Information Environment: DOD Needs to Address Security Risks of Publicly Accessible Information
Fast Facts
Massive amounts of traceable data about military personnel and operations now exist due to the digital revolution. When aggregated, these "digital footprints" can threaten military personnel and their families, operations, and ultimately national security.
The Department of Defense identifies publicly available data as a growing threat and has taken steps to inform service members of the risk. For example, a poster at DOD reads "Loose tweets sink fleets"--a modern take on a World War II-era slogan.
We found ways DOD could better assess the security risks and improve collaboration and training.
Our recommendations address these issues.
Figure: Digital Activity Generates Digital Footprints That Can Be Aggregated into A Digital Profile
Highlights
What GAO Found
Digital activity from personal and government devices, online communications, and defense platforms such as ships and aircraft can generate volumes of traceable data, known as digital footprints. When these digital footprints are aggregated into a digital profile, they can threaten Department of Defense (DOD) personnel and their families, operations, and ultimately national security.
Figure: Digital Activity Generates Digital Footprints That Can Be Aggregated into A Digital Profile

GAO determined that three of five offices under the Office of the Secretary of Defense (OSD) have issued policies and guidance on the risks associated with the public accessibility of DOD’s digital information. However, the policies and guidance are narrowly focused, do not include all stakeholders, and do not include all relevant security areas. As a cross-functional governance body that includes stakeholders across DOD, the Defense Security Enterprise Executive Committee is well-positioned to lead a department-wide collaborative assessment of policies and guidance on digital footprint and profile risks. Without such an assessment, DOD will have difficulty in determining whether risks are being sufficiently managed within the boundaries of their legal authorities. Also, DOD will face ever-increasing threats to personnel privacy and safety, mission success, and national security.
GAO also determined that 10 DOD components were not fully addressing two areas essential to reducing the risk of digital threats—training and security assessments.
- Nine of ten components’ training materials did not consistently train personnel on risks of digital information in the public across all relevant security areas.
- Eight of ten components did not conduct assessments of threats across the required security areas of force protection, insider threat, mission assurance, and operations security. Instead, most components focused assessment efforts solely on operations security.
GAO developed the notional threat scenarios below to exemplify how publicly accessible information about DOD operations and its personnel introduces risks across multiple security areas.
Risk to Personnel and Their Families
This scenario illustrates how a malicious actor could use digital information purchased from data brokers or collected from the web to identify and harm DOD personnel and their families.
Figure: Digital Footprints Can Be Aggregated to Expose DOD Personnel Data


Risk to Operations
This scenario illustrates how a malicious actor could use digital information—including DOD press releases, news sources, online activity, social media posts, and ship coordinates—to project the route of a vessel and disrupt naval carrier operations. When aggregated, this information could enable targeting the vessel with uncrewed systems or sabotaging the ship while in port.
Figure: Digital Footprints Can Be Aggregated to Disrupt Aircraft Carrier Operations

Why GAO Did This Study
Massive amounts of traceable data about military personnel and operations now exist due to the digital revolution. Public accessibility of this data enables malicious actors to exploit critical information and jeopardize DOD’s mission and the safety of its personnel.
Senate Report 118-58 and House Report 118-301 include provisions that GAO assess DOD’s efforts to mitigate national security risks and assess DOD components’ efforts to protect the digital footprint of DOD personnel. This report assesses the extent to which (1) OSD has taken action to reduce risks to DOD personnel and operations and (2) DOD components have conducted training and assessments to reduce risk to DOD personnel and operations. The report also describes security risks of publicly accessible data about DOD personnel and operations.
GAO focused on actions taken by five OSD offices and 10 select DOD components with security responsibilities—the five services and five other cognizant components such as U.S. Cyber Command and Space Force. GAO reviewed policies and documentation from these offices and components, and interviewed agency officials regarding actions taken to reduce information about DOD and its personnel being publicly accessible.
Recommendations
GAO is making 12 recommendations to DOD to assess its policies and guidance; collaborate to reduce risks; provide training on the digital environment and its associated risks across security areas; and complete required security assessments. DOD concurred with 11 of 12 recommendations and partially concurred with one. GAO maintains that all recommendations are warranted.
Recommendations for Executive Action
| Agency Affected | Recommendation | Status |
|---|---|---|
| Department of Defense | The Secretary of Defense should ensure that the Defense Security Enterprise Executive Committee assesses existing departmental security policies and guidance to identify gaps associated with risks in the digital environment; and makes recommendations on updating policy and guidance to reduce the risks of digital information about DOD and its personnel being publicly accessible. In conducting this assessment, the executive committee should include all OSD offices that oversee security areas and the Assistant to the Secretary of Defense for Public Affairs. (Recommendation 1) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
| Department of Defense | The Secretary of Defense should ensure that the Defense Security Enterprise Executive Committee improves collaboration across the department to reduce the risks of information about DOD and its personnel being publicly accessible. Collaboration should include all OSD offices that oversee security areas and the Assistant to the Secretary of Defense for Public Affairs. (Recommendation 2) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
| Department of Defense | The Secretary of Defense should ensure that the Defense Security Enterprise Executive Committee reviews and assesses security training to ensure that digital profile issues are considered in all security areas—counterintelligence, force protection, insider threat, mission assurance, OPSEC, and program protection—and makes any appropriate recommendations for action to improve the representation of digital profile threats in security training across the department. (Recommendation 3) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
| Department of Defense | The Secretary of Defense should ensure that U.S. Cyber Command provides security training to its workforce on threats in the security areas of counterintelligence, insider threat, and OPSEC. (Recommendation 4) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
| Department of the Air Force | The Secretary of the Air Force should ensure that the Air Force is conducting required assessments in the security areas of force protection, insider threat, and mission assurance. (Recommendation 5) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
| Department of the Army | The Secretary of the Army should ensure that the Army is conducting required assessments in the security areas of force protection, insider threat, and mission assurance. (Recommendation 6) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
| Department of Defense | The Secretary of Defense should ensure that the Defense Counterintelligence and Security Agency is conducting required assessments in the security areas of force protection, insider threat, and mission assurance. (Recommendation 7) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
| Department of Defense | The Secretary of Defense should ensure that the U.S. Cyber Command is conducting required assessments in the security areas of force protection, insider threat, OPSEC, and mission assurance. (Recommendation 8) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
| Department of Defense | The Secretary of Defense should ensure that the Defense Intelligence Agency is conducting required assessments in the security areas of force protection, insider threat, OPSEC, and mission assurance. (Recommendation 9) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
| Department of Defense | The Secretary of Defense should ensure that the National Security Agency is conducting required assessments in the security areas of force protection, insider threat, OPSEC, and mission assurance. (Recommendation 10) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
| Department of the Navy | The Secretary of the Navy should ensure that the Navy is conducting required assessments in the security areas of force protection, insider threat, OPSEC, and mission assurance. (Recommendation 11) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
| Department of the Air Force | The Secretary of the Air Force should ensure that Space Force is conducting required assessments in the security areas of force protection, insider threat, OPSEC, and mission assurance. (Recommendation 12) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |