Should security clearances be outsourced?

Everything from cleaning to IT development work is outsourced by governments these days, but should security clearance processes, which dictate what access a person has to government information systems, be included in that bundle?

Outsourcing can be a useful tool for government agencies to increase staffing levels without making the same HR commitment that applies to public sector employees.

That's exactly the path the Department of Immigration and Citizenship (DIAC) has followed in order to progress its AU$496 million Systems for People IT refresh.

According to Mark Handley, DIAC's director of protective security, the agency has been issuing a phenomenal number of security clearances since 2004. Pre-2004 it issued around 800 clearances per year, but since then, its annual issuance rate has consistently reached 2,500 per year — a figure driven largely by the Systems for People overhaul, which kicked-off in June 2006.

By the end of this year DIAC will have issued security clearances to over 12,500 contractors in four years — meanwhile DIAC only maintains a 7,000 strong permanent staff level.

These figures have led to what Handley calls a high "churn" of staff, meaning that thousands are being pumped through its operations each year. However, DIAC made a decision in 2004 to outsource all but its highest priority security clearances to a panel of selectors from an external company, and also to allow long-term contractors to issue security clearances for those staff they select for work at DIAC.

"We share much of the responsibility for security with our contracted service providers," said Handley. "For example, our larger providers may develop their own security policy — based on our interpretation of the [government] Protective Security Manual, of course... We have agreements with some companies that they will actually manage the security clearance process."

It sounds like an efficient solution — DIAC pays the panel AU$1 million a year to do a job that its own team of 10 clearance officers could not possibly do. But what has occurred since it made its decision in 2004 is that 90 per cent of DIAC's security clearances are issued by an organisation other than DIAC itself.

Now it is possible that this practice is entirely safe. According to Handley, the invisible hand of commercial incentives makes the system work. "Commercial companies are more accountable for their performance than government agencies because let's face it, your current and future business with government agencies depends on your performance in the security field," he said.

And the Australian National Audits Office in a recent audit of four government agencies' handling of security clearances for staff did not find any major problems with the way DIAC issues security clearances.

However, can the "laissez-faire" system of trust really stand up to other incentives that commercial outfits face, like making money where money is available? For example, let's say a service provider faces a tight labour market, but needs to quickly bring in more skills to meet a tight deadline. Is there no risk that the commercial outfit could cut corners on the clearance process?

Perhaps decision-makers in Canberra are so closely tied to their suppliers there is no wall between the two. But I find it very odd that an agency so crucial to national security as DIAC can outsource a process which governs who has access to its systems.

What do you think? Should security clearance processes be banned from being outsourced?