The Government Accountability Office published Report 26-107861 on April 27, 2026 — an audit of how the Defense Counterintelligence and Security Agency oversees cleared defense contractors under the National Industrial Security Program. Most readers will absorb the headline (“815 violations across 4,600 reviews”) and move on. The breakdown of those 815 violations is more useful, because it shows where cleared-contractor security programs actually fail in practice — not where the framework documents say they should.
This article is for organizations operating SCIFs, SAPFs, or otherwise handling classified material under NISPOM. If you’re at the design phase of a first cleared facility, the violation distribution should shape your architecture decisions. If you’re operating a mature classified program, it’s a benchmark for where to expect incidents and what your continuous-monitoring should be looking for.
What the report actually documented
GAO’s headline numbers from FY2025:
- 4,600+ DCSA security reviews conducted across the cleared industrial base
- 815 security violations documented
- 1,032 open security vulnerabilities identified — programmatic weaknesses where contractor security programs fall short of NISPOM requirements but haven’t yet produced an actual violation
- Industrial security funding has remained “relatively flat” while personnel-vetting funding increased
- DCSA’s capacity covers approximately 25-30% of the cleared industrial base in a given fiscal year
- As of September 2025, DoD had not added staff to industrial security reviews despite GAO’s prior recommendations
The 815 violations broke down by type:
| Category | Share | What it means |
|---|---|---|
| Data spills | ~60% | Classified material moved to a system, network, or recipient not authorized for that level |
| Improper storage | 11.5% | Classified material stored in non-approved containers, unsecured during transitions, or left out at end-of-day |
| Access breach / unauthorized disclosure | 6.5% | Classified information shared with personnel lacking proper clearance or need-to-know |
| Physical losses | 6.3% | Classified material physically lost — courier failures, lost-and-found incidents, unaccounted documents |
| Improper physical transfers | 5.6% | Classified material moved between facilities without proper courier procedures or destination authorization |
| Remaining | ~10% | Uncategorized or under-investigation at time of GAO audit |
The category distribution matters. Data spills dominate because a single human error, made against a system that does not mechanically prevent the action, is enough to cause one. The other categories are failures of physical handling and procedure, and each occurs at one-fifth to one-tenth the rate.
Category 1: Data spills (~60% of violations)
Data spills are the steady drumbeat of cleared-contractor security incidents. In practice they almost always look like this:
The cross-network email. A user reads classified material in their classified workstation, mentally summarizes it, switches to their unclassified workstation, and writes an email — and inadvertently includes a sentence that’s classified. Or sends a classified attachment they thought was unclassified. The spill propagates wherever that email reaches before detection.
The wrong-drive save. A contractor working in a SCIF saves a document to a network share that’s accessible from outside the SCIF — typically because the user thought they were on the classified network when they were actually on the corporate network. Or the document was correctly classified-network-only but a sync tool replicated it to the corporate environment.
The chat-channel mistake. Modern contractors use Slack/Teams/Mattermost for collaboration. Classified-handling personnel sometimes drop classified content into unclassified chat channels — pasting an excerpt, summarizing a finding, or attaching a document. Once it’s in the chat platform, every audit log, backup, and integration becomes part of the spill scope.
The PII / CUI overlap drift. Many contractor environments handle several data categories at once: classified material, CUI (including what older documents still mark FOUO), and PII. When the same engineering team works across all of them, classification drift happens: material at one level gets handled with the discipline appropriate to a lower level. DCSA findings increasingly flag these mixed-handling environments.
The architectural insight from the violation rate: data spills happen at the system-design level, not the user-discipline level. A user with perfect intent makes mistakes; the question is whether the system catches them. Programs that rely on user training as the primary control produce data spills at the rate the GAO data shows. Programs that rely on architectural separation — physical air gaps, distinct networks with clear visual indicators of which network you’re on, mechanical gates between trust zones — produce data spills at a fraction of that rate.
The expensive lesson: training and written policy help; architectural separation helps more; mechanical gates that refuse the action when the user is in the wrong context help most. A contractor whose email client visually identifies its network as classified or unclassified at all times (color-coded UI, network-aware client) has fewer data spills than one whose email client looks identical regardless of network. One caveat: a gate keyed on classification markings cannot catch content retyped from memory, which carries no marking; that residual case is what the visual indicators and the air gap are for.
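A minimal version of such a gate, as an added example that is not from the GAO report or from any contractor’s tooling: it extracts the highest classification marking present in outbound content and refuses to pass it to a destination accredited below that level, and it flags unmarked content for review instead of silently passing it. The level lattice, the banner and portion-mark syntax, and the destination names are simplifications assumed for the example.

```python
"""Classification-aware outbound gate (illustrative, added example).

Before content leaves a context (email send, chat post, save to a share), compare the
highest classification marking in the content with the level the destination is
accredited for, and refuse write-down. The level ordering, the banner/portion-mark
syntax and the destination names below are simplifying assumptions, not NISPOM text.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Ordered from lowest to highest; position is dominance. Assumed simplified lattice.
LEVELS = ["UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP SECRET"]
RANK = {name: i for i, name in enumerate(LEVELS)}
ABBREV = {"U": "UNCLASSIFIED", "C": "CONFIDENTIAL", "S": "SECRET", "TS": "TOP SECRET"}

# Banner line on a line of its own, e.g. "SECRET//NOFORN".
BANNER_RE = re.compile(
    r"^\s*(UNCLASSIFIED|CONFIDENTIAL|SECRET|TOP SECRET)(?://[A-Z0-9/ ,-]+)?\s*$", re.M
)
# Portion mark at the start of a paragraph, e.g. "(S)", "(TS//SI)", "(U)". Anchoring to
# the line start avoids matching a stray "(C)" or "(S)" inside running text.
PORTION_RE = re.compile(r"^\s*\((U|C|S|TS)(?://[A-Z0-9/ ,-]+)?\)", re.M)


def highest_marking(text: str) -> Optional[str]:
    """Highest classification level marked in text, or None if nothing is marked."""
    found = [m.group(1) for m in BANNER_RE.finditer(text)]
    found += [ABBREV[m.group(1)] for m in PORTION_RE.finditer(text)]
    return max(found, key=RANK.__getitem__) if found else None


@dataclass(frozen=True)
class Destination:
    name: str        # hypothetical destination label, e.g. "corporate-email"
    max_level: str   # highest level the destination is accredited to receive


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def gate(text: str, dest: Destination) -> Decision:
    """Allow the transfer only if every marking in text is dominated by dest.max_level."""
    level = highest_marking(text)
    if level is None:
        # Content typed from memory carries no marking, so a marking gate cannot reject
        # it. Pass it but flag it; this is the residual risk indicators and air gaps cover.
        return Decision(True, f"unmarked content to {dest.name}: allowed, flagged for review")
    if RANK[level] > RANK[dest.max_level]:
        return Decision(False, f"blocked: {level} content to {dest.name} (max {dest.max_level})")
    return Decision(True, f"{level} content to {dest.name}: within accreditation")


if __name__ == "__main__":
    # Constructed sample: a SECRET-marked note being sent through a corporate mail client.
    corporate_email = Destination("corporate-email", "UNCLASSIFIED")
    note = "SECRET//NOFORN\n\n(S) Trial results summarized here.\n(U) Meeting moved to 3 pm."
    print(gate(note, corporate_email))
    print(gate("(U) Lunch is at noon.", corporate_email))
```

The point of the `None` branch is the one a practitioner should not skip: a marking-based gate has a well-defined blind spot, and the gate should record that it passed unmarked content rather than report it as clean.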
Category 2: Improper storage (11.5%)
Three patterns dominate this category. All three are operational discipline failures rather than architectural ones — they happen in well-designed facilities when execution lapses.
Wrong-container storage during transitions. A project moves between rooms within a facility, or a contractor temporarily relocates a workspace during construction. Classified material gets stored in a regular file cabinet for “just a few days” — and then DCSA arrives. NISPOM requires classified material to be in a GSA-approved container, an approved vault, or a closed area whenever it is not under the direct control of an authorized person. There is no “temporarily” exception; the spirit of the rule is that classified material is always either in approved storage or in active controlled use, with no in-between.
Unsecured-during-shift-change failures. SCIF closing procedures require specific actions: containers locked, alarms set, last-person-out attestation. The most common failure mode: containers left open during a shift change because the closing person assumed the next-shift person would handle it, or vice versa. Documented end-of-day procedures with named-individual accountability — not just role-based — eliminate most of this category.
Working-papers left out at end-of-day. Classified working papers (notes, drafts, printouts) accumulate during the day and must be either secured or destroyed at end-of-day. The most common violation: a working paper buried under other materials on a desk gets missed during closeout. End-of-day procedures that require empty desk attestation — not just “secured” attestation — catch this category.
The improvement path here is procedural discipline, not architectural change. The contractors whose programs hold up review after review are the ones whose end-of-day procedure is treated with the same rigor as a code-deployment runbook.
Category 3: Access breach / unauthorized disclosure (6.5%)
This category covers classified information being shared with personnel who lack proper clearance, sufficient need-to-know, or required Special Access Program briefings. Patterns:
Need-to-know failures within cleared populations. An employee holding a TS/SCI clearance is exposed to classified information from a program for which they have no specific need-to-know. Most often this happens informally: a hallway conversation, attendance at an unrelated meeting, or a shared email distribution list that includes people outside the need-to-know population. Need-to-know discipline within a cleared population is structurally harder than clearance verification at the door, because clearance is a static attribute and need-to-know is per-program.
SAP-program briefing failures. Special Access Programs require additional briefings beyond TS/SCI clearance. Bringing someone into a discussion of SAP material before they’re properly briefed is an unauthorized disclosure even if they’re cleared. SAPF environments typically have stricter access mechanisms specifically because the need-to-know population is tighter.
Visitor management failures. Bringing an external visitor into a SCIF when they don’t have proper clearance verification, or briefing a visitor on classified material before their visit was properly approved. Visitor management procedures are well-documented in NISPOM but execution varies — some contractors run visitor processing as an integrated part of their SCIF operations, others treat it as a security-officer side task.
Category 4: Physical losses (6.3%)
Physical losses are when classified material is unaccounted for. The trigger is usually accountability inventories — periodic counts of accountable classified materials — that come up short.
Patterns:
Courier failures. Classified couriers carrying material between facilities lose documents in transit. Sometimes literally lost (left in a vehicle, mislaid in a hotel, stolen during transport); sometimes administratively unaccounted for (transferred to the destination but never logged into receiving inventory).
Lost-and-found incidents. A document is misfiled within a facility — placed in the wrong container, locked in the wrong storage. Until inventory reconciliation finds it, it’s reported as lost. Some “losses” are eventually recovered; the violation persists in the record because the period of unaccountability counts.
End-of-life document handling. Classified materials being prepared for destruction sometimes go missing between the office and the destruction facility. The chain of custody must be unbroken from creation through destruction; gaps produce loss reports.
The architectural lesson: classified inventory rigor is as important as access control. Many contractors invest heavily in access control and lightly in periodic inventory reconciliation. The DCSA violation pattern suggests inventory rigor deserves more weight than it usually gets.
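Inventory reconciliation treated as engineering work, as an added example that is not from the GAO report or from any contractor’s accountability system: a small chain-of-custody ledger for accountable documents, with a checker that reports the trail gaps this section describes (dispatched but never logged at the receiving facility, handed off for destruction with no destruction record, received with no matching dispatch) and that compares a physical count against what the ledger says a site should hold. The event names, site names, custodian names and deadline windows are assumptions made for the example, and the ledger entries are constructed.

```python
"""Chain-of-custody reconciliation for accountable classified documents (added example).

Every custody event names the individual holding the document and the site where the
event was logged. The checker finds trails that are broken or left open too long, and
compares a physical count against the ledger's expected holdings. Action names, sites,
custodians and deadline windows are assumptions made for this example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class Event:
    doc_id: str
    when: datetime
    action: str      # CREATE | TRANSFER | DISPATCH | RECEIVE | DESTROY_HANDOFF | DESTROYED
    site: str        # facility where the event was logged (hypothetical names below)
    custodian: str   # a named individual, never a role


# Allowed successor actions. Any transition outside this table is a custody break.
NEXT = {
    "CREATE": {"TRANSFER", "DISPATCH", "DESTROY_HANDOFF"},
    "TRANSFER": {"TRANSFER", "DISPATCH", "DESTROY_HANDOFF"},
    "DISPATCH": {"RECEIVE"},
    "RECEIVE": {"TRANSFER", "DISPATCH", "DESTROY_HANDOFF"},
    "DESTROY_HANDOFF": {"DESTROYED"},
    "DESTROYED": set(),
}
# Open-ended states that must be closed within this window (assumed values).
DEADLINE = {"DISPATCH": timedelta(days=5), "DESTROY_HANDOFF": timedelta(days=2)}
# States after which the document is physically held at the event's site.
HELD = {"CREATE", "TRANSFER", "RECEIVE"}


def trails(events: Iterable[Event]) -> Dict[str, List[Event]]:
    """Group events per document, ordered by time."""
    by_doc: Dict[str, List[Event]] = {}
    for e in sorted(events, key=lambda e: e.when):
        by_doc.setdefault(e.doc_id, []).append(e)
    return by_doc


def custody_findings(events: Iterable[Event], now: datetime) -> Dict[str, str]:
    """Map doc_id -> finding for every document whose trail is broken or overdue."""
    findings: Dict[str, str] = {}
    for doc, trail in trails(events).items():
        if trail[0].action != "CREATE":
            findings[doc] = f"trail does not begin with CREATE (first event {trail[0].action} at {trail[0].site})"
            continue
        bad = next(((p, c) for p, c in zip(trail, trail[1:]) if c.action not in NEXT[p.action]), None)
        if bad:
            p, c = bad
            findings[doc] = f"illegal transition {p.action}->{c.action} at {c.site} ({c.custodian})"
            continue
        last = trail[-1]
        if last.action in DEADLINE and now - last.when > DEADLINE[last.action]:
            days = (now - last.when).days
            findings[doc] = f"{last.action} by {last.custodian} at {last.site} open {days} days with no closing record"
    return findings


def expected_holdings(events: Iterable[Event], site: str) -> Set[str]:
    """Documents the ledger says should be physically present at site right now."""
    return {doc for doc, trail in trails(events).items()
            if trail[-1].action in HELD and trail[-1].site == site}


def count_variance(events: Iterable[Event], site: str, counted: Iterable[str]) -> Dict[str, List[str]]:
    """Compare a physical count against expected holdings: missing items are candidate
    losses; unexpected items are misfiled or unlogged arrivals (the lost-and-found case)."""
    expected = expected_holdings(events, site)
    return {"missing": sorted(expected - set(counted)), "unexpected": sorted(set(counted) - expected)}


# Constructed ledger. Sites and people are fictional.
T = datetime(2025, 6, 2, 9, 0)
LEDGER = [
    Event("D-1001", T, "CREATE", "SITE-A", "J. Ortiz"),
    Event("D-1001", T + timedelta(days=1), "DISPATCH", "SITE-A", "J. Ortiz"),
    Event("D-1001", T + timedelta(days=2), "RECEIVE", "SITE-B", "M. Chen"),        # clean courier run
    Event("D-1002", T, "CREATE", "SITE-A", "J. Ortiz"),
    Event("D-1002", T + timedelta(days=1), "DISPATCH", "SITE-A", "R. Patel"),       # never logged in at SITE-B
    Event("D-1003", T, "CREATE", "SITE-A", "K. Lee"),
    Event("D-1003", T + timedelta(days=3), "DESTROY_HANDOFF", "SITE-A", "K. Lee"),  # no destruction record
    Event("D-1004", T, "CREATE", "SITE-B", "M. Chen"),
    Event("D-1004", T + timedelta(days=1), "RECEIVE", "SITE-B", "M. Chen"),         # RECEIVE with no DISPATCH
    Event("D-1005", T, "CREATE", "SITE-A", "K. Lee"),                                # held at SITE-A, clean
]
NOW = T + timedelta(days=10)

if __name__ == "__main__":
    for doc, finding in custody_findings(LEDGER, NOW).items():
        print(doc, finding)
    # Physical count at SITE-B turned up the document SITE-A dispatched but never logged in.
    print(count_variance(LEDGER, "SITE-B", ["D-1001", "D-1002"]))
```

Run against the constructed ledger, the checker reports D-1002 (dispatch open with no receipt), D-1003 (destruction hand-off never closed) and D-1004 (receipt with no dispatch), and the SITE-B count shows D-1004 missing and D-1002 unexpectedly present, which is the administratively-unaccounted courier case: the document arrived but was never logged into receiving inventory.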
Category 5: Improper physical transfers (5.6%)
Closely related to physical losses but distinct: improper transfers are when classified material moves between facilities or systems without proper procedures, even if it’s not lost.
Receiving facility not authorized. Classified material is transferred to a destination that does not hold a facility clearance and safeguarding approval at the material’s classification level. The transfer may be administratively complete on paper, but the destination should never have received it.
Courier procedure violations. Classified couriers traveling without proper documentation, moving materials outside approved transport routes, or using unapproved transportation modes (commercial flights without special procedures, for example).
Cross-jurisdictional violations. Moving classified material between coalition partners, between US government agencies, or between contractors and government facilities sometimes requires specific cross-jurisdictional procedures. Skipping or incompletely executing those procedures is a violation even when the material reaches its destination intact.
What the 1,032 open vulnerabilities represent
Distinct from the 815 violations, GAO documented 1,032 open security vulnerabilities — weaknesses in contractor security programs and instances of non-compliance with NISP procedures that haven’t yet produced an observed violation but represent latent risk.
These are the operational equivalents of CMMC POA&M items: known gaps that the contractor and DCSA both see, with remediation pending. The relevant insight is the ratio: 1,032 vulnerabilities to 815 violations, roughly 1.27 vulnerabilities per violation. Cleared contractors are aware of more potential failure modes than they’ve yet experienced — but the violation count itself indicates the awareness isn’t enough to prevent the events.
The DCSA capacity constraint
The most consequential context in the GAO report isn’t the violation count itself — it’s that DCSA can only review approximately 25-30% of the cleared industrial base in any given fiscal year. The remaining 70-75% of facilities don’t get a DCSA review in that cycle. They might get one the following year, or the year after.
This has three implications for cleared contractors:
First, the 815 figure is a substantial undercount of violations across the industry. Scaling 815 up by the 25-30% review coverage gives roughly 2,700-3,300 violations per year across the full DIB, most of them never observed because they occurred at facilities not reviewed that year. That extrapolation assumes the reviewed facilities are representative of the rest; if DCSA selects higher-risk facilities first, the true number is lower, though still well above 815.
Second, your facility’s chance of being reviewed in any given year is moderate, not high. Many cleared contractors run a rigorous program in the year they expect DCSA and let it slip in between. That approach may satisfy the paper trail, but it builds tail risk: when DCSA does arrive, the review surfaces the issues that accumulated during the lighter years.
Third, the absence of recent DCSA observation doesn’t mean the program is operating well. Internal continuous monitoring matters more than DCSA review cadence — the programs that handle eventual review well are the ones that surface their own incidents internally and remediate before DCSA arrives.
The funding-flatness signal
GAO noted that industrial security funding has remained “relatively flat” while personnel vetting funding increased meaningfully. This is a forward-looking signal more than a current-state observation: DCSA is unlikely to expand industrial security review capacity materially in FY26 or FY27. The 25-30% review coverage will hold or possibly decline.
For contractors, the operating implication: your internal security program is the primary control on classified-handling violations. DCSA review is a sampled audit, not a continuous oversight regime. The programs that produce the lowest violation rates are the ones that internalize all of NISPOM compliance as their own continuous-monitoring obligation rather than treating DCSA visits as the compliance bar.
Where Fortinetics’s view comes in
Reading the GAO data category by category, the pattern that emerges is consistent with what we see in cleared engagements: programs whose violation rates are low share a small set of architectural and procedural traits. Networks with mechanical separation between classified and unclassified contexts — not just policy separation. End-of-day procedures with named-individual accountability and empty-desk attestation, not just role-based attestation. Inventory reconciliation that treats accountability counts as production-grade engineering work, not as a security-officer side task. Visitor management as an integrated operational discipline rather than a per-event task.
The GAO data also confirms a pattern we’ve written about: the contractor with the cleanest DCSA review record is the one whose internal monitoring would have caught any violations before DCSA did. That’s the operating posture our SCIF and SAPF advisory engagements aim for, not the “pass the audit” posture.
If you’re operating a cleared facility — SCIF, SAPF, or LAF — and the GAO violation distribution is making you wonder how your program would look against it, book a 30-minute scoping call. We’ll walk through your specific program against the violation pattern, honestly. If your program is already in shape, we’ll say so.
Related reading:
- SCIF and SAPF accreditation playbook — including the 2025 ICD 705 update affecting most existing SCIFs
- SCIF vs SAPF — the difference
- First SCIF for a venture-backed startup
- Government-direct SCIF network integration
- Multi-enclave SAPF advisory
Source: U.S. Government Accountability Office, Report 26-107861, “Industrial Security: DCSA Has Identified Hundreds of Violations Annually Among Cleared Contractors But Reviews Only a Fraction of the Population,” April 27, 2026.