Personnel Vetting, Security Clearance Reform, and Trusted Workforce 2.0

Statement for the Record
Mr. David Cattler, Director
10 July 2024

Introduction

Chairman Warner, Vice Chairman Rubio, and distinguished members of the Committee. My name is David Cattler, and I joined the Defense Counterintelligence and Security Agency (DCSA) as Director in March 2024. From my first day as Director, I was humbled by the hard work and dedication of the women and men at DCSA who dutifully support key security functions across the entire Federal government. There was a lot to learn about DCSA as it is an agency with multiple missions—personnel vetting, industrial security, counterintelligence, insider threat, and security training. I appreciate this opportunity to testify before you at this hearing. I am honored to testify alongside the Undersecretary of Defense for Intelligence and Security, the Honorable Milancy Harris, the Principal Deputy Director of National Intelligence, the Honorable Stacey Dixon, and the Department’s Chief Digital and Artificial Intelligence Officer, Dr. Radha Plumb.

Thank you for your oversight, the urgency you have afforded it, and the attention to the Trusted Workforce 2.0 and the National Background Investigation Services (NBIS) program. I will act with the same urgency to ensure DCSA is responsible and accountable in what we say and deliver. DCSA’s shortcomings will be set right under my direction. I welcome and am grateful for the assistance and technical expertise offered by our oversight partners and DoD stakeholders, and I expect to be held accountable.

The Role of DCSA and NBIS in Trusted Workforce 2.0

DCSA is the Federal government’s largest investigative service provider, providing vetting services for a total of 95% of the Federal government. DCSA is the primary implementor of the Trusted Workforce 2.0 (TW 2.0) personnel vetting reforms.
Last year, DCSA’s Personnel Vetting mission conducted 2.7 million investigations, 10,700 investigations per day, 668,000 adjudicative decisions, and the continuous vetting (CV) of over 3.8 million people in the trusted workforce.

The TW 2.0 initiative is a whole-of-government effort led by the Performance Accountability Council (PAC) to overhaul the personnel vetting process for security, suitability, and credentialing. This modernization of the vetting model is a fundamental shift to improve efficiencies and the effectiveness of our personnel vetting processes, enable workforce mobility throughout the Federal government, and facilitate interagency information sharing.

The Department’s NBIS program supports the TW 2.0 reform effort as a Federal IT system for end-to-end personnel vetting — from initiation and application to background investigation and adjudication, to Continuous Vetting. NBIS will deliver robust data security, enhance customer experience, and integrate data access across the whole of government and cleared industry. NBIS will provide the IT system needed to ensure a trusted workforce for 115 Federal agencies, including the DoD, and over 13,000 cleared industry organizations with contractors working for or on behalf of the Federal government.

NBIS Development

In 2015, the Office of Personnel Management announced their background investigation system had been severely compromised. The President issued Executive Order (EO) 13467, which inter alia tasked the Secretary of Defense to develop a modern and secure replacement IT system to support the end-to-end vetting processes for the DoD and Federal government customers. DoD’s NBIS program was established in 2016 at the Defense Information Systems Agency (DISA) to replace OPM’s legacy background investigation IT systems. In 2020, a year after the agency was formed, the NBIS program was transferred to DCSA.
At the time of transfer, only one NBIS capability had been delivered and put into use by DoD and other Federal agencies. This capability, called the Position Designation Tool, continues to be used to standardize position designations and inform vetting requirements. DCSA upgraded and hardened the legacy background investigation IT systems the NBIS program was established to replace, and they are still in use today to deliver vetting services as NBIS development continues. DCSA is responsible for maintaining these legacy systems until they are subsumed into NBIS.

Last year, we discovered several issues with the NBIS program after an internal DCSA assessment, the preliminary findings of a General Accountability Office (GAO) report released in August 2023, and reviews led by the Office of Under Secretary of Defense for Intelligence and Security (OUSD(I&S)). These reviews determined there will be a delay in NBIS delivery and sunsetting of legacy IT systems, hindering the timely achievement of critical TW 2.0 milestones and the Federal government’s implementation of vetting reform.

The analysis of the NBIS program identified several key problems including in oversight, software development methodologies, acquisition strategy, team competencies, and leadership:

• A shortage of critical technical, agile, acquisition, and integration skills hindered DCSA’s ability to lead and implement a program of this scope and complexity.

• The NBIS program did not maintain an accurate integrated master schedule and lifecycle cost estimate based on requirements that were provided to the program. As TW 2.0 policy evolved, the lack of adherence to a rigorous requirements management process resulted in requirement changes and program actions. DCSA was unable to accurately assess or report on the cost, schedule, and performance impacts to inform decision-making about the program.

