Agency That Vets Pentagon Contractors’ Security Isn’t Keeping Up With the Threat, Audit Finds


The Defense Security Service plans to shift to a risk-based approach, but needs to reach out to stakeholders, GAO says.

The Pentagon agency responsible for vetting contractors that handle classified information isn’t keeping up with the threat, according to an auditor’s report released Monday.

The Defense Security Service, or DSS, is responsible for vetting the security of over 12,000 contractor facilities, but could only accomplish about 60 percent of its workload during the 2016 fiscal year, according to the Government Accountability Office report.

That’s despite DSS’ own statement “that the United States is facing the most significant foreign intelligence threat it has ever encountered,” the report states.

DSS security reviews are broadly similar to the personal security clearances that government employees and contractors undergo and include issues such as a company’s foreign ties and risky past behavior.

DSS announced plans to pilot a new methodology in late 2016 that involves prioritizing security reviews based on what information and technology are housed at a particular contractor and how likely foreign intelligence services are to try to steal it.

The new methodology also involves creating customized security plans for contractor facilities rather than relying on a one-size-fits-all model based on the National Industrial Security Program Operating Manual, a guide developed through an interagency process.

However, DSS hasn’t sufficiently outlined what resources it will need for this shift in strategy, the Government Accountability Office found. The agency also hasn’t described how it will collaborate with relevant groups, such as the U.S. intelligence agencies that will outline the most pressing threats and the contractors that will try to mitigate them, the office said.

“Until DSS identifies roles and responsibilities and determines how it will collaborate with stakeholders for the piloting effort, it will be difficult to assess whether the new approach is effective in protecting classified information,” the audit states.

The review comes as executive branch officials and lawmakers are increasingly concerned about foreign influence in government contractors’ supply chains. The Homeland Security Department ordered federal agencies to remove the Russian anti-virus Kaspersky from their systems in October, and a defense policy bill, which became law in December, required the same of contractors.

Contractors have yet to complete that process and many were unaware they were using the Russian anti-virus, Homeland Security Sec. Kirstjen Nielsen told lawmakers earlier this month.

Several lawmakers have pushed for similar legislation to ban the Chinese telecoms ZTE and Huawei from U.S. government supply chains. The current House draft of a must-pass defense policy bill, however, only requires a study of the issue.