The Australian National Audit Office (ANAO) recently released a report on the Australian Government Security Vetting Agency (AGSVA), which sits within the Department of Defence, and its compliance with the Protective Security Policy Framework (PSPF).
The PSPF is a suite of several requirements and strategies to protect the security of people, information and assets, including personnel security background checks.
The ANAO chose to undertake the audit because malicious insiders can cause significant damage and personnel security checks are vital to the security of Australia’s defence organisations. Additionally, there were outstanding findings from the previous audit, and delays in positive vetting had increased.
Positive vetting is an extensive inquiry into the background and character of a candidate. A Positive Vetting (PV) security clearance is required to access the higher levels of classified material.
The audit included five government client organisations: The Attorney-General’s Department (AGD), Australian Radiation Protection and Nuclear Safety Authority (ARPANSA), Australian Securities and Investments Commission (ASIC), Department of Home Affairs (Home Affairs) – formerly the Department of Immigration and Border Protection, and Digital Transformation Agency (DTA).
The objective of the audit was to assess the effectiveness of the Australian Government’s personnel security arrangements for mitigating insider threats.
The audit found a series of cascading problems resulting from AGSVA not adopting changes made to the PSPF in 2014. Those changes allowed AGSVA to require candidates to expressly provide informed consent for information about them to be shared with other government departments, both to aid in processing their application and to maintain their security clearance. Informed consent is where a person agrees to sensitive information about them being used within certain guidelines or for a specific purpose. The well-known Centrelink link to the ATO is an example: consent to share information is given when applying for Centrelink benefits.
The issues resulting from not adopting the 2014 changes to the PSPF, particularly informed consent, include:
- Risks to the Government from insider threats were not adequately mitigated, because AGSVA did not share the risk with government agencies outside Defence.
- AGSVA did not let client agencies know about risks AGSVA accepted on their behalf.
- Because AGSVA does not communicate these risks, they cannot be managed through security clearance maintenance activities.
- Some security clearances were not granted at the level requested, or were denied, because of the need to share information with other departments.
- PV clearances are significantly delayed by the inability to exchange information with other government bodies.
Further issues with PSPF compliance were found in all the government entities included in the audit. Some of the more notable issues were:
- None of the agencies audited, including AGSVA, met the PSPF’s mandatory requirements, and the ANAO’s assessment differed from each agency’s self-reported PSPF compliance level.
- All the departments used the temporary access or eligibility waiver provisions of the PSPF while waiting for clearances to be approved.
- Sponsoring agencies did not always notify AGSVA when security-cleared people left the agency.
- None of the agencies had implemented the PSPF annual health check for security clearance holders and their managers.
The audit also found that AGSVA’s ICT systems did not meet its business requirements, resulting in inefficient processes and poor data quality that contributed to delays. AGSVA is in the process of defining and implementing new ICT systems, anticipated to be available in 2023.
The main recommendation was to fully implement the PSPF in all the organisations audited.
The five client agencies audited were found to have differing approaches to personnel security. The ANAO made recommendations on process changes, which were readily agreed to and quickly implemented.
Organisations covered by the PSPF should seek expert advice on policies and procedures from qualified auditors. Many members of the Agilient team were involved in the development of the PSPF and the ISM, and are available to consult on PSPF policy and processes or to recommend alternative strategies and structures. Agilient has solution architects, business analysts, system designers and project managers who can bring ICT systems in line with requirements.