32 CFR Part 117 NISPOM Rule

No. SEAD 3 is only one of the reporting requirements for a covered individual addressed in 32 CFR Part 117.  SEAD 3 is not a substitute for, nor does it cancel any existing reporting requirements. Other requirements for individuals under the NISP still include:

• Adverse information
• Insider threat
• Incident Reports
• SF-86 submissions (to include updates)
• Suspicious contacts
• Any other contractual government requirement (e.g. SCI and SAP)

While SEAD 3 establishes reporting requirements for covered individuals who have access to classified information or hold a sensitive position, the 32 CFR Part 117, "NISPOM" inclusion of SEAD 3 only applies to those contractor personnel who have been granted eligibility for access to classified information through the NISP, or are in the process of a determination for eligibility for access to classified information through the NISP. Reporting related to sensitive positions is not covered by the NISPOM's inclusion of SEAD 3. Any questions about SEAD 3 reporting required by a contractor's employee due to their position being designated as "sensitive," should be discussed with the government customer responsible for that position designation. (See Industrial Security Letter 2021-02 and the SEAD 3 webinar for more information on "covered individuals" under the NISP.)

First, remember that all covered individuals have foreign travel reporting requirements.  Second, the easiest way to determine when you should report foreign travel is to remember the one instance when you do not have to report foreign travel.  The only foreign travel you do not need to report in accordance with SEAD 3 is foreign travel that is in direct support of an established U.S. government contract with the ultimate customer being the U.S. (i.e. "official foreign travel"). If your foreign travel doesn't fit this description then it must be reported. There are a few additional things to keep in mind. Travel to Puerto Rico, Guam, or other U.S. possessions and territories is not considered foreign travel by SEAD 3 and need not be reported. Also, if you are mixing official foreign travel with unofficial foreign travel (e.g. visiting a relative or conducting other business that is not in direct support of an established government contract) then the unofficial foreign travel portion would have to be reported despite occurring before, during, or after official foreign travel.  Finally, if you are interested in more details on the following foreign travel related topics please visit ISL 2021-02, TABLE 4, p. 12.

• What do you report and when?
• Foreign travel pre-approval?
• Emergency foreign travel?
• Travel to Canada or Mexico?
• Deviations from submitted foreign travel itineraries?

***NOTE***: Based on the NISPOM Amendment dated August 19, 2021 foreign travel reporting responsive to SEAD 3 requirements by cleared contractors is not required to begin until August 24, 2022.  This delay is .to allow time for the modifications to DoD's Information Technology system to be completed. If a government contracting activity's (GCA) contract separately requires reporting or pre-approval of unofficial foreign travel (i.e., contains a provision requiring such reports other than by incorporating the NISPOM), the contractor should consult with the GCA on when and where to submit such reports and the procedures for obtaining pre-approval.

• Marriage, civil union, domestic partnerships (Reportable by TS and "Q" only)
• Cohabitation (Reportable by TS and "Q" only)
• Contact with someone from the media seeking or showing interest in classified information or information otherwise prohibited from public disclosure.  (FSOs see ISL 2021-02, Table 2, p. 8 for more details)
• Anyone who tries to obtain illegal or unauthorized access to classified information or to compromise or exploit you due to your position as a covered individual.

Reportable Due to Foreign Nationality

• Adoption of non-U.S. citizen children (Reportable by TS and "Q" only)
• Foreign national roommate (Reportable by TS and "Q" only)
• Contact with a foreign intelligence entity. (outside of official contact made under the direction of a U.S. government contract)
• A continuing relationship with a known foreign national that
  • Involves bonds of affection, intimate contact, or personal obligation, OR
  • Involves an exchange of personal information, meaning information of an intimate or personal nature and that is not reasonably expected to be accessible by the general public, nor that you would willingly release to the general public. Information excluded from this meaning includes:
    • Information, that as a member of the general public you would be expected to provide to enable a legal commercial transaction.
    • Information exchanged with a foreign national on the basis of being personable, not personal.
    • Information related to you that is exchanged on behalf of your employer to further a work-related matter.

Still confused? Visit "What Contacts and Relationships Should I Report Under SEAD 3?" under the Resource tab on the NISPOM Rule webpage for an exercise intended to help you decide if there is a contact or relationship that you should be reporting.

