Security vetting involves the assessment of an individual’s suitability to hold a security clearance at a particular level. Australian Government employees and contractors require a security clearance to access classified resources, which can relate to Australia’s national security, economic and other interests. The security vetting and clearance process is an important risk mitigation activity intended to protect the national interest, which can also affect an individual’s employment and the business operations of entities if not managed effectively or in a timely manner.

The Australian Government Security Vetting Agency (AGSVA) is part of the Department of Defence and provides security clearance assessments as a whole-of-government service. In February 2014, Defence identified the need for long-term and potentially significant investment in ICT solutions because the existing system used by AGSVA to process security clearances, the Personnel Security Assessment Management System (PSAMS), did not have the ‘functionality needed for the future’. The February 2016 Defence Integrated Investment Program (IIP) subsequently outlined a need for ‘expanded security vetting’ as one of the ‘principal areas of focus’ for Defence.

The base capability of the new system was introduced on 28 November 2022. By February 2023, the extent of user issues experienced after the system ‘went live’ were the subject of parliamentary interest. This audit provides independent assurance to the Parliament on the effectiveness of Defence’s procurement and implementation of the new ICT system, now known as myClearance, and Defence’s remediation progress to date.

Key findings

• Defence’s procurement and implementation of the myClearance system to date has been partly effective. The full functionality of the system will not be delivered as key elements, including the continuous assessment, automated risk-sharing and enhanced interface functionalities, were de-scoped from the project in November 2023.
• Defence’s planning activities were largely effective. Early planning work in 2016 and 2017 focused on industry engagement and assessing the market’s ability to deliver and integrate the new IT system into Defence’s ICT environment. Work to refine the user and system requirements in mid-2018 was not informed by other government entities or stakeholders.
• Defence’s implementation of the myClearance system has been partly effective. Identified risks and issues were not resolved in a timely manner. Data cleansing and migration activities were not effective. Testing processes were truncated and were not conducted in line with agreed testing plans or Defence guidance.