary clearance and adjudication data in separate areas, but the primary CHRIS function related to the PSSP is to capture and retain adjudication data. The preliminary clearance section of CHRIS is redundant of information captured in BIRT, capturing only a subset of the BIRT data. BIRT and CHRIS do not interface, and all input is manually entered into each system.

We tested all 108 files for accuracy and completeness of 7 key BIRT fields and 9 key CHRIS fields as applicable to each of the respective files. Of the 108 files in our sample, we identified issues in 93 files (86 percent). In total, we performed 1,132 tests (see Footnote 16) and identified 278 exceptions (25 percent) among the 93 files.

Footnote 16: Not all 16 fields were applicable to each file based on the unique nature of each background investigation.

For BIRT, we tested 7 key fields for completeness and accuracy, resulting in 545 applicable tests. We identified 86 exceptions (16 percent) in 39 files (36 percent) (see Footnote 17).

Footnote 17: Not all BIRT fields are applicable to each file.

Table 9: BIRT Records with Missing or Erroneous Data

Row 1 Contractor Files Tested: 58 Files Exceptions: 23 Files Percentage: 40% Exceptions by Year 2011: 53% 2012: 29% Through July 2013: 41%

Row 2 Employee Files Tested: 50 Files Exceptions: 16 Files Percentage: 32% Exceptions by Year 2011: 15% 2012: 43% Through July 2013: 44%

Row 3 Total Files Tested: 108 Files Exceptions: 39 Files Percentage: 36% Exceptions by Year 2011: 32% 2012: 36% Through July 2013: 42%

Source: OIG analysis of background investigation files and BIRT system data. Note: Tests performed, where applicable, confirmed BIRT recorded the following: receipt of e-QIP; fingerprints submitted to Department of Justice; fingerprint results received; Letter of Inquiry sent (preliminary clearance); Letter of Inquiry Response (preliminary clearance); transfer records; and preliminary clearance assessment.

[End of table]

For CHRIS, we tested 9 key fields for completeness and accuracy, resulting in 587 applicable tests. We identified 192 exceptions (33 percent) in 83 files (77 percent) (see Footnote 18).

Footnote 18: Not all CHRIS fields were applicable to each file based on the unique nature of each background investigation.

Table 10: CHRIS Records with Missing or Erroneous Data

Row 1 Contractor Files Tested: 58 Files Exceptions: 35 Files Percentage: 60% Exceptions by Year 2011: 53% 2012: 58% Through July 2013: 71%

Row 2 Employee Files Tested: 50 Files Exceptions: 48 Files Percentage: 96% Exceptions by Year 2011: 100% 2012: 95% Through July 2013: 89%

Row 3 Total Files Tested: 108 Files Exceptions: 83 Files Percentage: 77% Exceptions by Year 2011: 78% 2012: 76% Through July 2013: 77%

Source: OIG analysis of background investigation files and CHRIS data. Note: Tests performed, where applicable, confirmed CHRIS recorded the following: transfer records; final information summary sheet for transfer records; sent to OPM; date form sent, received, and investigation initiated; preliminary clearance assessment; OPM schedules review; OPM results received; Letter of Inquiry submitted; final adjudication.

[End of table]

We found no clear or consistent practices for updating or reviewing data entries made to BIRT and CHRIS. This results in inconsistent updates to CHRIS and BIRT fields. The resulting reports produced from these systems are incomplete and not reliable. As noted previously, CHRIS can be updated by members of the PSSP team as well as other groups within the FDIC without approvals or an audit trail. This situation poses a risk that background investigation information could be inadvertently or purposefully changed without detection.

The Assistant Director indicated that when PERSEREC is fully operational, BIRT will no longer be needed and will be retired. SEPS also plans to deploy a business process management system, known as eWORKS (Enterprise Workforce Solution) in 2015. eWORKS will integrate PERSEREC with CHRIS and OPM systems to effect automatic data synchronization, track and update the status of cases as DOA completes each step in the process, and automate the sending and receiving of background investigation case information. eWORKS is currently in the planning stage.

Reliability of PSSP Reporting. Our evaluation included an assessment of the current PSSP reporting environment and structure. Discussions with the PSSP team identified the current reports the team used. For the 11 reports identified, we determined the source data for the reports, how they were prepared, and report purpose. Two of the reports are from BIRT, one report is from CHRIS, four reports are prepared manually, and four reports are from OPM. These reports are currently used to ensure completeness of reviews and appropriate investigation standing of each employee and contractor staff person within the FDIC.

The seven reports that are extracted from CHRIS or BIRT or manually derived may pose risks in terms of both completeness and accuracy of reporting. The manually prepared reports are based on PSSP support contractor staff inputs for which there are no validity controls in place. Because the inputs for all seven of these reports lack accuracy and completeness, the reports generated from such inputs may be unreliable.

Standardized reporting—based on OPM and internal metrics—should be a fundamental management tool to measure PSSP success. The current paper-based records management system, coupled with unreliable BIRT and CHRIS data, hampers SEPS’ ability to accurately measure PSSP successes, failures, or progress where constructive improvements have been made.

Recommendation

We recommend that the Director, DOA:

8. Evaluate existing reporting systems and establish more comprehensive and reliable reporting mechanisms that:

- Provide adequate controls to ensure data input and reports are timely and accurate,

- Align with OPM-required timeframes and other key operational metrics, and

- Allow for identifying and addressing missing file documentation.

[End of section]

Digitization and Automation Efforts

As discussed throughout this report, during our evaluation, SEPS began an effort to digitize background investigation files and automate the PSSP process through an enterprise content management platform, known as the PERSEREC project. This effort should improve records management and efficiency. However, SEPS will need to ensure that it builds adequate workflow process controls into the automation effort to address the weaknesses noted in this report.

The SEPS Assistant Director indicated that he has developed a three-phase plan to digitize existing and future background investigation files and automate the background investigation process.

- Phase I of the project will consist of digitally scanning approximately 650,000 pages of existing paper background investigation case files into Documentum, an FDIC-owned document storage system, and developing a method for scanning documents from ongoing background investigation cases into the Documentum repository going forward. In December 2013, the FDIC’s Chief Information Officer’s Council approved the PERSEREC project and $280,000 to complete Phase I.

- Phase II of the project will be to develop a process workflow management system to allow SEPS to electronically implement, manage, and monitor the background investigations process. The Assistant Director has $80,000 in DOA discretionary funding to begin researching Phase II solutions. In this respect, we understand that SEPS completed an “as is” evaluation of the background investigation process and was planning on completing a “to be” process evaluation which would identify process gaps and control weaknesses that the workflow management system should address.

- Phase III of the project is conceptual at this point, but would create an enterprise system to manage personnel suitability issues for an employee or contractor “cradle to grave” across employees’ and contractors’ tenure with the FDIC.

The digitization and automation planning documents available to us during this evaluation lacked specificity and did not clearly address how SEPS will remediate existing gaps and weaknesses in the PSSP through the use of Documentum, or what the next automation steps might be once Phase I is completed. Management advised us that such planning is currently underway and future digitization and automation efforts would address PSSP process control weaknesses. We believe it is important that the PERSEREC project plan specifies system-related control activities such as reasonableness and edit tests, supervisory review and approvals, reconciliations, task assignment and case tracking, and elapsed-day metrics, to help ensure that the digitized files are complete and to drive process efficiency. SEPS should also use this automation effort as an opportunity to build meaningful performance metrics, dashboard capabilities, and activity reports.

