‘America’s gatekeeper’ has a message for small defense contractors – MASHAHER

There’s a lesser-known Pentagon agency you must get to know if you’re a small business hoping to break into the multi-billion dollar defense contracting arena.

In an interview, its new director said the Defense Counterintelligence and Security Agency, nicknamed America’s gatekeeper, is better known for conducting 95% of background investigations for federal workers and military personnel, but less so for its role protecting the nation’s industrial base.

David Cattler, who took the reins in March, wants to change that.

In an effort to centralize the government’s sprawling personnel security system, Congress sought to move this responsibility to DCSA from the Office of Personnel Management, which was finalized via an executive order in 2019. Now, Cattler said he’s in the midst of a “90-day approach” as the leader of an organization that should be at full performance in five years.

The White House has said small businesses are “the engines of the economy,” and it has told agencies like DCSA to ensure their participation in government contracts. Last year, they spent a record $178 billion on small businesses. DoD alone increased its spend by 8%.

There’s an imperative from government to extend a welcome to small businesses, and DoD has a growing portfolio of commercial technology and services that can diversify the industrial base. There’s also a need to ensure barriers to entry aren’t too high without compromising security. That’s where DCSA comes in.

This interview was edited for length and clarity.

You’ve been in this role for a little less than three months. What’s new to you? What’s your vision for the agency?

I’m a big “first 90 days” person. This is one of several organizations I’ve either joined or created or led over the course of my career that is new or beginning or had some big issues that needed to be addressed. And this one’s no exception.

As far as the “first 90 days” approach, I tend to see this as an organization that after five years should be in full performance. In a lot of ways it is because it builds off a pretty strong legacy, whether you were formerly with the Office of Personnel Management or the Defense Department. We’re talking decades of experience and structure and qualification in the workforce.

The first thing that struck me in this 90 days is that we’re not actually fully confident in every way we should be. We’re not fully mature. Some things have to be worked out. If you put it in commercial terms, we’ve gone through a five-year period of strategic merger and acquisition, and that can be tough because you do need to have a mindset of one culture, one team, one brand.

This is a purpose-built security agency that combines a lot of elements from the legacy Office of Personnel Management and its authorities and statutory responsibilities, along with a similar and impressive set of things from DoD. And the expectations for what DCSA will do span across the federal government.

DCSA is not just America’s gatekeeper; DCSA should be the nation’s premier provider of integrated security services. So the first task is not to assert that we are that, but to have other people see us in that way, and relatedly to have them see us as their preferred partner.

How does DCSA interface with the defense-industrial base and its security?

If you’re outside the national security community, especially the security part of the national security community, and if you’re outside of the defense-industrial base, do you know who we are? I don’t think so. And that’s a real shame because taxpayers are paying $2.8 billion for it this fiscal year. I take this very seriously. You’re paying 15,000 people to do the work.

We were created as a result of yet another inflection point: the OPM hack. We’ve accreted some of these additional responsibilities like the insider threat role, in no small part because of the series, conditions and departmental analysis after the Navy Yard active shooter [incident], Fort Hood, and related tragedies and real problems within the security community to anticipate, detect, characterize, intervene and mitigate those sorts of threats.

If you work for a company, if you want to start one or if you want to keep up business at a company that requires a facility clearance, the odds are pretty good you’re going to work with DCSA. If you have a cyber problem, if you have an insider threat problem or if you have a counterintelligence problem, the odds are pretty good you’re going to interact with DCSA. If you want to be certified to be a professional in a space, or if you want to get better as a professional inside and outside government, you’ll likely interact with DCSA.

What is the ideal relationship between the agency and industry?

Security can be viewed by some as an overhead cost. It’s a must-do, but I’m going to go to compliance. Some — many even — may go the extra mile.

I sent a letter to our key partners in government and in the private sector when I first arrived, saying: “Call me directly, anytime. Send me an email I want to meet you all. I really want to hear from you. If I can help you, I will.”

We’re going to expand CEO-level and C-suite engagement. I get that security can be viewed as overhead and as a cost, but we need to practice security by design, which means that security really should be baked in from the very beginning. Security is a required element to one’s approach to tackling a contract — the same as it is for us in government before we embark on anything.

Be reasonable, particularly on the cost of compliance. You need to be efficient and effective. You don’t have to build to the minimum; you can build in some additions so that there’s more resilience and maybe some fallbacks or spillover so that you’ve got overlapping capabilities.

