Overview
Leidos Holdings, Inc. is one of the largest American defense, intelligence, and civil government IT contractors, headquartered in Reston, Virginia. The company was spun off from Science Applications International Corporation (SAIC) in 2013, initially branded as Leidos after SAIC divided itself into two publicly traded companies. Leidos then acquired Lockheed Martin's IT and government services division (IS&GS) in 2016 for $4.6 billion, becoming one of the top U.S. government IT contractors.
With annual revenues exceeding $15 billion and over 47,000 employees, Leidos serves as a critical technology infrastructure provider for U.S. national security agencies including the NSA, DHS, DOD, and intelligence community. The company provides IT systems integration, cybersecurity, data analytics, and mission systems for classified and unclassified government programs.
Leidos operates across three primary business segments: Defense & Intelligence (classified national security programs), Civil (federal civilian agencies including DHS, FAA, VA), and Health (federal health IT including VA, CMS, and DHA). This broad footprint means Leidos processes some of the most sensitive government data in existence: intelligence community databases, health records for 9 million veterans, aviation security systems, and immigration enforcement data.
The company's role in the intelligence community is particularly significant. Leidos is among the top contractors supporting NSA IT infrastructure, providing systems engineering, network management, and technology integration for classified signals intelligence programs. This makes Leidos an integral component of U.S. surveillance infrastructure rather than a consumer-facing company.
Data Collection Practices
Leidos does not operate as a consumer data company; its data practices center on government-contracted data processing:
Intelligence community data processing:
- NSA systems integration: Leidos engineers design and maintain IT infrastructure processing classified signals intelligence data
- Network monitoring and cybersecurity tools for classified government networks
- Data analytics platforms processing intelligence community data
- Identity management systems for security clearance holders
Health data processing (Leidos Health):
- Veterans' health records through Veterans Affairs IT programs
- Defense Health Agency (DHA) electronic health record systems
- Medicare and Medicaid data analytics for CMS
- Health IT integration for federal civilian health programs
Border and transportation security:
- TSA airport screening technology and data systems
- DHS border security IT systems
- Immigration enforcement data processing
- Aviation security data management for the FAA
Classified program data: Leidos employees with Top Secret/SCI clearances process classified data across intelligence community programs whose specific nature is not publicly disclosed. The company employs a significant portion of the cleared U.S. civilian workforce.
Biometric data systems: Leidos has contracted to develop and maintain biometric identification systems for government agencies, including fingerprint, iris, and face recognition databases used for immigration enforcement and security screening.
Known Clients & Government Contracts
Leidos's government client list represents a cross-section of U.S. national security and federal civilian agencies:
NSA (National Security Agency): Leidos is one of NSA's primary IT contractors, providing infrastructure engineering, systems integration, and technology support for classified signals intelligence programs. NSA contracts represent some of the most sensitive in Leidos's portfolio.
DHS and its components: Leidos provides IT systems to Customs and Border Protection (CBP), Immigration and Customs Enforcement (ICE), TSA, FEMA, and the Coast Guard. This includes data analytics, case management systems, and border security technology.
Department of Defense: Leidos contracts span the Army, Navy, Air Force, Space Force, and joint commands, providing logistics systems, battlefield IT infrastructure, cybersecurity, and intelligence support.
Veterans Affairs: Leidos Dynex (its health subsidiary) is a major contractor for VA health IT systems, managing electronic health records and clinical data systems for approximately 9 million veterans.
FAA: Leidos operates significant FAA air traffic control modernization programs, managing the NextGen aviation IT infrastructure that processes data for the entire U.S. national airspace.
NASA: Space mission operations, IT infrastructure, and data analytics for NASA programs including launch range safety systems.
Intelligence Community contractors: Beyond NSA, Leidos supports CIA, DIA, NRO, and NGA programs through classified contracts whose details are not publicly disclosed.
Privacy Incidents & Litigation
Health Data Breach via Diligent Boards (2024): In a notable incident, data managed by Leidos was exposed when Diligent Corporation (a board management software provider used by Leidos) suffered a breach. The exposed data included health-related information and documents processed through Leidos systems. This incident illustrated the supply chain risk in government IT contracting: data managed by a major federal contractor can be exposed through vulnerabilities at smaller third-party vendors.