Recommendations

To ensure the digitization and automation effort optimizes PSSP records management and operations, we recommend that the Director, DOA:

9. Complete the “to be” background investigation process evaluation and identify process gaps and control weaknesses that the workflow management system should address, including issues identified in this report.

10. Ensure the PERSEREC project plan is sufficiently detailed and comprehensive to address process gaps and control weaknesses; desired reporting and performance metric capabilities; and costs or savings associated with migrating data from BIRT and CHRIS and retiring BIRT, destroying hard copy background investigation records, and digitizing records.

[End of section]

Corporation Comments and OIG Evaluation

The Director, DOA provided a written response, dated July 24, 2014 to a draft of this report. The response is presented in its entirety in Appendix 6. In the response, the Director, DOA, described program improvements that were occurring during and after the scope of our review associated with many of the report’s findings and recommendations. The Director, DOA, concurred with the report’s 10 recommendations and described corrective actions to address each recommendation. The completed or planned actions are responsive and the recommendations are resolved. DOA’s management response indicated that it had completed corrective action for three recommendations (recommendations 8, 9, and 10). We met with SEPS officials and reviewed supporting documentation and confirmed that those recommendations could be closed. The remaining recommendations will remain open until the FDIC’s Corporate Management Control Branch notifies the OIG, or the OIG independently confirms, that corrective actions have been completed. A summary of the Corporation’s corrective actions is presented in Appendix 7.

[End of section]

Appendix 1

Objective, Scope, and Methodology

Objective

Our evaluation objective was to determine whether the FDIC is carrying out its Personnel Security and Suitability Program efficiently and effectively. To fulfill this objective, we evaluated (1) FDIC management’s overall administration of the program, including the extent to which applicable policies and procedures are in place and being followed; (2) oversight and administration of the contract supporting the program; and (3) the nature, extent, allowability, and reasonableness of costs incurred under the contract supporting the program.

Scope and Methodology

The scope of this evaluation included the FDIC’s oversight and administration of the Personnel Security and Suitability Program and contractor personnel and billings from January 1, 2011 through July 31, 2013. We performed our work at the FDIC’s headquarters offices in Arlington, Virginia, and Washington, D.C., from August 2013 to January 2014 in accordance with the Council of the Inspectors General on Integrity and Efficiency’s Quality Standards for Inspection and Evaluation.

The OIG contracted with BDO USA, LLP to assist OIG staff in completing the plan for this evaluation, and conducting, analyzing and presenting testing results. The OIG remained responsible for all decisions, including the scope, methodology, and reporting.

Program Administration. To evaluate the FDIC’s overall administration of the program, we first gained an understanding of program requirements by:

- Reviewing the Federal Deposit Insurance Act, as amended, and related regulations;

- Reviewing the following FDIC corporate policies and procedures:

  - FDIC Circular 2120.1, Personnel Suitability Program;

  - FDIC Circular 2120.5, Minimum Standards for Employment with the Federal Deposit Insurance Corporation ("Corporation") as Mandated by the Resolution Trust Corporation Completion Act ("RTCCA");

  - FDIC Circular 1610.2, Security Policy and Procedures for FDIC Contractors;

  - FDIC Circular 1600.3, National Security Program;

  - FDIC Circular 3700.16, FDIC Acquisition Policy Manual (APM); and

  - FDIC Acquisition Procedures, Guidance and Information (PGI), August 2013; and

- Identifying and reviewing SEPS standard operating procedures in place during the scope of our review, and identifying that the PSSP support contractor was developing, and that SEPS issued during our field work, comprehensive procedures for PSSP support contractor staff.

In addition, we interviewed the following FDIC officials to determine their roles, responsibilities, and perspectives related to this evaluation’s objective, including how business processes have changed to address OPM program review findings and recommendations or improve PSSP procedures generally:

- Acting Chief Information Officer;

- Director, DOA;

- Deputy Director, CSB (retired early October 2013);

- Assistant Director, SEPS;

- Lead Personnel Security Specialist and other SEPS personnel;

- Senior Program Manager and other PSSP support contractor staff; and

- The file storage room records management contractor employee.

We also interviewed the Chief Inspector, Agency Oversight, OPM-FIS.

We performed a walkthrough of the PSSP work environment, including the PSSP file room, contractor work rooms, SEPS employee offices, and the FDIC file storage room, all of which are within the FDIC’s Virginia Square office complex.

Through extracts from CHRIS, we determined that PSSP processed 6,907 background investigations for FDIC employees and contractors from January 1, 2011 through July 31, 2013, as shown below:

Table 11: Background Investigations Processed, January 1, 2011 – July 31, 2013

Row 1 Employee 2011: 1,934 2012: 1,250 Through July 2013: 461

Row 2 Contractor 2011: 689 2012: 1,530 Through July 2013: 1,043

Row 3 Total 2011: 2,623 2012: 2,780 Through July 2013: 1,504

Source: OIG evaluation analysis of CHRIS data extracts.

[End of table]

We selected a non-statistical sample of 108 background investigation files from that universe, as described in Appendix 2, Sampling Methodology.

Finally, we reviewed the 108 background investigation files to determine if the PSSP was conducted economically, efficiently, and effectively by testing and analyzing, where applicable, the following:

- Summary Sheet data,

- File documentation,

- Accuracy and completeness of CHRIS and BIRT data,

- Prior investigation(s),

- Risk level of position and investigation performed,

- Preliminary clearance and adjudication decisions, and

- Processing timeliness.

In addition, we reviewed the proposed IT improvement strategy and performed a gap analysis to identify areas for improvement to the IT program in support of the PSSP.

Contract Administration. To evaluate oversight and administration of the PSSP support contract, we first obtained the relevant contract dated in 2010 and contract modifications. We then:

- Interviewed the current and former COs, OM (who is the SEPS Assistant Director), and TM;

- Reviewed the contract and modifications to confirm they were processed timely and correctly under FDIC policies and procedures;

- Determined the extent to which the CO, OM, or TM vetted key contractor staff when changes occurred, and

- Assessed how the CO and OM assessed contractor performance.

Contract Costs. To determine the nature, extent, allowability, and reasonableness of costs incurred under the contract(s) supporting the FDIC’s Personnel Security and Suitability Program, we tested a non-statistical sample of contractor invoices for services performed from January 2011 through July 2013. (See Appendix 2, Sampling Methodology, for further information.)

Ongoing Program Changes. We determined that SEPS made a number of program changes, realized some program improvements in late 2013 and early 2014, and hired new management and key staff. While we expect that these efforts will strengthen the PSSP, they occurred largely after our testing period, and we were unable to review or verify them. However, we did consider those efforts in forming the recommendations in this report.

[End of section]

Appendix 2

Sampling Methodology

This evaluation used non-statistical samples for all testing. The results of non-statistical samples cannot be projected to the intended population by standard statistical methods.

