Why It Matters
The federal agency responsible for ensuring that thousands of defense contractors properly handle classified information is completing less than 40 percent of its required inspections. That means that the bulk of contractor facilities storing or accessing America's military secrets are going uninspected, sometimes for years, while the agency tasked with overseeing them lacks the staff, the technology, and the regional tools to close the gap.
A new report from the Government Accountability Office, published April 24, lays out in stark terms how the Defense Counterintelligence and Security Agency is failing to meet its core mission, and how the Department of Defense has known about the problem for years without taking meaningful corrective action.
A Broken Inspection System
The Defense Counterintelligence and Security Agency, known as DCSA, operates under the National Industrial Security Program, the governing framework established by Executive Order 12829 that regulates how defense contractors access and store classified material. DCSA is responsible for inspecting those contractor facilities to ensure compliance. According to the GAO report, it is conducting fewer than four in ten of the inspections it is required to perform.
Analysis cited by k4i.com found that for every year a review is delayed, DCSA inspectors discover between 1.5 and 2.5 times more vulnerabilities when they finally arrive. The longer the gap, the deeper the exposure.
Workforce Shortfalls
The most direct cause of the inspection shortfall is a staffing problem that DCSA's own personnel have flagged repeatedly. Focus groups of DCSA employees consistently identified personnel shortages as their top concern, according to the k4i.com analysis of the agency's operations. The workforce is too small to cover the portfolio it is assigned to oversee.
What makes this particularly striking is the spending trajectory alongside it. DCSA's industrial security spending reached $163 million in fiscal year 2025, a significant surge, yet field staffing levels barely moved. More money flowed in, but the inspectors did not follow.
Technology Issues
The workforce problem is compounded by an IT infrastructure that the GAO report describes as inadequate. DCSA's Industrial Security Data System, the platform field personnel rely on to manage their caseloads and document findings, has been described as slow, unreliable, and widely disliked by the people who use it daily. A replacement initiative has not resolved the frustration.
The combination of too few inspectors and tools that impede rather than assist their work creates a compounding operational drag that the GAO found DCSA has not adequately addressed.
Security Risk Management Gaps
The GAO report draws a meaningful distinction between what DCSA has built at the national level and what is actually available to the people doing the work in the field. At the national level, DCSA has developed analytic tools, including a prioritization system called Safeguard, that help identify which contractor facilities pose the highest risk and should be inspected first.
But regional operators, the personnel actually managing inspection portfolios across the country, lack equivalent analytic tools to assess risk within their own geographic areas. That gap means the risk-based prioritization that should be guiding which facilities get inspected when is not consistently reaching the people making those decisions on the ground.
The GAO acknowledges that DCSA has taken some steps in the right direction. The agency issues annual mission guidance, has begun rebuilding its training pipeline, and conducts some level of national risk identification. The report characterizes these efforts as insufficient given the scale of the mission gaps.
DOD's Inaction
Perhaps the most pointed finding in the GAO report is not the inspection shortfall itself, but the history behind it. The Department of Defense has been aware of DCSA's workforce gap for years. According to reporting by k4i.com, that awareness has not translated into corrective action at the scale the problem demands.
That pattern, a known deficiency that persists without resolution, is precisely the kind of institutional failure that congressional oversight is designed to surface. The GAO report's framing, calling for "improved risk management and stakeholder engagement," signals that the agency's problems are not simply operational. They reflect a failure to engage the right people, inside and outside DCSA, in building solutions.
The Political Stakes
The defense industrial base encompasses thousands of companies, from large prime contractors to small specialized firms, all of which may handle classified technical data, weapons specifications, or intelligence-adjacent information. When the agency responsible for verifying that classified information security protocols are being followed cannot get to the majority of facilities it is supposed to inspect, the exposure is systemic.
Espionage targeting the defense industrial base is not a theoretical concern. Nation-state actors, particularly China and Russia, have demonstrated sustained interest in penetrating contractor networks to obtain military technology and intelligence. A security inspection regime operating at less than 40 percent capacity is not a minor administrative shortcoming. It is a structural vulnerability in one of the country's core national security frameworks.
GAO's Recommendations
The full report, available at gao.gov, contains specific recommendations directed at DOD and DCSA. The report's title signals the two central areas: risk management practices need to be strengthened, and stakeholder engagement, meaning coordination with contractors, regional personnel, and oversight bodies, needs to improve. The GAO's recommendations carry weight because agencies are required to respond to them and report on implementation progress formally.
Access the Legis1 platform for comprehensive political news, data, and insights.