PERSONNEL VETTING
Leadership Attention Needed to Prioritize System Development and Achieve Reforms
Statement of Alissa H. Czyz, Director, Defense Capabilities and Management
Before the Subcommittee on Government Operations, Committee on Oversight and Government Reform, House of Representatives
For Release on Delivery Expected at 10:00 a.m. ET
United States Government Accountability Office
A testimony before the Subcommittee on Government Operations,
Committee on Oversight and Government Reform, House of Representatives
For more information, contact Alissa H. Czyz at czyza@gao.gov.
What GAO Found
Since 2016, the Department of Defense (DOD) has been developing the National Background Investigation Services (NBIS)—an IT system for conducting background investigations for most federal agencies and over 13,000 industry organizations that work with the government. DOD originally expected NBIS to be complete in 2019, but repeated delays have hindered deployment. GAO has also found that the previous NBIS cost estimate and schedules were unreliable. After missing multiple targets, DOD’s Defense Counterintelligence and Security Agency (DCSA) paused NBIS development in 2024 to revise its approach. In 2025, it developed a new cost estimate and changed its approach to scheduling.
GAO reviewed DCSA’s 2025 NBIS cost estimate and found it to be reliable because it at least substantially met four characteristics of a reliable cost estimate. DOD now projects spending an additional $2.2 billion on NBIS development through fiscal year 2031, which is in addition to $2.4 billion previously spent on NBIS and legacy systems through fiscal year 2024. A reliable cost estimate should help prevent unexpected cost overruns and provide needed visibility.
GAO also found that DCSA continues to lack a reliable schedule for NBIS. The program’s schedule showed improvements, substantially meeting two characteristics of a reliable schedule. However, it only partially met the credible and well-constructed characteristics. For example, a risk analysis can help the program prioritize those risks that may lead to delays. Not having a reliable schedule is likely to continue to affect the NBIS program’s ability to meet milestones, including the goal to complete development in fiscal year 2027.
Assessment of Department of Defense’s 2025 NBIS Cost Estimate and Schedule Against Best Practices
Continued prioritization of NBIS development will be critical to successfully implement government-wide personnel vetting reforms and address persistent challenges. For example, GAO has found federal agencies have not met timeliness goals for nearly all phases of the security clearance process. In particular, average times for initial Top Secret clearances have consistently trended longer from fiscal year 2022 to 2025. Sustained leadership attention is key to fully deploying the NBIS system and achieving personnel vetting reform.
Why GAO Did This Study
U.S. government personnel vetting processes, such as background investigations, rely on IT systems to process data on millions of federal employees and contractor personnel. DOD has been developing NBIS as the new IT system for personnel vetting since 2016. In 2018, the government initiated a major reform of personnel vetting to better protect national security called Trusted Workforce 2.0. GAO placed the personnel vetting process on its High-Risk List in the same year.
This statement discusses (1) the reliability of DCSA’s 2025 cost estimate for the NBIS program, (2) the extent to which the NBIS program has met scheduling best practices, and (3) the importance of NBIS to achieve personnel vetting reforms under Trusted Workforce 2.0.
This statement is based on GAO’s analysis of DCSA’s 2025 cost estimate and schedule, prior GAO reports on NBIS from December 2021 through September 2025, and ongoing work assessing NBIS development. To perform prior and ongoing work, GAO analyzed information on NBIS from DCSA and interviewed knowledgeable officials.
What GAO Recommends
GAO is making two recommendations to DOD to ensure it aligns its NBIS schedule with best practices. DOD provided technical comments, which GAO incorporated as appropriate.
In prior reports, GAO made one matter for congressional consideration to require DCSA to develop a reliable schedule and cost estimate for NBIS and recommendations to DOD to improve NBIS cybersecurity. GAO will continue to monitor this high-risk area.
Chairman Sessions, Ranking Member Mfume, and Members of the Subcommittee:
Thank you for the opportunity to be here today to discuss the Department of Defense’s (DOD) development of the National Background Investigation Services (NBIS). NBIS is an IT system intended for use in conducting background investigations for most federal agencies and over 13,000 industry organizations that work with the government.
Personnel vetting processes–including background investigations–and the IT systems that support them are vital to determining the trustworthiness of the federal government’s workforce and minimizing risks to U.S. national security. In 2015, two cybersecurity incidents compromised sensitive information in Office of Personnel Management (OPM) systems, including personnel vetting files on over 22 million federal employees and contractor personnel. A year later, the President assigned DOD the responsibility for developing and operating IT systems for personnel vetting processes, and DOD began developing NBIS in 2016.[1] DOD has been developing NBIS for almost a decade.
Today, DOD’s Defense Counterintelligence and Security Agency (DCSA) is responsible for developing and securing the NBIS system for personnel vetting while also maintaining legacy IT systems.[2] Additionally, DCSA provides personnel vetting services for most of the government, including conducting around 2 million background investigations each year.[3] However, in early 2024, DCSA paused the NBIS program after it missed multiple milestones for Trusted Workforce 2.0—the government’s major reform of personnel vetting.[4] During the pause, DCSA changed its approach to NBIS, including revising its schedule to meet future milestones and developing a new cost estimate.
