815 Security Violations, 1,032 Open Vulnerabilities: Inside DCSA's FY2025 Compliance Data
The Defense Counterintelligence and Security Agency documented 815 security violations at cleared contractor facilities during fiscal year 2025 — incidents where contractors failed to comply with National Industrial Security Program Operating Manual policies in ways that could reasonably result in the loss or compromise of classified information. As of September 2025, approximately 70 percent of those violations had been closed, with the remainder still open and averaging about 101 days since initial reporting.
The dominant violation category by a wide margin was data spills — classified information appearing on unclassified systems — accounting for 58.9 percent of all violations. Improper storage was second at 11.5 percent, followed by access breach or unauthorized disclosure at 6.5 percent, physical loss at 6.3 percent, and improper physical transfer at 5.6 percent. The remaining 11.2 percent were categorized as other or pending determination. Most violations are self-reported by contractors rather than identified directly by DCSA personnel during reviews.
The average time to close a security violation in FY2025 was approximately 67 days. Roughly 60 percent were resolved within 60 days of initial reporting, while about 3 percent remained open beyond 200 days. DCSA personnel are responsible for following up with cleared contractors to verify that identified violations have been investigated and mitigated.
Open security vulnerabilities present a different and arguably more systemic picture. As of September 2025, DCSA had identified 1,032 open vulnerabilities — weaknesses in contractor security programs indicating noncompliance with NISPOM requirements that could be exploited to gain unauthorized access to classified information or classified IT systems. Five categories accounted for about 82 percent of the total: Procedures (22.4 percent), Security Training and Briefings (19.8 percent), Determination of Access to Classified Information (15.7 percent), Reporting Requirements (13.3 percent), and Information System Security (10.8 percent).
About 78 percent of open vulnerabilities had been unmitigated for 90 days or less at year-end, suggesting reasonable throughput on recent findings. But the pool itself is telling. DCSA’s own internal analysis found that for every year a security review is delayed, field personnel discover 1.5 to 2.5 times more vulnerabilities at the facility when they eventually arrive — meaning that the substantial portion of facilities going without timely reviews generates risk that is compounding, not static.
The security review pipeline that produces this data has itself been recovering from a near-total shutdown. DCSA completed only 49 reviews in FY2021 and 2,775 in FY2022, both depressed by the COVID-19 pandemic. Reviews reached 3,618 in FY2023, 4,692 in FY2024, and 4,634 in FY2025 — still a fraction of what would be required to cover the full population of facilities on schedule.