What GAO’s Industrial Security Report Means for the Cleared Defense Industrial Base — and How TMPC Helps

Foreign adversaries try to steal classified U.S. information from cleared industry thousands of times every year. In fiscal year 2025 alone, the Defense Counterintelligence and Security Agency (DCSA) documented 815 security violations and 1,032 open security vulnerabilities across the cleared defense industrial base. That is the headline finding of GAO-26-107861, released in April 2026, and it is not a story about an oversight agency falling short. It is a story about what is happening inside contractor facilities — and what every cleared prime, sub, and JV partner needs to do about it before their facility becomes the next data point.

“Nearly 60% of the violations DCSA documented in FY25 were data spills. Eleven percent were improper storage. Six percent were access breaches or unauthorized disclosures. These are not abstract risks. They are losses of national-security information happening at cleared facilities right now.”

What GAO Actually Found

DCSA administers the Department of War (DoW) portion of the National Industrial Security Program (NISP), which protects classified information released to federal contractors. DCSA’s reach is not modest. The agency oversees more than 12,500 cleared facilities and roughly 5,500 classified IT systems in industry, covering an estimated 90 to 95 percent of all classified contracts across the federal government.

In fiscal year 2025, DCSA conducted more than 4,600 security reviews. The data those reviews produced is the part contractors should be reading carefully:

  • 815 security violations — incidents where a contractor failed to comply with NISPOM in a way that could reasonably result in the loss or compromise of classified information.
  • Nearly 60% were data spills — classified information appearing on unclassified systems.
  • 11% were improper storage — classified material left or kept outside approved containers, rooms, or systems.
  • 6% were access breaches or unauthorized disclosures — classified information reaching people without need-to-know or proper clearance.
  • 3% were physical losses, and 5.6% were improper physical transfers.
  • 1,032 open security vulnerabilities — identified weaknesses in contractor security programs that, in DCSA’s terms, “could be exploited to gain unauthorized access to classified information or information systems.” Common categories: procedures, security training and briefings, access determinations, reporting requirements, and information system security.

The threat environment behind those numbers is unambiguous. GAO catalogues the vectors adversaries use against cleared industry: cyberattacks, espionage, business-relationship exploitation, insider threats, academic exploitation, intellectual property theft, and supply-chain disruption. Industrial security, GAO concludes, is not a compliance function. It is “a national security control system embedded in the federal contracting process.”

Why This Should Worry Every Cleared Contractor

Three things stand out in the GAO findings, and each one shifts risk directly onto the contractor.

1. The oversight ratio is shrinking, not growing.

In 2023, DCSA officials acknowledged internally that they had funding to oversee only 25–30% of the cleared industrial base. By September 2025, DoW’s Office of the Under Secretary for Intelligence and Security had not pursued any of the proposed investment options and had not hired additional industrial security personnel. GAO also found that the National Access Elsewhere Security Oversight Center (NAESOC), created to lighten the regional workload, has been ineffective, with focus group participants citing staffing shortages, limited risk mitigation, and industry dissatisfaction.

The implication for contractors is direct: fewer DCSA touches per facility per year does not mean less scrutiny when scrutiny finally arrives. It means each visit carries more weight, and accumulated vulnerabilities have more time to compound between reviews. Self-discipline is no longer optional — it is the program.

2. DCSA is shifting toward analytics and risk-based oversight.

GAO’s recommendations, which DoW concurred with, push DCSA toward enhanced analytic tools, regional trend analysis, and a comprehensive risk response plan. Officials are also weighing changes to the periodicity of required security reviews and a possible shift of more industrial security work to the military departments. In practice, that means contractors should expect the next decade of oversight to be more data-driven, more comparative, and less forgiving of recurring weaknesses. Facilities that look like outliers on procedures, training, access determinations, or IS security will draw attention regardless of how quiet the last review cycle was.

3. The five violation categories are insider-threat indicators.

Read the FY25 violation breakdown the way a counter-insider-threat analyst reads it: data spills, improper storage, access breaches, physical losses, improper transfers. Every one of those categories is also a high-frequency Potential Risk Indicator (PRI) inside a mature C-InT program. Most are unintentional. Some are not. The contractor who cannot tell the difference, in near-real time, is the contractor who shows up in next year’s report.

How TMPC Helps Cleared Contractors Get Ahead of the Risk

TMPC, Inc. is a Tampa-based SBA 8(a), SDVOSB, and SDB federal contractor specializing in Counter-Insider Threat (C-InT), User Activity Monitoring (UAM), and industrial security program support. We help cleared contractors translate the gaps GAO just made public into a defensible, day-to-day operating posture — not a binder that comes off the shelf for the next DCSA visit.

The GAO report is structured around five violation types, five vulnerability categories, and an oversight gap. TMPC's services map directly to all three, and we deploy them as right-sized engagements (assessment, build-out, embedded support, or full managed program) depending on what the contractor actually needs.

