Why Continual vetting is Necessary
Trusted! But … Not Really
One of the most tragic attacks on the US military in recent history was the shooting at Ft. Hood. It is tragic not only because of the loss of life but also the survivor’s guilt. Like school shootings, it happened in a place of perceived safety. In hindsight it is easy to spot the warning signs but why so often do these warning signs go overlooked? Those trusted with protecting Ft. Hood, like so many other secure facilities, are faced with the awful guilt and reflection when determining if they could have or should have been able to prevent this. Like the Navy Yard shooting a few years later, both attacks were carried out by trusted personnel. While these incidents have been thoroughly investigated and additional measures have been put in place to prevent future incidents one fact remains true, the strongest fences won’t help when the enemy can walk in through the front gate.
Trust and Verify
Continual vetting is a concept now coming to the forefront of the security industry. The current model for security clearance and determining fitness for access to secure facilities involves background checks. It is a snapshot of a person’s past using a limited amount of available data to predict future behavior. After a few years, the background check is repeated. The problem with background checks is they are only reactionary. These processes may be effective at judging a person’s character based on past behavior and accessing risk, but they leave a big knowledge gap when it comes to accessing risk. When it comes to preventing incidents, it isn’t just about assessing the risk based on past behavior but continually monitoring current behaviors to look for key indicators of increased risk.
A broader concern for employers is workplace crime in the form of theft and fraud. This could be an employee stealing from the company or using company resources to steal from others. Either situation would create a liability for the company that could be mitigated through continual vetting. Fifty percent (50%) of workplace crime involves an employee. The average cost of an incident can range between $5 to $8 million.
Delays in Reporting
A common problem with background checks is the time it takes for data sources to update information and make that information available for inquiry. National Criminal Information Center (NCIC) is operated by the FBI it is a central repository for national crime information and the main data source for criminal information used during a standard background check. Every state contributes through the Interstate Identification Index, which is a pointer system linking back to each state’s criminal history database. The individual states depend on local and county law enforcement organizations to update these records in the state system. It can sometimes take weeks or even years for criminal information to filter its way up to be available for a nationwide criminal history check.
One example happened a few years ago. A contractor working with various military and government installations had passed countless criminal history checks for years. Then one day an arrest warrant resulting from a long-forgotten traffic ticket from a small town finally surfaced in NCIC. Luckily this was a minor issue, and the problem was quickly resolved by the contractor who posed no real risk to the government. What if this had been a bigger issue? What if this would have been for domestic violence? Or Firearm infractions? Or any number of crimes that could have posed a greater risk to these facilities and prevented the contractor from entering as a trusted visitor? This relatively benign example shows the importance of repeated and continual background checks.
It’s not a crime if a law isn’t broken
Various risk indicators could show up through continual vetting that is not crimes and would not be present in a criminal history check. This is the foundation of a continual vetting philosophy implemented by big data companies like ClearForce. They provide continual vetting services of trusted personnel that don’t include criminal history data. When a person is enrolled in ClearForce by an employer that person’s virtual identity is continually monitored and analyzed using a proprietary AI. There are certain thresholds set and a process in place so that when risk flags are issued by the system the employer can take appropriate measures to mitigate potential risks. 
Those risks are not limited to a threat of violence like the examples stated at the beginning of this article. It could be a developing crisis in the person’s personal life that could lead to financial harm to the company or be indications of personal trauma for the employee.
ClearForce gives employers the tools to approach at-risk employees from a position of support and compassion. As are often the case employees do not want to bring up personal troubles with their boss for fear of long-term harm to one’s career. Continual vetting gives employers insight into potential problems and enables them to be proactive instead of reactive.
DoD joins the party
Recently the Department of Defense has expressed increased interest in continual vetting. The COVID-19 pandemic has caused more employees and contractors to work from home. The nature of every work environment has had to rapidly adjust to this new dynamic. Everyone is feeling more isolated, and it is harder for managers to connect with team members on a personal level. Over the past decade, security measures have been less about physical security and more about cyber security. A long-standing tactic used for cyber infiltration is social engineering. If an outside threat can get somebody already on the inside to simply leave a door open, the enemy can walk right through the front gate.
The DoD understands that new threats won’t be the bad guys showing up with guns but of a slow methodical infiltration of trusted personnel who may someday leave the door open. This is the reason continual vetting is becoming important for the DoD. They want to identify potential risks as soon as they form and not react after the fact. The systems VVMS has implemented for the DoD for 2 decades have incorporated a methodology of frequently repeated vetting of “trusted” persons.
William Lietzau, the director of the Defense Counterintelligence and Security Agency, said approximately 4 million defense personnel, including military, civilians, and contractors are subject to the continuous vetting program. This is part of the agency’s Trusted Workforce 2.0 initiative and security clearance process.
Understanding the delay in reporting is reason enough to want an increased level of continual vetting. Coupled with new big data capabilities like that offered by ClearForce and innovations that allow for a more rapid and ongoing aggregation of watchlist data from sources other than criminal history lays a foundation for the future of risk assessment.
DoD has not released specifics about their new continual vetting strategy. The DoD leadership addressing the concerns about incomplete vetting has also indicated the need for a better process for sharing information between agencies. The continuous vetting process might help with reciprocity with a top-down policy clarification on what is acceptable reciprocity. The goal is to establish a mutual understanding across the agencies of what is acceptable under the continuous vetting program. VVMS has been seeing more and more interest in this from the private sector as well.
Continual Vetting Increase Workplace Safety
In General continual vetting is a small measure that has huge benefits. Taking a security posture of continual vetting means employers are deciding to stay engaged with their personnel. This involves more than just criminal history checks to keep tabs on any wrongdoing but also to stay actively engaged in the safety and personal wellbeing of staff. Using available technology to be alerted of potential risks may help to prevent a personal tragedy and especially workplace violence and fraud.
Sources
https://fcw.com/articles/2021/05/27/clearance-trusted-workforce-reciprocity.aspx
