Podcast: An In-Depth Overview of the DCSA

Molly O'Casey: Welcome to the eighth episode of Are We All Clear, the podcast on facilitating security clearances. I'm your host, Molly O'Casey, an international trade associate with Holland & Knight's Washington, D.C., office. Today's episode will discuss DCSA, or the Defense Counterintelligence and Security Agency. We'll review the history, structure and functions of the DCSA, as well as the life cycle of the DCSA clearance process. Today's speaker is Andrew McAllister. Andrew is a partner in the International Trade Group based out of Washington, D.C. Welcome back to the podcast, Andrew. 

Andrew McAllister: Thanks, Molly. I'm thrilled to be back. I guess I must have done at least OK if you've invited me for round two, so thanks. 

Molly O'Casey: You did great. So let's get started. What is DCSA?

Andrew McAllister: So DCSA, Defense Counterintelligence and Security Agency, formerly known as DSS or the Defense Security Service, is an agency headquartered in Quantico, Virginia. It's part of the Department of Defense, and among other things, it is the agency that is tasked with administering the personnel security clearance and facility security clearance process under the National Industrial Security Program, the NISP. I think of particular note to the audience may be that DCSA has a workforce of approximately 15,000 government employees and contractor personnel. 

Molly O'Casey: Got it. So DCSA is the primary government authority when it comes to facility security clearances. And, you know, they have a lot of responsibility given the staff of 15,000 employees. 

Andrew McAllister: Yeah, exactly. And it's actually headquartered on a military base in Virginia, Quantico. And I guess I wouldn't recommend visiting unless you very much want to because you'll be ushered with great traffic and sometimes challenges in getting on to the military base.

Molly O'Casey: Got it. So not the primary vacation spot. Could you tell us a bit about the history of the government agency formerly known as DSS? 

Andrew McAllister: Yeah. So DSS was actually established back in 1972 to consolidate the Department of Defense personnel security investigations, and then subsequent, five years later, the agency also assumed responsibility for the Defense Industrial Security Program. And then later on, fast forward to 2005, the personnel security investigation mission was actually transferred out of DOD to the Office of Personnel Management. So, as you can tell, there's been sort of some back and forth and not necessarily a sort of cohesive approach to security. And so that's why in 2019, the Department of Defense essentially transitioned from DSS to DCSA. And the idea was really to consolidate all of these missions, both the personnel security as well as the industrial security, under one organization. 

Molly O'Casey: Got it. So it sounds like this reorganization was because they recognized the extent to which personnel had an impact on industrial security, and they wanted to fold one into the other for a more cohesive approach. 

Andrew McAllister: Yeah, absolutely. For instance, you'll have situations where, say, a company is trying to acquire or retain its facility security clearance and it has certain individuals that require personnel clearances in order to serve as key management personnel. And so having those activities, both the individuals as well as the company, under one government roof, in a sense, helps with that process. 

Molly O'Casey: And could you tell us a bit more about the structure of the DCSA?

Andrew McAllister: Yeah, absolutely. And so DCSA is led by a director and then under that director is a deputy director. So those individuals oversee the mission of DCSA. I think, again, an important point for the audience is that each of these individuals is a career government employee. Therefore, these are not political appointees. They're not being selected by one party or another. They're not serving at the, you know, in a way, at the whim of the president. And so, again, I think that's helpful in terms of the continuity of the mission at DCSA and ensuring that, you know, the career staff who are not, you know, directly political in nature, can sort of do their work.

And so DCSA carries out its work through four main directorates. Industrial Security (IS), that's one we're going to be speaking primarily about. Then there's the Personnel Security (PS), Counterintelligence and Insider Threat (CI) and the fourth one is Security Training. And so each directorate has an assistant director that oversees that core mission area. And so maybe to give you a little bit of color on at least a couple of the directorates, the Industrial Security directorate conducts risk management activities with respect to the U.S. government's defense industrial base, including critical technologies, defense supply chain, through oversight of the National Industrial Security Program, issuance of facility clearances, foreign ownership control or influence mitigation measures, cybersecurity, and classified and controlled unclassified information. So again, that's the Industrial Security directorate, Personnel Security directorate. Again, a sort of similar charge except it's specific to individuals. So it's individual investigations, screenings, adjudications, et cetera.

Then, I would say in some ways the third directorate is more of an internal-facing directorate, meaning the Counterintelligence and Insider Threat directorate. They're constantly evaluating threats, understanding what the U.S. government's industrial base is. They may coordinate with other intelligence agencies as well as law enforcement organizations.

