Contractor Data Violations Spike
- The Government Accountability Office said on April 24 that the Defense Counterintelligence and Security Agency logged 815 security violations and more than 1,000 open vulnerabilities at cleared contractor facilities in fiscal 2025.
- The audit said DCSA conducted more than 4,600 security reviews, used over 470 industrial-security staff and spent more than $160 million, yet still left major gaps in regional risk analysis and oversight.
- DCSA oversees security for roughly 90% to 95% of U.S. classified contracts, making contractor lapses a government-wide exposure rather than a narrow Pentagon problem. (gao.gov)
The Government Accountability Office said the Pentagon’s contractor-security watchdog logged 815 violations and more than 1,000 open vulnerabilities in fiscal 2025. (gao.gov) (bloomberg.com) The watchdog is the Defense Counterintelligence and Security Agency, or DCSA, which checks whether contractors that handle classified work store, access and protect that material correctly. (gao.gov) (bloomberg.com)

GAO said DCSA carried out more than 4,600 security reviews in fiscal 2025, using more than 470 industrial-security personnel and spending more than $160 million on the mission. (gao.gov)

A security violation is an incident in which a contractor breaks National Industrial Security Program rules in a way that could lead to the loss or compromise of classified information. GAO said one example is a data spill, when classified material appears on an unclassified system. (gao.gov) An open security vulnerability is different: it is a weakness in a contractor’s security program that could be exploited to gain unauthorized access to classified information or classified systems. (gao.gov)

The report did not just count incidents. GAO said DCSA had not fully closed gaps in how it assesses and responds to risk across its industrial-security operations, including a lack of analytic tools to help field staff spot regional trends. (gao.gov)

GAO also examined a DCSA initiative launched in 2019 called the National Access Elsewhere Security Oversight Center, or NAESOC. Participants in all 12 GAO focus groups reported insufficient staffing, limited risk reduction and dissatisfaction from industry. (gao.gov)

According to Bloomberg, DCSA is responsible for protecting classified information tied to an estimated 90% to 95% of U.S. classified contracts across the federal government. That makes the findings larger than a single-agency compliance problem. (bloomberg.com)

GAO said DCSA has started developing a replacement for its current industrial-security data system after identifying problems with the existing system of record. (gao.gov)

The report’s bottom line is narrow and concrete: thousands of contractor reviews still produced hundreds of violations, more than 1,000 unresolved weaknesses and a warning that DCSA’s own risk tools are not keeping up. (gao.gov)