SAIC

Overview

Science Applications International Corporation (SAIC) is an American defense technology and IT services company headquartered in Reston, Virginia. Originally founded in 1969 by physicist J. Robert Beyster in La Jolla, California, SAIC grew into one of the largest employee-owned corporations in U.S. history before its 2006 IPO. In 2013, the company split into two publicly traded entities: the new SAIC retained defense and intelligence IT services, while the other entity was renamed Leidos.

SAIC generates annual revenues of approximately $7.5 billion and employs over 26,000 people, with the vast majority holding government security clearances. The company provides IT systems integration, cybersecurity, software development, logistics, and mission support to U.S. military services, intelligence agencies, and civilian government agencies.

SAIC's historical role in U.S. national security is substantial. The company has been involved in major signals intelligence programs, nuclear weapons laboratory IT systems, biometric identification databases, and the full range of defense IT infrastructure. Its predecessor (before the 2013 split) included what became Leidos, meaning SAIC's historical footprint in intelligence community IT is even larger than its current form suggests.

The company became the center of significant public attention in 2023 when a breach of DC Health Link, for which SAIC provided IT services, exposed the health insurance data of Members of Congress and their staff. The incident, affecting one of the most sensitive populations in U.S. government, triggered Congressional hearings and raised questions about security practices at major federal IT contractors.

Data Collection Practices

SAIC's data handling is centered on government-contracted data processing across defense, intelligence, and civilian federal agencies:

Intelligence community data systems:

• Signals intelligence support systems for NSA and affiliated agencies
• Defense intelligence data analytics for DIA
• Imagery intelligence (IMINT) processing tools for NGA
• CIA IT systems integration and data management

Military operations data:

• Battlefield command and control systems
• Logistics and supply chain tracking data
• Personnel records systems for military services
• Weapons systems integration data

Biometric data systems:

• ABIS (Automated Biometric Identification System) development and maintenance for DOD
• Afghan biometric databases (HIIDE devices deployed with military)
• Border security biometric systems
• Identity management databases for cleared personnel

Health data (federal health programs):

• DC Health Link IT operations (Congressional health insurance marketplace)
• Federal employee health benefits IT support
• Military health system data processing

Nuclear and energy data:

• DOE National Laboratory IT support
• Nuclear security systems data management
• NRC regulatory compliance IT systems

Known Clients & Government Contracts

NSA: SAIC has been one of NSA's longest-serving major contractors, providing systems integration, network management, and technology support for classified SIGINT programs. The company's work at NSA predates the Snowden disclosures and continues under new contract vehicles.

Defense Intelligence Agency: SAIC provides intelligence analysis tools, data management systems, and IT infrastructure for DIA, supporting all-source intelligence collection and analysis.

Army, Navy, Air Force, USMC, Space Force: SAIC provides IT modernization, cybersecurity, logistics systems, and specialized technology across all U.S. military services, making it a ubiquitous presence in military IT infrastructure.

DISA (Defense Information Systems Agency): SAIC supports DISA's critical role in military communications and IT infrastructure, including work on NIPRNET and SIPRNET (the classified military networks).

DOE National Laboratories: SAIC provides IT services to multiple DOE national laboratories including facilities with nuclear weapons research missions, handling some of the most sensitive technical data in the U.S. government.

DC Health Link: SAIC operated the DC Health Link health insurance marketplace, which serves Members of Congress, Congressional staff, and District government employees. The 2023 breach of this system exposed the health insurance enrollment data of elected officials and their families.

Privacy Incidents & Litigation

DC Health Link Congressional Data Breach (March 2023): A breach of DC Health Link, an ACA marketplace platform where SAIC provided IT operations, exposed health insurance enrollment data for thousands of Members of Congress, Congressional staff, and their family members. The compromised data included names, Social Security numbers, dates of birth, addresses, phone numbers, and detailed health plan enrollment information.

The breach was significant not only for its scope but for the sensitivity of who was affected: sitting Members of Congress, committee staff with security clearances, and executive branch officials enrolled through the District. Congressional hearings were held to examine how SAIC's operations failed to prevent the breach and what oversight of federal IT contractors existed.

