HomeMission CentersCritical Technology Protection32 CFR Part 117 NISPOM Rule

The NISPOM Rule


 

32 Code of Federal Regulation Part 117, NISPOM

 

On February 24, 2021, 32 CFR Part 117, “National Industrial Security Program Operating Manual (NISPOM)” became effective as a federal rule. Referred to as the “NISPOM rule,” it provides the contractor no more than six months from this effective date to comply with the requirements stipulated therein. The NISPOM rule replaces the NISPOM previously issued as a DOD policy (DOD 5220.22-M), which will be cancelled shortly after the allotted six-month implementation period ends. Until then, DOD 5220.22-M will remain in effect.

The rule implements policy, assigns responsibilities, establishes requirements, and provides procedures consistent with Executive Order 12829, “National Industrial Security Program;” Executive Order 10865, “Safeguarding Classified Information within Industry;” and 32 Code of Regulation Part 2004,“National Industrial Security Program.” That guidance outlines the protection of classified information that is disclosed to, or developed by, contractors of the U.S. Government.

To assist cleared industry in better understanding what is required for compliance, DCSA worked with the Center for Development of Security Excellence (CDSE) to develop a cross reference tool. The tool provides users the ability to select a link in the familiar NISPOM table of contents and takes them to the corresponding section of the NISPOM rule. It serves as a deskside aid enabling the transition from the DOD manual format to a federal rule format. The tool is found at https://www.cdse.edu/documents/toolkits-Fsos/32CFR_Part117_NISPOM_Rule_Cross_Reference_Tool.xlsx.

 

Changes in the Rule
Some of the changes in the Rule are intended to better align with national policy for the protection of Classified National Security Information, some are to address changes in law or regulations, and some are to enhance the protection of classified material that contractors access or possess.

The key changes include:

•Section 117.8(a); Reporting Requirements: Requires cleared contractors to submit reports pursuant to Security Executive Agent Directive (SEAD) 3 and DCSA guidance.
Section 117.15(e)(2); TOP SECRET Information Accountability: Provides guidance on processes for the accountability and management of TS material on accredited classified information systems based on DCSA approval of the contractor’s plan.
Section 117.15(d)(4); Intrusion Detection System (IDS) Installation: Allows the granting of Underwriters Laboratories UL-2050, “National Industrial Security Systems,” certification for intrusion detection systems (IDS) by a nationally recognized test laboratory, recognized by the Occupational Safety and Health Administration, which is in addition to the CSA-approved IDS, and those in accordance with Intelligence Community Directive 705, “Sensitive Compartmented Information Facilities.”
Section 117.7(b)(2); Senior Management Official (SMO): Addresses additional responsibilities for the senior management official (SMO) regarding their role in the contractor’s NISPOM compliance.
Section 117.15; Safeguarding: Directs cleared contractors to refer to 32 CFR Part 2001, for direction on requirements for the protection of classified national security information (CNSI) to ensure consistency with national policy. This change is in addition to CSA approval and compliance with intelligence community specification (ICS) 705.
Section 117.13(d)(5); Classified Information Retention: Clarifies for the contractor that upon completion of a classified contract, the ‘‘contractor must return all government provided or deliverable information to the custody of the government.”
 

Changes for Contractors

Section 117.9(m); Limited entity eligibility determination (Non-FOCI) and limited entity eligibility: Informs cleared industry about a new limited facility clearance which provides additional facility clearance eligibility tools for DCSA and the Government Contracting Activities specific to the requesting GCA’s classified information, and to a single, narrowly defined contract, agreement, or circumstance.
Section 117.11(d)(2)(iii)(A); National Interest Determination (NID): Informs cleared industry that NIDs may not be required for certain covered contractors operating under a Special Security Agreement and having ownership by a country designated as part of the National Technology Industrial Base (UK, Canada or Australia).
 
•Step 1: Download the 32 CFR Part 117 Cross Reference Tool from https://www.cdse.edu/catalog/industrial-security.html, and use it to discover how the sections familiar to you in DOD 5220.22-M (NISPOM) have mapped to the new rule, 32 CFR Part 117.
 
•Step 2: Familiarize yourself with the new rule’s language, paying close attention to the sections covering the key changes previously pointed out.
 
Step 3: Look forward to additional clarification and guidance provided in upcoming Industrial Security Letters (ISLs) addressing topics such as "32 CFR Part 117 Implementation," "SEAD 3 Reporting Requirements Implementation," "TS Accountability," and others.
 
Step 4: Take deliberate action to prepare during the 6 month implementation period by updating and enhancing your practices and procedures as necessary, and by ensuring that those in your organization affected by the NISPOM are aware of what will be expected of them under 32 CFR Part 117.

 

Video Series #2, "SEAD 3 Reporting Requirements"

 

"SEAD 3 Reporting Requirements." In this video, DCSA's Jason Theriault and Candace Williams provide an overview of SEAD 3 reporting responsibilities under the National Industrial Security Program, and walk you through the facility security officer's use of the pending Industrial Security Letter to identify what needs to be reported and how to go about submitting these reports.

 

Video Series, NISPOM Rule

"Get Ready for the Rule." In this video, DCSA's Keith Minard offers a closer look at the NISPOM Rule changes and discusses how industry can prepare for a smooth transition.

 

 

Upcoming Events

•NCMS June Annual Seminar, "NISPOM Rule, Getting Ready for the Rule”
 

Upcoming Webinars

“Senior Management Official Responsibilities in the National Industrial Security Program”

OVERVIEW:  Please join the DCSA Critical Technology Protection Directorate staff on Adobe Connect in a discussion on the responsibilities of the Senior Management Official (SMO) as outlined in 32 CFR Part 117 (NISPOM Rule).  The webinar will focus on SMO roles and responsibilities, provide a brief overview of the NISPOM Rule, and the importance of the SMO during annual self-inspections.  The webinar is recommended for attendance by Senior Management Officials, Key Management Personnel, Facility Security Officers, and key security staff.  The webinar will include a question and answer session at the end.