Insider Threat Incidents: As with other major intelligence community contractors, Leidos has faced insider threat incidents involving employees with security clearances. The Edward Snowden disclosure, while involving an NSA contractor (Booz Allen Hamilton was the direct employer), brought increased scrutiny to all major intelligence community contractors including Leidos. Subsequent incidents at various contractors have highlighted the challenge of insider threat management in cleared environments.
Export Control Investigations: Defense IT contractors including Leidos have faced export control scrutiny related to the international transfer of controlled technologies and the employment of foreign nationals in sensitive programs. These investigations reflect the tension between commercial pressures to hire globally and national security requirements to restrict technology access.
Classified Program Security Reviews: Multiple Leidos programs have undergone security reviews following incidents at partner agencies or contractors. These reviews are generally classified, but their existence reflects the systemic security risks inherent in large-scale intelligence community contracting.
Threat Score Analysis
Leidos receives a composite threat score of 64/100, weighted primarily by its deep intelligence community relationships and the sensitivity of data it processes:
- Data Collection (65/100): Leidos processes sensitive government data including intelligence community data, veteran health records, biometrics, and immigration enforcement data. However, data collection is under government contract rather than for Leidos's commercial purposes; the company is a data processor rather than a data collector in the consumer-facing sense.
- Third-Party Sharing (45/100): Data sharing is constrained by government contract terms and classification requirements. Leidos does not sell government-contracted data commercially. However, supply chain incidents (like the Diligent breach) demonstrate that data flow beyond intended boundaries remains a risk.
- Breach History (70/100): While Leidos has not suffered a catastrophic direct breach, the third-party exposure of health data in 2024, combined with the inherent security risks of processing classified intelligence community data, warrants a moderately elevated score. The consequences of any breach involving NSA or intelligence community data would be severe.
- Government Contracts (92/100): Leidos's entire business is government contracting with national security agencies. The company is one of the highest-value intelligence community IT contractors. Its role is not peripheral but central: NSA IT infrastructure, DHS border security systems, and VA health records represent the core of federal technology infrastructure.
- Transparency (30/100): Classified programs cannot be disclosed. Leidos publishes standard corporate reporting but, by definition, cannot provide meaningful public transparency about its most sensitive activities. The nature of intelligence community contracting is opacity.
Weighted calculation: (65 * 0.25) + (45 * 0.25) + (70 * 0.20) + (92 * 0.15) + (30 * 0.15) = 16.25 + 11.25 + 14.0 + 13.8 + 4.5 = 59.8, adjusted to 64 due to the classified intelligence community data processing dimension and the scale of sensitive federal data (veteran health records, immigration enforcement, aviation security) under Leidos's management.
Transparency & Accountability
Leidos operates in a regulatory environment that is fundamentally different from consumer-facing technology companies: the primary accountability mechanisms are government oversight (Congressional committees, inspectors general, classification authority), not public transparency.
The company publishes standard investor-facing corporate disclosures and some general capability information, but the most sensitive aspects of its work (intelligence community programs, classified systems, national security technology) are protected from public disclosure by classification authority.
This opacity is not a choice but a requirement. Leidos employees working on classified programs cannot disclose what they do. The company cannot describe specific intelligence community contracts or the data they process. External auditors cannot review classified program security practices.
The accountability mechanisms that do exist are institutional: Congressional oversight of intelligence budgets, inspector general reviews, security clearance management by ODNI, and internal security programs. These provide accountability to government but not to the public whose data (in the form of government records) Leidos processes.
The Leidos/Diligent data breach illustrates a specific accountability challenge: when a major federal contractor's data is exposed through a third-party vendor's breach, the accountability chain (vendor contracts, subcontractor management, notification obligations) can be inadequate for the sensitivity of data involved. The incident highlighted gaps in supply chain security standards for sensitive federal health data.
Leidos's status as a publicly traded company (NYSE: LDOS) provides investor-facing accountability mechanisms including financial disclosure and board oversight. However, investor interests do not necessarily align with privacy protection; revenue maximization through government contracts can create incentives that conflict with data minimization principles.