On Dec. 2, the Department of Defense (DoD) Office of the Inspector General (OIG) published an unclassified version of a report on the incident that has come to be known as “Signalgate.” The report concerns Secretary of Defense Pete Hegseth’s use of a personal device and the encrypted messaging app Signal to share sensitive information with other officials—and the editor-in-chief of The Atlantic, who was added to the group chat—about an impending military strike in Yemen.
On March 24, 2025, The Atlantic published the first in a series of articles containing material from the group chat, including screenshots of Signal messages between cabinet-level officials discussing the authorization and operational details of the strikes, which took place on March 15. Hegseth, then National Security Advisor Michael Waltz, and other cabinet members, including the administration’s two most senior intelligence officials, discussed matters including the number of aircraft involved in the attack, the kinds of munitions dropped, specific times for the attack, and targets on the ground, according to The Atlantic.
OIG published its report on the incident alongside a companion report offering recommendations for the handling of sensitive information on “non-DoD controlled electronic messaging systems.” The OIG conducted its evaluation of the incident from April through October 2025, collecting information and documents and conducting interviews with current and former DoD personnel to identify “the factual circumstances and adherence to policies and procedures surrounding the Secretary’s reported use of Signal to conduct official government business from approximately March 14 through March 16, 2025.”
In a previous article on Just Security, Ryan Goodman analyzed the criminal laws that could apply to Signalgate. This fell outside of the scope of the OIG report, which did “not try to identify whether any person violated criminal laws.” Instead, the report assessed whether Hegseth and other DoD officials “complied with DoD policies and procedures for the use of the Signal commercial messaging application for official business” in “compliance with classification and records retention requirements.” The report’s findings and the recommendations raise a number of questions that lawmakers should address.
OIG Report Findings and Recommendations
The OIG found that Hegseth, who declined to be interviewed, shared sensitive, non-public information from a USCENTCOM briefing in the Signal group just hours before the United States conducted strikes in Yemen. In doing so, the report says, “the Secretary’s actions did not comply with DoD Instruction 8170.01, which prohibits using a personal device for official business and using a nonapproved commercially available messaging application to send nonpublic DoD information.”
The OIG explicitly stated that the information shared in the group could have created a risk to U.S. forces, contradicting a written statement by Hegseth.
Although the Secretary wrote in his July 25 statement to the DoD OIG that “there were no details that would endanger our troops or the mission,” if this information had fallen into the hands of U.S. adversaries, Houthi forces might have been able to counter U.S. forces or reposition personnel and assets to avoid planned U.S. strikes. Even though these events did not ultimately occur, the Secretary’s actions created a risk to operational security that could have resulted in failed U.S. mission objectives and potential harm to U.S. pilots.
The report also found that Hegseth and his office failed to retain the messages as required by federal law, since some of the messages were “auto-deleted before preservation.” DoD was only able to provide “a partial transcript of the Signal messages based on screenshots taken from the Secretary’s personal cell phone on March 27, but this record did not include a significant portion of the Secretary’s conversations disclosed by The Atlantic,” according to the report. The OIG therefore “relied on The Atlantic’s version of the Signal group chat.”
The report also detailed procedural issues with the classification of operational information in USCENTCOM communications, including a lack of appropriate markings on certain communications.
With regard to Hegseth’s failure to comply with DoD instructions on the use of a personal device and non-approved commercial app for the conduct of official business, the OIG did not make a recommendation, asserting that “the use of Signal to send sensitive, nonpublic, operational information is only one instance of a larger, DoD-wide issue.” The single actionable recommendation from the OIG evaluation is that USCENTCOM should review its classification procedures and “ensure that clear requirements are communicated” for marking classified information.
The companion report included a number of other recommendations. It suggests that the DoD should take efforts to remove the incentive for personnel to use apps such as Signal by providing better official alternatives, that it should conduct department-wide cybersecurity training, and that senior leadership should receive training and “a knowledge assessment” on the use of mobile devices and applications. The DoD Chief Information Officer agreed with most of the recommendations, but quibbled with creating new department-wide training, arguing they would be expensive and “redundant” to existing efforts.
Questions Lawmakers Should Ask Now
The OIG report raises questions, including about its drafting and scope. For instance, while Appendix A of the report stipulates that it “does not try to identify whether any person violated criminal laws,” two pages later it says OIG “obtained support from the Administrative Investigations and Defense Criminal Investigative Service Components in the DoD OIG,” which “advised and assisted the project team with analysis of potential criminal conduct and taking recorded and sworn testimony from DoD officials.” Was the inquiry truly limited in its scope, or did OIG implicitly conduct a criminal-adjacent investigation without stating so? Was any material left out of the report that would have been important for Congress or the public to know?
Regardless, the OIG report is far from the “total exoneration” claimed by Hegseth and his aides. Rep. Don Bacon (R-NE) told CNN’s Brianna Keilar that claims the report exonerated Hegseth are “total baloney,” while Sen. Jim Himes (D-CT) told CBS News’ Face the Nation that his Republican colleagues are expressing concern over the findings. But when asked if he would use Signal again, the Secretary told a Fox News correspondent on Saturday that he does not “live with any regrets.”
Given bipartisan concern over the issue, Congress should pursue a more substantial inquiry into the incident, and look into the “DoD-wide issue” that the OIG report says stems from the use of Signal. Perhaps there are legislative solutions. Congress could write a law to require DoD to deploy a secure messaging application to reduce the incentive to use consumer apps, or more clearly codify consequences for senior officials—including Cabinet members—who violate electronic communications or records laws.
That might create accountability for a future Secretary of Defense. It would at least put the same degree of accountability in place for the civilian leader of the military as for his subordinates. As The Atlantic’s Goldberg put it on Friday:
I try not to express my personal views from this chair, but since Signal Gate happened on my phone, let me say that the most disturbing aspect of this whole episode is that if any other official at the Department of Defense and certainly any uniform military officer shared information 1 in 100th as sensitive as Hegseth and others shared on an insecure messaging app, without even knowing that the editor-in-chief of The Atlantic was on the chat, they would be fired or court-martialed for their incompetence.
Perhaps such common sense is insufficient to serve in place of a rule. Congress has the opportunity now to use the OIG report as the starting point to consider what should happen next. If it fails to do so, then the report will be filed away as the endpoint Hegseth claims it is.
