32 CFR Part 117 NISPOM Rule

The NISPOM Rule 

DCSA releases ISL 2021-02, SEAD 3: Clarification and Guidance on Reportable Activities for cleared contractors under DoD cognizance. The ISL provides clarity on reporting requirements for all covered individuals who have access to classified information. The ISL additionally advises that cleared contractors under DoD cognizance must implement the change in 32 Code of Federal Regulations Part 117, “National Industrial Security Program Operating Manual,” Rule effective August 24, 2021.

DoD has amended 32 CFR Part 117, the NISPOM Rule to extend the compliance date solely for reporting and pre-approval of unofficial foreign travel as prescribed in SEAD 3, until no later than 18 months from the effective date of the rule for those contractors under DoD security cognizance.  The reporting of the foreign travel component of SEAD 3 will begin August 24, 2022. 

Cleared industry under DoD cognizance should consult with their government customers for any additional foreign travel reporting requirements for those personnel who have SCI or SAP access and/or additional contractual reporting requirements.

DCSA will incorporate the assessment of compliance with the SEAD 3 reporting requirements that begin on August 24, 2021 (with the exception of foreign travel, as noted above) into scheduled assessments no earlier than March 1, 2022.

Resources for SEAD 3 implementation can be found on this webpage under the Resource and FAQ tabs below, and include Industry SEAD 3 Reporting Webinar Recording, SEAD 3 Frequently Asked Questions, and a SEAD 3 Reporting Desk Top Aid.  

Industrial Security Letter (ISL 2021-02)

Additional industrial security letter guidance for 32 CFR Part 117, NISPOM Rule (insider threat, SF-328, DISS, and consolidated article) that have been coordinated through the National Industrial Security Program Policy Advisory Committee (NISPPAC) continue to be processed and coordinated for issuance.  Cleared industry will be informed when they are approved and posted.

32 Code of Federal Regulations Part 117, NISPOM

On February 24, 2021, 32 CFR Part 117, “National Industrial Security Program Operating Manual (NISPOM)” became effective as a federal rule. Referred to as the “NISPOM rule,” it provides the contractor no more than six months from this effective date to comply with the requirements stipulated therein. The NISPOM rule replaces the NISPOM previously issued as a DOD policy (DOD 5220.22-M), which will be cancelled shortly after the allotted six-month implementation period ends. Until then, DOD 5220.22-M will remain in effect.

The rule implements policy, assigns responsibilities, establishes requirements, and provides procedures consistent with Executive Order 12829, “National Industrial Security Program;” Executive Order 10865, “Safeguarding Classified Information within Industry;” and 32 Code of Federal Regulations Part 2004, “National Industrial Security Program.” That guidance outlines the protection of classified information that is disclosed to, or developed by, contractors of the U.S. Government.

To assist cleared industry in better understanding what is required for compliance, DCSA worked with the Center for Development of Security Excellence (CDSE) to develop a cross reference tool. The tool provides users the ability to select a link in the familiar NISPOM table of contents and takes them to the corresponding section of the NISPOM rule. It serves as a deskside aid enabling the transition from the DOD manual format to a federal rule format.

32 CFR Part 117 Cross Reference Tool

Changes in the Rule

Some of the changes in the Rule are intended to better align with national policy for the protection of Classified National Security Information, some are to address changes in law or regulations, and some are to enhance the protection of classified material that contractors access or possess.

The key changes include:

  • Section 117.8(a); Reporting Requirements: Requires cleared contractors to submit reports pursuant to Security Executive Agent Directive (SEAD) 3 and DCSA guidance.

  • Section 117.15(e)(2); TOP SECRET Information Accountability: Provides guidance on processes for the accountability and management of TS material on accredited classified information systems based on DCSA approval of the contractor’s plan.

