Key Takeaways
- The Defense Counterintelligence and Security Agency (DCSA) documented 815 security violations by cleared defense contractors in fiscal year 2025, with nearly 60 % classified as data spills.
- More than 1,000 open security vulnerabilities were identified, highlighting widespread non‑compliance with National Industrial Security Program Operating Manual (NISPOM) requirements.
- Funding and staffing for DCSA’s industrial security mission have remained flat, limiting oversight to roughly 25‑30 % of the cleared industrial base despite growing threats.
- Field operators cite inadequate analytic tools and resources, urging the development of enhanced regional risk‑assessment capabilities to prioritize high‑risk contractors.
- Initiatives such as the National Access Elsewhere Security Oversight Center (NAESOC) have proven ineffective, suffering from staffing shortfalls, limited impact, and industry dissatisfaction.
- Pentagon intelligence leaders are considering policy shifts—including altering review frequency and transferring more industrial‑security responsibilities to the military departments—to alleviate DCSA’s workload.
- GAO recommends improving analytic capabilities for field staff, creating an industrial‑security risk‑response plan, and conducting a comprehensive evaluation of NAESOC to strengthen oversight.
Overview of GAO Findings on Contractor Security Violations
The Government Accountability Office (GAO) released a report evaluating the Defense Counterintelligence and Security Agency’s (DCSA) efforts to ensure that cleared defense contractors protect classified information. According to GAO, DCSA performed more than 4,600 security reviews during fiscal year 2025 and recorded 815 distinct security violations. The breakdown of these incidents revealed that data spills constituted the largest share, accounting for nearly 60 % of all violations. Improper storage followed at 11.5 %, while unauthorized disclosures or access breaches made up 6.5 %, physical losses represented 6.3 %, and improper physical transfers comprised 5.6 %. The remaining violations were either uncategorized or still under investigation at the time of the report.
Scale and Nature of Open Security Vulnerabilities
Beyond documented violations, GAO noted that DCSA’s reviews identified 1,032 open security vulnerabilities across the contractor base. These vulnerabilities reflect identified weaknesses in contractors’ security programs and indicate non‑compliance with procedures outlined in the National Industrial Security Program Operating Manual (NISPOM). The persistence of such gaps suggests that many contractors continue to operate with insufficient safeguards despite repeated oversight efforts. GAO emphasized that addressing these vulnerabilities is critical, as they provide potential entry points for foreign adversaries seeking to exfiltrate sensitive defense information.
Resource Constraints Limiting DCSA Oversight
GAO highlighted a significant mismatch between the expanding threat landscape and the resources allocated to DCSA’s industrial security mission. While funding and staffing for personnel vetting and other priorities have risen in recent years, the budget dedicated to industrial security has remained relatively flat. In 2023, DCSA officials reported that available funding permitted oversight of only 25‑30 % of the cleared industrial base. A memorandum cited by GAO showed that officials had proposed new investment options to expand staffing and funding for the industrial‑security program, but those proposals had not been acted upon by September 2025. Consequently, DCSA’s capacity to conduct comprehensive reviews is hampered, leaving a substantial portion of contractors with limited or periodic scrutiny.
Challenges Faced by Field Operators
Field operators tasked with conducting on‑site security assessments told GAO that they are constrained not only by manpower shortages but also by limited analytical capabilities. DCSA currently possesses national‑level risk‑assessment tools, but operators expressed a need for enhanced analytic tools tailored to regional contexts. Such tools would enable them to detect localized threat patterns, prioritize high‑risk contractors, and allocate scarce resources more effectively. GAO’s report noted that in an environment of constrained resources, improved analytics could significantly bolster the agency’s ability to assess and mitigate risks before they materialize into actual security incidents.
Evaluating the National Access Elsewhere Security Oversight Center (NAESOC)
In an attempt to alleviate workload pressures on regional industrial‑security officials, DCSA established the National Access Elsewhere Security Oversight Center (NAESOC). The center was intended to advise and assist facilities deemed lower‑risk—those that do not handle classified information or possess classified IT systems. However, GAO’s evaluation found NAESOC to be largely ineffective. Participants in twelve focus groups reported insufficient staffing, limited effectiveness in risk mitigation, and overall industry dissatisfaction with the center’s responsiveness. The lack of a comprehensive assessment of NAESOC’s structure, processes, and outcomes has prevented DCSA from identifying corrective actions or determining whether the initiative should be revised, expanded, or terminated.
Potential Policy Shifts Within the Department of Defense
Recognizing the persistent challenges facing DCSA, Pentagon intelligence leaders informed GAO that they are reviewing possible policy changes. Among the options under consideration are adjustments to the periodicity of required security reviews—potentially extending intervals for low‑risk contractors while increasing frequency for higher‑risk entities—and a reallocation of responsibilities whereby military departments would assume a larger share of industrial‑security oversight. Such shifts aim to reduce the burden on DCSA while ensuring that critical security functions remain covered. Officials affirmed that they agree with GAO’s recommendations to improve analytic tools for field operators, develop a coordinated industrial‑security risk‑response plan, and conduct a thorough evaluation of NAESOC.
GAO’s Recommendations for Strengthening Industrial Security
The GAO report concluded with a set of actionable recommendations designed to bolster DCSA’s industrial‑security mission. First, the agency should invest in and deploy enhanced analytic capabilities at the regional level, allowing field operators to identify and act upon emerging threat trends specific to their geographic areas. Second, DCSA ought to formulate an industrial‑security risk‑response plan that outlines clear procedures for prioritizing and mitigating identified vulnerabilities across the contractor base. Third, a comprehensive assessment of NAESOC must be undertaken to determine its staffing needs, effectiveness, and overall value; based on that assessment, the center should be reformed, replaced, or discontinued. Implementing these steps, GAO argues, would improve the agency’s ability to safeguard classified information despite resource constraints and an increasingly aggressive foreign‑intelligence environment.
Implications for National Security and Contractor Accountability
The findings underscore a pressing national‑security concern: as adversaries attempt to steal classified data from industry “thousands of times per year,” the current oversight framework may be insufficient to detect and prevent breaches in a timely manner. The high proportion of data spills points to weaknesses in how contractors handle, transmit, and store sensitive information, suggesting a need for stronger technical controls, better employee training, and more rigorous auditing procedures. If DCSA cannot expand its oversight coverage due to funding limits, alternative models—such as increased self‑assessment by contractors, third‑party audits, or shared responsibility with military services—may be necessary to close the gap. Ultimately, ensuring the integrity of the defense industrial base hinges on aligning resources, policies, and technology with the evolving threat landscape.
Conclusion
The GAO’s review of DCSA’s industrial‑security activities reveals both progress and persistent challenges. While the agency continues to conduct thousands of security reviews each year, the predominance of data spills, the existence of over a thousand open vulnerabilities, and resource limitations highlight areas requiring immediate attention. By adopting GAO’s recommendations—enhancing regional analytic capabilities, forming a risk‑response plan, and rigorously evaluating initiatives like NAESOC—DCSA can improve its ability to protect classified information, thereby strengthening the overall security posture of the nation’s defense contractors. Continued vigilance, adaptive policies, and adequate investment will be essential to counteract the relentless attempts of foreign actors to exploit weaknesses within the defense industrial base.

