Hearing Wrap Up: DoD Must Finish Long-Overdue Background Check IT System to Protect National Security and Taxpayer Funds

WASHINGTON-Yesterday, the Subcommittee on Government Operations held a hearing on "An Update on DoD's Struggling Background Check System." During the hearing, members reviewed the progress made over the last 18 months to address the issues causing delays in National Background Investigation Services (NBIS) implementation. Members also examined potential solutions to ongoing problems and actions Congress can take to help the Department of Defense (DoD) overcome these challenges.

Key Takeaways:

The Defense Counterintelligence and Security Agency (DCSA) had lacked a clear vision for improvement, but has made some progress and remains committed to making major policy and agency improvements to correct programmatic shortcomings.

• Justin Overbaugh, Deputy Under Secretary of Defense for Intelligence and Security and Acting DCSA Director at the U.S. Department of Defense, testified that "The agency's original purpose became blurred, drifting towards an intelligence focused entity rather than embracing its vital security mission. Instead of focusing on executing its most important functions with excellence, the agency attempted to accumulate more missions to the point that it failed to achieve its core purpose altogether. The lack of a viable vision, clear expectations, and leadership accountability from past department oversight allowed DCSA to fail."
  
• Alissa Czyz, Director of Defense Capabilities and Management at the U.S. Government Accountability Office (GAO), testified that "[The] government is years late in delivering NBIS. This failure happened in part because DCSA had not developed a reliable schedule for the system, as we first recommended several years ago. DOD had originally planned for NBIS to be fully functional in 2019 and has changed its deadline several times since then. In 2024, DCSA paused in this development while it drafted a recovery plan. Just last summer, the department began development again. DCSA now projects it will finish in this development in 2027 or [fiscal year] 2028, according to a statement. This is nearly a decade after its original goal. The latest NBIS schedule shows some improvements in key areas, but overall, we find that it is still not reliable, putting NBIS at risk of further delays."

Larger personnel vetting reforms aimed at improving the issuance of security clearances, have been delayed by a lack of progress with NBIS implementation.

• Mr. Overbaugh testified that "In my short time as Acting Director, I have found what I expected-a dedicated, talented, and innovative workforce unfortunately shackled by burdensome processes designed not to empower them, but to maintain the status quo and sustain layers of management. Our focus now is on unleashing their potential. To that end, we are designing the agency for purpose, moving it from a cumbersome bureaucracy to an agile organization that can serve as a model for the rest of government."
• Ms. Czyz testified that "As you know, the us government relies on over four million personnel with security clearances to protect our nation. Personnel vetting helps ensure a trusted workforce, but the government has struggled with managing this process for years. This issue has been on GAO's high-risk list since 2018, due in part to challenges with it. Systems reform is urgently needed. The federal government is taking too long to grant security clearances to essential personnel. For example, it takes over 200 days to grant a top-secret clearance. This is 80 percent longer than the government's goal. As you know, after a massive cybersecurity breach of [Office of Personnel Management] systems in 2015, the President tasked DOD with building a new [information technology] system to manage personnel vetting. The department began developing NBIS in 2016."

Congress must continue to assess the progress made in the implementation of NBIS technology, examine continued hindrances in implementation, and identify the best path forward to speeding up progress while protecting sensitive data and limiting additional costs to taxpayers.

• DCSA has been operating without permanent leadership since September 2025. Congress must understand why the position remains vacant and discuss how this gap in leadership may impact the completion of the NBIS system and the reliability of the federal government's security clearance process.
• Ms. Czyz further testified that "[While] DCSA has a reliable cost estimate for NBIS now, delays have caused the price tag to balloon. The department has already spent at least $2.4 billion developing new systems and maintaining OPM's legacy systems. It now projects spending an additional 2.2 billion to finish NBIS bringing the total cost to the taxpayer to about $4.6 billion. This is a 100 percent increase over DCSA's previous projections."

Member Highlights:

Subcommittee Chairman Pete Sessions (R-Texas) asked about DCSA's data collection issues.

Subcommittee Chairman Sessions: "Is that what you also have, a system problem?"

Mr. Overbaugh: "In the sense if I understand your concern-"

Subcommittee Chairman Sessions: "Well you put your data in something that would be reviewed by-you decide how many-but several people, it's not just a one person process. You've got an investigator that goes out and they put their data and information. Is that a problem of getting that data and information? We're dissecting this now in this subcommittee. Is that a problem? Because it seems like that may be part of your daytime job."

Mr. Overbaugh: "Yes, Chairman Sessions, and what I would say is-that's the problem that you're highlighting-is the exact reason why it's so important that we give this online so that we're able to achieve the goals laid out in Trusted Workforce 2.0. As it stands right now, from a system standpoint, we're using old and antiquated technology, I think developed in the [1980s], in order to do the task of personnel vetting."

Rep. Virginia Foxx (R-N.C.) asked if DCSA has taken action to mitigate potential cybersecurity and privacy risks.

Rep. Foxx: "Ms. Czyz, in the Committee's 2024 hearing, you raised concerns about cybersecurity privacy protections. Has DCSA taken concrete steps to mitigate those risks, and have you seen evidence these steps are effective?"

Ms. Czyz: "Yes. DCSA has taken swift action to address our recommendations. At the time of our last hearing, we put out a report with 13 recommendations, mostly focused on the management of cybersecurity, making sure that there's current guidance and effective oversight. The previous DCSA director, Director [David] Cattler, made it a priority to implement all of those recommendations within one year, which is very fast for a GAO report to have all recommendations closed in one year. So we think that that's a very positive effort. DCSA does need to remain very, very vigilant on this. This is the whole reason that the department has responsibility for personnel vetting because of that cybersecurity breach in 2015 that compromised, as the chairman mentioned, data on over 22 million federal employees and contractors. We do have work that's not available in the public setting to discuss looking more specifically at NBIS and testing of cybersecurity controls, and issued a recent report in December on that, which we have discussed with DCSA. But we are confident that they are taking it seriously."

Rep. Tim Burchett (R-Tenn.) inquired about the steps DCSA has taken to address cultural issues within the agency that are impeding progress.

Rep. Burchett: "Thank you, [Mr. Overbaugh], since you were appointed, what steps have you taken to address the cultural issues? I think you [identified] them in your opening statement."

Mr. Overbaugh: "Representative Burchett, thank you for the opportunity to chat with you today. There's been a couple things that we've done from a cultural perspective. The first thing was we looked at leadership across the organization, and we identified where we had individuals who were stymieing progress because they were too comfortable with the status quo, and we made some changes in that regard. Second thing that we've done is myself and Miss Jones have traveled to a number of the different locations where our DCSA colleagues and teammates reside. We have over 163 different locations across the United States, and we've begun to hear from folks who work on the front line across our agency about the types of things that we can do at a leadership level to change the culture. Ultimately, the steps that we're taking are designed towards transforming it from a reactive to a proactive organization, from a risk based or correction, from a fear-based culture, to one that looks for opportunities to continue to shore up security for the American people."

Click here to watch the hearing.