• DCSA measured success based on software code releases that did not aggregate to a usable capability, resulting in significantly underestimating the timelines to deliver services to our DoD and Federal customers.

• The decision in October 2020 to transfer the management of legacy Information Technology systems to DCSA resulted in a shift in focus towards addressing cyber security standards and compliance without additional personnel or resources to perform these duties. The cost, schedule, and performance impacts of these additional responsibilities were not assessed or reported.

DoD 90-day NBIS Recovery Plan and Immediate Actions

When I began as DCSA’s Director on March 24, 2024, the OUSD(I&S) had finalized the plans to begin a 90-day NBIS sprint effort to understand and address the acquisition approach, financial status, technology approach, and requirements governance in partnership with our DoD colleagues—the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)), the Chief Digital and Artificial Intelligence Officer, and other Department experts. The Department’s holistic approach looked at multiple facets and interdependencies of the program. The Department began that effort on 1 April, and we have worked together closely throughout the process.

Upon approval from the Acquisition Milestone Decision Authority, USD(A&S), key outcomes from the recovery plan will include the baseline and alignment of resources around clearly defined requirements, the delivery of a capability roadmap for internal and external planning and programming, the stand-up of a new NBIS leadership team with clear roles and responsibilities, a disciplined contracting strategy, and the establishment of a reliable funding profile to stabilize and sustain the program.

The OUSD(I&S), as the Program Sponsor for NBIS, will drive collaboration across the Department and lead a new NBIS requirements process.
This will improve requirements management and allow DCSA to sharpen its focus on NBIS delivery. As Program Sponsor, OUSD(I&S) is updating the Capability Needs Statement and the User Agreement, two foundational documents that define the program and drive requirements and user governance.

DoD transferred the NBIS Milestone Decision Authority from DCSA to the USD(A&S) for acquisition oversight. We are moving through the stages of the approval process, which will culminate in an in-progress review meeting in early July. The elevation of oversight adds rigor and discipline to the acquisition process necessary to guide a major program of NBIS’ size through the software acquisition pathway.

OUSD(I&S) and DCSA have together hired new leadership. In addition to my appointment as Director on 24 March, DCSA has upskilled the NBIS team by hiring a highly experienced and knowledgeable NBIS Executive Program Manager (EPM) and Program Executive Officer (PEO) to lead and supervise the program. Working with this new team, I directed an internal NBIS program restructuring to comply with proper governance, business, and security protocols. We are also strengthening NBIS cybersecurity as recommended in a recent GAO cybersecurity report. We continue to work in partnership with the Defense Digital Service to focus on human-centered design and understanding the user experience to inform our modernization activities.

In order to aid my strategic guidance and to ensure internal accountability, I have also directed our DCSA Inspector General (IG) to audit the NBIS program to assess whether and to what extent: 1) funding was expended, and capabilities were delivered to functional and end users; 2) quality metrics exist, and if so, whether they are accurately measured and reported; and 3) internal controls are in place, appropriately designed, and operating effectively to provide reasonable assurance that the performance objectives of the program are being achieved.
The DCSA IG will collect all historical documentation to support his assessment with a focus on FY21 to FY24. I will ensure he has the full cooperation of the DCSA workforce and full access to DCSA records.

Way Forward on NBIS

DCSA will prioritize five actions over the next 18 months: modernizing and migrating NBIS applications, aligning acquisition and development actions, adapting our NBIS workforce, aligning program cost and service pricing, and strengthening cybersecurity protections.

First, we will conduct a wholesale digital transformation to implement the proposed capabilities in the NBIS capability roadmap over the next 18 months. Subject to approval by our Acquisition Decision Authority, I will put in motion the migration of select systems to the DoD Joint Warfighting Cloud Capability (JWCC). This will give NBIS a stable, modern platform, security, the ability to scale and will provide application developers and investigative service providers access to modernize to their specific needs. In time, this move will allow for shared services. The proposed 18-month NBIS capability roadmap includes milestones of ongoing product delivery and support to the mission owners, and the underlying data and engineering elements required to effectively operationalize capabilities in the cloud.

Second, we will assess, review, initiate technical and contractual actions to support the implementation of the NBIS capability roadmap in an 18-month timeframe in close coordination and subject to approval by our oversight authority.

Third, we will implement the recommendations of a manpower skill review to include targeted hiring, internal restructuring, and training of our NBIS team to ensure we have the required deep technical expertise and senior acquisition expertise required for a program of this magnitude and complexity.

