The U.S. Department of Education is requiring that virtually all non-Federal employees working on contracts or subcontracts with the Department submit materials authorize a "security clearance." For example, all ten of the Regional Educational Laboratories (RELs, totaling more than $300 million) are contracts, and all employees contracted to work on the RELs were told that security clearances are mandatory, whether the employee is in a university or other institution, and regardless of the work they perform. Some contractors with decades of experience doing work under contract to the Department first encountered this requirement in the fall of 2005.
The Department requires the contract employee’s fingerprints, answers to a long list of personal questions, as well as authorization for government investigators to do background checks. In some cases, these background checks include financial and credit information and health information. The information is used to judge "individuals' character, conduct, and loyalty to the United States [emphasis added] as relevant to their association with the Department" (ED document 18-05-17).
This new requirement is shocking, and the Department’s insistence that thousands of non-federal employees submit to “security clearances” raises many important issues, such as:
· Why is this policy being adopted?
· Is the policy uniformly applied to all federal contracts?
· Can a less onerous, less intimidating policy be adopted by the Department to cover the great majority of its contractor employees?
Origin of the Policy
This policy is an outgrowth of Homeland Security Presidential Directive 12, issued in August 2004. HSPD-12 establishes policy for a “common identification standard for federal employees and contractors,” specifically for a “secure and reliable” form of identification. A government agency, the National Institute for Standards and Technology (NIST), then developed standards for “smart cards” that store information about an employee, making identification of the individual more certain and secure. “Only an individual with a background investigation on record is issued a credential,” NIST wrote. As a result, background investigations (including fingerprints) are now required for all federal employees.
The reason for these precautions is to increase homeland security applying to “Federal employees and contractors (including contractor employees) for gaining physical access to Federally controlled facilities and logical access to Federally controlled information systems…” [emphasis added].” In other words, HSPD-12 does NOT require that all contractor employees be issued identity cards or be subject to the procedures required to obtain such cards. Note that NIST references access to “federally controlled information systems,” which presumably means direct access to government computers, such as a computer specialist might have.
Application of the Policy
Most government agencies and departments apply HSPD-12 in reasonable ways. No agencies believe each and every contract employee needs to obtain a government identification card or be subject to the procedures required to obtain such identity cards. For example, at the National Science Foundation, education-related contracts are not subject to the same burdensome requirements imposed by ED.
Even the military uses the clearance process selectively, matching contract requirements to the work being performed. A senior employee developing robots under contract to the Navy said that clearances are not required for employees of the firm who work on unclassified contracts.
The U.S. Department of Education (ED) is taking the policy to an extreme and is out of line with other federal agencies. ED has required thousands of contractor employees not only to be fingerprinted but to authorize government investigators to gather,
“any information relating to my activities from schools, residential management agents, employers, criminal justice agencies, retail business establishments, or other sources of information. This information may include, but is not limited to, my academic, residential, achievement, performance, attendance, disciplinary, employment history, and criminal history record information.”
Within the U.S. Department of Education, the Inspector General’s office wrote an April 2004 memorandum about contractor employee security clearance procedures. The IG’s office found that the security clearance procedures cost the agency about $3 million (not counting the time or expense of contractor employees or those individuals who are contacted by government investigators). The IG’s office recommended,
“given the cost of the clearance process, only those contractor employees who will actually perform the work [requiring a clearance] (and [who] have access to the Department’s systems) should be put through the clearance process, rather than all contractor employees on a team.”
U.S. Department of Education Policy
The U.S. Department’s Office of Management issued a Departmental Directive covering employee personnel security screenings (sometimes referred to as “security clearances”), OM:5-101, updated July 7, 2005. The directive is more than a dozen pages long. Although very poorly written and hard to understand, the directive states that,
“contractor employees who will have physical access to Department controlled facilities, sensitive information or systems for 30 days or less (e.g., a one or two week project), or have infrequent access (e.g., three times a month), do not require any investigation if they are escorted.”
This sentence makes it clear that the background investigations are intended to apply to some, but not all, contractor employees. Similarly, under the heading Definitions, “contractor employee” is defined as:
“For the purpose of this directive refers to all non-Federal employees working on a Department of Education contract, including all subcontractors, requiring (1) access to Department controlled facilities or space, or (2) work, wherever located, on those contracts which involve the design, operation, repair or maintenance of information systems and access to sensitive but unclassified information.”
Again, this definition clearly does not cover all contract employees. However, by defining “sensitive but unclassified information” extraordinarily broadly, the Department is requiring virtually all contract employees to be subject to security screenings. Vast number of tasks being performed by contractors are now said to involve “sensitive” information in ways that OMB, NIST, other federal agencies, and the Presidential directive clearly did not intend. Further, ED requires virtually all contractor employees to be fingerprinted and answer many personal questions (forms SF-85 and OF306), even when they have no access to data (e.g., when they design a study)--and to provide even more information and authorizations (SF-85P) when they do. Within ED, OM:5-101 is not uniformly understood; a few people there interpret OM:5-101 more sensibly.
There are rumors that ED policy is also affected by the Privacy Act of 1974. However, no documentation to that effect is available. Furthermore, the Privacy Act has existed for more than 30 years, but the "security clearances" policy is new.