SEAD 3 defines a foreign national as anyone who is not a U.S. citizen or a U.S. national.  This means that U.S. citizens with dual citizenship are not considered foreign nationals, and therefore do not need to be reported as foreign contacts. However, if the person is a spouse through marriage, civil union or domestic partnership, or a cohabitant as defined by SEAD 3, they are still reportable regardless of citizenship by those who are TS and "Q" eligible. (See ISL 2021-02, Table 3, p. 10)
Also, be aware that being designated as a "protected individual" as defined by 8 U.S. Code, Chapter 12, Sub-Chapter II, Part VIII, Section 1324b.(a)(3) does not necessarily mean reporting is not required under SEAD 3. For instance, having a Permanent Resident Card (or "green card") is included under the definition of a "protected individual," but does not meet the definition of a U.S. national and therefore such contacts must be reported if the nature of the relationship meets the criteria set forth in SEAD 3, namely that it is a CONTINUING RELATIONSHIP with a known foreign national and involves bonds of affection, intimate contact, personal obligation or the exchange of personal information.

Typically you would not have to report these individuals unless there existed a CONTINUING RELATIONSHIP involving BONDS OF AFFECTION, INTIMATE CONTACT, OR PERSONAL OBLIGATION (i.e. obligation beyond the work environment). Also contact with these individuals must be reported if the relationship expands outside the work environment and involves an EXCHANGE OF PERSONAL INFORMATION, particularly anything that combined with knowledge of your covered individual status might enable targeting of you by a foreign intelligence entity.. Bonds of affection, intimacy, and personal obligation should be relatively apparent in your assessment of the relationship you have with a foreign national with whom you work. However,critical thinking will be required by the covered individual to determine if a relationship with a foreign national from work involves an exchange of personal information that may be used in conjunction with knowledge of a covered individual's eligibility status to target them for compromise.

The DNI Worldwide Threat Assessment of the Intelligence Community report is located at:  https://www.dni.gov/files/documents/Newsroom/Testimonies/Final-2018-ATA---Unclassified---SASC.pdf Travel to the countries listed in the report constitute the requirement for a pre-travel brief as outlined in ISL 2021-02.

No. Cleared contractors under DOD cognizance do not need to keep track of unofficial foreign travel that occurs between now and August 24, 2022 when reporting is required to start.

Reporting criteria is based on the eligibility level of the cleared employee. For example, if the employee has Top Secret eligibility for access to classified information but is only currently accessing SECRET level classified information the covered individual is still required to report in accordance with SEAD 3's requirements for TS and "Q" covered individuals, along with the reporting for all covered individuals also required.

The reporting requirements of SEAD 3 for the purposes of the NISP apply only to cleared contractor personnel with eligibility for access to classified information. As a reminder though, you are still responsible for the requirements of the SF-86 regardless of SEAD 3.

SEAD 3 requires reporting of media contacts, other than for official purposes, where the media seeks access to classified information or other information specifically prohibited by law from disclosure, whether or not the contact results in an unauthorized disclosure.  For the purposes of SEAD 3 the media is defined as any person, organization, or entity, other than Federal, state, local, tribal, and Territorial governments:

• Primarily engaged in the collection, production, or DISSemination to the public of information in any form, which includes print, broadcast, film, and Internet; or
• Otherwise engaged in the collection, production, or DISSemination to the public of information in any form related to topics of national security, which includes print, broadcast, film, and Internet.

SEAD 3 provides the examples of an inheritance or winnings for an unusual infusion of assets. A "windfall" is another way to think of this; an unexpected gain (either monetary or something of monetary value) that is not intended to legally compensate you for a corresponding loss or sale of something.  For example, an insurance payment of $50,000 to cover flood damage to your house is not reportable as an "unusual" infusion because this is a "usual" occurrence given the circumstances of the flood and the corresponding insurance claim. Likewise, properly documented compensation resulting from the sale of personal assets (at a reasonable valuation) or receiving a bonus from your employer in recognition of the value of your performance do not constitute an "unusual" influx since this is simply transferring something of value that you already legally possess into monetary value.

Specifically, SEAD 3 requires a covered individuals to report various behaviors and activities of other covered individuals that may be of potential security or counterintelligence concern. (See SEAD 3, Section F.3., p. 5) Therefore, reporting an employee's workplace behavior and activities in accordance with SEAD 3 is intended to occur when there is concern that such behavior or activity may impact the protection of classified information or other information specifically prohibited by law from disclosure. 

based solely on SEAD 3 (and not considering any other contractually applied requirements that may exist) the reporting would need to only occur once; whether submitted in DISS or directly to DCSA vetting risk operations (VRO) or the GCA. This reporting by the covered individual satisfies the reporting of the activity and appropriate information elements to any one of the cleared contractors under DoD cognizance that employs them. However, covered individuals should follow any additional reporting requirements of their government customer or servicing prime contractor.

If you become aware of any reportable activities for the covered individual who is new to your organization, contact the VRO who can advise you if the activity has already been reported.  VRO can be contacted using the e-mail address DCSA.ncr.DCSA-dvd.mbx.askvroc@mail.mil or toll free telephone number (888) 282-7682.

A.  Contractors should report criminal conduct (e.g. arrests) in DISS, then update the system with any disposition as it occurs.  Further, Appendix A of SEAD 3 addresses the data required for "arrests," as well as any disposition. 

All cleared contractors under DOD cognizance are required to have a Standard Practices and Procedures document prepared or updated by the contractor that outlines the implementation of SEAD 3 reporting requirements outlined in ISL 2021-02 and made available for review by DCSA during assessments.

All cleared contractors are required to have a primary and alternate account holder for DISS. The FSO should have the alternative account holder for DISS submit the report.

The first important difference is that the Mass Foreign Travel Tool enables FSOs to submit multiple cleared employees' unofficial foreign travel reporting in a single consolidated DISS report, while the Foreign Travel Wizard requires the FSO to submit a separate DISS report for each cleared employee who notifies the FSO of their unofficial foreign travel intentions. The Mass Foreign Travel Tool was developed to mitigate the administrative burden on FSOs facing potentially excessive unofficial foreign travel reporting due to the size of their organization's cleared workforce. That being said, any cleared contractor responsible for submitting unofficial foreign travel reporting into DISS can make use of the Mass Foreign Travel Tool if they wish. The decision as to which functionality to use for submission of unofficial foreign travel reporting into DISS is up to the contractor regardless of its size.

The second important difference between the Mass Foreign Travel Tool and the Foreign Travel Wizard is the DISS submission timelines. Submission of a cleared employee's unofficial foreign travel into DISS using the Foreign Travel Wizard is intended to take place prior to that specific employee's foreign travel. However, use of the Mass Foreign Travel Tool allows the FSO to submit a consolidated report of multiple cleared employees' unofficial foreign travel at intervals not to exceed 30 days.

For more information on using the foreign travel reporting functionality in DISS and the use of the bulk-upload tool by FSOs please see Updated Foreign Travel Reporting options in DISS.

Official foreign travel is defined as foreign travel by covered individuals that is in direct support of an established U.S. Government contract with the ultimate customer being the U.S. Government, whether as a prime contractor or a sub-contractor. Unofficial foreign travel is defined as all travel other than that defined by “official foreign travel,” and includes any foreign travel conducted before, during, or after official foreign travel, and that does not meet the criteria of “official foreign travel.” Refer to SEAD 3 for additional information..

No, visiting a foreign embassy on U.S. soil is not considered foreign travel for SEAD 3 reporting.
 
However, foreign contact reporting will apply if interactions with foreign nationals while visiting the embassy meet the unofficial foreign contact reporting criteria stated in SEAD 3 and further clarified in Industrial Security Letter 2021-02.

Continuing unofficial association refers to an ongoing relationship with known foreign nationals that involves deeper personal connections, such as bonds of affection, personal obligation, or intimate contact.  It covers relationships that are maintained over time, regardless of how the contact is established or maintained (e.g., in-person meetings, phone calls, letters, social media, or online communication).

Reportable instance involving an exchange of personal information with a foreign national refers to any interaction with a foreign national that meets the following criteria:

• The name and nationality of the foreign national are known by the covered individual during or after the exchange of personal information.
• The type of personal information shared by the covered individual with the foreign national is not reasonably anticipated to be publicly accessible or voluntarily disclosed to the public by the covered individual.
• Contact with the foreign national is recurring or expected to reoccur. 

