The NISPOM Rule


DCSA Releases ISL 2021-02, “SEAD 3," Clarification and Guidance on Reportable Activities for cleared contractors under DoD cognizance.  The ISL provides clarity on reporting requirements for all covered individuals who have access to classified information.  The ISL additionally advises that cleared contractors under DoD cognizance must implement the change in 32 Code of Federal Regulation Part 117, “National Industrial Security Program Operating Manual,” Rule effective August 24, 2021.

DoD has amended 32 CFR Part 117, the NISPOM Rule to extend the compliance date solely for reporting and pre-approval of unofficial foreign travel as prescribed in SEAD 3, until no later than 18 months from the effective date of the rule for those contractors under DoD security cognizance.  The reporting of the foreign travel component of SEAD 3 will begin August 24, 2022. 

Cleared industry under DoD cognizance should consult with their government customers for any additional foreign travel reporting requirements for those personnel who have SCI or SAP access and/or additional contractual reporting requirements.

DSCA will incorporate the assessment of compliance with the SEAD 3 reporting requirements with the exception of foreign travel as noted above, that begin on August 24, 2021, into scheduled assessments no earlier than March 1, 2022.

Resources for SEAD 3 implementation can be found on this webpage under the Resource and FAQ tabs below, and include Industry SEAD 3 Reporting Webinar Recording, SEAD 3 Frequently Asked Questions, and a SEAD 3 Reporting Desk Top Aid.  Click here to view the ISL.

Additional industrial security letter guidance for 32 CFR Part 117, NISPOM Rule (insider threat, SF-328, DISS, and consolidated article) that have been coordinated through the National Industrial Security Program Policy Advisory Committee (NISPPAC) continue to be processed and coordinated for issuance.  Cleared industry will be informed when they are approved and posted.

 

32 Code of Federal Regulation Part 117, NISPOM

On February 24, 2021, 32 CFR Part 117, “National Industrial Security Program Operating Manual (NISPOM)” became effective as a federal rule. Referred to as the “NISPOM rule,” it provides the contractor no more than six months from this effective date to comply with the requirements stipulated therein. The NISPOM rule replaces the NISPOM previously issued as a DOD policy (DOD 5220.22-M), which will be cancelled shortly after the allotted six-month implementation period ends. Until then, DOD 5220.22-M will remain in effect.

The rule implements policy, assigns responsibilities, establishes requirements, and provides procedures consistent with Executive Order 12829, “National Industrial Security Program;” Executive Order 10865, “Safeguarding Classified Information within Industry;” and 32 Code of Regulation Part 2004,“National Industrial Security Program.” That guidance outlines the protection of classified information that is disclosed to, or developed by, contractors of the U.S. Government.

To assist cleared industry in better understanding what is required for compliance, DCSA worked with the Center for Development of Security Excellence (CDSE) to develop a cross reference tool. The tool provides users the ability to select a link in the familiar NISPOM table of contents and takes them to the corresponding section of the NISPOM rule. It serves as a deskside aid enabling the transition from the DOD manual format to a federal rule format. The tool is found at https://www.cdse.edu/documents/toolkits-fsos/32CFR_Part117_NISPOM_Rule_Cross_Reference_Tool.xlsx

 

Changes in the Rule
Some of the changes in the Rule are intended to better align with national policy for the protection of Classified National Security Information, some are to address changes in law or regulations, and some are to enhance the protection of classified material that contractors access or possess.

The key changes include:

•Section 117.8(a); Reporting Requirements: Requires cleared contractors to submit reports pursuant to Security Executive Agent Directive (SEAD) 3 and DCSA guidance.
Section 117.15(e)(2); TOP SECRET Information Accountability: Provides guidance on processes for the accountability and management of TS material on accredited classified information systems based on DCSA approval of the contractor’s plan.
Section 117.15(d)(4); Intrusion Detection System (IDS) Installation: Allows the granting of Underwriters Laboratories UL-2050, “National Industrial Security Systems,” certification for intrusion detection systems (IDS) by a nationally recognized test laboratory, recognized by the Occupational Safety and Health Administration, which is in addition to the CSA-approved IDS, and those in accordance with Intelligence Community Directive 705, “Sensitive Compartmented Information Facilities.”
Section 117.7(b)(2); Senior Management Official (SMO): Addresses additional responsibilities for the senior management official (SMO) regarding their role in the contractor’s NISPOM compliance.
Section 117.15; Safeguarding: Directs cleared contractors to refer to 32 CFR Part 2001, for direction on requirements for the protection of classified national security information (CNSI) to ensure consistency with national policy. This change is in addition to CSA approval and compliance with intelligence community specification (ICS) 705.
Section 117.13(d)(5); Classified Information Retention: Clarifies for the contractor that upon completion of a classified contract, the ‘‘contractor must return all government provided or deliverable information to the custody of the government.”
 

Changes for Contractors

Section 117.9(m); Limited entity eligibility determination (Non-FOCI) and limited entity eligibility: Informs cleared industry about a new limited facility clearance which provides additional facility clearance eligibility tools for DCSA and the Government Contracting Activities specific to the requesting GCA’s classified information, and to a single, narrowly defined contract, agreement, or circumstance.
Section 117.11(d)(2)(iii)(A); National Interest Determination (NID): Informs cleared industry that NIDs may not be required for certain covered contractors operating under a Special Security Agreement and having ownership by a country designated as part of the National Technology Industrial Base (UK, Canada or Australia).
 
•Step 1: Download the 32 CFR Part 117 Cross Reference Tool from https://www.cdse.edu/catalog/industrial-security.html, and use it to discover how the sections familiar to you in DOD 5220.22-M (NISPOM) have mapped to the new rule, 32 CFR Part 117.
 
•Step 2: Familiarize yourself with the new rule’s language, paying close attention to the sections covering the key changes previously pointed out.
 
Step 3: Look forward to additional clarification and guidance provided in upcoming Industrial Security Letters (ISLs) addressing topics such as "32 CFR Part 117 Implementation," "SEAD 3 Reporting Requirements Implementation," "TS Accountability," and others.
 
Step 4: Take deliberate action to prepare during the 6 month implementation period by updating and enhancing your practices and procedures as necessary, and by ensuring that those in your organization affected by the NISPOM are aware of what will be expected of them under 32 CFR Part 117.

SEAD 3 REPORTING DESKTOP AID FOR CLEARED INDUSTRY

 

Video Series #4, UL-2050, Intrusion Detection System approvals

 

In this video, learn more about the changes in the NISPOM Rule related to UL-2050, Intrusion Detection System approvals, what are Nationally Recognized Testing Laboratories or NRTLs, and what does this mean for cleared contractors in the NISP. The audio/slide recording provides an overview of the changes.

 

Video Series #3, Senior Management Official Responsibilities in the National Industrial Security Program

"SMO Responsibilities in the NISP": In this video, the Critical Technology Protection staff discuss the responsibilities of the Senior Management Official (SMO) as outlined in 32 CFR Part 117 (NISPOM Rule).

 

Video Series #2, "SEAD 3 Reporting Requirements"

 

"SEAD 3 Reporting Requirements." In this video, DCSA's Jason Theriault and Candace Williams provide an overview of SEAD 3 reporting responsibilities under the National Industrial Security Program, and walk you through the facility security officer's use of the pending Industrial Security Letter to identify what needs to be reported and how to go about submitting these reports.

 

Video Series, NISPOM Rule

"Get Ready for the Rule." In this video, DCSA's Keith Minard offers a closer look at the NISPOM Rule changes and discusses how industry can prepare for a smooth transition.

 

 

Upcoming Events

 

Register now, for the Security Executive Agent Directive 3, “Reporting Requirements for Personnel Who Access Classified Information or Those Who Hold a Sensitive Position,” Question and Answer Webinar.  DCSA Critical Technology Directorate will host a joint DCSA CTP and cleared industry panel to address industry questions associated with the implementation of SEAD 3 as outlined in Part 117 of Title 32 CFR, “the NISPOM Rule,” and the SEAD 3 Industrial Security Letter.  Cleared industry under DOD cognizance should email their questions to dcsa.quantico.dcsa-hq.mbx.policyhq@mail.mil.  Questions must be submitted by October 4, 2021, to allow time for coordination.  The webinar, as well as the questions and answers, will be recorded and posted to the DCSA NISPOM Rule webpage after the event.

