
DoD’s System to Protect Classified Information Held by Contractors Is Under Strain
Why It Matters
Insufficient oversight of cleared contractors heightens the risk of classified data breaches, threatening national security and the integrity of the defense industrial base.
Key Takeaways
- DCSA completed only 4,600 of 12,500 required FY2025 inspections.
- 60% of violations are unintentional data spills.
- Average remediation takes 67 days from detection to resolution.
- Outdated IT tools hinder trend analysis and information sharing.
- GAO urges risk‑based prioritization, more staff, and modernized systems.
Pulse Analysis
The National Industrial Security Program (NISP) relies on DCSA to certify and continuously assess more than 12,500 cleared facilities and 5,500 classified IT systems. Established under NIST and the Committee on National Security Systems, the program’s risk‑management model is designed to detect and remediate security gaps before they can be exploited. However, the sheer scale of the contractor base, combined with a modest budget of roughly $160 million, strains DCSA’s capacity to meet its 12‑ to 18‑month inspection cycle.
GAO’s latest assessment highlights three critical weaknesses. First, DCSA completed only 4,600 inspections in FY 2025, leaving a large portion of facilities unchecked. Second, the majority of reported violations—about 60%—are simple data spills, indicating pervasive human‑error issues that could be mitigated with better training and oversight. Third, the agency’s reliance on legacy spreadsheets and fragmented IT tools hampers trend analysis, making it difficult to prioritize high‑risk sites. Despite these challenges, DCSA resolves identified issues in an average of 67 days, showing operational competence once a problem is flagged.
The implications extend beyond compliance paperwork. As cyber threats intensify, any lapse in industrial‑base security can expose classified designs, supply‑chain vulnerabilities, and ultimately compromise U.S. defense capabilities. GAO recommends a multi‑pronged approach: adopt a risk‑based assessment framework to focus resources on high‑value facilities, invest in modern analytics platforms for real‑time monitoring, and consider delegating certain inspections to military services with appropriate training. Addressing these gaps will not only improve DCSA’s inspection throughput but also reinforce the overall resilience of the defense industrial ecosystem.