.

Personal information encompasses any data that can be utilized to identify an individual.  This includes, but is not limited to, their name, date of birth, social security number, or passport number.  Additionally, personal information may encompass details concerning the individual’s family, friends, employment, or financial information.

No, reporting of limited or casual public contact with foreign nationals is not required absent any other reporting requirement in SEAD 3.

Following initial reporting, updates regarding continuing unofficial association with known foreign nationals shall occur only if and when there is a significant change in the nature of the contact that meets the criteria outlined in SEAD 3 and clarified in the industrial security letter 2021-02.

 Contractors under the security cognizance of the DoD are required to report unofficial foreign contacts to their company’s Facility Security Officer.

The date and time of the contact, the purpose of the contact, the name of the foreign national, the affiliation of the foreign national, and the nature of the contact.

Failing to report unofficial foreign contact for contractors under the security cognizance of the DoD could result in disciplinary action, up to and including the loss of your security clearance.

The purpose of unofficial foreign contact reporting is to enhance national security by identifying and assessing potential risks posed by interactions with foreign nationals, particularly for those occupying sensitive positions or who have access to classified information.  By reporting such contacts, authorities can monitor and evaluate any potential threats to national security and take appropriate measures to safeguard sensitive information.

Foreign contact reporting under SEAD 3 includes reporting of unofficial contact with a known or suspected foreign intelligence entity.  It also requires reporting continuing association with known foreign nationals that involve bonds of affection, personal obligation, or intimate contact; or any contact with a foreign national that involves the exchange of personal information, and this contact is re-occurring or expected to re-occur.  This reporting requirement is based on the nature of the relationship regardless of how or where the foreign national contact was made or how the relationship is maintained.  Refer to the SEAD 3 Reporting Exercise Job Aid for additional information..

Many of the ISLs providing CSA-guidance were incorporated into the NISPOM Rule. DCSA is working with Industrial Security Policy staff at the Office of the Under Secretary of Defense for Intelligence and Security (OUSD (I&S)) concerning new ISLs, revising and re-issuing current required guidance, and determining which ISLs need to be rescinded. DCSA will coordinate through the NISPPAC concerning new ISLs, as well as those revised and re-issued.

Yes, efforts are underway to update NISS by August 2021.

Yes, efforts are under way to update NISP related forms to reflect the NISPOM Rule.

Yes, a new Self Inspection handbook will align with the changes found in 32 CFR Part 117. We intended to release it in August 2021.

The use of cleared employees to inspect TS stored in a GSA-approved security container is required when container location is not occupied by cleared employees.

In the new NISPOM Rule, the term "closed area" and its associated construction requirements is replaced by "open storage area" and its requirements found in 32 CFR Part 2001, "Classified National Security Information." However, if your organization has an existing DCSA approval for a "closed area" under the requirements of the NISPOM Manual (DOD 5220.22-M), that closed area can remain in effect. If major changes occur, the "open storage area" requirements found in 32 CFR Part 117 are required.

No, the SMO will only need to appoint in writing those cleared employees who assume those duties after the implementation date.

There is no dedicated training for SMOs. As a cleared employee performing security duties, he/she is required to complete commensurate training. In this respect, DCSA is planning a SMO specific webinar during July 2021. We're also developing an information tool about responsibilities.

DCSA will schedule webinars beginning in June 2021, to discuss SEAD 3 reporting requirements for cleared contractors under DOD cognizance. Additionally, an Industrial Security Letter (ISL) providing DOD specific guidance is under development.

The role of the SMO has not changed from the old NISPOM to the new NISPOM Rule. The NISPOM Rule now provides more detailed information on the responsibilities of the SMO. It more clearly defines the SMO's responsibilities with respect to ensuring the protection of classified information by their facility. It also makes very clear that the accountability for a SMO's responsibilities cannot be delegated to anyone else.

No, cleared contractors under DOD cognizance only need to designate in writing those who are appointed after the August 24, 2021 implementation date.

