800 Security Violations And 1,000 Open Vulnerabilities Found By DCSA At DOD Cleared Contractor Facilities In 2025

GAO Report GAO-26-107861

“GAO is making four recommendations to DOD, including that the department provide enhanced analytic tools for regional operators; assess the National Access Elsewhere Security Oversight Center (NAESOC) risk response effort; and ensure ongoing stakeholder feedback”.

______________________________________________________________________________________________________

“Fast Facts

DOD’s Defense Counterintelligence and Security Agency ensures that contractors are properly accessing and storing classified information. However, this agency conducts less than 40% of its required inspections of contractor facilities, which puts this classified information at risk.

This agency also struggles with things like a small workforce and an inadequate IT system. For example, its current IT system doesn’t have the analytic capabilities the agency would need to more easily identify risks and regional trends.

We made recommendations to help the agency address this and other issues to better protect national security information.

What GAO Found

In fiscal year 2025, the Defense Counterintelligence and Security Agency (DCSA) conducted over 4,600 security reviews. The agency also documented over 800 security violations (see figure) and over 1,000 open security vulnerabilities associated with cleared contractor facilities. To conduct its industrial security mission, DCSA relied on over 470 industrial security mission personnel and spent over $160 million in fiscal year 2025.

Defense Counterintelligence and Security Agency (DCSA) Documented 815 Security Violations by Category Type, Fiscal Year 2025

Note: Security violations are incidents where a contractor fails to comply with the National Industrial Security Program Operating Manual’s policies and procedures that could reasonably result in the loss or compromise of classified information. For example, data spills are when classified information appears, or “spills,” onto an unclassified system. Security vulnerabilities are identified weaknesses in a contractor’s industrial security program that could be exploited to gain unauthorized access to classified information or information systems accredited to process classified information.

DCSA has taken steps to manage risk with the industrial security mission. These include efforts to identify, assess, and respond to risk. However, DCSA has not addressed gaps to fully assess and respond to risks to its operational activities in line with DOD guidance on risk management. For example, DCSA has not identified and developed analytic capabilities to better support field operators’ assessments of risk at the regional level. With such capabilities, the agency could identify the most significant regional trends affecting its overall performance objectives.

Further, DCSA began an initiative in 2019—the National Access Elsewhere Security Oversight Center (NAESOC)—aimed at mitigating risk partly through the reduction of workload on regional officials. However, participants in all 12 of the focus groups GAO conducted reported on the center’s insufficient staffing, limited risk mitigation, and industry dissatisfaction. According to DCSA officials, the agency has not comprehensively assessed the NAESOC risk response effort, including identifying its resourcing needs and outcome-oriented performance goals. Doing so would be in line with DOD risk guidance to conduct regular assessments on risk responses.

Finally, DCSA identified challenges with its current industrial security data system of record and has begun developing a replacement. However, DCSA has not continuously engaged its end-users—DCSA regional and military department officials—throughout the development process, to include requirements development and other stages prior to testing. Without doing this, DCSA risks developing a replacement system with ongoing challenges.

Why GAO Did This Study

Foreign entities continue to attempt to illicitly obtain classified information and technology from industry thousands of times a year. DCSA, a Department of Defense (DOD) component, administers the DOD portion of the National Industrial Security Program (NISP), with the purpose of protecting classified information released to federal contractors, among others. DCSA has responsibility for ensuring that contractors properly access and store classified content for an estimated 90 to 95 percent of U.S. classified contracts across the federal government.

House Report 118-125 includes a provision for GAO to review DOD’s administration of the NISP. This report addresses (1) the funding, personnel, and training DCSA dedicates to perform its industrial security mission, and the extent to which DCSA (2) has managed risks within the NISP’s core operational activities and (3) is addressing challenges with the National Industrial Security System.

GAO reviewed documents and interviewed officials from DCSA, the military service components, and the National Archives and Records Administration. GAO also conducted a series of focus groups with 80 selected DCSA regional personnel who conduct industrial security operations.

Recommendations

GAO is making four recommendations to DOD, including that the department provide enhanced analytic tools for regional operators; assess the NAESOC risk response effort; and ensure ongoing stakeholder feedback during the development of its new system of record. DOD concurred with the recommendations.

Recommendations for Executive Action

Agency Affected: Department of Defense
Recommendation: The Secretary of Defense, through the Under Secretary of Defense for Intelligence and Security, should ensure that the Defense Counterintelligence and Security Agency identifies and develops enhanced analytic tools for field operators to better support their assessments of risk at the regional level. (Recommendation 1)
Status: Open. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Agency Affected: Department of Defense
Recommendation: The Secretary of Defense should ensure that the Under Secretary of Defense for Intelligence and Security implements a risk response plan with specific actions to address the Defense Counterintelligence and Security Agency-identified risk of a limited workforce for industrial security. Such actions could include, as appropriate, changing the periodicity of security reviews to align with DOD’s overall risk appetite in the mission area, sharing more industrial security responsibilities with the military departments, or other steps that DOD deems appropriate to address the risks to industrial security. (Recommendation 2)
Status: Open. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Agency Affected: Department of Defense
Recommendation: The Secretary of Defense, through the Under Secretary of Defense for Intelligence and Security, should ensure that the Defense Counterintelligence and Security Agency comprehensively assesses the NAESOC risk response effort, including identifying its resourcing and personnel needs, establishing outcome-oriented performance goals, and evaluating its organizational alignment with other directorates. (Recommendation 3)
Status: Open. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Agency Affected: Department of Defense
Recommendation: The Secretary of Defense, through the Under Secretary of Defense for Intelligence and Security, should ensure that the Defense Counterintelligence and Security Agency continuously engages with relevant stakeholders—including regional DCSA, military department, and industry officials—throughout the development process for NI2, to include requirements development and other stages prior to testing. In doing so, the department should revisit the Capability Needs Statement with relevant stakeholders to validate that it meets their needs, and update it, if necessary. (Recommendation 4)

GAO Contacts

Joe Kirschbaum

Director

Defense Capabilities and Management


Media Inquiries

Sarah Kaczmarek

Managing Director

Office of Public Affairs



#ContractorSecurity #DCSA #GAO #SecurityViolations #SecurityVulnerabilities
⭕“We sit in front of the tap until 5 o'clock to be able to get water.” A heartfelt cry from the residents of #Gao, in #Mali:

#Mali #War

April 25, 2026: A series of coordinated attacks at several locations in Mali. Fighters of Jama’at Nusrat al-Islam wal-Muslimin (#JNIM) launched attacks in #Kati, #Sévaré, #Bamako, #Senou and #Mopti. The Azawad Liberation Front (#FLA - #Tuareg) claimed control over #Kidal and parts of #Gao.

Background article on the development of the civil war since 2012 and the actors involved, as well as on the attacks in April 2026 (as of April 26).

https://emrawi.org/?Krieg-in-Mali-Attacken-im-April-2026-3997

War in Mali: Attacks in April 2026

On April 25, 2026, a series of coordinated attacks took place at several locations in Mali. Fighters of Jama’at Nusrat al-Islam wal-Muslimin (JNIM) launched attacks in Kati, Sévaré, Bamako, (...)

Will accountability finally arrive for the Epstein files? Justin Papp reports the GAO will investigate the DOJ's handling of Epstein documents, at Congress' request. Sen. Jeff Merkley alleges the Trump administration sided with the rich and powerful by heavily redacting names. This probe aims for transparency. Learn more about this crucial investigation.
https://www.cnbc.com/2026/04/28/jeffrey-epstein-doj-gao-congress.html #EpsteinFiles #DOJ #GAO
#Gao: Fighting under way, exchanges of gunfire, detonations. A #Malian/Russian helicopter was shot down (second video). The #Malian army speaks of a “coordinated terrorist offensive” that it says it has “foiled”. It claims to control the situation in certain places. #BrantPhilip_
The U.N. human rights office voiced concerns about the trial of Chinese dissident artist #Gao Zhen, known for satirical sculptures of Mao Zedong. Gao, facing charges of slandering national heroes, raises questions about retroactive criminal law application. His trial, in March 2024, concluded without a verdict but he remains in detention and apparently in ill health. https://www.devdiscourse.com/article/law-order/3875259-artists-trial-sparks-global-human-rights-debate
Artist's Trial Sparks Global Human Rights Debate | Law-Order

The United Nations human rights office expressed worry over the trial of renowned Chinese dissident artist Gao Zhen. Known for his provocative sculptures of Mao Zedong, Gao faces charges under a controversial law that questions retroactive application of criminal statutes, striking at the heart of artistic expression.

Devdiscourse

#LLRX #CyberSecurity @bespacific

Pete Recommends – Weekly highlights on cyber security issues, April 18, 2026

Five highlights from this week: How the Internet Broke Everyone’s Bullshit Detectors; They See Your #photos; Agencies fall short on documenting AI acquisition best practices, #GAO says; US Government Fails to Unmask #Reddit User: #Privacy Legal Battle; and A new cybercrime platform called #ATHR can harvest credentials via fully automated voice #phishing attacks that use both human operators and AI agents for the social engineering phase.

Posted in: #AI, #cybercrime, Cybersecurity, Privacy, Social Media

https://www.llrx.com/2026/04/pete-recommends-weekly-highlights-on-cyber-security-issues-april-18-2026/

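CHILL CLUB press conference | Ivy and Gao unaware they had been caught by Keung To; Amy Lo's "Night King" (《夜王》) role sees the light of day again: "the feeling of regaining what was lost"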
https://www.am730.com.hk/娛樂/1024455/chill-club記者會-ivy與gao被姜濤捕獲懵然不知-amy-lo-夜王-角色重見天日-失而復得嘅感覺

The Rehearsal State: When Governance Becomes Performance

There is a scene in every disaster movie where the official steps to the podium, adjusts the microphone, and assures the public that resources are being mobilized, plans are being activated, and the full weight of the institution is being brought to bear. The audience in the theater knows the official is lying or incompetent or both. The audience at home, watching the real version of the same press conference after the real hurricane or the real chemical spill, has no such certainty. They take the performance at face value. They go to bed believing the plan exists.

This is the rehearsal state: a condition of governance in which the appearance of institutional action has entirely replaced institutional action itself. Briefings substitute for deployments. Executive orders substitute for enforcement mechanisms. A task force substitutes for the task. What remains is an empty dramatic structure, all exposition and no second act, staged with professional lighting and delivered with the practiced cadence of competence.

The theatrical vocabulary is precise here and worth using. In dramatic structure, the second act is where conflict meets consequence. Characters act. Decisions produce outcomes. The machinery of the plot engages with material reality. A play that consists of nothing but first-act exposition, characters explaining what they intend to do, followed by a curtain call would be recognized instantly as a failure of craft. No audience would accept it. Yet this is the structural blueprint of contemporary American governance at nearly every level, and audiences accept it every day.

Consider FEMA’s operations following Hurricane Maria in Puerto Rico in 2017. The press briefings were immaculate. Officials appeared before cameras with updated death tolls, logistical summaries, and assurances of coordination with local authorities. A Government Accountability Office report published in 2018 found that FEMA had entered the disaster with a shortage of trained staff, inadequate supply contracts, and no workable distribution plan for an island territory. Some of those failures were structural and predated any individual decision to perform competence at a podium. That distinction matters, and it sharpens the argument: the briefing apparatus and the logistics apparatus operated on separate circuits, and only the briefing circuit ever worked. Briefings ran on schedule. Water did not arrive on schedule. Generators sat in mainland warehouses. An estimated 2,975 people died, many of them in the weeks and months after the storm, from causes that functioning logistics would have prevented. The performance of response was flawless. The response killed people.

Corporate governance replicates the same structure with its own scenography. Beginning around 2020, virtually every Fortune 500 company published a diversity, equity, and inclusion report. The reports featured full-color graphics, letters from the CEO, and quantified commitments. A 2023 analysis by the Washington Post examining SEC filings and internal workforce data found that, at most of the companies studied, the demographic composition of senior leadership had changed by less than two percentage points in three years. The reports were playbills. They described the production without performing it.

Municipal government may be the purest laboratory for studying the rehearsal state because the stage is small enough to see clearly. Any resident of a mid-size American city has attended, or heard accounts of, the community input session. A standardized format governs the proceedings: a gymnasium or auditorium, a panel table at the front, a sign-in sheet, a microphone on a stand for public comments, and a two-minute time limit per speaker. In most cases, the decision this session purports to inform, the zoning variance, the school closure, the budget reallocation, has already been made. Council members or planning commissioners will vote along predetermined lines regardless of what is said at the microphone. What the session provides is the documentation of input, a procedural receipt with no bearing on the outcome. It is a prop in a legal performance designed to satisfy procedural requirements for public participation. The residents who attend and speak and even weep at the microphone are extras in a production whose cast list was finalized before the doors opened.

The dramaturgical term for what these institutions are doing is blocking. In theater, blocking is the choreographed physical movement of actors on stage: where they stand, when they cross, how they position themselves relative to the furniture and to each other. Blocking creates the visual impression of action. A character who crosses downstage with urgency appears to be doing something even if the script gives them nothing to do. American institutional governance has become expert at blocking. Officials move to podiums. They sign documents in front of cameras and tour damaged neighborhoods in windbreakers. Between appearances, they sit at long tables with nameplates. Every movement is choreographed to produce the visual grammar of response, oversight, and authority. The blocking is superb, and it has to be, because there is no script beneath it.

This condition did not arrive overnight. Its roots are tangled with the professionalization of political communication that accelerated after Watergate, when officials learned that the appearance of transparency could substitute for transparency itself. The post-Watergate press conference, with its tabletop microphones and tabulated talking points, was designed as an antidote to secrecy. Within a decade it had become its own species of secrecy, a controlled performance environment in which information was released in calibrated doses, questions were managed through selection and repetition, and the physical staging of openness, the open room, the visible faces, the recorded transcript, masked the operational closure beneath it.

Bad governance is only the surface consequence of the rehearsal state. The deeper damage is a population rendered unable to distinguish governance from its simulation. When citizens have spent decades watching the same dramaturgical structure, the podium, the talking points, the earnest facial expression, the promise of follow-through, they lose the ability to ask whether anything happened after the cameras left. Performance becomes self-ratifying. An official held a press conference, so the public concludes the problem was addressed. A company published a report, so change must have occurred. A meeting was held, so the community was consulted.

This erosion of critical spectatorship is the precondition for something worse. Populations trained to accept the performance of governance as governance itself are structurally prepared to accept authoritarian spectacle as competence. A rally replaces the legislature. Signing ceremonies, staged with flags and witnesses and the slow exhibition of the signature itself, replace the statute. An appearance at the disaster site, the rolled sleeves, the handshake with the first responder, the squint into the middle distance, replaces the relief operation. Authoritarianism does not need to abolish democratic institutions if it can hollow them into stages. The rehearsal state is the advance work.

What would it mean to demand a second act? It would mean treating every institutional announcement as a first-act curtain, an interesting premise that requires development before it can be evaluated. After every press conference, citizens would need to ask what measurable outcome was promised within a defined timeframe. Corporate reports would be treated as promissory notes and audited with the same scrutiny applied to financial statements. And anyone walking into a community input session would carry a single question: has this body ever reversed a decision based on public comment, and if so, when?

The rehearsal state persists because it is comfortable for everyone involved. Officials prefer it because performance is easier than policy. Citizens go along because watching a performance requires less effort than monitoring an outcome. And the press cooperates because a press conference is a story, while the absence of follow-through is a silence that nobody assigns a reporter to cover. Breaking the rehearsal state requires an audience willing to sit through the first act and then refuse to applaud until the second act is performed. That is harder than clapping. It is also the minimum price of self-governance.

#emergency #FEMA #GAO #government #killed #people #performative #rehearsal #state #suffering