Date:  Tuesday, August 10, 2021

Time: 1 p.m. Eastern Time

Length: 30 minutes

Link will be available on the DCSA website prior to webinar.

 

1. ARE PREVIOUS INDUSTRIAL SECURITY LETTERS (ISLS) INCORPORATED INTO THE NISPOM RULE (32 CFR PART 117) OR DO WE NEED TO USE THEM IN ADDITION TO THE NEW RULE?

Many of the ISLs providing CSA-guidance were incorporated into the NISPOM Rule. DCSA is working with Industrial Security Policy staff at the Office of the Under Secretary of Defense for Intelligence and Security (OUSD (I&S)) concerning new ISLs, revising and re-issuing current required guidance, and determining which ISLs need to be rescinded. DCSA will coordinate through the NISPPAC concerning new ISLs, as well as those revised and re-issued.

2. WILL YOU UPDATE THE NATIONAL INDUSTRIAL SECURITY SYSTEM (NISS) TO REFLECT NEW CITATION(S) FORMATTING WHEN ENTERING VULNERABILITIES?

Yes, efforts are underway to update NISS by August 2021.

3. WILL DOD UPDATE FORMS REFERENCING THE CURRENT NISPOM MANUAL (DOD 5220.22-M) WITHIN THE SIX MONTH IMPLEMENTATION PERIOD ALLOTTED TO CLEARED INDUSTRY?

Yes, efforts are under way to update NISP related forms to reflect the NISPOM Rule.

4. WILL THERE BE AN UPDATED SELF INSPECTION HANDBOOK REFLECTING THE NEW NISPOM RULE?

Yes, a new Self Inspection handbook will align with the changes found in 32 CFR Part 117. We intended to release it in August 2021.

5. FOR TOP SECRET (TS) MATERIALS STORED IN A GSA-APPROVED SECURITY CONTAINER, IS THE INSPECTION BY A CLEARED EMPLOYEE EVERY TWO HOURS THROUGHOUT THE 24-HOUR DAY OR JUST DURING STAFF WORKING HOURS?

The use of cleared employees to inspect TS stored in a GSA-approved security container is required when container location is not occupied by cleared employees.

6. HOW DOES THE NIPSOM RULE’S (32 CFR PART 117) “OPEN STORAGE AREA” REQUIREMENTS AFFECT EXISTING “CLOSED AREA” APPROVALS?

In the new NISPOM Rule, the term “closed area” and its associated construction requirements is replaced by “open storage area” and its requirements found in 32 CFR Part 2001, “Classified National Security Information.” However, if your organization has an existing DCSA approval for a “closed area” under the requirements of the NISPOM Manual (DOD 5220.22-M), that closed area can remain in effect. If major changes occur, the “open storage area” requirements found in 32 CFR part 117 are required.

7. WILL THE SENIOR MANAGEMENT OFFICIAL (SMO) NEED TO RE-APPOINT FACILITY SECURITY OFFICERS (FSOS), INSIDER THREAT PROGRAM SENIOR OFFICIALS (INTPSOS), OR INFORMATION SECURITY SYSTEM MANAGERS (ISSMS) ALREADY SERVING IN THESE ROLES?

No, the SMO will only need to appoint in writing those cleared employees who assume those duties after the implementation date.

8. IS TRAINING REQUIRED FOR SENIOR MANAGEMENT OFFICIALS (SMOS) NOW THAT THEY HAVE PRESCRIBED RESPONSIBILITIES?

There is no dedicated training for SMOs. As a cleared employee performing security duties, he/she is required to complete commensurate training. In this respect, DCSA is planning a SMO specific webinar during July 2021. We’re also developing an information tool about responsibilities.

9. WILL DCSA PROVIDE ADDITIONAL INFORMATION ABOUT SEAD 3 REPORTING REQUIREMENTS?

DCSA will schedule webinars beginning in June 2021, to discuss SEAD 3 reporting requirements for cleared contractors under DOD cognizance. Additionally, an Industrial Security Letter (ISL) providing DOD specific guidance is under development.

 

Halfway to NISPOM Rule Implementation

5/25/21 – May 24 marks the halfway point in the National Industrial Security Program Operating Manual (NISPOM) Rule implementation period, ending August 24, 2021. DCSA is here to help you “get ready for the rule.” In addition to changing from a DOD operating manual (5220.22-M) to a federal rule (32CFR Part 117), the NISPOM Rule includes a number of contractor requirements. DCSA has created and published resources to assist cleared industry in better understanding what is required for compliance. More than 5,000 users have visited the NISPOM Rule webpage, close to 2,000 people have watched the “Ready for the Rule” video, and more than 3,000 users have used the NISPOM Cross Reference Tool as a desk-side aid offering the ability to select a link in the familiar NISPOM table of contents and find the corresponding section of the NISPOM Rule.

DCSA is also soliciting questions about the NISPOM Rule and has posted Frequently Asked Questions (FAQs) to the NISPOM Rule webpage. NISPOM Rule FAQs address the top questions asked during engagements with cleared industry. An Industrial Security Letters (ISLs) about implementation of the NISPOM Rule and Security Executive Agent Directive (SEAD) 3 reporting requirements are under review with the National Industrial Security Program Policy Advisory Committee (NISPPAC) and will published soon. Additional ISLs are being prepared for coordination with the NISPPAC as we approach the implementation finish line. 

Check the NISPOM Rule webpage for updates, additional resources, and upcoming webinars, and continue to work with your industrial security representative as you prepare and implement NISPOM Rule changes.