No, the SMO is not required to be on site where classified work is being performed. The SMO must have cognizance of the classified work being performed and be able to execute their responsibilities outlined in the NISPOM Rule.

Yes, the NISPOM Rule requires the SMO to certify that other KMP have been briefed on the results. DCSA deems the phrase "other KMP" to mean "all KMP," which includes excluded KMP; i.e. those KMP who do not possess a personnel security clearance (PCL) due to an exclusion resolution. The designation of any individual or position as a KMP indicates that the person or position can influence the facility's protection of classified information or performance on classified contracts, and therefore should be made aware of the results and recommendations of the facility self-inspection.

No, the NISPOM Rule requires the SMO to certify the Annual Self-Inspection. The certification is a demonstration of the SMO's accountability for those responsibilities stated in the NISPOM Rule.

The NISPOM Rule identifies specific criteria that a person must satisfy to be designated as the SMO for a facility. Underlying this criteria is the need to possess the appropriate level of authority. The SMO is an employee who, based on the cleared entity's governance documents, occupies a position in the entity with ultimate authority over the facility's operations and the authority to direct actions necessary for the safeguarding of classified information in the facility. While others, such as key management personnel (KMP), security staff, or those holding NISP-related positions in response to a company determined to be under FOCI, have key roles in the day-to-day security, operations or FOCI mitigation measures, these personnel often do not have overall authority over the facility to the degree required in the NISPOM rule.

The SMO in most cases does not need to be on site during a DCSA assessment. DCSA industrial security representatives (ISRs) will determine if further engagement with the SMO is necessary based on interviews with other KMPs, security staff, and cleared employees during the assessment. It is always a good practice for the SMO, if available, to attend the introduction or exit brief whether in-person or virtually. The DCSA ISR normally communicates through the FSO for routine engagements with the cleared entity.

In cases where the entity's cleared employees perform at other contractor or government locations, the SMO is responsible for NISPOM Rule requirements that apply to their cleared employees granted access to classified information. The other contractor or government location security staff has overall responsibility to ensure compliance with the NISPOM Rule requirements at their location.

Yes, the NISPOM Rule, 32 CFR, Part 117 defines the SMO as someone with the authority to direct actions necessary for the safeguarding of classified information in the facility, even when the access to classified information by the facility's employees is solely at other contractor facilities or U.S. government locations. The rule also states that the SMO is responsible for remaining fully informed of the facility's classified operations. Additionally, the SMO is responsible for certifying a facility's self-inspection, in which a review of the facility's classified activities must take place even if that facility does not possess classified material but instead accesses classified at other locations, such as other contractor facilities or government locations.

Yes. DCSA may review the cleared facility's governance documents, board meeting minutes, and other documents to validate that the entity's designated SMO possesses sufficient authority to meet the criteria stated in the NISPOM Rule.

If classified threat information is required to be shared with the cleared entity, DCSA will coordinate with the FSO.

The SMO is a KMP but not all KMPs are the SMO.

• KMP means the entity's SMO, FSO, ITPSO, and all other entity officials who either hold majority interest or stock in, or have direct or indirect authority to influence or decide issues affecting the management or operations of, the entity or classified contract performance.
• The NISPOM Rule defines the SMO as an entity employee occupying a position in the entity with ultimate authority over the facility's operations and the authority to direct actions necessary for the safeguarding of classified information in the facility.
• See NISPOM Rule Definitions for more information on SMO and KMP.

Yes, the SMO must be cleared to the level of the cleared entity's facility clearance. As an example, if the cleared entity has a SECRET facility clearance (FCL), then SMO must be cleared to the level of the FCL.(i.e. SECRET).

The SMO is only required to attend the same security related training as other cleared employees. It is advisable for the SMO to review the SMO Responsibilities webinar found under the Resources tab of the NISPOM Rule webpage.

Yes, the SMO may hold other positions in the cleared entity that are required for an FCL. However, this is not always the case in reverse. In order for an FSO or ITPSO to be designated the facility's SMO, that person must meet the criteria stipulated by the NISPOM Rule for the SMO role.

The SMO is designated in writing by being listed on the KMP list uploaded into National Industrial Security System (NISS) by the entity. The assigned DCSA ISR validates the individual being designated as the SMO by reviewing the cleared entity's governance.