  • Section 117.15(d)(4); Intrusion Detection System (IDS) Installation: Allows the granting of Underwriters Laboratories UL-2050, “National Industrial Security Systems,” certification for intrusion detection systems (IDS) by a nationally recognized test laboratory, recognized by the Occupational Safety and Health Administration, which is in addition to the CSA-approved IDS, and those in accordance with Intelligence Community Directive 705, “Sensitive Compartmented Information Facilities.”

  • Section 117.7(b)(2); Senior Management Official (SMO): Addresses additional responsibilities for the senior management official (SMO) regarding their role in the contractor’s NISPOM compliance.

  • Section 117.15; Safeguarding: Directs cleared contractors to refer to 32 CFR Part 2001, for direction on requirements for the protection of classified national security information (CNSI) to ensure consistency with national policy. This change is in addition to CSA approval and compliance with intelligence community specification (ICS) 705.

  • Section 117.13(d)(5); Classified Information Retention: Clarifies for the contractor that upon completion of a classified contract, the “contractor must return all government provided or deliverable information to the custody of the government.”

Changes for Contractors

  • Section 117.9(m); Limited entity eligibility determination (Non-FOCI) and limited entity eligibility: Informs cleared industry about a new limited facility clearance which provides additional facility clearance eligibility tools for DCSA and the Government Contracting Activities specific to the requesting GCA’s classified information, and to a single, narrowly defined contract, agreement, or circumstance.

  • Section 117.11(d)(2)(iii)(A); National Interest Determination (NID): Informs cleared industry that NIDs may not be required for certain covered contractors operating under a Special Security Agreement and having ownership by a country designated as part of the National Technology Industrial Base (UK, Canada or Australia).

Step 1: Download the 32 CFR Part 117 Cross Reference Tool from Industrial Security, and use it to discover how the sections familiar to you in DOD 5220.22-M (NISPOM) have mapped to the new rule, 32 CFR Part 117.

Step 2: Familiarize yourself with the new rule’s language, paying close attention to the sections covering the key changes previously pointed out.

Step 3: Look forward to additional clarification and guidance provided in upcoming Industrial Security Letters (ISLs) addressing topics such as "32 CFR Part 117 Implementation," "SEAD 3 Reporting Requirements Implementation," "TS Accountability," and others.

Step 4: Take deliberate action to prepare during the 6 month implementation period by updating and enhancing your practices and procedures as necessary, and by ensuring that those in your organization affected by the NISPOM are aware of what will be expected of them under 32 CFR Part 117.


Video Series #6, Security in Depth

Security in Depth (SID) refers to the multiple layers of security used to safeguard an asset. These security measures function in concentric layers, much like an onion, utilizing a combination of different technologies and security operations to protect against physical threats and forced entries. At their best, these layers should deter, detect, delay and deny unauthorized intrusions. This video will help explain what SID is, why it is important, how to implement SID, and how it is approved. This video can be found here:



A change has been made that combines the desktop aid’s “Official” and “Unofficial” foreign contact reporting categories into a single category titled “Foreign Contacts.” A footnote containing hyperlinks to two resources concerning specific foreign contact reporting circumstances has been added as well.

Video Series #5, SEAD 3 Panel Question & Answers

In this video DCSA Critical Technology Directorate hosts a joint DCSA and Cleared Industry Panel to address industry questions associated with the implementation of SEAD 3 as outlined in 32 CFR Part 117, “the NISPOM Rule,” and the SEAD 3 Industrial Security Letter. The video is recommended viewing by Senior Management Officials, Key Management Personnel, Facility Security Officers, and key security staff.


Video Series #4, UL-2050, Intrusion Detection System approvals


In this video, learn more about the changes in the NISPOM Rule related to UL-2050 Intrusion Detection System approvals, what Nationally Recognized Testing Laboratories (NRTLs) are, and what this means for cleared contractors in the NISP. The audio/slide recording provides an overview of the changes.


Video Series #3, Senior Management Official Responsibilities in the National Industrial Security Program

"SMO Responsibilities in the NISP": In this video, the Critical Technology Protection staff discuss the responsibilities of the Senior Management Official (SMO) as outlined in 32 CFR Part 117 (NISPOM Rule).