We have previously assessed two of DCSA’s key management tools for developing NBIS—its schedule and cost estimate—and found neither was reliable. In 2021 and 2023, we assessed two versions of DCSA’s schedule, and in 2023, we also assessed DCSA’s cost estimate against our best practices and found these tools were deficient.[5] To address deficiencies in both management tools, we have an open recommendation to Congress to consider requiring DOD to develop a schedule and cost estimate that align with our best practices.
You asked us to review DCSA’s continued development of NBIS. This statement provides information on (1) the reliability of DCSA’s 2025 cost estimate for the NBIS program, (2) the extent to which the NBIS program has met scheduling best practices, and (3) the importance of NBIS to achieve personnel vetting reforms under Trusted Workforce 2.0.
This statement is based in part on our prior reports and testimonies reviewing NBIS from December 2021 through September 2025.[6] This body of work also informed our 2025 update on the government-wide personnel security clearance process––an issue on our High-Risk List.[7] More detailed information on the objectives, scope, and methodology for our prior work can be found in the issued reports listed in the Related GAO Products section at the end of this statement.
This statement is also based on our recent work assessing NBIS development. To perform this work, we analyzed information on NBIS from DCSA, including documentation on the status of NBIS system development and the program’s cost estimate and schedule. To assess the NBIS program cost estimate, we obtained the April 2025 estimate and compared it against our best practices for cost estimating.[8] To assess NBIS program scheduling, we analyzed data from DCSA’s Agile software tool from June through September of 2025 and compared these against our best practices for project schedules.[9] We also interviewed officials with knowledge of the NBIS program and legacy personnel vetting systems. More detailed information on our analysis of the NBIS cost estimate and schedule can be found in appendix I and appendix II, respectively.
We conducted this performance audit from March 2025 to February 2026 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.
Background
The Personnel Vetting Process and Trusted Workforce 2.0
Personnel vetting processes help ensure the trustworthiness of the federal government’s workforce and those who support it by determining whether individuals are, and remain over time, (1) eligible to access classified information or to hold a sensitive position; (2) suitable for government employment or fit to perform work for, or on behalf of, the government as contractor employees or certain categories of federal employees; and (3) eligible for access to agency systems or facilities. The Security, Suitability, and Credentialing Performance Accountability Council (PAC) is responsible for the government-wide implementation of personnel vetting reforms and helps set NBIS requirements.[10] In March 2018, the PAC’s principal members initiated Trusted Workforce 2.0 to reform the personnel vetting processes. The PAC aims to achieve multiple goals with the reform including reducing the time required to bring new hires on board.
NBIS Development Delays and Cost
Following the 2015 OPM cybersecurity incidents, DOD directed the Defense Information Systems Agency (DISA) to lead the acquisition of a new IT system to replace all OPM legacy IT systems supporting background investigation processes. DOD initially planned for NBIS to be fully operational in 2019, but it did not meet this target. DCSA then took over responsibility for NBIS and legacy systems from DISA in October 2020, as DCSA had assumed responsibility for conducting background investigations for most federal agencies. It projected that it would deliver all initial NBIS capabilities by the end of fiscal year 2023 and decommission all legacy IT systems by the end of fiscal year 2024.
However, DOD missed those targets and in early 2024 paused the NBIS program and undertook a replanning effort to change its approach to develop and manage the NBIS system. Figure 1 shows a timeline of NBIS delays in development since 2016. From fiscal years 2017 through 2024, DOD spent $2.4 billion on developing NBIS and sustaining legacy personnel vetting systems.[11]
Figure 1: DOD’s Missed Deployment Targets for the National Background Investigation Services (NBIS) Program
NBIS Replanning and Development
After pausing development in early 2024, DOD revised its approach to the NBIS program, focusing on modernizing legacy systems rather than building an entirely new IT infrastructure. First, as part of its efforts to address NBIS delays, cost overruns, and technical issues, DOD transferred milestone decision authority for the NBIS program from DCSA to the Under Secretary of Defense for Acquisition and Sustainment.[12] Then, it established the NBIS Requirements Governance Board in October 2024 to manage requirements prioritization and inform decision-making.
As of February 2026, DOD is migrating personnel vetting data to cloud-based infrastructure and modernizing the programming code of legacy systems. DOD projects to complete system modernization by the end of fiscal year 2027 and decommission legacy IT infrastructure in fiscal year 2028.
DOD Developed a Reliable Cost Estimate for the NBIS Program
We found that the NBIS program’s 2025 cost estimate is reliable. The estimate projects $2.2 billion in costs for the NBIS program from fiscal year 2025 through fiscal year 2031, which is in addition to the $2.4 billion spent on NBIS and legacy systems through fiscal year 2024. The estimate includes the costs of migrating personnel vetting data to the cloud-based infrastructure, modernizing the code of legacy systems, and sustaining personnel vetting systems through fiscal year 2031.
We assessed the 2025 estimate against best practices for developing and maintaining reliable cost estimates as defined in our Cost Estimating and Assessment Guide.[13] The Guide organizes these best practices into four characteristics of a reliable cost estimate: accurate, comprehensive, credible, and well-documented.
