GAO Finds Critical Gaps in DOD Industrial Security Program
A new Government Accountability Office report (GAO-26-107861) concludes that the Defense Counterintelligence and Security Agency faces persistent structural gaps in how it manages risk across the National Industrial Security Program — the framework through which the federal government extends classified contract work to private industry. The report, released April 2026, identifies failures in risk assessment tools, workforce planning, a troubled oversight center, and a data system replacement that has proceeded without meaningful input from the people who use it.
Foreign entities attempt to steal classified U.S. information and technology thousands of times annually. DCSA administers the DOD portion of the NISP on behalf of DOD components and 35 other federal agencies, covering an estimated 90 to 95 percent of U.S. classified contracts across the federal government. The agency oversees more than 12,500 cleared facilities and 5,500 classified IT systems in industry.
In fiscal year 2025, DCSA conducted over 4,600 security reviews, documented 815 security violations, and identified more than 1,000 open security vulnerabilities at cleared contractor facilities. To execute this mission, the agency deployed over 470 industrial security personnel at a cost exceeding $160 million.
The GAO’s core finding is that DCSA has taken some appropriate steps — it identifies risk, maintains a Safeguard prioritization tool, issues annual mission guidance, and has begun rebuilding its training pipeline — but has left significant gaps in both how it assesses risk and how it responds to the risks it has identified. On the response side, higher-level DOD leadership has been particularly passive: a 2023 DCSA proposal with three workforce investment options was submitted to the Under Secretary of Defense for Intelligence and Security and, as of late 2025, none of its options had been acted upon.
The GAO makes four recommendations to DOD, all of which the department concurred with. They address the need for enhanced regional analytic tools, a formal risk response plan for the workforce gap, a comprehensive assessment of the National Access Elsewhere Security Oversight Center, and continuous stakeholder engagement throughout the development of the NISS replacement system. DOD’s written responses to the first three recommendations included substantive implementation details. The fourth received only a one-word concurrence with no specifics.