Video Series #2, SEAD 3 Reporting Requirements


In this video, DCSA's Jason Theriault and Candace Williams provide an overview of SEAD 3 reporting responsibilities under the National Industrial Security Program, and walk you through the facility security officer's use of the pending Industrial Security Letter to identify what needs to be reported and how to go about submitting these reports.


Video Series, NISPOM Rule

"Get Ready for the Rule." In this video, DCSA's Keith Minard offers a closer look at the NISPOM Rule changes and discusses how industry can prepare for a smooth transition.




1. Do the SEAD 3 reporting requirements replace other NISP reporting requirements?

No. SEAD 3 is only one of the reporting requirements for a covered individual addressed in 32 CFR Part 117.  SEAD 3 is not a substitute for, nor does it cancel any existing reporting requirements. Other requirements for individuals under the NISP still include:

  • Adverse information
  • Insider threat
  • Incident Reports
  • SF-86 submissions (to include updates)
  • Suspicious contacts
  • Any other contractual government requirement (e.g. SCI and SAP)

2. Who is a "covered individual" for the purposes of SEAD 3 and the NISP?

While SEAD 3 establishes reporting requirements for covered individuals who have access to classified information or hold a sensitive position, the 32 CFR Part 117, "NISPOM" inclusion of SEAD 3 only applies to those contractor personnel who have been granted eligibility for access to classified information through the NISP, or are in the process of a determination for eligibility for access to classified information through the NISP. Reporting related to sensitive positions is not covered by the NISPOM's inclusion of SEAD 3. Any questions about SEAD 3 reporting required by a contractor's employee due to their position being designated as "sensitive," should be discussed with the government customer responsible for that position designation. (See Industrial Security Letter 2021-02 and the SEAD 3 webinar for more information on "covered individuals" under the NISP.)

3. As a covered individual, under what circumstances must I report foreign travel in response to SEAD 3 requirements?

First, remember that all covered individuals have foreign travel reporting requirements.  Second, the easiest way to determine when you should report foreign travel is to remember the one instance when you do not have to report foreign travel.  The only foreign travel you do not need to report in accordance with SEAD 3 is foreign travel that is in direct support of an established U.S. government contract with the ultimate customer being the U.S. (i.e. "official foreign travel"). If your foreign travel doesn't fit this description then it must be reported. There are a few additional things to keep in mind. Travel to Puerto Rico, Guam, or other U.S. possessions and territories is not considered foreign travel by SEAD 3 and need not be reported. Also, if you are mixing official foreign travel with unofficial foreign travel (e.g. visiting a relative or conducting other business that is not in direct support of an established government contract) then the unofficial foreign travel portion would have to be reported despite occurring before, during, or after official foreign travel.  Finally, if you are interested in more details on the following foreign travel related topics please visit ISL 2021-02, TABLE 4, p. 12.

  • What do you report and when?
  • Foreign travel pre-approval?
  • Emergency foreign travel?
  • Travel to Canada or Mexico?
  • Deviations from submitted foreign travel itineraries?

***NOTE***: Based on the NISPOM Amendment dated August 19, 2021, foreign travel reporting responsive to SEAD 3 requirements by cleared contractors is not required to begin until August 24, 2022. This delay is to allow time for the modifications to DoD's Information Technology system to be completed. If a government contracting activity's (GCA) contract separately requires reporting or pre-approval of unofficial foreign travel (i.e., contains a provision requiring such reports other than by incorporating the NISPOM), the contractor should consult with the GCA on when and where to submit such reports and the procedures for obtaining pre-approval.

