DCSA Is Building a $163 Million NISS Replacement Without Asking the People Who Will Use It
In April 2024, DCSA began developing a replacement for NISS called NISS Increment 2, or NI2. The agency plans to spend approximately $163 million building it. NI2 is intended to deliver a multi-disciplinary risk picture across the defense industrial base, with role-based case management, automated communications, integrated analytics, and expanded access for government customers. Development is proceeding under an Agile methodology, which formally emphasizes early and continuous engagement with end users as a core principle of the approach.
The GAO found that DCSA has not followed that principle in any meaningful way for the components of NI2 that most directly affect the field personnel, military departments, and industry partners who will actually use the system.
DCSA wrote a user agreement for NI2 that specifies, among other things, that two or more users from each community should contribute to developing the Capability Needs Statement — the document that lays out requirements for the entire program. The agency did not comply with its own user agreement. When GAO conducted focus groups with DCSA regional officials in spring 2025, participants either were unaware that a replacement for NISS was under development or were aware but had not been contacted for input. Military department officials responsible for industrial security reported mixed awareness of NI2 as late as the fourth quarter of 2024, and those who were aware expressed a need for substantially more engagement. Defense industry representatives interviewed in March 2025 reported that industry had not been consulted on NI2 at all at that time.
The engagement that did occur was narrow and late. DCSA initially identified user representatives only from its own headquarters Office of Entity Vetting. External DOD stakeholders were not identified until spring 2025 — after development work had already begun — and their involvement focused on the first capability group, which addresses foreign ownership and control risk vetting rather than the core NISS replacement functions that regional operators depend on. The Air Force separately reported that during DCSA’s migration of the NISP Contract Classification System into NI2’s second capability group, there was no engagement during requirements development and insufficient advance communication before testing.
NI2 is planned in three capability groups. The first, focused on foreign ownership risk assessment, is projected to begin operating in early 2026. The third, which replaces the core elements of NISS including facility clearance and compliance data, is not scheduled for deployment until FY2028. DCSA officials told GAO in January 2026 that they had not yet started development on capability group three and therefore had not engaged users on it. The GAO’s concern is that the same pattern — deferred engagement, requirements set without user input, feedback solicited too late to matter — will produce a system that replicates the current frustrations of NISS rather than resolving them.
Regional personnel who experienced the original NISS deployment described the feedback collection process for that system as having occurred so close to rollout that their input was not incorporated. That institutional memory appears not to have changed DCSA’s development approach for the system meant to replace it.