Chris Catlin knows the system he's building to handle the federal government's background investigations not only has to be more agile, it also must be more secure.

Catlin, the Defense Information Systems Agency's program manager for the National Background Investigation System, has been tasked with building a new security clearance system to replace the Federal Investigation System, which was compromised in the wake of the 2015 hack of the Office of Personnel Management.

"We have to be, and we are, committed to ensuring that we regain the public's trust and that their privacy is being protected," Catlin said. "To do that, we have to look at how best we can deliver a system that has the capability of meeting our customer's expectations, meaning NBIB, and ensuring that we can effectively do this mission better."

As a result of the breach, which exposed the personal information of more than 21 million people — including federal employees and family members — DISA was designated to help build and maintain a new background investigation system that can handle between 2 million and 3 million inquiries a year.

"Of course we have to understand the lessons learned in the previous system that you want to build from," he said. "We want to make sure that we don't lose any of the functionality associated with the previous system, but we want to make sure that we design it with cybersecurity in mind."

DISA has moved forward with the development of the NBIS, issuing a request for information to industry stakeholders in March on the capabilities needed to stand up the system. Army officials expect to have at least initial operational capability by September 2018, followed by a full rollout in September 2019.

Catlin said he couldn't comment on the timeline for when DISA would unveil a request for proposal for the NBIS, but said that it would be incorporating a mix of government-owned software solutions and commercial-off-the-shelf solutions to capitalize on the capabilities and agility of both.

"We want to ensure that we have the best in terms of executing those aggressive schedules," he said. "So we've already started some prototyping activities. Those activities will mesh into a pilot."

"We are going to provide industry some additional questions. The government can't do this alone, we have to have industry involved," he added.

However the system is configured, it will have to be a continued collaborative effort that combines DISA's cybersecurity skills, the agile advancements of industry and the management skills of OPM to help securely tackle an increasing backlog of investigations.

"The difficulty is that you have a lot of needs and wants that you have to ensure that you listen to in order to deliver," Catlin said. "To do that, you have to ensure that you have stakeholder trust and have stakeholder communication to be effective. That's not only a challenge, but it's actually a good challenge, because it shows that the government can really come together on issues and really deliver."

But the ultimate customer that Catlin knows he has to convince is the public, including thousands of federal employees who have had their personal information compromised.

"I want to make sure that the confidence is there, that the public and everyone who has been through this system knows that it is being designed with the latest cybersecurity practices in mind, bottom line," he said.

"I can't give a playbook of what those cybersecurity best practices are. What I can say is, specifically with [the Department of Defense], that we have been dealing with that for a while. I have the ability, where I am, to take the best from that and ensure that it's within [the system] itself. We do not take that lightly. It's something that is critical, that there is trust that we are putting the best of the best toward this effort."
