Published in Silicon Mountain
DoD CAC: Two Federal Experiences Slower than Finding a PS5

Let’s start with a commercial-company situation. Employee ‘Jane’ joins your company tomorrow. On her first day, would you expect Jane to have access to email, messaging systems, and the systems relevant to her position? If you are the federal government, not so fast: the journey may take months, even years, depending on the clearance requested.

Jane is joining a commercial company. Small or large, the expectation is that in exchange for her earnings she will perform a task, or set of tasks, that enables the company’s success. It is in both the company’s and the employee’s best interest to provide access to relevant systems, facilities, customers, personnel, and equipment on the first day of employment. Employees often receive a badge and fob or key access on that first day, and likewise surrender that access, as a security precaution, on request or at termination of employment.

That is not how the government chooses to operate. This experience comes from both a large contracting company and a small, first-time company team; for the sake of organization we will separate the two journeys. These are real experiences of a real person and are intended to be illustrative of the topic at hand.

This story is about two adventures, each roughly a year in duration. The current one can be summarized in a sentence:

Six months into a twelve-month, $3 million contract, we have not received CAC access.

Large Consulting Company Experience

Day one at a large consulting firm starts with a lot of orientation, paperwork, and a photo that goes on a badge granting access to company-owned or leased facilities. By this point the new hire has already been through a pre-screening process. This person is also issued a computer and whatever peripherals and accessories are deemed necessary for their success (external mouse, headset, etc.).

This particular consulting firm works with a lot of government agencies, and I was one of those new consultants. On day one the security team contacted me by email with PDF forms requesting a lot of personally identifiable information (PII). Maybe this company has an encrypted solution to protect these files, maybe not. In most cases the PDF containing email address, social security number, date of birth, first name, last name, and so on travels over relatively unsecured email to government mailboxes and from there into multiple government systems.

As a card-carrying member of the 2015 OPM breach, which exposed more of my personal information than my mortgage holder has access to: what have we learned? Years later, PDF and email are still the primary tools for this process, and so are the applications that manage it. The security process has security gaps; is that not ironic?

Remember that on day one my payroll was active: I was submitting timecards and billing to a project, and that project billing is in turn used to bill the government. Day one, as with most day ones, contains a lot of culture and process adoption. It is necessary training (legal, regulatory, privacy, etc.) and not a lot of direct delivery. Day one is typically spent at company headquarters and billed to overhead.

In this position I had ambitions to grow my experience and career in consulting. In this case the credential in question was a PIV card issued under Homeland Security Presidential Directive 12 (HSPD-12), the civilian-agency equivalent of the CAC. From day two the consulting firm was billing the government for my time on a contract that is intended to provide value. In that first week I was going to my place of work as a visitor, escorted around the federal office building that housed my cubicle. I completed my security documentation for this step and submitted it to my security liaison within the company, who validated it for completeness and then submitted it to the government.

The Rub

In this case I joined the business and was primed for promotion within a year. For seven of those twelve months I ‘worked’ without personal physical access, a government-issued computer, a government email address, or direct access to government information. Want to do some math?

7 Mo * 172 Hr/Mo * $100/Hr = $120,400

Keep reading for more on this figure; here it represents the total billed value. What should be noted is that it is neither the company’s nor my own fault that the government process took seven months. What is interesting is that the perception of security drives this process. The reality is that shadow operations are forced into existence to work around these scenarios. Employees are expected to be productive and provide value for their salary, and operational leadership WILL find a way around barriers like access to information in many low-security, unclassified environments. The result, however, is a lot of rework, confusion, and juggling of multiple email addresses and devices, all of which erodes the effectiveness of the workforce.

First-Time Small Consulting Company Experience

The world gets more complicated with fewer available resources. I spent the last six years working with for-profit industry, from Fortune 50 companies to startups, and learned a lot about what can be accomplished in the commercial, Agile software world. For some reason I am not only willing but enthusiastic about putting that knowledge to work in service of the federal government. My new company has veteran ownership and a small-business classification that open some doors, but it has mostly won customers through a rock-solid reputation for good advice and quality delivery.

Through resilience, persistence, and an earnest interest in joining up with innovation in the Department of Defense, we as a team succeeded in winning a contract. This time our resources do not include a security officer, or a security department for that matter. Security coordination is just a role we have to play, and the company and its employees are learning along the way. As part of our discovery services we recommended using available tools (collaboration tools such as Atlassian’s Jira and Confluence, and Mattermost) to solve day-to-day and strategic challenges faced by the operating groups. To provide direct support, we need access to Impact Level 4 (IL-4) systems. IL-4 systems require approval, and the pathway to approval runs through a CAC, or Common Access Card.

Common use of a CAC for systems access

On day one I already knew from previous experience how long this process can take, so on day one I started working out how to get access. Also on day one, the entire discovery team started providing value. Granted, in this scenario discovery did not require IL-4 access; only the subsequent delivery phase would.

DISCLAIMER: I have a lot of respect for every federal, state, and local contractor, uniformed person, and employee. In my experience the frustration usually gets directed at the person rather than at the process, which grows out of a series of well-intentioned laws, regulations, rulings, and so on. Budget constraints have also merged jobs that were once two into one, and with five or more weeks of leave, a single absence can bottleneck a process quickly when 4.1 million contractors are demanding responses. For any given security office this could easily mean 3,000 people in a backlog that stretches months for that one person. They do not deserve to carry the full burden of this issue.