We determined that the NBIS cost estimate met two characteristics of a reliable cost estimate and substantially met the remaining two characteristics.[14] A cost estimate is considered reliable if the assessment for each of the four characteristics is met or substantially met. For example, DOD conducted an independent cost estimate of the NBIS program to validate DCSA’s estimate, which is consistent with our guidance on the credibility characteristic.[15] In addition, NBIS officials stated they plan to monitor programmatic, technical, and schedule changes that affect the cost estimate and update the estimate annually to reflect those changes as required by DOD acquisition guidance.[16] Regularly updating the estimate is consistent with the accurate characteristic.
NBIS program management can now rely on the 2025 NBIS program cost estimate to help reduce the risk of future cost overruns and accurately present program performance. Figure 2 shows how DCSA improved the quality of its cost estimate since our 2023 assessment.[17] We provide a table with our full assessment of the 2025 cost estimate in appendix I.
Figure 2: GAO Assessments of the NBIS Program’s 2023 and 2025 Cost Estimates Against Best Practices
Note: We assessed the Defense Counterintelligence and Security Agency’s cost estimate from 2023 and 2025 for the NBIS program against best practices for cost estimating published in our Cost Estimating and Assessment Guide. In our guide, we state that a high-quality cost estimate has four characteristics: it is accurate, comprehensive, credible, and well-documented. See GAO‑20‑195G.
DOD Has Made Improvements but Has Still Not Fully Met Scheduling Best Practices for NBIS
We found that the NBIS schedule does not meet all best practices for a reliable schedule. Figure 3 below shows the extent to which DCSA has met scheduling best practices since our 2021 and 2023 assessments.[18] Our full assessment can be found in appendix II.
Figure 3: GAO Assessments of the NBIS Program’s Scheduling Against Best Practices
Note: We assessed the Defense Counterintelligence and Security Agency’s schedule for the NBIS program from 2021, 2023, and 2025 against scheduling best practices published in our GAO Schedule Assessment Guide and also described in our Agile Assessment Guide. In our guide, we state that a high-quality, reliable schedule has four characteristics: it is comprehensive, well-constructed, credible, and controlled. See GAO‑16‑89G and GAO‑24‑105506.
DCSA is using an Agile software tool to manage the NBIS program schedule. Previously, DCSA maintained both an integrated master schedule and an Agile software tool to track system development work, but it no longer maintains the former.[19] We assessed its use of this tool against best practices for developing a reliable schedule as defined in our Schedule Assessment Guide and Agile Assessment Guide. The Guides organize these best practices into four characteristics of sound schedule estimating: comprehensive, controlled, credible, and well-constructed. All best practices need to be at least substantially met for a schedule to be considered reliable.
We determined that DCSA substantially met the comprehensive and controlled characteristics for the NBIS program schedule. For example, data we reviewed from the program’s Agile software tool are comprehensive because the program defined the work it needs to complete to accomplish its objectives. The program also substantially meets the controlled characteristic because key status information is documented and reviewed regularly, including milestone progress and changes to delivery timelines.
However, DCSA does not meet all of the characteristics of a reliable schedule because it has only partially met the well-constructed and credible characteristics. For example, it has not yet identified a critical path for the NBIS program that could focus management’s attention on the activities whose delay will adversely impact the schedule completion date, a characteristic of a well-constructed schedule.[20] The program has also not conducted a schedule risk analysis. A schedule risk analysis improves the credibility of scheduled dates and prioritizes risks that may lead to delays.
In February 2026, NBIS program officials stated in their response to our analysis of deficiencies that they have a fundamentally different approach to managing their work using Agile. Officials stated that their Agile software tool allows activities to be linked, but that the program does not define or manage a critical path as that, in their view, would misrepresent and constrain the program’s work. However, a valid critical path can provide management with reliable timeline estimates and help identify problems.
Moreover, NBIS program officials said that they discuss cost and schedule impacts of short-term work on a regular basis, but have not done a schedule risk analysis for the whole program because they believe their Agile approach is more effective. This approach, however, does not include a quantitative assessment to determine risk—a best practice. This stated approach also contrasts with the program’s April 2025 action plan, which committed to meeting all characteristics of a reliable schedule with the software tool. Our analysis shows that the program’s actions have not yet met the intent of all of our best practices.
The NBIS program’s long-term goal is to complete NBIS system development by the end of fiscal year 2027. However, as noted in our previous assessments, Agile software programs that do not meet scheduling best practices can face delays in system deployment, and the program has a history of repeated delays in meeting milestones. Improving NBIS scheduling practices so that DCSA meets or substantially meets all characteristics of a reliable schedule could decrease the risk that DCSA will continue to have delays in delivering NBIS capabilities to achieve Trusted Workforce 2.0 milestones.
NBIS Is Critical to Advancing Trusted Workforce 2.0 Reforms
Since I last testified on NBIS before this subcommittee in 2024, DOD has taken positive steps to prioritize NBIS development. It is important that DOD continue this trajectory of progress to provide modernized personnel vetting systems to implement Trusted Workforce 2.0. When the PAC initiated the reform effort in 2018, it planned to be finished by the end of fiscal year 2026. However, due to NBIS development delays and other factors, the PAC has pushed that milestone to the end of fiscal year 2028.[21] For example, our analysis of NBIS-related milestones in the January 2026 update to the Trusted Workforce 2.0 Implementation Strategy shows these delays continue—at least 46 percent of these milestones have been pushed out since April 2025.
