DOD Has Known About the DCSA Workforce Gap for Years and Has Not Acted
The workforce shortfall in DCSA’s industrial security mission is not a new discovery. In June 2023, DCSA’s director sent a memorandum to the Under Secretary of Defense for Intelligence and Security documenting that the agency was resourced to conduct required oversight of only 25 to 30 percent of the cleared industrial base. The memorandum offered three investment options — a 100 percent option, a 70 percent option, and a 30 percent option — each projecting the additional security violations, vulnerabilities, and undetected threats that could be identified at varying staffing levels. The 100 percent option, DCSA’s recommended proposal, called for adding 230 Industrial Security Representatives, 164 Information Systems Security Professionals, 25 field office chiefs, and 17 ISSP Team Leads across the Future Years Defense Program.
As of September 2025 — more than two years after the memorandum — OUSD(I&S) officials confirmed to the GAO that none of the three investment options had been implemented. Officials stated that DCSA’s memorandum showed limited policy requirements or linkage to the industrial security mission, and that there was insufficient data or requirements to take further action. The DCSA director’s memorandum, in other words, was received and set aside.
DOD Instruction 5010.40 requires that for identified risks to strategic plans, a component should determine root causes, develop and implement specific risk response action plans, and establish clear accountabilities. Risk response is defined as a deliberate approach to accept, avoid, mitigate, or share risk in alignment with risk appetite. OUSD(I&S) has not met that standard. It has not accepted the risk formally, mitigated it through staffing increases, or shared it explicitly through policy changes that redistribute responsibility to the military departments.
OUSD(I&S) officials told GAO they are considering two possible responses: changing the periodicity requirements for security reviews so that certain facilities — particularly non-possessing ones — are reviewed less frequently, and shifting more industrial security responsibilities to the military departments. Both options are embedded in a planned update to DOD Manual 5220.32. As of January 2026, neither had been coordinated across the department, and the updated manual was not expected until sometime in 2026.
The practical consequences of inaction are not speculative. DCSA completed approximately one-third of required security reviews in FY2023. All twelve focus groups — every single group GAO conducted — reported that limited workforce numbers hinder the agency from meeting program requirements, and that an increased number of personnel would most directly reduce risk. Eleven of twelve groups, when asked to choose between more personnel and a better IT system as a risk mitigation, chose personnel. For every year a review is delayed, DCSA finds 1.5 to 2.5 times more vulnerabilities when it finally arrives. The compounding of unreviewed risk across thousands of facilities is the predictable result of a funding and staffing posture that has not materially changed in response to documented need.
The GAO’s second recommendation calls on the Secretary of Defense to ensure that OUSD(I&S) implements a risk response plan with specific actions — whether accepting, sharing, or mitigating the identified risk — and that those decisions be clearly documented. DOD concurred, committing to a comprehensive mission analysis with a defined timeline and a proposed implementation roadmap by December 31, 2026. Whether that commitment translates into action will determine the trajectory of a program that, by DCSA’s own account, currently leaves the majority of the cleared industrial base inadequately covered.