The Government Accountability Office has identified deficiencies in the Defense Counterintelligence and Security Agency's oversight of classified information security across the defense industry.
U.S. adversaries are targeting government data. Find out how the Department of War, the FBI, the Department of Education and other agencies are addressing increasing threats at the Potomac Officers Club’s 2026 Cyber Summit on May 21. Leaders from across government and industry will be present to deliver keynote addresses, participate in panel discussions and forge new partnerships during networking sessions. Sign up here.
What Types of Security Violations Did GAO Find?
In a report published Friday, the congressional watchdog revealed that DCSA documented 815 violations and over 1,000 open vulnerabilities across contractor facilities based on more than 4,600 security reviews conducted in fiscal year 2025.
Nearly 60 percent of the violations were categorized as “data spills,” which means classified information appeared on an unclassified system. Meanwhile, 11.5 percent of the violations identified in the report involved improper storage of classified information.
Other violations include access breaches or unauthorized disclosures, physical losses and improper physical transfers.
In addition, DCSA reported 1,032 open vulnerabilities as of September 2025, reflecting weaknesses in contractor security programs that could be exploited to gain unauthorized access to classified information.
What Issues Did GAO Identify in DCSA's Industrial Data Security Oversight?
DCSA has taken steps to manage risk but has not fully aligned its efforts with DOW guidance, GAO said. For example, the agency does not use advanced analytic tools to help field operators assess regional risks and identify broader trends affecting mission performance.
The report also flagged shortcomings in the National Access Elsewhere Security Oversight Center, or NAESOC, an initiative launched in 2019 to reduce workload and mitigate risk. Focus group participants interviewed for the report shared that the center suffers from staffing shortages, limited risk mitigation and industry dissatisfaction. GAO noted that DCSA has not conducted a comprehensive assessment of the initiative’s performance or resource needs.
In addition, DCSA faces challenges with its current data system and has not consistently engaged end users during the development of a replacement platform. By not involving regional and military department officials in the development of its new industrial security data system of record, DCSA risks deploying a platform that resolves existing limitations.
GAO made four recommendations to address these issues:
- Develop enhanced analytic tools to improve regional risk assessments
- Implement a risk response plan to address workforce shortages
- Conduct a comprehensive evaluation of the NAESOC initiative
- Ensure continuous stakeholder engagement throughout the development of the new system
DOW concurred with all the recommendations.
