Signal allows you to add anyone to a conversation, without any requirement that they be vetted for security clearance, have a Common Access Card, or other centralized identity provider approval. Signal guarantees that you can't spoof the identity of a participant in a conversation (as long as you've verified their keys) but doesn't do anything to limit who you can add to a conversation. The cryptography is secure, but it's not intended for organizational use and doesn't support the sorts of centralized authentication that governments require. So it's not secure for those uses. The Washington Post is correct, but missing nuance.