The constantly vexed issue of clearances has once again come under the Australian National Audit Office’s (ANAO) microscope, with a new report released this week.
The report is a follow-on from the ANAO's report of three years ago, which looked at how the Australian Government implements security measures, with a particular focus on how clearances are handled. This report noted that the “Australian Government Security Vetting Agency’s (AGSVA) security vetting services do not effectively mitigate the Government’s exposure to insider threats.”
In the report from an inquiry by the Parliament’s Joint Committee of Public Accounts and Audit (JCPAA), the committee made three recommendations to Defence. The department agreed with qualification to implement the first recommendation, agreed to implement the second recommendation and did not agree to implement the third recommendation.
“Of the six recommendations made to Defence by the JCPAA and ANAO, Defence has implemented four recommendations and partly implemented two recommendations,” according to the ANAO. “In respect to the two JCPAA recommendations and one ANAO recommendation contained in the non-public Auditor-General report that were made to improve Defence’s security vetting information technology and information security, Defence has: implemented one JCPAA recommendation, partly implemented the second JCPAA recommendation, and partly implemented the ANAO recommendation.
“Defence has implemented the three ANAO recommendations relating to improved processes for conditional clearances and information sharing,” the report concluded.
The report details the work of AGSVA to conduct security vetting, with Defence acknowledging that it handles over 40,000 clearance documents annually under the framework.
Defence delivers AGSVA’s services through an allocation of 275 full-time equivalent Australian Public Service (APS) staff located across Australia. The majority (92 per cent) of security clearances are processed by external vetting providers.
“Defence welcomes the ANAO Performance Audit Report into the Delivery of Security Vetting Services Follow-up and notes the finding that Defence has implemented four and partly implemented two of the ANAO and JCPAA recommendations examined by the audit,” a Defence statement to the ANAO said.
Defence contracts six external vetting providers, who, through a mix of employees (40 per cent) and sub-contractors (60 per cent), support the clearance process by preparing vetting assessments. Defence APS staff are responsible for making all security clearance decisions including procedural fairness processes.
In 2019–20 AGSVA completed 49,425 security clearances, including 3,327 positive vetting clearances. As at 1 July 2020, AGSVA maintained 403,888 active clearances. Defence expenditure on AGSVA services for 2019–20 was $83.26 million.
“Defence safely handles more than 40,000 personnel file movements annually as a part of delivering responsive and assured vetting services for Government and Industry. The report documents a range of measures Defence has implemented since 2018 to safeguard information and ensure quality control, including an active accreditation and assurance program for external security vetting providers to meet Defence and Government security requirements.
“Defence continues to prepare for modernisation under the Vetting Transformation Project, which is still subject to Government consideration. Defence is committed to continuous improvement and is closely examining the report findings related to these measures. Defence takes seriously the oversight of these complex activities and is taking steps to further strengthen the governance of risk and implement the Auditor General’s recommendation,” Defence’s statement concluded.
ADM Comment: A perennial issue from Defence industry is that of timely and cheaper clearances. AGSVA’s creation in 2010 was the government’s answer to the problem. The ANAO has reviewed the body three times since its establishment, with this most recent report being the most positive of the three, all things considered.
But the transformation of this process under program ICT2270 has been a matter of debate between the ANAO and Defence. ANAO said speed it up; Defence said no. Since Defence responded to the JCPAA on 23 August 2019, there have been further delays to the IOC delivery date for ICT2270.
“Defence confirmed that at this time it did not have an established enterprise governance process to record and monitor the implementation of Parliamentary recommendations,” the ANAO report said. I doubt Parliament is happy about that.
The moral of the story here from the Defence perspective: ‘We’re working on it.’