Fourth, I am working with my Chief Financial Officer, the OUSD(I&S), the DoD Comptroller and OMB to assess cost and pricing impacts due to the delay in NBIS deployment to develop courses of action to minimize the impact to our customers. The milestones in the NBIS capability roadmap will drive the costs and impact. DCSA will communicate any potential impact of product and service rates charged to our customers. Aligned with prior year practices, the Department announced preliminary FY26 rates at the Enterprise Investment Board meeting on June 27, 2024, and will set final rates for FY26 in August 2024.

Finally, we continue to work closely with GAO on ongoing assessments. The team is actively addressing process and satisfying administrative deficiencies that were identified in a forthcoming GAO report on cybersecurity compliance. I have prioritized these efforts and have instructed my teams to fully integrate cybersecurity oversight and governance of NBIS with DCSA Chief Information Officer and the Chief Information Security Officer.

TW 2.0 Is Being Successfully Implemented

Before closing, I want to share several major TW 2.0 milestones that DCSA has helped the DoD and federal agencies implement to improve efficiencies and reduce risk in the trusted workforce to include deploying case initiation capabilities for DCSA customer agencies and industry to initiate vetting within NBIS, establishing and delivering Continuous Vetting services for DCSA customers, and improving reciprocity timeliness.

• Transition from e-QIP to eApp. All 115 customer agencies and more than 10,000 industry companies have been onboarded into the front end of NBIS. This allows these entities to initiate cases in NBIS and for applicants to use the Electronic Application (eApp) to complete their vetting forms, replacing the previous application, Electronic Questionnaires for Investigative Processing (e-QIP) and improving the applicant experience.

• Tool to standardize position designation decisions. The Position Designation Tool, mentioned earlier, is used by all Federal agencies to assign position sensitivity and risk determinations. The tool helps ensure positions are properly designated to protect national security, public trust, and the integrity of government operations and establishes consistency across all agencies for the level of investigation needed for that position.

• Rapid reciprocity decisions to increase workforce mobility. Reciprocity timeliness remains at all-time lows for transfers into DoD. Through process improvements, we reduced the time to make a reciprocity decision into DoD to an average of one day, down from 65 days in mid-2020.

• Continuous Vetting serves to replace periodic reviews. Our Continuous Vetting services are being used across the DoD and more than 90 non-DoD entities, enrolling more than 3.8 million personnel. The program is preparing to expand to wider Federal populations this summer. Continuous Vetting enables DCSA to identify and mitigate risk in the trusted workforce in a matter of days and weeks, rather than years under the periodic reinvestigation construct.

The TW 2.0 Continuous Vetting model, especially, delivers a comprehensive and efficient vetting process, helping risk management decision-making by focusing in-depth investigations on specific issues of greatest concern. Continuous Vetting involves regularly reviewing an individual’s background through automated records checks, time or event-driven investigative activity, and information such as self or command reporting, security incidents and violations, and insider threat information. The implementation of Continuous Vetting has been crucial in ensuring that the personnel vetting process continues to make improvements in security, quality, and efficiency.

In addition to the success of Continuous Vetting, the fastest 90% of end-to-end timeliness of DCSA-provided background investigations has gone from over 400 days for a top-secret investigation in April 2018 to an average of 187 days in May 2024. This current average is up by 80 days from its lowest point in FY2021, due to a recent surge in demand for background investigations. Through a combination of process improvements, technology adoption, and an increase in workforce size, DCSA and its predecessor agencies were successful in reducing the amount of time it takes to process a clearance, getting trusted personnel to work more quickly in critical positions. Reductions of timelines allow our government employees to commence work more quickly, ensuring that key talent is in place to fill important national security positions, while meeting the needs of the American people.

Continued implementation of TW 2.0 will further improve efficiencies in the personnel vetting process. TW 2.0 brings new data sources, new timeliness standards, and new enterprise tools such as the Personnel Vetting Questionnaire and self-reporting. With the aid of full NBIS delivery, the Federal government will see improved information sharing, and a risk-based trusted person model.

Conclusion

The Executive Branch and Congress have entrusted DCSA with delivering NBIS to enable full implementation of TW 2.0. When deployed, NBIS will support the personnel vetting mission and our customers who utilize NBIS for its secure and efficient investigation and adjudication process. DCSA and the DoD are committed to its development and fielding, and we will finish our part.

DCSA has several steady partners in examining NBIS and identifying the many challenges it faces. We are systematically addressing these issues raised by our partners and taking bold action to correct deficiencies as identified during our 90-day recovery plan. We’ve taken these lessons learned seriously and to task.
DCSA will move forward with a program that instills confidence; a program that delivers capabilities to uphold mission without fail. I am confident in our path forward and expect to be held accountable. We've embraced collaboration with our oversight partners, GAO, DoD, the PAC members, and mission owners—together we will take NBIS on a sustainable pathway forward to ensure a trusted workforce, to protect the Nation and earn and secure the public's trust.