And then the last one is Security Training. And as you might expect, that's about sort of outreach and interaction with the community, the business community, but both the companies as well as the individuals. 

Molly O'Casey: So I imagine these directorates have a decent amount of overlap. But at least when you're dealing with DCSA, it's helpful to kind of keep the separation in mind. 

Andrew McAllister: Yeah, exactly. And again, I think as I mentioned, the ones that are most directly sort of public-facing in terms of processing clearances as well as sort of maintaining clearances are, again, that Industrial Security for companies and Personnel Security for individuals. 

Molly O'Casey: You kind of alluded to the fact that we should be focused on the Industrial Security directorate. Could you outline how the Industrial Security directorate is organized? 

Andrew McAllister: Yes. So I think noteworthy is in 2021, DCSA sort of realigned the structure of that Industrial Security directorate based upon a regional field office structure. And so essentially there are four regions: the western, central, eastern and mid-Atlantic. And so each of those regions has generally between six to nine field offices, one of which is assigned to the cleared facility according to its location. So take for example, if you have a cleared facility that's located in Arlington, Virginia, just outside of Washington, more than likely that facility would be under the mid-Atlantic region. So that would be its region. And then within that region there are different field offices. And so, for instance, there's a field office in Alexandria, Virginia, which is the neighboring jurisdiction. And so that's sort of how it works in terms of structuring.

And then at the field office, DCSA would have what is referred to as an industrial security representative. And that's the DCSA officer who's charged with facility visits, audits, assists with questions throughout the FCL process and sort of works with the staff at the company to ensure the protection of classified information. So again, that's the general structure, the general setup.

However, in addition to those four regions, there is also a new program referred to as the National Access Elsewhere Security Oversight Center, a little bit of a mouthful I would say. And so DCSA's got an acronym for that because we want to have an acronym for everything. 

Molly O'Casey: Of course,

Andrew McAllister: So NAESOC is the acronym, right? I'm sure it's good dinner party conversation. If you can slide NAESOC in the discussion, I'm sure you would pique someone's interest. 

Molly O'Casey: It really sounds like an indie rock band.

Andrew McAllister: And so what is NAESOC? Well, NAESOC generally applies to facilities that do not possess classified information. And so these are referred to as non-possessing facilities. And so this might be a company that, yes, they have an office located in Washington, D.C., but the only place that they access classified information, it's when they go to the Pentagon each day. And so they don't house any classified information at their facility. And so this program is designed for companies such as that, where there's less of a need to, you know, perform on-site audits, et cetera, and instead, it's more about, you know, sort of a call center and a central depository. And so these companies work with that NAESOC office directly. And so you may get officer number one on a Monday, but then you have a follow-up question on Thursday, and you would get whoever is available to help you. So the idea, again, is that it's more efficient, more effective and DCSA's able to manage lots and lots of non-possessing facilities. 

Molly O'Casey: So if we're mapping this in our head within the matryoshka doll that is DCSA. the Industrial Security directorate has four region structures, which then have six to nine field offices, and then each of them has a security representative. And then separately, there's the National Access Elsewhere Security Oversight Center.

Andrew McAllister: Great. I'm impressed that you got the whole thing out after having just heard it. So perfect. And I think one additional point, the Industrial Security representative, that is a key part of any company's relationship with DCSA because that is the entry point, really, for all communications, all guidance, all questions that the company may have, so that, that's a key relationship to continue to foster in terms of building that trust with DCSA. 

Molly O'Casey: Got it. Can you go into more detail on how the Industrial Security directorate functions and the main stages in the DCSA clearance process life cycle? 

Andrew McAllister: Yeah, absolutely. And so as I think we've talked about in prior podcasts, right, DCSA determines that, sort of, an entity has a legitimate need to access classified information. And at that point there is a sponsorship request that is filed with DCSA that sort of confirms that need to know, as well as the particular contract associated with the company's desire to work on classified projects. And so the FCL process is really overseen by three main divisions. Of course, those divisions have just changed names recently. Right. We want to keep everybody on their toes. We don't want people thinking that what they learned six months ago is still relevant today. And so we have three. We have the Verification and Triage unit, the Due Diligence unit and the Risk Management unit. And so just to give the sort of prior names: Verification and Triage unit used to be the Facility Clearance branch. The Due Diligence unit previously was referred to as the Business Analysis unit. And then the last one, Risk Mitigation unit, was referred to as the Mitigation Strategy unit. 

