NEWS + ADVICE
How the Misuse of Information Technology Systems Can Impact Your Security Clearance
Under Guideline M, Use of Information Technology, the government may have security concerns related to the misuse of information technology systems as it tends to show an inability to follow laws, rules, and regulations and thus creates a heightened risk of coercion, exploitation, or duress.
The main concern that is typically alleged by the government in a Statement of Reasons (the document issued by the government expressing the security concerns) revolves around unauthorized use or entry into any information technology system. This can include incidents such as using a co-worker’s password or computer to gain access to a government computer or system, downloading or storing any sensitive, classified, or proprietary material, or negligent or relaxed security practices.
Furthermore, you don’t even need to have engaged in this behavior intentionally or deliberately for you to be disqualified from obtaining or maintaining a security clearance. Therefore, the question that must be asked is, can any misuse of government information technology systems really cause me to have a security clearance denied or revoked? In short, it can, depending on the circumstances.
On several occasions, Guideline M becomes relevant after it is determined, whether through self-reporting or routine monitoring, that a misuse of an information technology system has occurred. The most common incidents are related to:
- The use of a co-worker’s password
- Using the information technology system in a way that is against government or company policy, such as usurping installed protections to visit unauthorized websites while at work or even downloading or inserting unauthorized media into the system.
The main concerns of the government are two-fold: a failure to follow policy, rules, and/or regulations; and the potential to damage the national security of the United States. Even unintentional violations could call into question your ability to safeguard classified material.
Despite these common disqualifying conditions referenced above, it is not a certainty that anything negative will happen to your security clearance if you engage in such behavior. In an abundant number of cases, simply providing the proper mitigation can be the difference between the revocation or denial of a security clearance and retaining one’s national security eligibility. While in some cases, the intent of an individual may be considered disqualifying, producing information or evidence showing the conduct was unintentional or inadvertent and was properly and promptly reported to the appropriate individuals could mitigate these concerns.
Another mitigating aspect is if the misuse was minor or done solely in the interest of organization efficiency and effectiveness (as described in SEAD 4). This could include using a co-worker’s password to ensure the protection of national security or to promptly resolve any unintentional leak of sensitive, classified, or proprietary information. This would constitute unique and unusual circumstances occurring and done in the interest of organization efficiency, thus showing mitigation. Ultimately, while the seriousness of the misuse is considered, showing that the proper steps were taken after the misuse and there is no pattern of similar behavior is paramount to proving mitigation.
Real-World Guideline M Outcome
In ISCR Case No. 19-03928, an applicant was issued a Statement of Reasons that alleged he had used a colleague’s account to access a DoD classified system after his account had lapsed. He admitted to the allegation, explaining that on infrequent occasions he visited the company lab without obtaining a current group password, and a colleague would log in to the group account on his behalf.
The findings showed that he held the proper security clearance to access the group account and had an official purpose to access it. The applicant was also eligible to obtain the group password, which was identical for everyone who possessed it. The Director of Integration and Testing stated it was not unusual for one person to login with the group password and have others piggy-back onto the log-on, showing the company’s instruction and training was lacking. This practice has since stopped and the applicant understands that he must personally obtain a new group password on all occasions going forward.
Since this issue came to light, the applicant has been very careful about his access to any group account, and about the importance of personally maintaining his own current passwords. He has also completed numerous security training courses. He provided the proper mitigation and was granted eligibility for a security clearance.1
It is always important to stay vigilant regarding the potential windfalls of misuse of information technology systems, especially considering the numerous and ever-instituted telework policies that many government agencies and contractors have been implementing since the start of the COVID-19 pandemic. Without showing the proper mitigation, not only will your ability to obtain or maintain a security clearance be in jeopardy, but this could potentially impact your ability to obtain a security clearance in the future.
Find more articles about safeguarding your security clearance here.
Ryan C. Nerney, Esq. is a Managing Partner in the Southern California office of Tully Rinckey PLLC, where he focuses his practice primarily on national security law, with experience in federal employment and military matters. Ryan represents clients who have security clearance issues against agencies such as DHS, NSA, DIA, DOD, NRO, and DOE. He has represented numerous clients in security clearance revocation proceedings and has a proven record of saving clients’ jobs, as well as anticipating and resolving potential future issues with their security clearances. Ryan is also a standing member of the National Security Lawyers Association executive board. He can be reached at [email protected] or at (888)-529-4543.