Meanwhile, challenges that the reform was meant to address persist. In particular, the timeliness of the personnel security clearance process has been a long-standing challenge, and the PAC identifies NBIS as critical to address it. For example, the PAC envisions that NBIS will enable automated electronic adjudication of low-risk cases, allowing adjudicators to focus on more complex cases. In 2018, performance gaps as a result of agencies not meeting timeliness goals prompted us to place the security clearance process on our High-Risk List and led the PAC to initiate Trusted Workforce 2.0. However, performance continues to lag. Agencies have not consistently met goals for nearly all phases of the process for Secret or Top Secret clearances. For example, figure 4 shows that
· As of the second quarter of fiscal year 2025, agencies took an average of 206 days to complete the fastest 90 percent of initial Top Secret clearances—92 days beyond the 114-day goal.[22]
· Average times for initial Top Secret clearances have trended longer from fiscal year 2022 to fiscal year 2025.
Moreover, agencies have not met timeliness goals for the investigative phase for initial Secret and Top Secret clearances since 2021. To address these persistent delays, DOD and PAC leadership must continue to prioritize NBIS development to ensure full implementation of Trusted Workforce 2.0 and its goal for a timely vetting process.
Figure 4: Government-Wide Average Times for the Fastest 90 Percent of Initial Top Secret Security Clearances, Fiscal Year (FY) 2022–Quarter 2 of FY 2025
A fully deployed NBIS system is also critical to implementing continuous vetting of individuals—another key aspect of Trusted Workforce 2.0. Continuous vetting is an approach that consists of enrolling cleared personnel in IT systems that conduct ongoing automated record checks of various data sources used for ensuring, among other things, their ongoing eligibility/access to classified information. Currently, the PAC is enrolling personnel in legacy continuous vetting IT systems while DCSA develops NBIS. However, as we reported in May 2025, continuing to rely on legacy systems that have not been modernized may cause challenges for agencies. In particular, a third of the agencies we surveyed for our May 2025 report stated that NBIS delays had disrupted the implementation of continuous vetting.[23]
The urgency of developing NBIS is heightened by the increasing number of personnel enrolled in legacy continuous vetting systems and a growing number of alerts. PAC quarterly reporting shows that the volume of continuous vetting alerts requiring review has risen from approximately 30,000 per quarter in fiscal year 2023 to over 100,000 in the third quarter of fiscal year 2025. It will be important for DCSA leadership to continue their progress in developing NBIS to provide agencies with modern tools to process the growing number of alerts that continuous vetting systems generate.[24]
Conclusions
Over the past 2 years, DCSA leadership has focused on improving its approach to NBIS. Having a reliable cost estimate for the program is a significant step forward. However, weaknesses in DCSA’s approach to scheduling may continue to jeopardize its ability to meet milestones. The NBIS program has a long history of repeated milestone delays that continue today, with the PAC pushing out nearly half of the NBIS-related milestones in its most recent Trusted Workforce 2.0 strategy. By ensuring that the NBIS program’s schedule aligns with all best practice characteristics defined in our guides—particularly for the schedule practices to be well-constructed and credible—DCSA will decrease the risk of continued delays in delivering NBIS capabilities.
Going forward, DOD must continue to prioritize developing NBIS capabilities to help ensure the success of Trusted Workforce 2.0. We will continue to monitor DOD’s progress in implementing our recommendations in this area.
Recommendations for Executive Action
We are making the following two recommendations to DOD:
The Secretary of Defense should ensure that the Director of the Defense Counterintelligence and Security Agency aligns DCSA’s schedule for the National Background Investigation Services program with the “well-constructed” characteristic as defined in GAO’s guides for scheduling and Agile software development by addressing those scheduling best practices that were partially met, including establishing a valid critical path. (Recommendation 1)
The Secretary of Defense should ensure that the Director of the Defense Counterintelligence and Security Agency aligns DCSA’s schedule for the National Background Investigation Services program with the “credible” characteristic as defined in GAO’s guides for scheduling and Agile software development by addressing those scheduling best practices that were partially or minimally met, including conducting a schedule risk analysis. (Recommendation 2)
Agency Comments
We provided a draft of this statement to DOD for review and comment. DOD provided technical comments, which we incorporated into the statement as appropriate.
Chairman Sessions, Ranking Member Mfume, and Members of the Subcommittee, this concludes my prepared statement. I would be pleased to respond to any questions you may have at this time.
GAO Contact and Staff Acknowledgments
If you or your staff have any questions about this testimony, please contact Alissa H. Czyz, Director, Defense Capabilities and Management, at czyza@gao.gov. Contact points for our Offices of Congressional Relations and Public Affairs may be found on the last page of this statement. GAO staff who made key contributions to this testimony are James P. Klein and Kimberly Seay (Assistant Directors), Parke Nicholson (Analyst in Charge), Dustin Cohan, Victoria Coxon, Emile Ettedgui, Christopher Gezon, Susannah Hawthorne, Jason Lee, Susan Elizabeth Murphy, Alice Paszel, Terry Richardson, Carter Stevens, Daniel Swartz, Anne Thomas, Mary Weiland, and Erik Wilkins-McKee.
