DCSA's Industrial Security Data System Is Slow, Unreliable, and Universally Disliked
The National Industrial Security System — NISS — is the web-based platform DCSA uses to manage and document the industrial security activities it performs across more than 12,500 cleared contractor facilities. It is also, by the consistent account of the officials who use it daily, a system that compounds the workload it is supposed to streamline.
The list of challenges documented by the GAO, drawn from focus groups with DCSA regional personnel, interviews with military department officials, and feedback from defense industry representatives, is extensive. NISS is slow, frequently timing out or failing to save work. It experiences significant periods of total unavailability. Its search functionality requires labor-intensive manual navigation through multiple records to surface information that should be readily queryable. It lacks trend reporting capabilities, forcing officials to export raw data and construct analytic products outside the system using workarounds. It does not interoperate reliably with other key systems — including the Enterprise Mission Assurance Support Service, the NISP Contract Classification System, and the Defense Information System for Security — meaning that data must frequently be manually re-entered across platforms. Information Systems Security Professionals reported that the lack of integration between NISS and the Enterprise Mission Assurance Support Service alone doubles or triples their workload on classified IT system oversight.
For military departments, the problem manifests as a lack of visibility. Departments holding classified contracts with cleared facilities have limited access to NISS compliance data for those facilities, hampering their ability to monitor the security status of contractors performing on their contracts. Workarounds exist, but they are exactly that.
Industry faces its own friction. Updating facility information in NISS — including ownership changes that contractors are required by regulation to report — can take a year to process through the system’s approval workflow. The system allows only one change condition to be submitted at a time, even though companies often experience multiple qualifying changes in a single year. The result is a compliance reporting process that is structurally ill-suited to the pace of business.
Navigation is described as uniformly difficult. The system lacks a back button. Documenting activities in NISS routinely takes longer than the underlying task being documented. One focus group participant described NISS as more of a logistical tracker than an analytic tool — a characterization that, given the tool’s actual capabilities, is not unfair.
DCSA began developing NISS in its current form years ago. Officials and focus group participants who took part in the pre-deployment feedback process for that system described the input collection as having occurred too close to rollout to influence the final product. That experience framed the concern raised in the GAO’s findings about the NISS replacement: that DCSA appears to be repeating the same error.