General Dynamics IT

Overview

General Dynamics Information Technology (GDIT) is the IT services division of General Dynamics Corporation, one of the largest U.S. defense contractors. Headquartered in Falls Church, Virginia, GDIT provides IT systems integration, cybersecurity, cloud computing, network operations, and mission systems support to U.S. defense and civilian government agencies. GDIT generates approximately $9 billion in annual revenue and employs over 30,000 people with security clearances across military installations, intelligence facilities, and federal agencies nationwide.

GDIT was formed through a series of acquisitions including the purchases of CSRA (Computer Sciences Corporation's government services division) and ManTech International's government IT business, making it one of the largest federal IT services contractors in the United States. The company is a subsidiary of General Dynamics Corporation, which also operates defense segments in combat systems (Abrams tanks), marine systems (Gulfstream aircraft), and mission systems.

As one of the largest IT service providers to the U.S. government, GDIT manages sensitive data for intelligence agencies, military services, civilian federal agencies, and law enforcement. The company supports some of the most significant federal IT programs, from VA electronic health records to DEA case management to NSA network operations, placing it in contact with some of the most sensitive government data categories.

GDIT's cybersecurity practice is particularly significant: the company both provides cybersecurity services to government agencies and, as a contractor itself, is a target of state-sponsored and criminal cyberattackers seeking access to government data through contractor networks.

Data Collection Practices

GDIT operates as a data processor and IT services provider for government agencies rather than a direct consumer data collector:

Intelligence community systems:

• NSA network operations and cybersecurity support
• DIA intelligence data management and analysis platforms
• DISA network monitoring and cybersecurity operations
• Classified IT systems management for intelligence agencies

Military systems:

• Army, Navy, and Air Force IT infrastructure management
• Military personnel records systems
• Logistics and supply chain data systems
• Combat support IT and communications

Civilian federal health data:

• VA health IT systems (supporting the VA electronic health records infrastructure)
• CMS Medicare and Medicaid data analytics
• Federal employee health program IT

Law enforcement data:

• DEA case management systems handling drug enforcement investigative data
• DHS/CBP border enforcement IT systems
• FBI IT infrastructure support
• State and local law enforcement IT (through GDIT's state/local government division)

Identity and access management:

• Biometric identity systems for government agencies
• Security clearance management IT systems
• Government identity verification and authentication platforms

Cloud migration services: GDIT manages cloud migration for multiple agencies, handling the transfer of legacy government data to modern cloud infrastructure, a process that creates significant transient exposure of sensitive data.

Known Clients & Government Contracts

Defense Intelligence Agency: GDIT supports DIA's IT infrastructure and intelligence data management systems, working with classified analytical tools and intelligence databases.

NSA: GDIT provides network operations, cybersecurity, and IT infrastructure support for NSA facilities and programs, some of which are classified.

DISA: As DISA's primary IT infrastructure is managed through a mix of in-house and contractor staff, GDIT has significant relationships with DISA including for NIPRNET and SIPRNET (classified military network) management support.

VA Electronic Health Records: GDIT is a key subcontractor and IT services provider in the VA's Cerner-based electronic health records modernization program, one of the largest federal IT programs, handling health records for over 9 million veterans.

DEA: GDIT provides case management systems and IT infrastructure for the Drug Enforcement Administration, handling sensitive criminal investigative data, informant information, and ongoing law enforcement operations.

DHS and CBP: Border security IT systems, data analytics, and network operations for Customs and Border Protection and other DHS components.

State Department: Embassy communications systems and State Department IT infrastructure, including some classified foreign affairs and intelligence-adjacent systems.

Privacy Incidents & Litigation

Phishing-Induced Breach (2020): In December 2020, GDIT disclosed a breach affecting payroll data for a number of federal agencies serviced through its HR management platform. A phishing attack compromised a vendor's SolarWinds-adjacent IT environment and led to unauthorized access to employee information stored in GDIT's systems. The breach included names, Social Security numbers, banking information, and personal details for federal employees across multiple agencies.

