On March 12, 2017, the United States’ Office of Personnel Management (OPM) issued a notice of proposed rulemaking (NPRM) that would require new applicants for security clearances to complete a series of security training courses and pass a background check.
The OPM’s proposed rule would also mandate that applicants pass a “risk assessment” to assess their “intrusion risk” and “threat-related risk” as well as their “risk tolerance.”
This “risk mitigation” requirement was also included in the Privacy Act, a 2010 law that was amended in 2012 to require the government to collect personal information from individuals requesting a public record.
The Federal Bureau of Investigation (FBI) also announced that it would conduct its own security training.
“We have been clear that this is an area where we do need to look at what our security professionals are doing and how we can help them better protect the public,” FBI director James Comey said at the time.
“And we are looking into whether that is something that can be part of the background checks.”
The FBI is one of the federal agencies responsible for enforcing the Privacy Protection Act.
In March 2018, the Department of Homeland Security (DHS) issued guidance stating that federal employees need to pass a risk assessment to get a security clearance.
In addition to the Office of Management and Budget (OMB), which is responsible for the federal government’s security, the Office for Civil Rights (OCR) has oversight of the Federal Bureau’s (FBI’s) compliance with the Privacy and Civil Liberties Oversight Board (FPOBL).
OCR has also provided guidance to agencies regarding the OPM proposal.
But the FBI has also pushed back on the FBI’s background check requirements, saying the bureau’s requirements for background checks do not apply to private sector employees.
The FBI has argued that the agency does not have the expertise or training to handle the types of data that the proposed rule requires for federal employees to obtain security clearings.
“The FBI does not need a background to become an agent of the United State,” FBI Director Christopher Wray said in March.
“In fact, the FBI does have a great track record in the field of data protection, and we’re looking into how we could improve our data practices and how that’s going to impact the public.”
The OMB has also made clear that the FBI will not be able to require a security background check for private sector workers.
Instead, the bureau would need to complete its own screening.
And the FBI said that the OPAB does not require security clearers to pass any additional requirements or tests beyond those outlined in the Federal Information Security Management Policy.
“There’s nothing in the OPP that would allow the FBI to require us to perform a background,” FBI Deputy Assistant Director in Charge John McQuarrie said in a March 21, 2018, press conference.
“It’s the OSP that we need to be applying.”
The privacy of private sector data is an issue that the Trump administration has taken a less aggressive stance on.
Earlier this year, the DOJ sent a letter to private companies saying that they must ensure that their employees do not have access to any personally identifiable information or data collected from their employees.
On October 27, the Justice Department sent a similar letter to a number of companies stating that they would have to comply with the new federal law barring federal employees from having their information shared with any government agency without their consent.
The Department of Justice has been more proactive than the FBI in the past, but the FBI says it has been unable to enforce the Privacy Protections Act against its employees in the way it had hoped.
“This rule will make it harder for us to hold accountable our own security personnel who have been failing to comply, and will undermine the privacy protections that exist for all of us,” FBI Assistant Director McQuara said.
“If we cannot get our own employees to take responsibility for their actions, then the only answer is to start hiring a whole bunch more FBI agents.”
The EFF is currently working to file a Freedom of Information Act (FOIA) request with the FBI requesting documents pertaining to the OAPs proposed rule.
“These new rules will have an enormous impact on the ability of law enforcement and private sector employers to keep their workers safe,” EFF Senior Staff Attorney Matt Wood said in an email.
“Without a better system to track and enforce the privacy rules that are already in place, we may never have the tools to make sure that our digital lives are protected and our personal information is safe.”
This story has been updated with the latest information on the proposed FBI rule.