A Different Journey

Without a security officer (who is usually paid in part by government funding via overhead or G&A) at our small business, there is a lot more mystery in the process. Researching the problem led the company to believe it needed someone to sponsor the team, and in particular needed a Trusted Agent. At that point no one we worked with on the government side knew a Trusted Agent. All we knew was that we needed to get a Trusted Associate Sponsorship System (TASS) form completed to get credentials. This form is a PDF containing a great deal of PII; you are asked to save it, yet saving it requires a paid Adobe license. We completed these forms on what can be described as day one. Trouble is, it was the wrong form. By this point the team had completed discovery and identified an existing IL-4 tool that, with support from the team, could create value for the government.

When informed of the error, we learned that we were not in JPAS (Joint Personnel Adjudication System) or DISS (Defense Information System for Security). What are those? Great question. JPAS is a legacy system that DISS is replacing. These tools presumably receive the PII from the PDF form by someone rekeying it. They are case-management tools for the National Background Investigation Services (NBIS), which likely involves another agency outside the Department of Defense’s sphere of influence. We were not off to a good start.

The second form requested, another PDF with embedded PII, was Optional Form 306 (OMB control number 3206-0182), entitled Declaration for Federal Employment. This form, submitted around day 30, initiated a preliminary background check, or at least that is what we think happened. Between days 30 and 85, conflicting leave schedules and COVID dependencies explained away the situation. Around day 85 we were asked to be fingerprinted for background checks. Wait, those were done, right? Yes, but apparently there is a pre-check for the check on each individual.

Next up after fingerprinting is re-entering the same data into a system called e-QIP (Electronic Questionnaires for Investigations Processing), by each of us individually. This process is a little more modern, managed through a secured web portal. The trick is that the fingerprints have a 30-day fuse: after that, the fingerprinting must be redone, which happens at your local secured site, in our case an Air Force base. Again, leave schedules made processing the request a challenge. At day 110, with less than a week left on the fingerprint window, help arrived in the form of a senior-ranking officer with a knack for enhancing progress. The very next day we had e-QIP invitations and started filling out the rather robust set of personal data: addresses, references, people you knew when, and so on.

Since then, continued pressure from senior leadership has resulted in some gains. However, the process is not transparent to us in terms of expectation management. Our sponsors regularly ask for status on CAC access, since the value we provide would be more direct with IL-4 access. It is impossible to make that estimate, and each day that passes is a day further beyond our largest guess (I think our pessimistic value was 23 days from e-QIP submission). We can be sure of only one thing: there are other systems that we do not yet know about.

The Rub

At the time of writing we are at day 130+ from the start of the request process and halfway through our task order’s period of performance. We identified seven members of our team who need IL-4 access. We have built workarounds to continue providing value: building in IL-2 and having others pull the results into IL-4. We are operating at probably (optimistically) 60% of the effectiveness of direct delivery. Let’s do some fun math again.

5 Mo * 172 Hr/Mo * $100/Hr/Person * 7 Person * 0.6 (Effectiveness Coefficient) = $361,200

If we go further and assume, safely, that at least 10% of the 4.1 million contractors (410,000 people) run into this same issue for the same duration each year, with the same effectiveness coefficient, then at $51,600 per person,

the government wastes at least $21.16 billion each year

due to delays in the onboarding process. As mentioned in a previous article, this situation does not suggest bad people but a learned helplessness in the culture. In response to the involvement of senior ranking leadership, one candid response was:

“I do not see why leadership needs to be involved, [the CAC process] is proceeding on normal timelines.”

Additional Thoughts

In this situation we were aware of the potential for delay from previous experience, so workarounds for productivity were built. Relying on others’ good will compounds inefficiency. We are driven to provide value, so we have made it work. In the large-company example, access was such a problem that closer to 30% efficiency was possible during the waiting period. Access to ‘Public Trust’ level data was restricted, and because of the nature and risk aversion of the personnel providing it, that data is usually more restricted than necessary.

The challenge is that $21.16 billion in annual wasted value is apparently tolerable. There are many valid reasons to have processes that protect the security of these organizations. However, the current solution produces outcomes that circumvent those provisions out of a different kind of helplessness. We are also reinforcing a heavy dependence on large contracting firms that have ‘figured out’ how this game works and have relied on the compounding cost of this waiting to justify their billing rates. How can we do better? How can we strive for day-one access? How about we treat it as $21.15 billion available to spend on fixing the problem, and break even in year one (even profit!).

NOTE: The Sony PlayStation 5 console (PS5) was released on 12 November 2020. Our task order started 27 September 2020. As of this article I have had a PS5 for two weeks. My first attempt to get a CAC during walk-in hours last week was unsuccessful because of issues getting onto the base for a walk-in appointment. As of writing this article, just over six months from the start of our period of performance, I received my CAC.


Silicon Mountain is a small company based out of Denver, CO with multiple SBIR awards. We deliver DevSecOps as a service to enable our employees and customers to own their mission success.

Michael Downard

Michael works for a small business as Principal Investigator for multiple SBIR awards and earned a part-time MBA from George Mason and is both a PMP & PMI-ACP.