4. What contacts and relationships (foreign and U.S.) does SEAD 3 require covered individuals to report?

Reportable Regardless of Nationality (Includes US Nationals)
  • Marriage, civil union, domestic partnerships (Reportable by TS and "Q" only)
  • Cohabitation (Reportable by TS and "Q" only)
  • Contact with someone from the media seeking or showing interest in classified information or information otherwise prohibited from public disclosure.  (FSOs see ISL 2021-02, Table 2, p. 8 for more details)
  • Anyone who tries to obtain illegal or unauthorized access to classified information or to compromise or exploit you due to your position as a covered individual.

Reportable Due to Foreign Nationality

  • Adoption of non-U.S. citizen children (Reportable by TS and "Q" only)
  • Foreign national roommate (Reportable by TS and "Q" only)
  • Contact with a foreign intelligence entity (outside of official contact made under the direction of a U.S. government contract).
  • A continuing relationship with a known foreign national that:
    • Involves bonds of affection, intimate contact, or personal obligation, OR
    • Involves an exchange of personal information, meaning information of an intimate or personal nature and that is not reasonably expected to be accessible by the general public, nor that you would willingly release to the general public. Information excluded from this meaning includes:
      • Information, that as a member of the general public you would be expected to provide to enable a legal commercial transaction.
      • Information exchanged with a foreign national on the basis of being personable, not personal.
      • Information related to you that is exchanged on behalf of your employer to further a work-related matter.

Still confused? Visit "What Contacts and Relationships Should I Report Under SEAD 3?" under the Resource tab on the NISPOM Rule webpage for an exercise intended to help you decide if there is a contact or relationship that you should be reporting.

5. What about U.S. citizens with dual citizenship?

SEAD 3 defines a foreign national as anyone who is not a U.S. citizen or a U.S. national.  This means that U.S. citizens with dual citizenship are not considered foreign nationals, and therefore do not need to be reported as foreign contacts. However, if the person is a spouse through marriage, civil union or domestic partnership, or a cohabitant as defined by SEAD 3, they are still reportable regardless of citizenship by those who are TS and "Q" eligible. (See ISL 2021-02, Table 3, p. 10)
Also, be aware that being designated as a "protected individual" as defined by 8 U.S. Code, Chapter 12, Sub-Chapter II, Part VIII, Section 1324b.(a)(3) does not necessarily mean reporting is not required under SEAD 3. For instance, having a Permanent Resident Card (or "green card") is included under the definition of a "protected individual," but does not meet the definition of a U.S. national and therefore such contacts must be reported if the nature of the relationship meets the criteria set forth in SEAD 3, namely that it is a CONTINUING RELATIONSHIP with a known foreign national and involves bonds of affection, intimate contact, personal obligation or the exchange of personal information.

6. I work with foreign nationals in my job because they are part of my parent company and some are customers. Do I have to report these as foreign contacts?

Typically you would not have to report these individuals unless there existed a CONTINUING RELATIONSHIP involving BONDS OF AFFECTION, INTIMATE CONTACT, OR PERSONAL OBLIGATION (i.e. obligation beyond the work environment). Also, contact with these individuals must be reported if the relationship expands outside the work environment and involves an EXCHANGE OF PERSONAL INFORMATION, particularly anything that combined with knowledge of your covered individual status might enable targeting of you by a foreign intelligence entity. Bonds of affection, intimacy, and personal obligation should be relatively apparent in your assessment of the relationship you have with a foreign national with whom you work. However, critical thinking will be required by the covered individual to determine if a relationship with a foreign national from work involves an exchange of personal information that may be used in conjunction with knowledge of a covered individual's eligibility status to target them for compromise.

7. Where can I find the DNI Worldwide Threat Assessment of the Intelligence Community that identifies those countries referenced in the ISL 2021-02 as requiring a pre-travel briefing for any unofficial foreign travel?

The DNI Worldwide Threat Assessment of the Intelligence Community report is located at: https://www.dni.gov/files/documents/Newsroom/Testimonies/Final-2018-ATA---Unclassified---SASC.pdf

Travel to the countries listed in the report constitutes the requirement for a pre-travel brief as outlined in ISL 2021-02.