I was a little surprised by how warmly welcomed I was by industry. We are on the same team. And to be clear, it’s not that they think they’re going to have an easier time in a compliance inspection; that’s not what it is. It’s that you don’t start in an adversarial way. We want industry to be proved to be secure. Nobody who works for DCSA is going out trying to have someone lose their security clearance or fail on a facility clearance review.

So the relationship with industry is critically important. It’s very, very close. And it is mutually respectful, hopeful and very supportive.

The federal government is trying to increase business with small companies. How do you ensure the barriers to entry aren’t too high without cutting corners on security?

A lot of this stuff becomes about balance. We want to trust you. We want you, as a small business, to be able to compete. For classified work, we want you to be able to sustain the facility so you can do the work and compete for more work or different work. But that’s also about trust and the right balance.

Now that the internal directives have been approved, we’re moving forward with Section 847 implementation, [a provision from the fiscal 2020 National Defense Authorization Act that says DCSA will review Defense Department contracts that exceed $5 million for foreign ownership, control or influence in its supply chain]. The clock will soon start for that to be implemented. Put that human terms: Say I’m the CEO of a company that’s won a DOD contract of $5 million-plus. That’s just about everybody, right? We’re going to have to take a hard look at that coming in. We want 25 calendar days to complete our review.

That’s an inflection point in terms of responsibility, authority and accountability. There’s no one that works at DCSA that wants to be in a position to tell the CEO of a small business: “Sorry, that’s going to take 40 days, 80 days, 120 days.” We’re going to do everything we can to make sure we’re ready when the light turns green, to move forward and be able to satisfy that set of requirements.

That’s why we’ve asked again for more resources and proper authorities. Give us the guiding directives to get the policy framework built so that we know what we’re required to do.

If I put myself in the shoes of somebody in the private sector and ask myself, “Would I just spend money on security?” — maybe, maybe not.

But if the government came to me and explained — and we can and we do — the reason why we have changed this policy that will correspondingly increase cost is X, Y and Z, and we provide the expert that can give you the details, they get it.

Is that baseline trust there, or is DCSA in the rebuilding stage with industry and its stakeholders?

It’s there. The only thing that surprised me was how strongly positive these interactions have been. Industry is telling me: “Wouldn’t it be great if DCSA had more responsibility and authority?”

From a workforce perspective, DCSA conducts 95% of the federal government’s background clearances. How are you tackling the modernization of this system? What advice do you have for someone who’s looking to get cleared for the first time?

One bit of advice I would give to somebody that’s coming in from the outside is: Plan ahead and be realistic.

If you’ve never held a security clearance and you wish to pursue a government job that requires one, it could take some time. Hiring is one thing; onboarding is another.

The second thing I would say is: Be honest. When you open that eApp form and you start typing, fill it out completely and honestly. Don’t overthink it. Not to sound harsh or overly dramatic, but we’re going to find out about things because we’ve got awesome people and great databases, and we’re going to check you six ways to Sunday before we put you in a position of trust. So be honest. A mistake that you made that you’ve picked yourself up from and recovered and moved on from — that’s perfectly understandable. Nobody’s perfect.

The next thing I would stress to people coming in from the outside is: If you’ve had a security clearance and it’s fairly recent, and you are enrolled in [continuous vetting], you can actually be re-onboarded, re-adjudicated and authorized for onboarding very quickly. And that’s another element of Trusted Workforce, [a whole-of-government approach to reforming the personnel security process].

Reciprocity is also a piece of this. If you come into the DOD, I’m proud to say that the DCSA team can get that done for your employer in less than one day. Reciprocity going in other directions can be more of a challenge.

What’s the latest on timelines for security clearances?

When we talk about the timelines that are in Trusted Workforce — and where we are with the inventory and the goals — what we’re tracking right now is the toughest 10% of cases.

So in 90% of the cases, you’re going to move quite quickly through because you probably haven’t had a brush with the law or you haven’t traveled extensively.

Many of the things we’re looking for in terms of potential indicators where — it’s not a bar to your clearance or a bar to your re-clearance, it’s just something that gets flagged for investigation and adjudication, and we have to take a deeper look. That deeper look can take time. And that time can aggregate.

Especially after the COVID-19 pandemic, we continue to do interviews remotely, but we also do a great number of interviews and investigations in person. It can be challenging. People are working from home, sometimes in remote areas. They’re working odd schedules. Your references need to be checked, and they’re working from home, they’re working on schedules, they’re traveling. That all takes time to get through.