Appendix I: Assessment of the Cost Estimate for National Background Investigation Services
We found that the National Background Investigation Services (NBIS) program’s 2025 cost estimate is reliable. As shown in table 1, it met two characteristics of a reliable cost estimate—well-documented and credible—and substantially met the remaining two—comprehensive and accurate. A cost estimate is considered reliable if the assessment for each of the four characteristics is at least substantially met. If any of the characteristics are not met, minimally met, or partially met, then the cost estimate does not fully reflect the characteristics of a high-quality cost estimate and cannot be considered reliable.
To assess the NBIS program’s most recent cost estimate, we reviewed Defense Counterintelligence and Security Agency (DCSA) documentation on the status of the NBIS system development, analyzed DCSA schedule and cost estimate documentation, and met with NBIS program officials to discuss cost estimating. We obtained the April 2025 NBIS program office estimate and compared the estimate against our best practices for cost estimating.[25] In December 2025, we provided DCSA a draft of our analysis for its review. DCSA officials said they did not have concerns with our analysis and did not otherwise provide comments.
Table 1: GAO Assessment of the Defense Counterintelligence and Security Agency’s (DCSA) Cost Estimate for the National Background Investigation Services (NBIS) Program Compared with Best Practices
|
Best practice characteristic and overall assessment |
Best practice |
|
Comprehensive: Substantially met |
Includes all life cycle costs. |
|
Based on a technical baseline description that completely defines the program, reflects the current schedule, and is technically reasonable. |
|
|
Based on a work breakdown structure (WBS) that is product-oriented, traceable to the statement of work, and at an appropriate level of detail to ensure that cost elements are neither omitted nor double-counted. |
|
|
Documents all cost-influencing ground rules and assumptions. |
|
|
Well-documented: Met |
Documentation shows the source data used, the reliability of the data, and the estimating methodology used to derive each element’s cost. |
|
Documentation describes how the estimate was developed so that a cost analyst unfamiliar with the program could understand what was done and replicate it. |
|
|
Documentation discusses the technical baseline description and the data in the technical baseline are consistent with the cost estimate. |
|
|
Documentation provides evidence that was reviewed and accepted by management. |
|
|
Accurate: Substantially met |
Based on a model developed by estimating each work breakdown structure element using the best methodology from the data collected. |
|
Adjusted properly for inflation. |
|
|
Contains few, if any, minor mistakes. |
|
|
Based on a historical record of cost estimating and actual experiences from other comparable programs. |
|
|
Credible: Met |
Includes a sensitivity analysis that identifies a range of possible costs based on varying major assumptions, parameters, and data inputs. |
|
Includes a risk and uncertainty analysis that quantifies the imperfectly understood risks and identifies the effects of changing key cost driver assumptions and factors. |
|
|
Employs cross-checks—or alternate methodologies—on major cost elements to validate results. |
|
|
Compared to an independent cost estimate that is conducted by a group outside the acquiring organization to determine whether other estimating methods produce similar results. |
Source: GAO analysis of Department of Defense information. | GAO‑26‑108838
Note: We assessed the DCSA 2025 cost estimate for the NBIS program against best practices for cost estimating published in our Cost Estimating and Assessment Guide. In our guide, we state that a high-quality cost estimate has four characteristics: it is accurate, comprehensive, credible, and well-documented. “Met” means the program provided complete evidence that satisfies the entire criterion. “Substantially met” means the program provided evidence that satisfies a large portion of the criterion. “Partially met” means the program provided evidence that satisfies about half of the criterion. “Minimally met” means the program provided evidence that satisfies a small portion of the criterion. “Not met” means the program did not provide evidence that satisfies the criterion.
Appendix II: Assessment of the Program Schedule for National Background Investigation Services
We found that the National Background Investigation Services (NBIS) program’s schedule includes some, but not all characteristics of a reliable schedule. As shown in table 2, the schedule partially met two characteristics—well-constructed and credible—and substantially met the remaining two—comprehensive and controlled. A schedule is considered reliable if the assessment ratings for each of the four characteristics are substantially or fully met. If any of the characteristics are not met, minimally met, or partially met, then the schedule does not fully reflect the characteristics of a high-quality schedule and cannot be considered reliable.
To assess NBIS program scheduling, we reviewed Defense Counterintelligence and Security Agency (DCSA) documentation on the status of the NBIS system development, analyzed data from DCSA’s Agile software tool from June through September 2025, and met with NBIS program officials to discuss scheduling. We compared the information we collected in our assessment against GAO best practices for project schedules.[26] We then provided our draft analysis to DCSA officials for comment in January 2026 and discussed our analysis with NBIS program officials in February 2026.
