The Defense Department’s inconsistent security practices leave technical data about the nation’s missile defense system vulnerable to inside and outside threats, according to the agency auditor.

The ballistic missile defense system is designed to detect and intercept incoming missiles before they hit their intended targets. The system is made up of many elements, some run by the government and others by cleared contractors. The Defense Department keeps the system’s technical information—such as engineering data, algorithms and source codes—on its classified networks.

“The disclosure of technical details could allow U.S. adversaries to circumvent [ballistic missile defense system] capabilities, leaving the United States vulnerable to deadly missile attacks,” the Defense Department Office of Inspector General said in an audit.

The OIG found known network vulnerabilities that hadn’t been mitigated at three of the five facilities examined and intrusion detection capabilities that had not been implemented.

Inspectors also flagged several situations that a malicious insider could exploit. In general, the network administrators had poor access controls in place. They didn’t require multifactor authentication to access the system’s technical information, nor did they require written justification from users for elevated access. They also allowed users to save unencrypted data to removable drives without monitoring them.

“Unless the [redacted] enforces the encryption of removable media and monitors the type and volume of data transferred to and from removable media by individual users, they will be at increased risk of not protecting sensitive and classified [ballistic missile defense system] technical information from malicious users attempting to exfiltrate data that is critical to national security from [redacted],” the inspectors wrote.

Some of the problems were physical, such as failure to lock the server racks that housed technical information. “Leaving the server racks unlocked and failing to control access to the keys increases the risk that insiders could compromise or exfiltrate data even though they are authorized to be in the data center,” the report said.

Earlier this year, the OIG found inconsistencies when it examined security controls at contractor-run facilities that support the ballistic missile defense system.

The OIG had several recommendations including that chief information officers encrypt technical information stored on removable media, develop and implement a process to identify individuals who are authorized to use removable media as well as procedures to monitor the type and volume of data transferred; and assess gaps in security coverage and install security cameras to monitor personnel movements throughout their facilities.

The OIG did not receive comments on its draft report.