8. Although foreign travel reporting is not required to begin until August 24, 2022 per the NISPOM rule amendment, do cleared contractors under DOD cognizance still need to keep track of unofficial foreign travel occurring up until then for later inclusion in DISS?

No. Cleared contractors under DOD cognizance do not need to keep track of unofficial foreign travel that occurs between now and August 24, 2022 when reporting is required to start.

9. Is the reporting criteria for a covered individual determined by the access level or the eligibility level?

Reporting criteria is based on the eligibility level of the cleared employee. For example, if the employee has Top Secret eligibility for access to classified information but is only currently accessing SECRET level classified information the covered individual is still required to report in accordance with SEAD 3's requirements for TS and "Q" covered individuals, along with the reporting for all covered individuals also required.

10. Do SEAD 3 reporting requirements extend to a spouse as well, such as with questions on the SF-86 that are phrased to extend to "you or your spouse"?

The reporting requirements of SEAD 3 for the purposes of the NISP apply only to cleared contractor personnel with eligibility for access to classified information. As a reminder though, you are still responsible for the requirements of the SF-86 regardless of SEAD 3.

11. Are you able to provide more detail on the "media contact" reporting requirement?

SEAD 3 requires reporting of media contacts, other than for official purposes, where the media seeks access to classified information or other information specifically prohibited by law from disclosure, whether or not the contact results in an unauthorized disclosure.  For the purposes of SEAD 3 the media is defined as any person, organization, or entity, other than Federal, state, local, tribal, and Territorial governments:

  • Primarily engaged in the collection, production, or dissemination to the public of information in any form, which includes print, broadcast, film, and Internet; or
  • Otherwise engaged in the collection, production, or dissemination to the public of information in any form related to topics of national security, which includes print, broadcast, film, and Internet.


12. SEAD 3 requires reporting of any unusual infusion of assets of $10,000 or greater. What constitutes an "unusual infusion of assets" in the context of this requirement?

SEAD 3 provides the examples of an inheritance or winnings for an unusual infusion of assets. A "windfall" is another way to think of this; an unexpected gain (either monetary or something of monetary value) that is not intended to legally compensate you for a corresponding loss or sale of something.  For example, an insurance payment of $50,000 to cover flood damage to your house is not reportable as an "unusual" infusion because this is a "usual" occurrence given the circumstances of the flood and the corresponding insurance claim. Likewise, properly documented compensation resulting from the sale of personal assets (at a reasonable valuation) or receiving a bonus from your employer in recognition of the value of your performance do not constitute an "unusual" influx since this is simply transferring something of value that you already legally possess into monetary value.

13. Does SEAD 3 require a covered individual to report on another covered individual?

Specifically, SEAD 3 requires covered individuals to report various behaviors and activities of other covered individuals that may be of potential security or counterintelligence concern. (See SEAD 3, Section F.3., p. 5) Therefore, reporting an employee's workplace behavior and activities in accordance with SEAD 3 is intended to occur when there is concern that such behavior or activity may impact the protection of classified information or other information specifically prohibited by law from disclosure.

14. So if a covered individual works for multiple cleared contractors, and therefore is "owned by" multiple SMOs, does that individual have to submit separate SEAD 3 reporting to each cleared contractor?

Based solely on SEAD 3 (and not considering any other contractually applied requirements that may exist) the reporting would need to only occur once; whether submitted in DISS or directly to DCSA vetting risk operations (VRO) or the GCA. This reporting by the covered individual satisfies the reporting of the activity and appropriate information elements to any one of the cleared contractors under DoD cognizance that employs them. However, covered individuals should follow any additional reporting requirements of their government customer or servicing prime contractor.

15. If an individual is new to an organization, how will the gaining organization know what information was already reported in DISS or on a SF-86?

If you become aware of any reportable activities for the covered individual who is new to your organization, contact the VRO who can advise you if the activity has already been reported.  VRO can be contacted using the e-mail address DCSA.ncr.DCSA-dvd.mbx.askvroc@mail.mil or toll free telephone number (888) 282-7682.