Program Administration Testing

The figures below depict the 108 sample files that we judgmentally selected for testing. The population consisted of all files active in the PSSP from the period January 1, 2011 through July 31, 2013, which included 6,907 files identified through CHRIS based on activity within those periods.

We originally selected 118 files, and then selected an additional 14 files due to missing files that the PSSP team was not able to locate over a period of 20 days, 5 of which were still missing as of January 31, 2014, 3 months after our initial request for files and a month after the end of our field work. Of the total 132 files selected, only 108 were tested. We excluded from testing four files due to core activity being performed outside of the review period and not related to active personnel security and suitability checks, and 15 files because the PSSP team was not able to locate the files timely.

The 108 files selected for testing were from the population of active reviews identified in the CHRIS system. We requested all files that had activity in the CHRIS preliminary clearance module as well as the CHRIS employee and contractor modules. FDIC officials provided three CHRIS data extracts, one for each of these CHRIS modules, showing all files that had activity in our evaluation period.

In selecting our sample, we first identified files that were reflected in both the CHRIS preliminary clearance population as well as the CHRIS employee or contractor populations. We identified the type of employment, background investigation type, adjudication determination, and OPM risk designation. We then judgmentally selected files from each category to obtain a representative number of files based on employment type and background investigation type. These were further broken down by the adjudication determination and OPM risk designation, to identify and include higher risk files in our sample, relative to the population.

Row 1 Investigation Type: ANACI Population - Contractor: 1 Population - Employee: 16 Population - Total: 17 Population - Percentage: 0% Sample - Contractor: 1 Sample - Employee: 1 Sample - Total: 2 Sample - Percentage: 2%

Row 2 Investigation Type: BDI Population - Contractor: 2 Population - Employee: 1 Population - Total: 3 Population - Percentage: 0% Sample - Contractor: 1 Sample - Employee: 1 Sample - Total: 2 Sample - Percentage: 2%

Row 3 Investigation Type: BI Population - Contractor: 470 Population - Employee: 156 Population - Total: 626 Population - Percentage: 9% Sample - Contractor: 13 Sample - Employee: 3 Sample - Total: 16 Sample - Percentage: 15%

Row 4 Investigation Type: Fingerprint Request Population - Contractor: - Population - Employee: 17 Population - Total: 17 Population - Percentage: 0% Sample - Contractor: - Sample - Employee: 2 Sample - Total: 2 Sample - Percentage: 2%

Row 5 Investigation Type: LBI 5 Population - Contractor: 5 Population - Employee: 334 Population - Total: 339 Population - Percentage: 5% Sample - Contractor: 1 Sample - Employee: 4 Sample - Total: 5 Sample - Percentage: 5%

Row 6 Investigation Type: LDI Population - Contractor: 1 Population - Employee: 1 Population - Total: 2 Population - Percentage: 0% Sample - Contractor: 1 Sample - Employee: 1 Sample - Total: 2 Sample - Percentage: 2%

Row 7 Investigation Type: MBI Population - Contractor: 2,422 Population - Employee: 2,404 Population - Total: 4,826 Population - Percentage: 70% Sample - Contractor: 27 Sample - Employee: 24 Sample - Total: 51 Sample - Percentage: 47%

Row 8 Investigation Type: NAC Population - Contractor: 1 Population - Employee: 1 Population - Total: 2 Population - Percentage: 0% Sample - Contractor: 1 Sample - Employee: 1 Sample - Total: 2 Sample - Percentage: 2%

Row 9 Investigation Type: NACI Population - Contractor: 285 Population - Employee: 466 Population - Total: 751 Population - Percentage: 11% Sample - Contractor: 3 Sample - Employee: 5 Sample - Total: 8 Sample - Percentage: 7%

Row 10 Investigation Type: NACLC Population - Contractor: 6 Population - Employee: 43 Population - Total: 49 Population - Percentage: 1% Sample - Contractor: 1 Sample - Employee: 1 Sample - Total: 2 Sample - Percentage: 2%

Row 11 Investigation Type: PRI Population - Contractor: 6 Population - Employee: 48 Population - Total: 54 Population - Percentage: 1% Sample - Contractor: 2 Sample - Employee: 1 Sample - Total: 3 Sample - Percentage: 3%

Row 12 Investigation Type: PRIR Population - Contractor: 2 Population - Employee: 1 Population - Total: 1 Population - Percentage: 0% Sample - Contractor: 2 Sample - Employee: 1 Sample - Total: 1 Sample - Percentage: 2%

Row 13 Investigation Type: RSI Population - Contractor: - Population - Employee: 2 Population - Total: 2 Population - Percentage: 0% Sample - Contractor: - Sample - Employee: - Sample - Total: - Sample - Percentage: 0%

Row 14 Investigation Type: SAC Population - Contractor: - Population - Employee: 1 Population - Total: 1 Population - Percentage: 0% Sample - Contractor: - Sample - Employee: 1 Sample - Total: 1 Sample - Percentage: 1%

Row 15 Investigation Type: SGI36 Population - Contractor: 3 Population - Employee: 3 Population - Total: 6 Population - Percentage: 0% Sample - Contractor: 1 Sample - Employee: 1 Sample - Total: 2 Sample - Percentage: 2%

Row 16 Investigation Type: SGI60 Population - Contractor: - Population - Employee: 2 Population - Total: 2 Population - Percentage: 0% Sample - Contractor: - Sample - Employee: 1 Sample - Total: 1 Sample - Percentage: 1%

Row 17 Investigation Type: SSBI Population - Contractor: 44 Population - Employee: 65 Population - Total: 109 Population - Percentage: 2% Sample - Contractor: 2% Sample - Employee: - Sample - Total: 3 Sample - Percentage: 3%

Row 18 Investigation Type: SSBI-PR Population - Contractor: 14 Population - Employee: 79 Population - Total: 93 Population - Percentage: 1% Sample - Contractor: 1 Sample - Employee: 1 Sample - Total: 2 Sample - Percentage: 2%

Row 19 Investigation Type: Total Population - Contractor: 3,262 Population - Employee: 3,645 Population - Total: 6,907 Population - Percentage: 100% Sample - Contractor: 58 Sample - Employee: 50 Sample - Total: 108 Sample - Percentage: 100%

Row 20 Investigation Type: Total % Population - Contractor: 47% Population - Employee: 53% Population - Total: 100% Population - Percentage: Sample - Contractor: 54% Sample - Employee: 46% Sample - Total: 100% Sample - Percentage:

Source: OIG evaluation analysis.

[End of table]

Table 13: Sampled Files by Adjudication Result

Row 1 Adjudication Result: No Adjudication Population Number: 1,132 Population Percentage: 16% Sample Number: 16 Sample Percentage: 16%

Row 2 Adjudication Result: Favorable Population Number: 5,733 Population Percentage: 83% Sample Number: 76 Sample Percentage: 69%

Row 3 Adjudication Result: Other Population Number: 15 Population Percentage: 0% Sample Number: 4 Sample Percentage: 4%

Row 4 Adjudication Result: Unfavorable Population Number: 27 Population Percentage: 0% Sample Number: 12 Sample Percentage: 11%

Row 5 Adjudication Result: Total Population Number: 6,907 Population Percentage: 100% Sample Number: 108 Sample Percentage: 100%

Source: OIG evaluation analysis.

[End of table]

Table 14: Sampled Files by OPM Issue Indicator

Row 1 OPM Issue Indicator: C & D Issues* Population Number: 400 Population Percentage: 6% Sample Number: 43 Sample Percentage: 40%

Row 2 OPM Issue Indicator: All Other Population Number: 6,507 Population Percentage: 94% Sample Number: 65 Sample Percentage: 60%

Row 3 OPM Issue Indicator: Total Population Number: 6,907 Population Percentage: 100% Sample Number: 108 Sample Percentage: 100%

Source: OIG evaluation analysis. * “C” issues are substantial and the conduct or issue, standing alone, may be disqualifying. “D” issues are major and the conduct or issue, standing alone, would be disqualifying.

[End of table]

Contract Cost Assessment: Invoice Sample

We judgmentally selected four invoices from a total of 78 invoices that were submitted and paid during the review period. In testing the four invoices, we reviewed:

- the nature of hours charged and the related source documentation,

- expenses for compliance with FDIC policies,

- hours billed within contract limits, and

- number of contractors billed in regards to labor category maximums.

[End of section]

Appendix 3

Questioned or Unsupported Preliminary Clearance or Adjudication Decisions

Following are summaries of the 8 files where we questioned the preliminary clearance or adjudication decisions or found such decisions lacked support.

Questioned Reciprocity Decisions. We questioned the PSSP’s reciprocity use in the following two cases:

- In 2011, the PSSP team indicated in a file that it identified a previous investigation through CVS and entered that information into CHRIS. However, we could not identify a prior investigation through any CVS documentation in the file. We verified that CVS had no prior investigation for the applicant by having a PSSP team member research CVS during our field work. We concluded that a prior investigation for this applicant did not exist; therefore, reciprocity should not have been used. The PSSP team indicated that the cited prior investigation may have been for another applicant, but could not be certain.

- In 2012, the PSSP team indicated in a file that it identified a previous investigation through CVS and entered that information into CHRIS. However, that investigation did not have a favorable adjudication. We verified that CVS annotated the adjudication as "please call," which means the adjudication was not favorable or unfavorable, by having a PSSP team member research CVS during our field work. As a result of the “please call” notation, this applicant’s file should have been sent to OPM for investigation; however, this never occurred. PSSP should not have relied on the prior investigation since it was not indicated as “favorable,” a criterion allowing reciprocity. The PSSP team said this was an oversight either due to information from the prior investigation being entered into CHRIS incorrectly, or this file was overlooked.

Questioned Preliminary Clearance Decisions. We questioned the PSSP’s decisions to preliminarily clear two staff:

- In a 2011 case, fingerprint results revealed a simple assault arrest and a second degree assault charge, which is a felony. At the time of the PSSP Team’s review, the applicant was on probation before judgment for the second degree assault charge. PSSP sent a Letter of Inquiry to the applicant on the simple assault arrest, but not the second degree assault charge. The PSSP team also did not refer that issue to the Legal Division to review. The applicant was cleared to work as an FDIC contractor. Minimum Standards of Fitness for Employment with the Federal Deposit Insurance Corporation (12 C.F.R. Part 336), prohibits any person from becoming employed or providing service to, or on behalf of, the FDIC who has been convicted of any felony. FDIC and PSSP policies and procedures do not mention probation before judgment situations. However, for a number of federal statutes and regulations, the term “conviction” is defined as a judgment or any other determination of guilt of a criminal offense by any court of competent jurisdiction, whether entered upon a verdict or plea, including any resolution that is the functional equivalent of a judgment, including a plea of nolo contendere, probation before judgment, or deferred prosecution.19 The PSSP team agreed that since the applicant was on probation, the applicant should not have been preliminarily cleared and a Letter of Inquiry should have inquired about both the simple assault arrest and the second degree assault charge. The applicant no longer works under contract for the FDIC.

Footnote 19: See 8 U.S.C. §§ 1101; 42 U.S.C. 1320a-7; 5 C.F.R. § 919.925; 29 C.F.R. § 98.925; 29 C.F.R. § 1471.925; 41 C.F.R. § 105-68.925; and 48 C.F.R. 1409.403.

- PSSP began a review in 2010 and did not complete adjudication for 2 years. Preliminary clearance and adjudication processes identified financial issues. The Legal Division approved the applicant through preliminary clearance even though the applicant had a history of financial difficulties, and also noted the applicant would be potentially filing for bankruptcy. After preliminary clearance, the applicant filed for Chapter 7 bankruptcy for an amount exceeding the FDIC’s statutory limit for debts owed to insured depository institutions. In light of these circumstances, we questioned the favorable preliminary clearance.

Unsupported Decisions. Our testing also identified four cases where files did not include sufficient support for reciprocity, preliminary clearance, or adjudication decisions.

- PSSP used reciprocity to clear an applicant in 2013; however, FDIC Circular 1610.2 requires previous approval must have been granted within the last 24 months and there must have been no break in employment in excess of 59 days. The applicant’s file did not document that the prior clearance met that criteria. The PSSP team advised us that they do not consider the 24-month requirement when evaluating a candidate for reciprocity, which is contrary to FDIC Circular 1610.2.

- A 2011 applicant’s file was missing fingerprint results, the Preliminary Background Investigation Checklist, and the Summary Sheet, so there was not enough information in the file to draw a favorable preliminary clearance conclusion.

- In 2011, PSSP requested a prior OPM review for an applicant but did not rely upon it for reciprocity. Therefore, the FDIC should have conducted its own adjudication; however, the PSSP team acknowledged adjudication was not performed, likely due to an oversight. No adjudication based on reciprocity information was entered into CHRIS. Therefore, based on our review, the adjudication decision was not present or unsupported.

- The file for an applicant contained no support for the late 2012 preliminary clearance or early 2013 adjudication determinations. The PSSP team indicated that the file was incomplete but was unable to locate additional support. Therefore, the preliminary clearance and adjudication was unsupported.

[End of section]

Appendix 4

Glossary

Term: Adjudication Definition: The process of making suitability determinations and taking suitability actions in cases involving positions subject to investigation.

Term: Background Investigation Definition: A background investigation (BI) seeks information about an applicant's employment, criminal, and personal history in an effort to investigate behavioral reliability, integrity, and personal adjustment. Background evaluations are conducted to determine whether there are any historical facts that would interfere with an applicant's ability to perform the job, including violations of statutes, regulations, or laws.

Term: Bankruptcy Definition: Legal procedure for liquidating a business that cannot fully pay its debts out of its current assets, or property owned by an individual who cannot fully pay his or her debts out of its current assets. Bankruptcy can be brought upon itself by an insolvent debtor (called “voluntary bankruptcy”) or it can be forced on court orders issued on creditors' petition (called “involuntary bankruptcy”). Two major objectives of a bankruptcy are to provide: (1) fair settlement of the legal claims of the creditors through an equitable distribution of the debtor's assets, and (2) the debtor an opportunity for a fresh start. Bankruptcy amounts to a business-failure, but voluntary winding up does not.