Closing the data spill gap (≈60% of all violations)

  • UAM deployment, tuning, and run support on classified and cross-domain systems, including detection logic that distinguishes accidental spillage from deliberate exfiltration so security teams aren't drowning in low-value alerts.
  • Spillage triage and remediation playbooks aligned to the NISPOM (32 CFR Part 117) and agency-specific reporting timelines, the timelines that determine whether an incident is contained or becomes a finding.
  • Mobile Device UAM (MDUAM): TMPC's emerging capability for monitoring the device class most cleared programs treat as a blind spot.

Closing the storage, access, and transfer gaps (roughly a quarter of all violations combined)

  • Insider threat program build-out and assessment against the National Insider Threat Policy, NCSC minimum standards, DoW Instruction 3000.19, and the DCSA assessment criteria that produced the violation counts in this report.
  • Access determination governance: formal, auditable processes for need-to-know, least-privilege, and role-based access to classified systems and material, with a documented review cadence.
  • Physical security and transfer controls reviewed against the NISPOM safeguarding requirements (32 CFR 117.15, the former NISPOM Chapter 5) and the FY25 violation patterns DCSA is now flagging at the regional level.

Closing the vulnerability gaps DCSA listed by name

GAO and DCSA identified the most common vulnerability categories as procedures, security training and briefings, access determinations, reporting requirements, and information system security. TMPC delivers each as a discrete, contracted capability:

  • Procedures: Insider threat plans, SOPs, and incident response procedures written to NISPOM, NCSC, and DoW standards — and built so a DCSA reviewer can find what they need without a guided tour.
  • Training and briefings: Initial, annual, and refresher curricula for cleared employees, FSOs, ITPSOs, and supervisors, including targeted-violence and pathway-to-violence content where the threat picture warrants it.
  • Access determinations: Documented access-eligibility, need-to-know, and continuous vetting workflows that survive audit.
  • Reporting requirements: Adverse information, suspicious contact, foreign travel, cyber incident, and SF-86 update reporting flows tied to cleared workforce realities, not generic templates.
  • Information system security: ISSM/ISSO support, RMF and eMASS package preparation, and CMMC Level 2 readiness. TMPC itself holds CMMC Level 2 with a 110/110 SPRS score, and our C3PAO preparation services help contractors be ready for November 10, 2026, when CMMC Phase 2 begins and Level 2 third-party (C3PAO) certification can be required as a condition of award. We also offer a post-quantum cryptography (PQC) readiness assessment for contractors planning their migration off classical public-key algorithms.

Vendor and supply-chain risk: the threat vector GAO called out by name

GAO explicitly lists supply-chain disruption and business-relationship exploitation as adversary tactics against cleared industry. TMPC’s Vendor Data Threat Mitigation framework is built specifically for this problem, mapped to NIST SP 800-171r2, NIST CSF 2.0, DoW Instruction 3000.19, NCSC guidance, and FASCSA. It gives prime contractors a defensible answer to the question DCSA and program offices are starting to ask: who has access to your data, who has access to theirs, and how would you know if that changed?

How engagements typically start

Most cleared contractors don’t need a full program rebuild — they need to know where the gaps are, in language a DCSA reviewer would use, and a credible plan to close them. TMPC engagements typically begin with a focused posture review against the exact violation and vulnerability categories cited in GAO-26-107861, followed by a prioritized remediation roadmap the contractor can execute internally, with TMPC support, or under a managed-services arrangement.

We can plug in as prime, subcontractor, or as a teammate under our PatriotWerx SBA Mentor-Protégé Joint Venture with RMC, depending on the contracting vehicle and set-aside structure that fits the customer.

The Bottom Line

The GAO report is not a warning shot. It is a baseline. 815 violations and 1,032 open vulnerabilities are now the public, congressionally cited starting point for FY26 oversight. DCSA is moving toward analytics, regional trend analysis, and risk-based prioritization with the personnel and funding it has, not the personnel and funding it asked for. Contractors who treat industrial security and insider threat as a checklist will be the ones whose facilities show up as outliers when those analytics come online.

Contractors who treat it as a program — built, monitored, exercised, and continuously improved — will not. TMPC was built to help cleared contractors operate at that standard, and the cost of getting ahead of the next GAO report is materially lower than the cost of being in it.

Sources
  • U.S. Government Accountability Office, Industrial Security: Improved Risk Management and Stakeholder Engagement Needed to Help DOD Address Mission Gaps, GAO-26-107861, April 2026.
  • Federal News Network, "GAO flags hundreds of classified contractor security violations," April 2026.
  • Bloomberg / Bloomberg Government, "US Companies Had 815 Classified Data Violations, GAO Finds," April 24, 2026.
  • ExecutiveGov, "GAO Flags Gaps in DCSA Industrial Security Oversight," April 2026.
  • U.S. Government Accountability Office, Defense Contractor Cybersecurity: DOD Should Address External Factors That Could Impede Program Implementation, GAO-26-107955, March 12, 2026.