Event:  Security Executive Agent Directive 3, “Reporting Requirements for Personnel Who Access Classified Information or Those Who Hold a Sensitive Position,” Question and Answer Webinar

Date:  October, 12, 2021

Time:  1-2 p.m. EDT

Registration Link: https://dcsa.acms.com/sead3webinar/event/registration.html

 

SEAD 3

1. WHO IS A COVERED INDIVIDUAL FOR THE PURPOSES OF SEAD 3 AND THE NISP?

For the purposes of the SEAD 3 implementation under 32 CFR part 117 covered individuals only include those contractors with eligibility for and access to classified information. Additional information on SEAD 3 is outlined in the Industrial Security Letter and in the SEAD 3 webinar.

2. FOR COVERED INDIVIDUALS THAT ARE NOT CLEARED, SHOULD REPORTS STILL BE SUBMITTED IN DISS, AND HOW?

SEAD 3 implementation under 32 CFR part 117 only applies to those eligible for access and personnel with access to classified information. Questions regarding reporting requirements for Uncleared contractors or sensitive positions should be addressed to the government customer.

3. IS THE REPORTING CRITERIA DETERMINED BY THE ACCESS LEVEL OR THE ELIGIBILITY LEVEL?

Reporting criteria is based on the eligibility level of the cleared employee, for example if the employee has TOP SECRET eligibility and SECRET access, the reporting should include the reportable activities for all cleared employees as well as those specific to those with TS and Q eligibility.

4. CAN YOU ADDRESS REPORTING DUAL CITIZENS AS FOREIGN CONTACTS?

Cleared U.S. Citizens who additionally are citizens of another country are considered primarily U.S. Citizens and reporting is not required. 32 CFR part 117 only applies to cleared persons, or those who are have eligibility for access to classified information. Uncleared personnel should seek guidance on reporting from their Government Customer.

5. WITH THE IMPLEMENTATION OF THE SEAD3 HOW WILL THIS AFFECT THE INSIDER THREAT PROGRAM (ITP)? ARE THEY REPORTED BOTH THROUGH DISS AND ITP?

Reporting for both SEAD 3 and Insider Threat requirements for Industry are both to be submitted through DISS.

6. DO SEAD 3 REPORTING REQUIREMENTS EXTEND TO SPOUSE AS WELL, SIMILAR TO QUESTIONS PHRASED ON THE SF86 THAT EXTEND TO "YOU OR YOUR SPOUSE"?

The reporting requirements of SEAD 3 for the purposes of the NISP apply only to cleared contractor personnel with eligibility and access to classified information.

7. ARE YOU ABLE TO PROVIDE MORE DETAIL ON THE "MEDIA CONTACT" REPORTING REQUIREMENT?

SEAD 3 requires reporting of media contacts, other than for official purposes, where the media seeks access to classified information or other information specifically prohibited by law from disclosure, whether or not the contact results in an unauthorized disclosure. For the purposes of SEAD 3 the media is defined as any person, organization, or entity, other than Federal, state, local, tribal, and Territorial governments:

  • Primarily engaged in the collection, production, or dissemination to the public of information in any form, which includes print, broadcast, film, and Internet; or
  • Otherwise engaged in the collection, production, or dissemination to the public of information in any form related to topics of national security, which includes print, broadcast, film, and Internet.

8. IF A COVERED EMPLOYEE HAS FOREIGN FAMILIES AND FRIENDS, ARE ALL THIS REPORTED INDIVIDUALLY?

For the purposes of SEAD 3 an unofficial foreign contact is contact with a known or suspected intelligence entity or continuing association with known foreign nationals that involve bonds of affection, personnel obligation, or intimate contact; or any contact with a foreign national that involves the exchange of personnel information. The SEAD 3 Industrial Security Letter provides additional reporting guidance for contractors under DoD cognizance. Additional information on foreign contacts can be found in SEAD 3.