Term: Central Verification System (CVS) Definition: CVS, which OPM maintains, is the key system supporting government-wide reciprocity of security clearance and suitability vetting determinations for federal employment, fitness for contractor employees, and eligibility for access to classified information.

Term: Certification Date Definition: Date on which the Application for Public Trust Position was signed and submitted.

Term: Derogatory Information Definition: Any information with a potentially negative impact on an applicant’s assessment for suitability. Typical examples include fraud, trust, patterns of financial difficulty, and felonies.

Term: Felony Definition: In general, felonies are descriptive of serious crimes, both violent or nonviolent in nature, which result in a punishment of fines, and in nearly all cases, a prison sentence of at least one year.

Term: Intelligence Reform and Terrorism Prevention Act of 2004 (IRTPA) Definition: IRTPA, which is Public Law 108-458, addresses many different facets of information gathering and the intelligence community. IRTPA’s eight titles reflect its broad scope.

Term: Letter of Inquiry Definition: An inquiry sent on behalf of the FDIC to obtain additional information from an applicant related to the individual’s background investigation.

Term: Minimum Standards of Fitness Definition: Outlined in 12 C.F.R. Part 336, Minimum Standards of Fitness for Employment with the Federal Deposit Insurance Corporation prohibits any person from becoming employed or providing service to, or on behalf of, the FDIC who has: - been convicted of any felony; - been removed from or prohibited from participating in the affairs of any insured depository institution pursuant to any final enforcement action by any appropriate federal banking agency; - demonstrated a pattern or practice of defalcation regarding obligations to insured depository institutions; or - caused a substantial loss, in an amount in excess of $50,000, to federal deposit insurance funds.

Term: National Security Position Definition: Positions that involve activities of the government that are concerned with the protection of the nation from foreign aggression or espionage and that require regular use of, or access to, Classified National Security Information. See FDIC Circular 1600.3 for further information on these types of positions.

Term: Non-Statistical Sample Definition: All samples that do not have all the characteristics of statistical sampling, which involve random sample selection and use of probability theory to evaluate sample results. The results of non-statistical samples cannot be projected to the intended population by standard statistical methods.

Term: Novation Contract Definition: Substitution of an original party to a contract with a new party, or substitution of an original contract with a new contract. Upon substitution, the obligations of the withdrawing-party are automatically discharged and no express-release is required. To be effective, however, the substitution must be agreed-to by all the original and new parties to the contract. Novation is never presumed; if the novation agreement is not in writing, it must be established from the acts and conduct of the parties. Novation is not the same as assignment of an agreement where no new agreement is needed and the rights and duties are transferred from the assignor to the assignee.

Term: Performance-Based Acquisition (PBA) Definition: An acquisition structured around the results to be achieved, as opposed to the manner in which the work is to be performed. PBA methods give prospective contractors an opportunity to propose: (1) services and solutions that achieve the overall objective and (2) the methods for evaluating the progress of the work and the end product/results/deliverables.

Term: Performance-Based Management (PBM) Definition: A documented, systematic approach to acquisition management. Like traditional project management, PBM involves planning and defining (Planning Phase), implementing and assessing (Measure and Monitor Phase), and changing (Evaluate and Adjust Phase). These disciplines are not sequential but come into play throughout the pre-award and post-award phases of the acquisition cycle. Unlike traditional project management, PBM applies these disciplines in a holistic way to facilitate project success.

Term: Personnel Investigation Summary Definition: Worksheet completed prior to the adjudication determination to document all relevant factors of the investigation. Used as support for the final adjudication determination and FDIC approval.

Term: Personnel Security and Suitability Program (PSSP) Definition: FDIC program to ensure that the Corporation employs and retains in employment only those persons who meet all Federal requirements for suitability (i.e., character, reputation, honesty, integrity, trustworthiness) and whose employment or conduct would not jeopardize the accomplishment of the Corporation’s duties or responsibilities.

Term: Policies and Procedures Manual Definition: A set of principles, rules, and guidelines formulated or adopted by an organization to reach its long-term goals and typically published in a booklet or other form that is widely accessible. Policies and procedures are designed to influence and determine all major decisions and actions, and all activities take place within the boundaries set by them. Procedures are the specific methods employed to express policies in action in day-to-day operations of the organization. Together, policies and procedures ensure that a point of view held by the governing body of an organization is translated into steps that result in an outcome compatible with that view.

Term: Position Designation System Definition: OPM developed the Position Designation System to guide agencies in determining the proper level of investigation and screening required based on an assessment of risk and national security sensitivity. Position designation is established by 5 C.F.R. 731.106, section 3 of E.O. 10450, as amended, and 5 C.F.R. 732.201.

Term: Preliminary Background Checklist Definition: Worksheet completed prior to the preliminary clearance determination to document all relevant factors of the investigation used as support for final preliminary clearance determination and approval.

Term: Preliminary Clearance Definition: A preliminary assessment performed by the PSSP team to ensure applicants meet minimum integrity and fitness standards as set forth by the FDIC. These may include checks of Federal Bureau of Investigation (FBI) fingerprint criminal records, review of personnel security questionnaires, credit reports provided by the three major credit reporting agencies, and other internal FDIC resources.

Term: Probation Before Judgment Definition: Probation before judgment is a term used in some states for a deferred adjudication, used by some states in sentencing certain first offenders. Laws governing probation before judgment are governed by state laws, which vary by state. The term and conditions of the probationary period are at the discretion of the judge. In some states, if the term of probation is successfully completed and there are no further violations, a sentence of not guilty will be imposed. Whether a probation before judgment counts as a conviction or is eligible for expungement varies by jurisdiction. However, for a number of federal statutes and regulations, probation before judgment is included in the meaning of the term “conviction.”

Term: Reciprocity Definition: This is a process in which the applicant is granted full clearance if he or she has already been the subject of a favorable investigation by another agency and that such investigation was within acceptable timing and risk parameters.

Term: Sensitive Information Definition: Privileged or proprietary information which, if compromised through alteration, corruption, loss, misuse, or unauthorized disclosure, could cause serious harm to the organization owning it. Also called sensitive asset.

Term: Summary Sheet Definition: Worksheet attached to all paper files that outlines investigation milestones and signoffs.

