The Defense Counterintelligence and Security Agency documented 815 security violations at cleared contractor facilities during fiscal year 2025 — incidents where contractors failed to comply with National Industrial Security Program Operating Manual policies in ways that could reasonably result in the loss or compromise of classified information. As of September 2025, approximately 70 percent of those violations had been closed, with the remainder still open and averaging about 101 days since initial reporting.

The Defense Counterintelligence and Security Agency spent $163.2 million on its industrial security mission in fiscal year 2025, a sharp jump from $102.8 million in FY2023 and the highest figure in the five-year period the GAO examined. But the spending increase tells only part of the story — and the more revealing part lies in where the money and personnel did not go.

From FY2021 through FY2024, total industrial security personnel remained essentially flat, ranging between 394 and 412. The FY2025 count of 479 represents a 19 percent increase over FY2024, but 42 of the 76 new positions were added at headquarters — partly to support a statutory expansion of DCSA’s entity vetting mission, not to put more boots on the ground for security reviews. Regional field personnel grew from 319 in FY2021 to 329 in FY2025, an increase of roughly 3 percent over four years.

In April 2024, DCSA began developing a replacement for NISS called NISS Increment 2, or NI2. The agency plans to spend approximately $163 million building it. NI2 is intended to deliver a multi-disciplinary risk picture across the defense industrial base, with role-based case management, automated communications, integrated analytics, and expanded access for government customers. Development is proceeding under an Agile methodology, which formally emphasizes early and continuous engagement with end users as a core principle of the approach.

The National Industrial Security System — NISS — is the web-based platform DCSA uses to manage and document the industrial security activities it performs across more than 12,500 cleared contractor facilities. It is also, by the consistent account of the officials who use it daily, a system that compounds the workload it is supposed to streamline.

The list of challenges documented by the GAO, drawn from focus groups with DCSA regional personnel, interviews with military department officials, and feedback from defense industry representatives, is extensive. NISS is slow, frequently timing out or failing to save work. It experiences significant periods of total unavailability. Its search functionality requires labor-intensive manual navigation through multiple records to surface information that should be readily queryable. It lacks trend reporting capabilities, forcing officials to export raw data and construct analytic products outside the system using workarounds. It does not interoperate reliably with other key systems — including the Enterprise Mission Assurance Support Service, the NISP Contract Classification System, and the Defense Information System for Security — meaning that data must frequently be manually re-entered across platforms. Information Systems Security Professionals reported that the lack of integration between NISS and the Enterprise Mission Assurance Support Service alone doubles or triples their workload on classified IT system oversight.

One of the more precise findings in the GAO’s April 2026 industrial security report is that DCSA has built risk assessment capabilities at the national level while leaving its regional operators without meaningful tools to analyze risk in their own portfolios. The gap matters because the facilities within each of DCSA’s four regions — Mid-Atlantic, Eastern, Central, and Western — have substantially different characteristics, and national-level trend data does not capture the distinctions that should drive local prioritization.

The workforce shortfall in DCSA’s industrial security mission is not a new discovery. In June 2023, DCSA’s director sent a memorandum to the Under Secretary of Defense for Intelligence and Security documenting that the agency was resourced to conduct required oversight of only 25 to 30 percent of the cleared industrial base. The memorandum offered three investment options — a 100 percent option, a 70 percent option, and a 30 percent option — each projecting the additional security violations, vulnerabilities, and undetected threats that could be identified at varying staffing levels. The 100 percent option, DCSA’s recommended proposal, called for adding 230 Industrial Security Representatives, 164 Information Systems Security Professionals, 25 field office chiefs, and 17 ISSP Team Leads across the Future Years Defense Program.

A new Government Accountability Office report (GAO-26-107861) concludes that the Defense Counterintelligence and Security Agency faces persistent structural gaps in how it manages risk across the National Industrial Security Program — the framework through which the federal government extends classified contract work to private industry. The report, released April 2026, identifies failures in risk assessment tools, workforce planning, a troubled oversight center, and a data system replacement that has proceeded without meaningful input from the people who use it.

The National Access Elsewhere Security Oversight Center was established by DCSA in 2019 with a reasonable premise: take the roughly 5,000 cleared facilities that do not possess classified information onsite — about 40 percent of the entire National Industrial Security Program — and consolidate oversight of them in a centralized unit, freeing regional field operators to focus on more complex, higher-risk possessing facilities. After six years, the consensus among DCSA’s own field personnel is that the center has not delivered on that premise.