Table 2: GAO Assessment of the Defense Counterintelligence and Security Agency’s (DCSA) Scheduling Practices for the National Background Investigation Services (NBIS) Program Compared with Best Practices
|
Best practice characteristic, overall assessment, and description |
Best practice |
|
Comprehensive: Substantially met The program’s Agile software tool generally captures all activities and includes resource allocation and activity durations. |
Capturing all activities |
|
Assigning all resources to activities |
|
|
Establishing the durations of all activities |
|
|
Well-constructed: Partially met Program activities are not sufficiently linked to enable sequencing and identification of a critical path that, if delayed, would impact key milestones. |
Sequencing all activities |
|
Confirming that the critical path is valid |
|
|
Ensuring reasonable total float |
|
|
Credible: Partially met Schedule data lacks sufficient links to enable tracing between program elements and end products. A schedule risk analysis has not been conducted to determine the confidence level in achieving the program schedule. |
Verifying that the schedule can be traced horizontally and vertically |
|
Conducting a schedule risk analysis |
|
|
Controlled: Substantially met Key program status information is generally monitored, and baseline dates are tracked in the software tool. |
Updating the schedule using actual progress and logic |
|
Maintaining a baseline schedule |
Source: GAO analysis of Department of Defense information. | GAO‑26‑108838
Note: We assessed DCSA’s scheduling practices for the NBIS program against best practices for a reliable schedule published in our GAO Schedule Assessment Guide and also described in our Agile Assessment Guide. See GAO‑16‑89G and GAO‑24‑105506. In our guides, we state that a high-quality, reliable schedule has four characteristics: it is comprehensive, well-constructed, credible, and controlled. “Met” means the program provided complete evidence that satisfies the entire criterion. “Substantially met” means the program provided evidence that satisfies a large portion of the criterion. “Partially met” means the program provided evidence that satisfies about half of the criterion. “Minimally met” means the program provided evidence that satisfies a small portion of the criterion. “Not met” means the program did not provide evidence that satisfies the criterion.
Related GAO Products
Personnel Vetting: DOD Actions Needed to Address Cybersecurity of Background Investigation Systems. GAO‑26‑107027SU. Washington, D.C.: Dec 18, 2025.
Personnel Security Clearances: Actions Needed to Address Significant Data Reliability Issues That Impact Oversight. GAO‑26‑107100. Washington, D.C.: December 11, 2025.
Personnel Vetting: Sustained Leadership Is Critical to DOD’s New Approach to Its Background Investigation System. GAO‑25‑108721. Washington, D.C.: September 16, 2025.
Federal Workforce: Observations on the Implementation of the Trusted Workforce 2.0 Personnel Vetting Reform Initiative. GAO‑25‑107325. Washington, D.C.: May 9, 2025.
High-Risk Series: Heightened Attention Could Save Billions More and Improve Government Efficiency and Effectiveness. GAO‑25‑107743. Washington, D.C.: February 25, 2025.
Personnel Vetting: DOD Needs to Improve Management of the National Background Investigation Services Program. GAO‑24‑107616. Washington, D.C.: June 26, 2024.
Personnel Vetting: DOD Needs to Enhance Cybersecurity of Background Investigation Systems. GAO‑24‑106179. Washington, D.C.: June 20, 2024.
Federal Workforce: Actions Needed to Improve the Transfer of Personnel Security Clearances and Other Vetting Determinations. GAO‑24‑105669. Washington, D.C.: January 22, 2024.
Personnel Vetting: DOD Needs a Reliable Schedule and Cost Estimate for the National Background Investigation Services Program. GAO‑23‑105670. Washington, D.C.: August 17, 2023.
Personnel Vetting: DOD Should Improve Management and Operation of Its Background Investigation Working Capital Fund. GAO‑23‑105812. Washington, D.C.: July 27, 2023.
High-Risk Series: Efforts Made to Achieve Progress Need to Be Maintained and Expanded to Fully Address All Areas. GAO‑23‑106203. Washington, D.C.: April 20, 2023.
Personnel Vetting: Actions Needed to Implement Reforms, Address Challenges, and Improve Planning. GAO‑22‑104093. Washington, D.C.: December 9, 2021.
High Risk Series: Dedicated Leadership Needed to Address Limited Progress in Most High-Risk Areas. GAO‑21‑119SP. Washington, D.C.: March 2, 2021.
Federal Management: Selected Reforms Could Be Strengthened by Following Additional Planning, Communication, and Leadership Practices. GAO‑20‑322. Washington, D.C.: April 23, 2020.
High-Risk Series: Substantial Efforts Needed to Achieve Greater Progress on High-Risk Areas. GAO‑19‑157SP. Washington, D.C.: March 6, 2019.
Personnel Security Clearances: Additional Actions Needed to Implement Key Reforms and Improve Timely Processing of Investigations. GAO‑18‑431T. Washington, D.C.: March 7, 2018.
Personnel Security Clearances: Additional Actions Needed to Ensure Quality, Address Timeliness, and Reduce Investigation Backlog. GAO‑18‑29. Washington, D.C.: December 12, 2017.
Personnel Security Clearances: Plans Needed to Fully Implement and Oversee Continuous Evaluation of Clearance Holders. GAO‑18‑117. Washington, D.C.: November 21, 2017.
This is a work of the U.S. government and is not subject to copyright protection in the United States. The published product may be reproduced and distributed in its entirety without further permission from GAO. However, because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately.
The Government Accountability Office, the audit, evaluation, and investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO’s commitment to good government is reflected in its core values of accountability, integrity, and reliability.
Obtaining Copies of GAO Reports and Testimony
The fastest and easiest way to obtain copies of GAO documents at no cost is through our website. Each weekday afternoon, GAO posts on its website newly released reports, testimony, and correspondence. You can also subscribe to GAO’s email updates to receive notification of newly posted products.