[End of section]

Appendix 5

Acronyms and Abbreviations

Acronym/Abbreviation Explanation

79A - Report of Agency Adjudicative Action on OPM Personnel Investigations
ANACI - Access National Agency Check and Inquiries
APM - Acquisition Policy Manual
BDI - Update of Previous BI Completed
BI - Background Investigation
BIRT - Background Investigation Review Tracking
C.F.R. - Code of Federal Regulations
CHRIS - Corporate Human Resources Information System
CO - Contracting Officer
CSB - Corporate Services Branch
CVS - Central Verification System
DOA - Division of Administration
DRR - Division of Resolutions and Receiverships
E.O. - Executive Order
e-QIP - Electronic Questionnaires for Investigation Processing
FDIC - Federal Deposit Insurance Corporation
IRTPA - Intelligence Reform and Terrorism Prevention Act
LBI - Limited Background Investigation
LDI - Update of Previous LBI Completed
MBI - Moderate Background Investigation
MSB - Management Services Branch
NAC - National Agency Check
NACI - National Agency Check and Inquiries
NACIC - National Agency and Inquiries with Credit Check
NACLC - National Agency Check with Law and Credit
OIG - Office of Inspector General
OM - Oversight Manager
OPM - Office of Personnel Management
OPM-FIS - Office of Personnel Management Federal Investigative Services
PBA - Performance-Based Acquisition
PBM - Performance-Based Management
PII - Personally Identifiable Information
PRI - Periodic Reinvestigation
PRIR - Periodic Reinvestigation and Residence Coverage
PSA - Personnel Security Action
PSSP - Personnel Security and Suitability Program
PSSP Team - SEPS employees and PSSP support contractor staff
RSI - Reimbursable Security/Suitability Investigation
SAC - Special Agreement Check
SEPS - Security and Emergency Preparedness Section
SGI36 - Upgrade to SSBI from BI completed: 0 to 36 Months
SGI60 - Upgrade to SSBI from BI completed: 37 to 60 Months
SOW - Statement of Work
SSBI - Single Scope Background Investigation
SSBI-PR - Single Scope Background Investigation Periodic Reinvestigation
TM - Technical Monitor
U.S.C. - United States Code

[End of section]

Appendix 6

Corporation Comments

[Letter head] FDIC Federal Deposit Insurance Corporation 3501 Fairfax Drive, Arlington, VA, 22226-3500 Division of Administration [End of letter head]

July 24, 2014

TO: Stephen M. Beard Deputy Inspector General for Audits and Evaluations

FROM: Arleas Upton Kea Director, Division of Administration

SUBJECT: Management Response to the Office of the Inspector General Evaluation Report Entitled, The FDIC's Personnel Security and Suitability Program (Assignment No. 2013-048)

The Division of Administration (DOA) has completed its review of the subject Office of Inspector General (OIG) Draft Audit Report dated June 12, 2014, based on its evaluation for the period between January 1, 2011, and July 31, 2013. We are gratified by the OIG's conclusion that most preliminary clearance and adjudication determinations were completed appropriately. We further appreciate the OIG's recognition of recent improvements to the Agency's Personnel Security and Suitability Program (PSSP), including DOA's Security and Emergency Preparedness Sections (SEPS).

In addition to concurring fully in the OIG's 10 recommendations, we also would like to take this opportunity to provide a more complete picture of the current status of the program. As described later in our response, corrective actions are either planned, underway, or completed for each recommendation. We would welcome another evaluation of the program as our improvements continue to be implemented.

As mentioned in the OIG's report, the FDIC hired thousands of employees and contractors in a very short timeframe to support the Agency's mission during the recent financial crisis. Each of these new hires required DOA's SEPS to process and adjudicate suitability cases and conduct background investigations to ensure that individuals met the minimum standards of fitness and integrity. To handle this sudden and substantial workload, SEPS hired additional employees and contractor personnel to successfully process in excess of 10,000 cases during this period.

In the aftermath of the financial crisis and the Agency's surge hiring effort, DOA's SEPS has now returned to a more "steady state" operating environment. The program has progressively evolved in a careful, measured, and deliberate manner. The improvements within SEPS are partly attributed to key management changes. The assignment of the current Assistant Director for Security and Emergency Preparedness in December 2012 and the subsequent selection of a new project manager in April 2013 have resulted in significant and quantifiable program improvements.

As the OIG acknowledged in its report, the PSSP was in a transitional state during the OIG's evaluation. Throughout the evaluation period, significant changes were being made to the overall security program. DOA's management team and the Office of Personnel Management Federal Investigative Service (OPM-FIS) had identified similar findings and observations. As such, the SEPS team had already initiated major program improvements.

We are pleased to report that the following improvements directly address many of the OIG's findings and recommendations. To date, DOA has:

- Eliminated case backlogs, thereby reducing processing times, both on the front-end for background investigation submissions to OPM and the back-end for completed case adjudications;

- Implemented the use of e-QIP for electronic submission of background investigation questionnaires for all employees and contractors, resulting in shortened turnaround review time before submission to OPM, significant reductions in submission rate errors, and increased tracking accountability versus hardcopy submissions;

- Digitized on-hand hardcopy personnel security files to provide authorized users secure electronic access to selected personnel security records from their desktop and ability to refer cases electronically to Ethics and Labor & Employee Relations, when necessary;

- Reviewed all FDIC position descriptions for appropriate position sensitivity determinations using the OPM automated Position Designation Tool (PDT);

- Instituted a periodic reinvestigation program for incumbent federal staff occupying moderate risk positions;

- Increased staffing levels associated with the security support contract by adding experienced adjudicators and security assistants, replaced the project manager with an experienced senior project manager, and created and staffed an assistant project manager and a business analyst position; and

- Reorganized SEPS business operations by establishing one new federal supervisory position to manage the Security Operations Unit, which oversees the PSSP, and hired a highly experienced career federal employee to provide day-to-day close supervision and management of the security support contract and federal staff.

Continued Progress Within the Personnel Security and Suitability Program

DOA continues to implement changes to the PSSP that are further improving the program's business operations. DOA's PSSP is rapidly transitioning from a paper-based process to a fully automated system. This transition is well underway and already providing measurable benefits. Below is an outline of actions DOA has taken that have been completed, are in progress, or are planned over the next few years.

In July 2013, SEPS compiled and analyzed the "as-is" state of personnel security and suitability operations by mapping all key business processes. This mapping process resulted in the decision to digitize all personnel security case files, mandate use of digital fingerprint collection for all employees and contractors, and develop training and standard operating procedures within the personnel security unit.

In December 2013, DOA's Assistant Director of SEPS partnered with the Chief Information Officer (CIO) and Director of the Division of Information Technology (DIT) to digitize and secure online storage of personnel security records. The CIO Council unanimously approved funding for this effort, known as PERSEREC (Personnel Security Records) Phase I. In March 2014, DOA engaged contractor support to digitize all hardcopy personnel security records - about 650,000 pages. As of June 30, 2014, the digitization effort was approximately 75% complete and was on schedule as well as under budget.

In February 2014, SEPS collaborated with DIT to initiate the PERSEREC Phase 2 project. This project was designed to further automate PSSP by ensuring that the Phase I digitization project would: provide secure storage; reduce processing and storage costs; eliminate paper documents stored at Iron Mountain; increase control over securing and backing-up case files; conduct background investigations more efficiently, accurately, and timely; automate status reporting; and retire BIRT (Background Investigation Reporting Tool) and seven spreadsheets used for tracking.

In May 2014, also in collaboration with DIT, SEPS initiated the next phase of its plan to automate SEPS PSSP processes. This next phase is known as eWORKS (Enterprise Workforce Solution).

DOA's goal for 2015 is to establish eWORKS as a Business Process Management (BPM) system, incorporating PERSEREC as the document management hub, automating case flow, tracking, and updating, and implementing interfaces with e-QIP (Electronic Questionnaires for Investigations Processing), the Office of Personnel Management's (OPM) Clearance Verification System (CVS), and OPM's e-Delivery (electronic delivery of background investigation results).