9. IF AN INDIVIDUAL IS NEW TO OUR ORGANIZATION, HOW WILL WE KNOW WHAT INFORMATION WAS ALREADY REPORTED IN DISS OR ON A SF86?

If you become aware of any reportable activities, contact the VROC who can advise if the activity has already been reported.

10. DO WE WAIT UNTIL A FINAL DISPOSITION REGARDING ARRESTS?

The reporting requirement in SEAD 3 is criminal conduct. Further the SEAD 3 in Appendix A addresses data required for “Arrests,” as well as any disposition. Contractors should report criminal conduct (Arrests) as well as update DISS with any disposition as it occurs.

11. SO, DOES THIS MEAN ALL CLEARED CONTRACTORS MUST HAVE A SPP?

Cleared contractors under DoD cognizance will be required to have an Standard Practices and Procedures document prepared or updated by the contractor that outlines the implementation of SEAD 3 reporting requirements. An SPP can be directed by DCSA to address written procedures for implementation of requirements of the NISPOM.

12. IF AN EMPLOYEE HAS TS ELIGIBILITY BUT IS CURRENTLY ONLY IN SECRET ACCESS - WOULD THEY REPORT BASED ON THEIR ELIGIBILITY OR THEIR CURRENT ACCESS?

The employee will report based on their TS eligibility.

13. DOES INDIVIDUALS WITH SECRET OR TS ELIGIBILITY BUT ONLY HAVE ACCESS TO SENSITIVE (NOT CLASSIFIED INFORMATION) INFORMATION HAVE TO COMPLY WITH SEAD 3 REPORTING REQUIREMENTS?

NISP SEAD 3 requirements do not apply to contractor employees whose investigations are for purposes other than access to classified information in the performance of a classified contract. For contractor employees with eligibility for purposes of other requirements outside the NISP that do not include access to classified information contact your government customer for reporting requirements.

14. IF WE AS THE FSO NEED TO MAKE A REPORT ON OURSELVES DO WE SEND THAT DIRECTLY TO OUR DCSA REP?

All cleared contractors are required to have a primary and alternate account holder for DISS. The FSO should have the alternative account holder for DISS submit the report.

 

NISPOM Rule Implementation

1. ARE PREVIOUS INDUSTRIAL SECURITY LETTERS (ISLS) INCORPORATED INTO THE NISPOM RULE (32 CFR PART 117) OR DO WE NEED TO USE THEM IN ADDITION TO THE NEW RULE?

Many of the ISLs providing CSA-guidance were incorporated into the NISPOM Rule. DCSA is working with Industrial Security Policy staff at the Office of the Under Secretary of Defense for Intelligence and Security (OUSD (I&S)) concerning new ISLs, revising and re-issuing current required guidance, and determining which ISLs need to be rescinded. DCSA will coordinate through the NISPPAC concerning new ISLs, as well as those revised and re-issued.

2. WILL YOU UPDATE THE NATIONAL INDUSTRIAL SECURITY SYSTEM (NISS) TO REFLECT NEW CITATION(S) FORMATTING WHEN ENTERING VULNERABILITIES?

Yes, efforts are underway to update NISS by August 2021.

3. WILL DOD UPDATE FORMS REFERENCING THE CURRENT NISPOM MANUAL (DOD 5220.22-M) WITHIN THE SIX MONTH IMPLEMENTATION PERIOD ALLOTTED TO CLEARED INDUSTRY?

Yes, efforts are under way to update NISP related forms to reflect the NISPOM Rule.

4. WILL THERE BE AN UPDATED SELF INSPECTION HANDBOOK REFLECTING THE NEW NISPOM RULE?

Yes, a new Self Inspection handbook will align with the changes found in 32 CFR Part 117. We intended to release it in August 2021.

5. FOR TOP SECRET (TS) MATERIALS STORED IN A GSA-APPROVED SECURITY CONTAINER, IS THE INSPECTION BY A CLEARED EMPLOYEE EVERY TWO HOURS THROUGHOUT THE 24-HOUR DAY OR JUST DURING STAFF WORKING HOURS?

The use of cleared employees to inspect TS stored in a GSA-approved security container is required when container location is not occupied by cleared employees.