So I think now that I've given lots and lots of terminology, let me turn to just sort of a quick discussion of the steps. So again, once that sponsorship letter and request is put in through NISS, which is the sort of DCSA portal for all things facility clearance, the Verification and Triage unit is the one that reviews that sponsorship package. And then once they accept that package, they assign an ISR rep and begin to process the facility clearance. And so, also at that point, DCSA begins to request a lot of business records and other documents, and then it moves to sort of that next stage, which is DCSA's Due Diligence unit, carrying out a security and business vulnerability assessment. So they're again, they're reviewing all the different documents, whether it's an SF-328 certificate pertaining to foreign interests, whether it's company records on how it's managed through an operating agreement or corporate bylaws, et cetera, and they sort of perform and evaluate the risk indicators may also include things such as foreign ownership control or influence. And then sort of the final stage is that last unit: the Risk Mitigation unit. So they would look at the sort of risk profile, the risk indicators and determine if any measures need to be enacted in order to guard against FOCI, guard against other, you know, supply chain concerns, et cetera. And so that's sort of how those three units function together in order to take a facility clearance from that sponsorship place all the way through to a issued facility clearance. 

Molly O'Casey: Right. So I guess just at a high level, the facility security clearance processing involves document package with sponsorship letter, then the assignment to the ISR contact, the security and vulnerability assessment, which is essentially a document review, and then we move on to reviewing the risk profile and indicators to determine mitigation measures. Is that sort of a good high-level summary?

Andrew McAllister: Yeah, that's exactly right. And I would say in terms of, you know, timing, it sort of depends on workload of those various units. Also depends on, you know, how well the document presentation is done by the company. Right? Filling out that SF-328. I believe that was discussed in prior iterations of the podcast, but some of these documents, there's sort of an art to creating them in a way, in a set of language that DCSA understands and can move forward. 

Molly O'Casey: Besides the constant name changes, have there been any recent developments in this area?

Andrew McAllister: Yeah. So I guess one that I would highlight is earlier in 2024, in March, a new director of DCSA was appointed, David Cattler. So in addition to his military career in the Navy, Director Cattler also has extensive policy experience, having served as assistant secretary general for intelligence and security at NATO, senior adviser to director of national intelligence and a role as a deputy director for intelligence at the Defense Intelligence Agency. So he certainly comes to the position, I would say, as having both that military background, but also more of a sort of policy and operational slant as well, and so I think that sparked some of these new changes in trying to organize things in sort of the best fashion, making sure that DCSA is known. That people in the community understand what DCSA does. 

Ironically, in one of his first interviews, he stated, the first task of him coming to the DCSA is to really be sure that people know who we are, what we're doing, why we're doing it and that we do it well and that we're responsible about the protection of that critical data. And so couple important points I think there. One is, again, critical data. We're talking about all of this structure and name change and reorganization. The core mission is protecting data. And so that is certainly not lost on him. And then I think the other piece is just being collaborative with the security community, making sure that people understand who DCSA is and what its mission is. 

Molly O'Casey: And so your classic who, what, where, when, why. Thank you so much for coming on and discussing the DCSA, Andrew. 

Andrew McAllister: No problem. It's been a treat.

Molly O'Casey: This area is full of acronyms. This week's episode had a rather spectacular amount. I've tried to edit down to the most current and relevant. So we have the Defense Counterintelligence and Security Agency or DCSA. Defense Security Service or DSS, the National Background Investigations Bureau, NBIB, Industrial Security representative, ISR, the National Access Elsewhere Security Oversight Center, or NAESOC. The Verification and Triage Unit, VTU. The Due Diligence Unit, DDU, and the Risk Management Unit, RMU. Each episode, we ask our speaker to explain an acronym that featured in the episode with wrong answers only. Andrew, would you like to choose an acronym?

Andrew McAllister: Well, I think since you went through so many that I couldn't even maybe keep track of all of them. I think I'll just pick the last one, which was RMU. And so I would say regular meaningful updates. And the reason I would say that is DCSA is very much a fluid organization, right? Structures are changing. Priorities are evolving, you know. The risk of today may not be the risk of tomorrow. For instance, you know, obviously IT security is a huge piece of the mission. The other thing is supply chain. Understanding supply chain of classified work. So I would say, again, regular meaningful updates. Don't just stick with the status quo. What may have been true six months ago could have changed.

Molly O'Casey: Well, thank you very much for your updates.

Andrew McAllister: Thanks, Molly.

Molly O'Casey: Thank you. On our next episode, we will be discussing the interactions between FCLs and M&A, specifically around diligence concerning FCLs and PCLs and providing notifications to DCSA. I hope everyone has a great week in the meantime.