An IT contractor who had access to email servers for United States House of Representatives members worked without a background check, according to a report from security and risk management publication CSO. The contractor, Imran Awan, is currently facing fraud charges and a class-action lawsuit.
Emails leaked as part of the 2016 Democratic National Committee (DNC) hack indicate Awan was a go-to source when members of the House of Representatives needed IT assistance. Reps would contact Awan if they forgot their passwords. The CSO article indicates roughly 80 members of Congress had contact with Awan over the years.
Given this role and its inherent access to sensitive information, Awan appeared to be in line to obtain a government security clearance—or at least undergo a thorough background check. According to CSO, workers who are members of the “Congressional administrative staff” are not required to obtain national security clearances but are expected to undergo background checks. The Committee on House Administration guidelines include a section concerning shared staff—the category into which Awan would fit—and the vetting expectations for those employees.
Based on Congressional guidelines, Awan should have at least passed a “Capitol Police Criminal History Records Check.” This type of check would be the equivalent of a state criminal history check for the District of Columbia. The CSO article does not mention whether Congressional administrative staff are supposed to have any screenings beyond this criminal check—such as criminal searches outside of Washington, D.C., employment verification checks, or identity checks.
Why was Awan’s background check overlooked? The answer might be found in the wording of the Committee on House Administration guidelines. The guidelines state “it is recommended that Member and Committee offices” request a background check for shared employees due to the sensitive information those employees often access during their work. “Recommended” is the key word in that sentence: Congressional departments are not technically required to conduct background checks on shared administrative staff.
When authorizing someone to provide IT services, a House member can conduct the background check, but they can also check a box that says, “I have verified that a trustworthiness determination has been made on behalf of this shared resource by another Member.” In other words, if another member has already run a background check on a “shared resource,” that member can offer an attestation of trustworthiness for the resource.
Evidence shows many Congress members used this method to approve Awan to provide IT resources. However, no one could identify who initially attested to Awan’s trustworthiness, which means no one can verify a background check ever took place.
Awan is currently under investigation for bank fraud and potential involvement in a “cyber breach operation” during his time as a Congressional aide. There have also been accusations that Awan accessed information or servers he shouldn’t have, something that may have been prevented had he been required to pass a background check.