IT staff with the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), the Department of Homeland Security (DHS), and the Department of Defense (DoD), among other federal regulatory, intelligence and law enforcement agencies, all deal extensively with highly classified data. This is particularly true of cybersecurity admins, analysts, auditors, architects and others. All of these professionals have access to data that is vital to national security – and all of them require security clearances.
Even outside the government, many defense contractors and IT outsourcing agencies also have access to classified information. Consequently, the cybersecurity professionals working on those systems have to be cleared in the same way as federal employees.
With all your credentials in order and an interview process that went your way, landing the job you’re after is still contingent on being thoroughly vetted through a security clearance process. This isn’t like a technical certification that you can acquire by taking a test, or even like a license that you can apply for. Clearances have to be requested by an employer.
Due to the extensive time and expense associated with getting a clearance, employers are reluctant to go through the process for anyone less than the most exceptional candidates. This, however, is one of the factors that make a current security clearance so coveted. Once you have been given clearance, you have effectively cleared a major hurdle that makes you a highly valuable member of the organization.
Different Clearance Levels – Different Standards
There are three basic levels of official national security clearance. Although the nomenclature sometimes varies from agency to agency, they typically align with the three basic clearance levels assigned to sensitive data:
- Top Secret
Within the Top Secret category, an additional classification called “Sensitive Compartmentalized Information (SCI)” is also used, sometimes popularly referred to as “need to know.” SCI data remains Top Secret and is accessible only to a small, select subset of IT professionals with Top Secret clearance, rather than to everybody in the organization with Top Secret clearance.
Basics of the Security Clearance Process
Though, of course, there are different standards for awarding clearance at each of the three levels, the basic steps a candidate will have to go through are the same:
- Complete a questionnaire (an SF-85 or SF-86)
- Submit fingerprints
- Undergo an interview process
The SF-86 is the most common questionnaire used and has a comprehensive set of questions covering everything from where you have lived, worked and gone to school, to the people you have known and currently associate with. Intensely personal questions about sexual status and drug and alcohol consumption are also asked.
It’s important to be absolutely honest and forthcoming when filling out security questionnaires. Any hint of discrepancy or dissimulation will become a huge red flag for investigators. Even unintentional omissions can cause serious problems later in the process.
The Benefits of a Military Background
Even in the civilian world, most positions that stipulate security clearance are defense-related, so military experience is viewed as a plus, particularly if your job in the military was one that required some kind of clearance.
Obtaining a clearance while on active-duty military service is a common requirement for many Military Occupational Specialties (MOS). Processing is faster than in the civilian world, with many clearances coming through in just 90 days.
A clearance does not automatically stay with discharged veterans but can be transferred relatively easily.
Investigators Dig Deep to Vet Clearance Candidates
Once you’ve submitted your information, it’s in the hands of investigators. The depth of the investigation will vary according to the classification of the clearance.
The vast majority of security clearances are issued through the Department of Defense’s Central Clearance Facility (DoDCAF), which uses the Office of Personnel Management (OPM) to conduct investigative checks. Some non-DoD agencies issue their own clearances, but many also use OPM for the background checks, so in most cases OPM investigators will be performing the interviews and record checks.
National Agency Checks and Inquiries with Credit and Local Agency Check
All clearance checks first go through a NACLC (National Agency Checks and Inquiries with Credit and Local Agency Check). This just consists of a credit check, criminal records check at federal and local levels, and verification of references. For the most basic clearance levels, a NACLC and interview might conclude the process.
Single Scope Background Investigation
At higher security classifications, investigators will check with law enforcement agencies in each jurisdiction where the candidate has reported living for any records at all. Interviews will be conducted with friends, neighbors, and family of the candidate, including former spouses. The citizenship of close family members will be verified. There will likely be multiple candidate interviews, some of which will involve polygraph testing.
Other government records will be referenced to corroborate statements made on the SF-86 or other questionnaire:
- Tax returns
- Employment records
- Driver and vehicle licensing records
- Other public records such as county assessor’s data
This intensive investigation is called a Single Scope Background Investigation (SSBI). Any discrepancy between official records and statements, or between the candidate’s statements and those of other interviewees, will be pursued and investigated.
Clearances Aren’t Issued Quickly or Lightly
It can take up to two years to be approved for a new security clearance. Because of this, interim clearances are often issued after the NACLC is completed, allowing candidates to begin working with sensitive information on a provisional basis while the remainder of the background check is finished.
If questionable information comes back with the NACLC, an interim clearance will not be issued, but this does not necessarily mean that the clearance will be denied once the investigation is complete and all information can be viewed in perspective.
Only U.S. citizens can be granted clearances, but they can be either native or naturalized. Non-citizens may, in some special circumstances, be issued a Limited Access Authorization to work with compartmented data if no U.S. citizen with the proper skills is available to fill the role.
Clearance Denied! … And the Appeal Process
The worst outcome may be that you are rejected totally for a clearance. Sometimes apparently unimportant factors can result in a clearance being denied. Something as simple as having relatives who are permanent residents of a certain foreign country can result in rejection.
Although it appears arbitrary, investigators are wary of the potential for blackmail or other pressure being applied through overseas connections.
There is a challenge process for rejected applications, so an appeal can be made if you feel there is mitigating information. DoDCAF will provide a list of reasons that the clearance was not granted.
Clearances Don’t Live Forever; Periodic Investigations Will Be Ongoing
Just because the holder of a security clearance was deemed safe to hold classified information at one point doesn’t mean they can be trusted forever. People change, situations change, and so every security clearance must be renewed periodically with a fresh, if less intensive, background investigation.
All clearances are renewed at 5-year intervals, but the degree of reinvestigation varies with the clearance level.
A Confidential clearance, for example, will simply require a fresh NACLC to be run, while Top Secret/SCI requires a complete SSBI, although going back only five years.
If a clearance is not renewed, it can fall into one of two categories:
- Current – The clearance is not active, but can be renewed
- Expired – The clearance is not active and cannot be renewed; a fresh application will have to be made
For obvious reasons, it’s important to keep clearances active or current if there is any possibility of continuing to work with sensitive information in cybersecurity.