The incident occurred during the same period as the massive SolarWinds supply chain compromise, and while GDIT's breach was separate, it highlighted the vulnerability of contractor IT environments to sophisticated phishing and supply chain attacks.

DEA Sensitive Case Data Risks: GDIT's management of DEA case management systems creates significant inherent risk, criminal informant identities, ongoing investigation details, and law enforcement operational data are stored in systems GDIT manages. Any breach of these systems could compromise ongoing investigations, endanger informants, or enable criminal organizations to obtain intelligence about law enforcement activities.

VA Health Records Program Delays and Security Reviews: The VA EHR modernization program (Oracle Cerner, with GDIT as key IT subcontractor) has been plagued by implementation problems, with multiple program pauses, inspector general reviews, and Congressional investigations. Security reviews have identified gaps in the protection of veteran health data during migration and deployment phases.

Subcontractor Security Chain Issues: As a major IT integrator, GDIT relies on extensive subcontractor networks. Security incidents at GDIT subcontractors have resulted in data exposures affecting government clients, a recurring pattern in large government IT contracting where accountability diffuses across contractor and subcontractor layers.

Threat Score Analysis

GDIT receives a composite threat score of 65/100, reflecting its dominant government contract portfolio and the sensitivity of federal data it processes:

• Data Collection (63/100): GDIT processes sensitive government data across intelligence, military, health, and law enforcement categories under contract. The data processed is extraordinarily sensitive in aggregate, but GDIT is a processor rather than a commercial collector.

• Third-Party Sharing (40/100): Data sharing is constrained by classification and contract requirements. However, GDIT's extensive subcontractor ecosystem creates data flow chains that extend beyond direct GDIT control.

• Breach History (65/100): The 2020 phishing breach affecting federal employee payroll data demonstrates real security vulnerabilities. DEA case data and VA health records represent categories where breaches could have severe human consequences beyond financial harm.

• Government Contracts (93/100): GDIT's entire business is government contracting. Its portfolio spans NSA, DIA, DISA, all military services, VA, DEA, DHS, and State Department. The breadth and sensitivity of contracts is among the highest of any government IT contractor.

• Transparency (30/100): Classified program opacity is inherent. Corporate disclosures are standard. No meaningful public transparency about specific government data practices is possible or required.

Weighted calculation: (63 * 0.25) + (40 * 0.25) + (65 * 0.20) + (93 * 0.15) + (30 * 0.15) = 15.75 + 10.0 + 13.0 + 13.95 + 4.5 = 57.2, adjusted to 65 due to the breadth of sensitive government data managed (intelligence, health, law enforcement, military), the DEA case data sensitivity, and the demonstrated phishing vulnerability affecting federal employee data across multiple agencies.

Transparency & Accountability

General Dynamics IT's accountability framework operates through the standard mechanisms of large government IT contracting: Congressional oversight, inspector general reviews, security auditor assessments, and contract compliance monitoring.

The company publishes standard corporate disclosures for General Dynamics (NYSE: GD) as a publicly traded company. GDIT-specific operational transparency is limited by the classified nature of significant portions of its work.

The VA EHR program provides a concrete example of accountability mechanisms in action: the program's repeated problems, cost overruns, and patient safety concerns triggered multiple OIG investigations, Congressional hearings, and program reviews. These mechanisms exposed issues but have not resolved the fundamental challenges in managing large-scale federal health IT programs with multiple contractor layers.

GDIT's 2020 breach response illustrated how contractor data incidents differ from corporate data incidents: notification obligations flow from GDIT to affected agencies, which then notify affected individuals, creating accountability chains that can delay notification and diffuse responsibility.

The company's cybersecurity practice represents an interesting accountability tension: GDIT is contracted to provide cybersecurity services to government agencies, making it simultaneously a vendor of security services and a potential attack vector. Sophisticated adversaries targeting government data have strong incentives to compromise contractor networks, and GDIT's breadth of government access makes it a high-value target. The adequacy of GDIT's own security, relative to the sensitivity of data it accesses, is subject to government security reviews but not public scrutiny.