On February 24, 2021, 32 CFR Part 117, “National Industrial Security Program Operating Manual (NISPOM)” became effective as a federal rule. Referred to as the “NISPOM rule,” it provides the contractor no more than 6 months from this effective date to comply with the requirements stipulated therein. The NISPOM rule replaces the NISPOM previously issued as a DoD policy (DoD 5220.22-M), which will be cancelled shortly after the allotted 6 month implementation period ends. Until then, DoD 5220.22-M will remain in effect.
The rule implements policy, assigns responsibilities, establishes requirements, and provides procedures consistent with Executive Order 12829, “National Industrial Security Program;” Executive Order 10865, “Safeguarding Classified Information within Industry;” and 32 Code of Regulation Part 2004, “National Industrial Security Program.” That guidance outlines the protection of classified information that is disclosed to, or developed by contractors of the U.S. Government.
To assist cleared industry in better understanding what is required for compliance, DCSA worked with the Center for Development of Security Excellence to develop a cross reference tool. The tool provides users the ability to select a link in the familiar NISPOM table of contents and takes them to the corresponding section of the NISPOM rule. It serves as a deskside aid enabling the transition from the DOD manual format to a federal rule format. The tool is found at https://www.cdse.edu/documents/toolkits-fsos/32CFR_Part117_NISPOM_Rule_Cross_Reference_Tool.xlsx
Changes in the Rule
Some of the changes in the Rule are intended to better align with national policy for the protection of Classified National Security Information, some are to address changes in law or regulations, and some are to enhance the protection of classified material that contractors access or possess.
The key changes include:
- Section 117.8(a); Reporting Requirements: Requires cleared contractors to submit reports pursuant to Security Executive Agent Directive (SEAD) 3 and DCSA guidance.
- Section 117.15(e)(2); TOP SECRET Information Accountability: Provides guidance on processes for the accountability and management of TS material on accredited classified information systems based on DCSA approval of the contractor’s plan.
- Section 117.15(d)(4); Intrusion Detection System (IDS) Installation: Allows the granting of Underwriters Laboratories UL-2050, “National Industrial Security Systems,” certification for intrusion detection systems (IDS) by a nationally recognized test laboratory, recognized by the Occupational Safety and Health Administration, which is in addition to the CSA-approved IDS, and those in accordance with Intelligence Community Directive 705, “Sensitive Compartmented Information Facilities.”
- Section 117.7(b)(2); Senior Management Official (SMO): Addresses additional responsibilities for the senior management official (SMO) regarding their role in the contractor’s NISPOM compliance.
- Section 117.15; Safeguarding: Directs cleared contractors to refer to 32 CFR Part 2001, for direction on requirements for the protection of classified national security information (CNSI) to ensure consistency with national policy. This change is in addition to CSA approval and compliance with intelligence community specification (ICS) 705.
- Section 117.13(d)(5); Classified Information Retention: Clarifies for the contractor that upon completion of a classified contract, the ‘‘contractor must return all government provided or deliverable information to the custody of the government.”
The key changes to government procedures that contractors should be aware of include:
- Section 117.9(m); Limited entity eligibility determination (Non-FOCI) and limited entity eligibility: Informs cleared industry about a new limited facility clearance which provides additional facility clearance eligibility tools for DCSA and the Government Contracting Activities specific to the requesting GCA’s classified information, and to a single, narrowly defined contract, agreement, or circumstance.
- Section 117.11(d)(2)(iii)(A); National Interest Determination (NID): Informs cleared industry that NIDs may not be required for certain covered contractors operating under a Special Security Agreement and having ownership by a country designated as part of the National Technology Industrial Base (UK, Canada or Australia).
What should you do to get ready?
- Step 1: Download the 32 CFR Part 117 Cross Reference Tool from https://www.cdse.edu/catalog/industrial-security.html, and use it to discover how the sections familiar to you in DOD 5220.22-M (NISPOM) have mapped to the new rule, 32 CFR Part 117.
- Step 2: Familiarize yourself with the new rule’s language, paying close attention to the sections covering the key changes previously pointed out.
- Step 3: Look forward to additional clarification and guidance provided in upcoming Industrial Security Letters (ISLs) addressing topics such as "32 CFR Part 117 Implementation," "SEAD 3 Reporting Requirements Implementation," "TS Accountability," and others.
- Step 4: Take deliberate action to prepare during the 6 month implementation period by updating and enhancing your practices and procedures as necessary, and by ensuring that those in your organization affected by the NISPOM are aware of what will be expected of them under 32 CFR Part 117.
Are you ready for the NISPOM Rule?
Click on graphic to launch video