During 2016, SEPS will use eWORKS to provide a web-based reporting capability for FDIC stakeholders while implementing additional interfaces with CHRIS HR (Corporate Human Resources Information System), IAMS (Identity Access Management System), ICAM (Identity, Credential, and Access Management), and PATS (Parking Assignment Tracking System).

As noted above, DOA concurs with all 10 recommendations. Below is a description of DOA's specific corrective actions in connection with each of them.

FINDING: OVERALL ADMINISTRATION OF THE PSSP

Recommendation 1: Work with the Legal Division to clarify (a) under what circumstances the Security and Emergency Preparedness Section (SEPS) should submit background investigations that may fall outside the Minimum Standards of Fitness requirements for legal review and (b) how SEPS should handle background investigation cases involving probation before judgment situations.

Management Response: DOA concurs with the recommendation.

Corrective Action: SEPS will include the appropriate clarification and outline associated procedures in Standard Operating Procedures for PSSP federal and contractor employees.

Completion Date: December 31, 2014.

Recommendation 2: Establish and implement standard operating procedures for SEPS employees to complement the Standard Operating Procedures Handbook for Operations at FDIC developed for the PSSP support contractor.

Management Response: DOA concurs with the recommendation.

Corrective Action: Standard operating procedures for SEPS employees will be developed.

Completion Date: December 31, 2014.

Recommendation 3: Direct DOA’s Management Services Branch (MSB) to follow up on issues raised in this report after a reasonable period of time is allowed for implementation of control improvements.

Management Response: DOA concurs with the recommendation.

Corrective Action: MSB will evaluate the issues raised in the OIG’s report and follow-up on corrective actions and SEPS’ progress as part of the Division’s annual internal review and risk management program. MSB’s first review will be completed by the end of the 2nd quarter 2015.

Completion Date: June 30, 2015

FINDING: CONTRACTOR PERFORMANCE AND OVERSIGHT

Recommendation 4: Amend the PSSP support contract to establish clearly defined deliverables, key milestones in the background investigations process, and measurable performance criteria.

Management Response: DOA concurs with the recommendation.

Corrective Action: The Contracting Officer and Oversight Manager will refine the existing Statement of Work (SOW) to include a clear list of deliverables, the key milestones in the background investigations process based upon updated PSSP policies and procedures, and other requirements not clearly defined to date but already part of the contractor’s performance. The Contracting Officer will negotiate these changes with the Contractor and issue a modification to incorporate the revised SOW.

Completion Date: December 31, 2014.

Recommendation 5: Apply APM guidance for performance-based management to the PSSP support contract to periodically assess and document contractor performance against defined deliverables, process milestones, and measurable performance criteria.

Management Response: DOA concurs with the recommendation.

Corrective Action: Upon completion of the Corrective Action under Recommendation 4 above, DOA will be able to periodically assess and document contractor performance against the newly defined deliverables, process milestones and performance criteria. In order to assess performance on a more regular basis during the initial year of the refined SOW, interim performance evaluations will be initiated by the CO and OM on a quarterly basis.

Completion Date: June 30, 2015.

FINDING: RECORD MANAGEMENT CONTROLS

Recommendation 6: Ensure that the ongoing and future records digitization and PSSP automation efforts include effective inventory controls that include clearly defining responsibilities to periodically inventory both electronic and non-electronic PSSP records, whether maintained at the FDIC’s VS facility or offsite; maintaining PSSP work space in a manner that would prevent loss or inadvertent disclosure of electronic and non-electronic records; conducting periodic inspections of work and file spaces; and setting and monitoring timeframes for filing or recording information.

Currently, SEPS is in the process of digitizing active background investigation case file records into Documentum. In-active case files are stored with the FDIC records management contractor.

Management Response: DOA concurs with the recommendation.

PERSEREC solutions use FDIC’s current Enterprise Secured Documentum Repository (Documentum) system to store, secure, and manage background investigation cases. Documentum is a unified Content Management System that provides tools for working with many types of content (i.e., documents, drawings, scanned images, and hard copies) in a single repository. The Documentum repository is controlled and securely backed up on a nightly basis to ensure case files are efficiently and effectively managed so that information is not inadvertently lost.

Documentum also has controls in place to prevent the misuse of data. Such security measures and controls consist of passwords, user identification, database permissions, and software controls. An access matrix has been established to prevent individuals who are not authorized to use the system or who do not have direct need to know certain information from accessing the system. The FDIC assigned a user ID and password to all PERSEREC users. DOA SEPS management grants or denies access to the PERSEREC solution. These access controls provide security protection of case information filed in Documentum.

In 2014, under the security support contract, SEPS initiated an effort to digitize all active hardcopy personnel security records maintained at FDIC as well as Iron Mountain – records management contractor. This digitization effort continues to be in process with expected completion in the 3rd quarter 2014. Upon completion, hardcopy files that have been digitized will be returned to Iron Mountain following Chapter 12. Off-Site Paper Records Management in FDIC Circular 1210.1 entitled FDIC Records and Information Management Policy Manual and will be disposed of accordingly.

DOA will continue to store inactive case files off-site at Iron Mountain storage facilities. SEPS will also continue to comply with FDIC Circular 1210.1 when creating, maintaining, transferring, or disposing of non-electronic records stored off-site. SEPS uses the Automated Records Management System (ARMS) to track case file records stored off-site. The ARMS administrators within the DOA Records and Information Management Unit oversee the ARMS system. Access to SEPS records is limited to certain authorized personnel in SEPS as well as the ARMS administrator.

Corrective Action: Completion of the records digitization project.

Completion Date: December 31, 2014

Recommendation 7: Establish effective physical controls to all PSSP work space, including PSSP support contractor work space, to ensure space can only be accessed by authorized personnel.

Management Response: DOA concurs with the recommendation.

SEPS has already established access controls to PSSP work space. Currently, all doors to PSSP work spaces are equipped with electronic cypher locks that limit access to only authorized personnel. Moreover, all work files containing PII are stored in an adjacent, separately secured file room. Digitizing case file documentation also will enhance the existing physical controls of records within the program and bring added protection to records containing PII.

Corrective Action: Completion of the records digitization project.

Completion Date: December 31, 2014

FINDING: INFORMATION SYSTEMS RELIABILITY AND CONTROLS

Recommendation 8: Evaluate existing reporting systems and establish more comprehensive and reliable reporting mechanisms that:

a. Provide adequate controls to ensure data input and reports are timely and accurate,
b. Align with OPM-required timeframes and other key operational metrics, and
c. Allow for identifying and addressing missing file documentation.

Management Response: DOA concurs with the recommendation.

Corrective Action: The PERSEREC solution that DIT delivered into production in June 2014 provides automated reports that will allow DOA SEPS to retire the current Background Investigation Results Tracking (BIRT) system as well as provide reports necessary to manage the SEPS background investigation program. Specific reports that were delivered with the implementation of the PERSEREC solution include:

- Daily Status Report
- National Security Cases Report
- Issue Cases Report
- Special Security Officer Priority Cases Report
- Daily Workflow Status Report

Additionally, subsequent to the OIG’s evaluation, SEPS coordinated with the Office of Personnel Management (OPM) to obtain various reports that will assist SEPS management to evaluate whether FDIC is meeting critical OPM processing metrics in the background investigation program. Specific reports that OPM provides to SEPS include:

- Initiation Timeliness Report (Footnote 1)
- Suitability Adjudication Timeliness Report (Footnote 2)
- Security Adjudication Timeliness Report (Footnote 3)
- Unacceptable Case Returns Report (Footnote 4)

Completion Date: Completed – June 27, 2014

Footnote 1: Initiation Timeliness Report - provides the amount of time it takes from when a person completes their e-QIP and FDIC sends it to OPM.

Footnote 2: Suitability Adjudication Timeliness Report - provides timeliness information of suitability investigations. Note: Current OPM requirement is 90 days. FDIC is at 20 days.

Footnote 3: Security Adjudication Timeliness Report – pertains to security investigations such as the SSBI, ANACI, etc. that are tracked by the Office of the Director of National Intelligence (ODNI).

Footnote 4: Unacceptable Case Returns Report - identifies cases that FDIC submits and are returned from OPM for incomplete information.

FINDING: DIGITIZATION AND AUTOMATION EFFORTS

Recommendation 9: Complete the “to be” background investigation process evaluation and identify process gaps and control weaknesses that the workflow management system should address, including issues identified in the report.

Management Response: DOA concurs with the recommendation.

The “to be” background investigation process for automation and document storage was completed in the digitization and automation efforts under the PERSEREC solutions project. PERSEREC was delivered into production by DIT in June 2014.

Corrective Action: DIT release of PERSEREC to production.

Completion Date: Completed – June 27, 2014

Recommendation 10: Ensure the PERSEREC project plan is sufficiently detailed and comprehensive to address process gaps and control weaknesses; desired reporting and performance metric capabilities; and costs or savings associated with migrating data from BIRT and CHRIS and retiring BIRT, destroying hard copy background investigation records, and digitizing records.

Management Response: DOA concurs with the recommendation.

Corrective Action: Subsequent to the OIG’s evaluation, SEPS began digitizing background investigation case files and has coordinated with DIT to implement PERSEREC. DIT released PERSEREC into production in June 2014. The planning and implementation of PERSEREC fully satisfies this recommendation.

Completion Date: Completed – June 27, 2014

[End of section]

Appendix 7

Summary of the Corporation’s Corrective Actions

This table presents corrective actions taken or planned by the Corporation in response to the recommendations in the report and the status of the recommendations as of the date of report issuance.

Row 1 Rec. Number: 1 Corrective Action: Taken or Planned: SEPS will include the appropriate clarification and will outline associated procedures in Standard Operating Procedures for PSSP federal and contractor employees. Expected Completion Date: 12/31/2014 Monetary Benefits: $0 Resolved:a Yes or No: Yes Open or Closedb: Open

Row 2 Rec. Number: 2 Corrective Action: Taken or Planned: Standard operating procedures for SEPS employees will be developed. Expected Completion Date: 12/31/2014 Monetary Benefits: $0 Resolved:a Yes or No: Yes Open or Closedb: Open

Row 3 Rec. Number: 3 Corrective Action: Taken or Planned: DOA’s Management Services Branch (MSB) will evaluate the issues raised in the OIG’s report and follow up on corrective actions and SEPS’ progress as part of the Division’s annual internal review and risk management program. The first MSB review will be completed by the end of the 2nd quarter 2015. Expected Completion Date: Monetary Benefits: $0 Resolved:a Yes or No: Yes Open or Closedb: Open

Row 4 Rec. Number: 4 Corrective Action: Taken or Planned: The Contracting Officer and Oversight Manager will refine the existing SOW to include a clear list of deliverables, the key milestones in the background investigations process based upon updated PSSP policies and procedures, and other requirements not clearly defined to date. The Contracting Officer will negotiate these changes with the contractor and issue a modification to incorporate the revised SOW. Expected Completion Date: 12/31/2014 Monetary Benefits: $0 Resolved:a Yes or No: Yes Open or Closedb: Open

Row 5 Rec. Number: 5 Corrective Action: Taken or Planned: Upon completion of the corrective action under recommendation 4, DOA will be able to periodically assess and document contractor performance against the newly defined deliverables, process milestones, and performance criteria. In order to assess performance on a more regular basis during the initial year of the refined SOW, the CO and OM will initiate interim quarterly performance evaluations. Expected Completion Date: 6/30/2015 Monetary Benefits: Resolved:a Yes or No: Open or Closedb:

Row 6 Rec. Number: 6 Corrective Action: Taken or Planned: PERSEREC will include supervisory review controls to help ensure that all required documents are included in digitized case files. MSB may also verify as part of periodic internal reviews that sampled files are complete. SEPS also noted that completion of the PERSEREC records digitization project will enhance documentation back-up and system access controls. Expected Completion Date: 12/31/2014 Monetary Benefits: $0 Resolved:a Yes or No: Yes Open or Closedb: Open

Row 7 Rec. Number: 7 Corrective Action: Taken or Planned: SEPS reiterated existing physical security controls and implemented a clean-desk policy. SEPS also noted that completion of the records digitization project will provide added protection to sensitive records. Expected Completion Date: 12/31/2014 Monetary Benefits: $0 Resolved:a Yes or No: Yes Open or Closedb: Open

Row 8 Rec. Number: Corrective Action: Taken or Planned: The PERSEREC solution that DIT delivered into production in June 2014 provides automated reports that will allow DOA SEPS to retire the current BIRT system as well as provide reports necessary to manage the SEPS background investigation program. SEPS also coordinated with OPM to obtain various reports important to OPM case processing metrics. Expected Completion Date: 6/27/2014 Monetary Benefits: $0 Resolved:a Yes or No: Yes Open or Closedb: Closed

Row 9 Rec. Number: 9 Corrective Action: Taken or Planned: DIT completed the “to be” background investigation process for automation and document storage associated with the release of PERSEREC to production. Expected Completion Date: 6/27/2014 Monetary Benefits: $0 Resolved:a Yes or No: Yes Open or Closedb: Closed

Row 10 Rec. Number: 10 Corrective Action: Taken or Planned: SEPS provided a PERSEREC Requirements Specification document and a more detailed PERSEREC Documentum Design document that addresses case processing work flow controls. DIT released PERSEREC into production in June 2014. Expected Completion Date: 6/27/2014 Monetary Benefits: $0 Resolved:a Yes or No: Yes Open or Closedb: Closed

a Resolved – (1) Management concurs with the recommendation, and the planned, ongoing, and completed corrective action is consistent with the recommendation. (2) Management does not concur with the recommendation, but alternative action meets the intent of the recommendation. (3) Management agrees to the OIG monetary benefits, or a different amount, or no ($0) amount. Monetary benefits are considered resolved as long as management provides an amount.

b Recommendations will be closed when (a) Corporate Management Control notifies the OIG that corrective actions are complete or (b) in the case of recommendations that the OIG determines to be particularly significant, when the OIG confirms that corrective actions have been completed and are responsive.

[End of section]