Order by Phone
The price of each GAO publication reflects GAO’s actual cost of production and distribution and depends on the number of pages in the publication and whether the publication is printed in color or black and white. Pricing and ordering information is posted on GAO’s website, https://www.gao.gov/ordering.htm.
Place orders by calling (202) 512-6000, toll free (866) 801-7077,
or
TDD (202) 512-2537.
Orders may be paid for using American Express, Discover Card, MasterCard, Visa, check, or money order. Call for additional information.
Connect with GAO
Connect with GAO on X,
LinkedIn, Instagram, and YouTube.
Subscribe to our Email Updates. Listen to our Podcasts.
Visit GAO on the web at https://www.gao.gov.
To Report Fraud, Waste, and Abuse in Federal Programs
Contact FraudNet:
Website: https://www.gao.gov/about/what-gao-does/fraudnet
Automated answering system: (800) 424-5454
Media Relations
Sarah Kaczmarek, Managing Director, Media@gao.gov
Congressional Relations
David A. Powner, Acting Managing Director, CongRel@gao.gov
General Inquiries
[1]Specifically, in 2016, Executive Order No. 13,467, as amended by Executive Order No. 13,741, assigned DOD the role of designing, developing, deploying, operating, securing, defending, and continuously updating and modernizing personnel vetting IT systems that support all background investigation processes that had been conducted by the National Background Investigations Bureau within OPM. Exec. Order No. 13,467, Reforming Processes Related to Suitability for Government Employment, Fitness for Contractor Employees, and Eligibility for Access to Classified National Security Information, § 2.4(b) (June 30, 2008), as amended by Exec. Order No. 13,741, Amending Executive Order 13467 To Establish the Roles and Responsibilities of the National Background Investigations Bureau and Related Matters, § 1(f), 81 Fed. Reg. 68,289, 68,290 (Sept. 29, 2016).
[2]In this statement, we use the term “NBIS system” to refer to the set of subsystems and associated capabilities that is the focus of the software development effort. We use the term “NBIS program” to refer to the NBIS Program Management Office and its management of the program as a whole, including related subprojects such as acquisition, engineering, training, and cybersecurity. DCSA also manages legacy background investigation systems including existing DOD systems used in personnel vetting and a set of systems previously owned by OPM.
[3]While DCSA conducts 95 percent of the government’s background investigations, some executive branch agencies have the authority to conduct all or some of their own investigations, according to the Office of the Director of National Intelligence. Such agencies include the Central Intelligence Agency, the Federal Bureau of Investigation, and the State Department, as well as some DOD components such as the National Security Agency.
[4]Trusted Workforce 2.0 is a government-wide reform effort intended to better support agencies’ missions by, among other things, reducing the time required to bring new hires on board and improving personnel vetting procedures, among other initiatives. See Security, Suitability, and Credentialing Performance Accountability Council, Trusted Workforce 2.0 Implementation Strategy (April 2022).
[5]GAO, Personnel Vetting: DOD Needs a Reliable Schedule and Cost Estimate for the National Background Investigation Services Program, GAO‑23‑105670 (Washington, D.C.: Aug. 17, 2023); and Personnel Vetting: Actions Needed to Implement Reforms, Address Challenges, and Improve Planning, GAO‑22‑104093 (Washington, D.C.: Dec. 9, 2021).
[6]GAO, Personnel Vetting: Sustained Leadership Is Critical to DOD’s New Approach to Its Background Investigation System, GAO‑25‑108721 (Washington, D.C.: Sept. 16, 2025). See the Related GAO Products section at the end of this statement for additional GAO reports on this topic.
[7]In 2018, we placed the government-wide security clearance process on our High-Risk List due in part to challenges with IT systems. In our latest High-Risk update, we found that the government-wide personnel security clearance process continued to face challenges regarding the timely processing of clearances and development of the NBIS system. We have made numerous recommendations to address these challenges. For more information on our previous recommendations and the status of their implementation, see GAO, High-Risk Series: Heightened Attention Could Save Billions More and Improve Government Efficiency and Effectiveness, GAO‑25‑107743 (Washington, D.C.: Feb. 25, 2025).
[8]GAO, Cost Estimating and Assessment Guide: Best Practices for Developing and Managing Program Costs, GAO‑20‑195G (Washington, D.C.: March 2020).
[9]The NBIS program uses an Agile software tool for scheduling purposes, which we evaluated against best practices. For the purposes of this report, we refer to this as the NBIS program schedule. Agile methodology is an approach to software development in which software is developed incrementally and is continuously evaluated for functionality, quality, and customer satisfaction. While there are differences between Agile software development philosophy and past scheduling approaches, a high-quality program schedule is still applicable to all federal programs. See GAO, Schedule Assessment Guide: Best Practices for Project Schedules, GAO‑16‑89G (Washington, D.C.: December 2015) and Agile Assessment Guide: Best Practices for Agile Adoption and Implementation, GAO‑24‑105506 (Washington, D.C.: November 2023).
[10]The PAC was established in June 2008 by Executive Order No. 13,467. See Exec. Order No. 13,467, § 2.2, 73 Fed. Reg. 38,103, 38,105 (June 30, 2008).