Afghanistan HIIDE Biometric Database Loss (2021): Among the most consequential security incidents involving SAIC-developed systems was the loss of HIIDE (Handheld Interagency Identity Detection Equipment) devices and associated biometric databases during the chaotic U.S. withdrawal from Afghanistan. These devices, built under SAIC and other contracts, contained biometric data (fingerprints, iris scans, facial images) for tens of thousands of Afghan nationals who had worked with U.S. forces or been enrolled in U.S. government biometric programs.

The Taliban gained access to HIIDE devices and potentially the biometric database access credentials, creating immediate risks for Afghans enrolled in U.S. biometric systems who remained in Afghanistan. The incident illustrated the life-threatening consequences of inadequate data security planning for sensitive biometric collection programs in conflict zones.

False Claims Act Settlement (2014): SAIC agreed to pay $500 million to settle DOJ allegations that the company submitted false claims related to a New York City automated payroll system (CityTime) that was over-budget, behind schedule, and involved alleged overbilling. This settlement, one of the largest government contractor fraud settlements at the time, raised questions about SAIC's billing practices and management oversight.

Insider Threat and Clearance Incidents: SAIC, like other major intelligence community contractors, has managed multiple insider threat incidents involving security clearance holders. Some of these incidents have been publicly reported; others remain classified.

Threat Score Analysis

SAIC receives a composite threat score of 63/100, reflecting its deep intelligence community involvement and the Afghanistan biometric incident's severe human consequences:

• Data Collection (62/100): SAIC processes sensitive government data under contract, including classified intelligence data, biometric databases, nuclear program data, and Congressional health records. Data processing is in service of government clients rather than for SAIC's commercial use.

• Third-Party Sharing (42/100): Constrained by classification and contract requirements. The Afghanistan biometric device loss represents an unintended and catastrophic data disclosure, but not commercial sharing.

• Breach History (68/100): The DC Health Link Congressional breach and the Afghanistan biometric database loss are both significant. The Afghanistan incident's potential to endanger lives elevates this score. Multiple other incidents affecting cleared personnel and government data demonstrate systemic security challenges.

• Government Contracts (90/100): SAIC's entire business is national security and federal government contracting. Its involvement spans NSA, DIA, CIA, all military services, DOE, and civilian agencies. The breadth and depth of intelligence community involvement is among the highest of any contractor.

• Transparency (28/100): Classified program opacity is inherent. The DC Health Link incident response was criticized for delayed notification. SAIC's historical overbilling settlement raised questions about corporate integrity beyond security practices.

Weighted calculation: (62 * 0.25) + (42 * 0.25) + (68 * 0.20) + (90 * 0.15) + (28 * 0.15) = 15.5 + 10.5 + 13.6 + 13.5 + 4.2 = 57.3, adjusted to 63 due to the Afghanistan biometric database loss and its direct endangerment of human lives, and the Congressional health data breach's implications for the security of elected officials and their families.

Transparency & Accountability

SAIC's accountability framework is dominated by government oversight mechanisms rather than public transparency:

Congressional oversight of defense and intelligence contracting provides the primary accountability mechanism for SAIC's most sensitive programs. The House Armed Services Committee, Senate Intelligence Committee, and various inspector general offices conduct oversight of major contractor programs. The DC Health Link Congressional breach had the unusual effect of making Members of Congress directly affected by a contractor security failure, prompting unusually immediate Congressional attention.

SAIC publishes standard investor disclosures and limited capability documentation. The company has an established ethics and compliance program following its False Claims Act settlement, which required enhanced compliance measures. However, these programs operate primarily to satisfy government contract requirements rather than to address broader data privacy concerns.

The Afghanistan biometric incident illustrates a fundamental accountability gap in government contracting: when sensitive biometric databases built by contractors under military programs are lost during a chaotic withdrawal, there is no clear accountability mechanism for the life-threatening consequences to individuals enrolled in those databases. SAIC built the HIIDE systems and database structures, but the military made operational decisions about data protection during the withdrawal. Responsibility is diffuse across military commands, contractor teams, and policy-making levels.

SAIC's formal separation from its Leidos spinoff in 2013 created cleaner organizational boundaries, but both entities continue to operate deep in intelligence community infrastructure. Understanding SAIC's current activities requires understanding the full history of what was SAIC pre-2013, including significant classified programs whose existence cannot be publicly confirmed.