Despite the Department of Defence investing $37 million since 2008 in upgrading the core IT systems at the agency responsible for assigning security clearance for a significant number of government employees and contractors, those systems still lack "reliability and functionality".
Problems remain with the Australian Government Security Vetting Agency's ePack2 system and PSAMS2 (Personnel Security Assessment Management System) — the former an online portal that manages individuals' applications for clearance and the latter a system that manages the vetting workflow — according to a report from the Australian National Audit Office.
Security vetting has been the domain of the AGSVA, which sits within Defence, since October 2010.
Prior to the creation of AGSVA, there were around 100 government entities assigning security clearances.
(A number of agencies, including the Australian Federal Police, the Department of Foreign Affairs and Trade and intelligence agencies outside Defence, still conduct their own vetting processes.)
The centralisation of security vetting was expected to make the process more efficient and deliver annual savings of $5.3 million for the government.
However in that respect, performance has been "mixed" the audit notes: An outcome that has its roots "in an inadequate policy proposal developed in 2009 by [the Attorney-General's Department] in consultation with Defence and the then Department of Finance and Deregulation, which did not effectively assess Defence’s capacity to deliver whole-of-government services with the resources proposed".
"AGSVA has been unable to meet agreed benchmark timeframes for processing security clearances since 2010, and despite investments in people, systems and processes, there has been no noticeable improvement in the timeliness of clearance processing," the audit concluded.
AGSVA commenced operations "on the back foot" with far fewer resources to carry out security vetting than were available for the task under the previous non-centralised arrangements and "without an appropriate management structure, documented procedures and adequate ICT systems".
ePack2, the successor to the ePack system used by the Defence Vetting Branch, was approved for production use only a fortnight before AGSVA began offering centralised security vetting for government agencies.
The system went into production with some 1508 documented defects.
The audit notes that despite updates to ePack2 since 2010, the system "continues to experience useability, compatibility and stability issues".
"The ePack system is the public face of AGSVA, but remains a frustrating and difficult system for individual users to navigate. This raises efficiency and productivity issues for customer entities and the vetting process as a whole," the report notes.
Defence had planned roll out an update of PSAMS (PSAMS2) by March 2010 but the decision to centralise security vetting in AGSVA blew out the timeline because the system needed to be able to manage clearances for additional organisations (including importing their clearance data) and support revised security levels.
The implementation of PSAMS2 ended up being delayed until December 2012.
The original budget to upgrade the two systems was $4.79 million. That blew out to $37.73 million: $5.63 million for ePack2 and $32.1 million for PSAMS2.
"Defence documentation indicates that shortcomings in ICT project planning, insufficient application of ICT expertise, staff turnover and major changes in project scope to deliver whole-of-government vetting functionality requirements, contributed to the problems experienced by the ICT upgrades and the substantial cost increases," the report notes.
Among the audit's recommendations are that Defence should develop "a clear pathway to achieve agreed timeframes for processing and revalidating security clearances"; the department indicated it agreed with the recommendation.