[11]This total includes around $1.1 billion that DOD initially spent to develop the NBIS system and around $1.3 billion to maintain legacy systems. It is based on actual amounts in DOD budget justification documents for research, development, testing, and evaluation (RDT&E) and operation and maintenance (O&M). DOD pays for legacy systems by using two funding sources that originated from the transition in 2019 of background investigation functions from OPM to DOD. First, DCSA established a working capital fund in June 2019 to finance personnel vetting activities, such as background investigations. Defense working capital funds recover costs by charging customers a standard price for a product or service. Second, OPM transferred ownership of legacy IT systems to DCSA in October 2020, but these systems continue to reside on OPM’s network. Under a series of interagency agreements, DCSA will continue to pay OPM for services associated with the legacy systems until they are no longer needed.
[12]The milestone decision authority is the program decision authority and specifies the decision points and procedures for assigned programs. See Department of Defense (DOD) Instruction 5000.02, Operation of the Adaptive Acquisition Framework (Jan. 23, 2020) (incorporating change 1, effective June 8, 2022). The Under Secretary of Defense for Intelligence and Security serves as the NBIS program sponsor, which approves the Capability Needs Statement, interfaces with the user community, establishes and leads a requirements governance process, and ensures the oversight board conducts value assessments of NBIS capabilities.
[14]For the ratings described here, “not met” means the program provided no evidence that satisfies any of the criterion. “Minimally met” means the program provided evidence that satisfies a small portion of the criterion. “Partially met” means the program provided evidence that satisfies about half of the criterion. “Substantially met” means the program provided evidence that satisfies a large portion of the criterion. “Met” means the program provided complete evidence that satisfies the entire criterion. If any of the characteristic ratings is not met, minimally met, or partially met, then the cost estimate cannot be considered reliable.
[15]We determined that this independent cost estimate prepared by the Office of Cost Assessment and Program Evaluation at DOD was sufficient to allow for reconciliation to the program office cost estimate.
[16]See DOD Instruction 5000.87, Operation of the Software Acquisition Pathway (Oct. 2, 2020).
[17]We found in 2023 that the program did not have a reliable cost estimate for the NBIS program. See GAO‑23‑105670.
[18]In 2021 and 2023, we reviewed two versions of the NBIS program’s schedule and found that they did not meet our best practices. DOD concurred with our 2021 recommendation to align the NBIS program schedule to meet our best practices, but did not implement this recommendation. We then recommended in 2023 that Congress consider requiring DOD to develop a reliable program schedule. For more information, see GAO‑22‑104093 and GAO‑23‑105670.
[19]An integrated master schedule is a program schedule that includes the entire required scope of effort, including the effort necessary from all government, contractor, and other key parties for a program’s successful execution from start to finish.
[20]The critical path is the longest continuous sequence of activities in a schedule and determines the program’s earliest completion date. See GAO‑16‑89G. As such, a delay in any of these activities will cause a delay to the program finish date. In 2021 and in 2023, the NBIS program schedule did not have a true critical path; we instead found discontinuous critical paths.
[21]In our High-Risk reports, we have noted the PAC’s commitment to Trusted Workforce 2.0 and have highlighted key practices that agencies should adopt to demonstrate leadership commitment to sustain high-risk efforts. For example, see GAO, High-Risk Series: Heightened Attention Could Save Billions More and Improve Government Efficiency and Effectiveness, GAO‑25‑107743 (Washington, D.C.: Feb. 25, 2025).
[22]While it is important that agencies meet timeliness goals for security clearance processing, it is also important for the Office of the Director of National Intelligence (ODNI) to have reliable data on the time it takes agencies to complete the process. However, we reported in December 2025 that more than 60 percent of the data ODNI uses to oversee the process that we reviewed from fiscal year 2024 were inaccurate or incomplete. We made recommendations to improve the reliability of these data. ODNI did not explicitly agree or disagree with our recommendations. See GAO, Personnel Security Clearances: Actions Needed to Address Significant Data Reliability Issues That Impact Oversight, GAO‑26‑107100 (Washington, D.C.: Dec. 11, 2025).
[23]We surveyed 45 federal agencies and 626 contractors about Trusted Workforce 2.0 implementation. GAO, Federal Workforce: Observations on the Implementation of the Trusted Workforce 2.0 Personnel Vetting Reform Initiative, GAO‑25‑107325 (Washington, D.C.: May 9, 2025). Most of these agencies receive continuous vetting services from DCSA, but some receive continuous vetting services through a separate IT system owned by ODNI.
[24]We have two ongoing reviews of continuous vetting: one examining continuous vetting in the intelligence community and the other examining it across the executive branch. We expect to issue reports on the results of both reviews in fall 2026.
[25]GAO, Cost Estimating and Assessment Guide: Best Practices for Developing and Managing Program Costs, GAO‑20‑195G (Washington, D.C.: March 2020).
[26]GAO, Schedule Assessment Guide: Best Practices for Project Schedules, GAO‑16‑89G (Washington, D.C.: December 2015) and Agile Assessment Guide: Best Practices for Agile Adoption and Implementation, GAO‑24‑105506 (Washington, D.C.: November 2023).