16. Do we report being arrested or wait until a final disposition?

Contractors should report criminal conduct (e.g. arrests) in DISS, then update the system with any disposition as it occurs. Further, Appendix A of SEAD 3 addresses the data required for "arrests," as well as any disposition.

17. Are all cleared contractors required to have a Standard Practice and Procedures (SPP) for SEAD 3 implementation?

All cleared contractors under DOD cognizance are required to have a Standard Practices and Procedures document prepared or updated by the contractor that outlines the implementation of SEAD 3 reporting requirements outlined in ISL 2021-02 and made available for review by DCSA during assessments.

18. If we as the FSO need to make a report on ourselves do we send that directly to our DCSA industrial security representative?

All cleared contractors are required to have a primary and alternate account holder for DISS. The FSO should have the alternative account holder for DISS submit the report.

19. As an FSO when I need to submit unofficial foreign travel reports into DISS for my organization's cleared employees, how does using the mass foreign travel tool (aka foreign travel bulk-upload tool) differ from using the foreign travel wizard?

The first important difference is that the Mass Foreign Travel Tool enables FSOs to submit multiple cleared employees' unofficial foreign travel reporting in a single consolidated DISS report, while the Foreign Travel Wizard requires the FSO to submit a separate DISS report for each cleared employee who notifies the FSO of their unofficial foreign travel intentions. The Mass Foreign Travel Tool was developed to mitigate the administrative burden on FSOs facing potentially excessive unofficial foreign travel reporting due to the size of their organization's cleared workforce. That being said, any cleared contractor responsible for submitting unofficial foreign travel reporting into DISS can make use of the Mass Foreign Travel Tool if they wish. The decision as to which functionality to use for submission of unofficial foreign travel reporting into DISS is up to the contractor regardless of its size.

The second important difference between the Mass Foreign Travel Tool and the Foreign Travel Wizard is the DISS submission timelines. Submission of a cleared employee's unofficial foreign travel into DISS using the Foreign Travel Wizard is intended to take place prior to that specific employee's foreign travel. However, use of the Mass Foreign Travel Tool allows the FSO to submit a consolidated report of multiple cleared employees' unofficial foreign travel at intervals not to exceed 30 days.

For more information on using the foreign travel reporting functionality in DISS and the use of the bulk-upload tool by FSOs please see Updated Foreign Travel Reporting options in DISS.

Halfway to NISPOM Rule Implementation

5/25/21 – May 24 marks the halfway point in the National Industrial Security Program Operating Manual (NISPOM) Rule implementation period, ending August 24, 2021. DCSA is here to help you “get ready for the rule.” In addition to changing from a DOD operating manual (5220.22-M) to a federal rule (32 CFR Part 117), the NISPOM Rule includes a number of contractor requirements. DCSA has created and published resources to assist cleared industry in better understanding what is required for compliance. More than 5,000 users have visited the NISPOM Rule webpage, close to 2,000 people have watched the “Ready for the Rule” video, and more than 3,000 users have used the NISPOM Cross Reference Tool as a desk-side aid offering the ability to select a link in the familiar NISPOM table of contents and find the corresponding section of the NISPOM Rule.

DCSA is also soliciting questions about the NISPOM Rule and has posted Frequently Asked Questions (FAQs) to the NISPOM Rule webpage. NISPOM Rule FAQs address the top questions asked during engagements with cleared industry. Industrial Security Letters (ISLs) about implementation of the NISPOM Rule and Security Executive Agent Directive (SEAD) 3 reporting requirements are under review with the National Industrial Security Program Policy Advisory Committee (NISPPAC) and will be published soon. Additional ISLs are being prepared for coordination with the NISPPAC as we approach the implementation finish line.

Check the NISPOM Rule webpage for updates, additional resources, and upcoming webinars, and continue to work with your industrial security representative as you prepare and implement NISPOM Rule changes.