GAO Warns That Industrial Security Risk Management Needs Stronger Execution

In April 2026, the U.S. Government Accountability Office released Industrial Security: Improved Risk Management and Stakeholder Engagement Needed to Help DOD Address Mission Gaps, authored by GAO under the direction of Joseph Kirschbaum. The report evaluates how the Defense Counterintelligence and Security Agency administers the Department of Defense’s portion of the National Industrial Security Program, which protects classified information released to federal contractors. GAO’s central conclusion is direct: DCSA has built important tools and processes to oversee cleared industry, but gaps in risk analysis, staffing, risk response, and stakeholder engagement may limit the agency’s ability to protect classified information effectively.

The report is significant because DCSA is responsible for industrial security oversight across an estimated 90 to 95 percent of U.S. classified contracts. This mission matters not only to DOD, but also to the many civilian agencies that rely on DCSA for industrial security services. GAO notes that foreign entities continue to target U.S. classified information and sensitive technology through cyberattacks, espionage, business relationship exploitation, insider threats, academic exploitation, intellectual property theft, and supply-chain disruption. Against that threat environment, industrial security is not merely a compliance function. It is a national security control system embedded in the federal contracting process.

GAO found that DCSA devotes substantial resources to this mission. In fiscal year 2025, DCSA spent more than $160 million on industrial security activities, relied on more than 470 personnel, conducted more than 4,600 security reviews, documented 815 security violations, and identified more than 1,000 open security vulnerabilities. Many violations involved data spills, while common vulnerability categories included procedures, security training and briefings, access determinations, reporting requirements, and information system security. These findings show that the industrial base continues to face recurring weaknesses in the practical disciplines required to safeguard classified information.

GAO credited DCSA with taking meaningful steps to manage risk. These include annual industrial security mission guidance, facility-level risk scoring, workforce assessments, a redesigned training curriculum, and initiatives such as the National Access Elsewhere Security Oversight Center (NAESOC). However, GAO found that these efforts are not yet sufficient. One major gap is that DCSA lacks adequate analytic capabilities at the regional level. Regional personnel told GAO that existing tools are not sufficiently automated, user-friendly, or capable of producing meaningful trend analysis. This matters because risk does not appear uniformly across the industrial base. A region with a higher concentration of foreign ownership, control, or influence issues may need different tools and priorities than another region.

GAO also found that DCSA has not fully assessed whether NAESOC is achieving its intended risk-reduction purpose. NAESOC was created to shift oversight of lower-risk, non-possessing facilities away from regional operators so those operators could focus on more complex facilities. Yet GAO’s focus groups reported concerns about staffing, limited risk mitigation, and industry dissatisfaction. In GAO’s view, DCSA needs outcome-oriented goals and a more rigorous assessment of whether the initiative is actually reducing risk.

Finally, GAO raised concerns about DCSA’s replacement of the National Industrial Security System. DCSA recognizes that the current system has limitations, but GAO found that the agency has not continuously engaged key users throughout the replacement system’s development. That is a familiar failure mode in government technology modernization: building a system intended to solve operational problems without sufficiently incorporating the people who actually perform the work.

For federal contractors, the report is a reminder that classified contracting risk is increasingly data-driven, resource-constrained, and operational. Contractors should expect continued attention to facility security procedures, insider-threat programs, reporting discipline, information system controls, and timely remediation of vulnerabilities. GAO’s recommendations, which DOD concurred with, point toward a more analytic and risk-based oversight model. Contractors that build mature, evidence-based security programs now will be better positioned as DCSA’s oversight capabilities evolve.

Disclaimer:
This post is for general informational purposes only and does not constitute legal advice. Contractors should consult qualified counsel or security professionals regarding specific classified contracting, NISPOM, facility clearance, or DCSA compliance obligations.