6. HOW DOES THE NIPSOM RULE’S (32 CFR PART 117) “OPEN STORAGE AREA” REQUIREMENTS AFFECT EXISTING “CLOSED AREA” APPROVALS?

In the new NISPOM Rule, the term “closed area” and its associated construction requirements is replaced by “open storage area” and its requirements found in 32 CFR Part 2001, “Classified National Security Information.” However, if your organization has an existing DCSA approval for a “closed area” under the requirements of the NISPOM Manual (DOD 5220.22-M), that closed area can remain in effect. If major changes occur, the “open storage area” requirements found in 32 CFR part 117 are required.

7. WILL THE SENIOR MANAGEMENT OFFICIAL (SMO) NEED TO RE-APPOINT FACILITY SECURITY OFFICERS (FSOS), INSIDER THREAT PROGRAM SENIOR OFFICIALS (INTPSOS), OR INFORMATION SECURITY SYSTEM MANAGERS (ISSMS) ALREADY SERVING IN THESE ROLES?

No, the SMO will only need to appoint in writing those cleared employees who assume those duties after the implementation date.

8. IS TRAINING REQUIRED FOR SENIOR MANAGEMENT OFFICIALS (SMOS) NOW THAT THEY HAVE PRESCRIBED RESPONSIBILITIES?

There is no dedicated training for SMOs. As a cleared employee performing security duties, he/she is required to complete commensurate training. In this respect, DCSA is planning a SMO specific webinar during July 2021. We’re also developing an information tool about responsibilities.

9. WILL DCSA PROVIDE ADDITIONAL INFORMATION ABOUT SEAD 3 REPORTING REQUIREMENTS?

DCSA will schedule webinars beginning in June 2021, to discuss SEAD 3 reporting requirements for cleared contractors under DOD cognizance. Additionally, an Industrial Security Letter (ISL) providing DOD specific guidance is under development.

 

Senior Management Official (SMO)

1. WHAT HAS CHANGED FOR SMOS FROM THE OLD NISPOM TO THE NEW RULE?

The role of the SMO has not changed from the old NISPOM to the new NISPOM Rule. The NISPOM Rule now provides more detailed information on the responsibilities of the SMO. It more clearly defines the SMO’s responsibilities with respect to ensuring the protection of classified information by their facility. It also makes very clear that the accountability for a SMO’s responsibilities cannot be delegated to anyone else.

2. THE NISPOM RULE REQUIRES THAT THE SMO DESIGNATES THE FACILITY SECURITY OFFICER (FSO) AND INSIDER THREAT PROGRAM SENIOR OFFICIAL (ITPSO) IN WRITING. IS THERE A REQUIREMENT TO RE-DESIGNATE PERSONNEL WHO ARE CURRENTLY IN THESE POSITIONS?

No, cleared contractors under DOD cognizance only need to designate in writing those who are appointed after the August 24, 2021 implementation date.

3. IS THE SMO REQUIRED TO BE ONSITE WHERE THE CLASSIFIED WORK IS BEING PERFORMED?

No, the SMO is not required to be on site where classified work is being performed. The SMO must have cognizance of the classified work being performed and be able to execute their responsibilities outlined in the NISPOM Rule.

4. ARE ALL KMP REQUIRED TO BE BRIEFED ON THE RESULTS OF THE SELF-INSPECTION?

Yes, the NISPOM Rule requires the SMO to certify that other KMP have been briefed on the results. DCSA deems the phrase “other KMP” to mean “all KMP,” which includes excluded KMP; i.e. those KMP who do not possess a personnel security clearance (PCL) due to an exclusion resolution. The designation of any individual or position as a KMP indicates that the person or position can influence the facility’s protection of classified information or performance on classified contracts, and therefore should be made aware of the results and recommendations of the facility self-inspection.

5. CAN ANYONE OTHER THAN THE SMO CERTIFY THE ANNUAL SELF-INSPECTION?

No, the NISPOM Rule requires the SMO to certify the Annual Self-Inspection. The certification is a demonstration of the SMO’s accountability for those responsibilities stated in the NISPOM Rule.

6. IF OTHER COMPANY MANAGERS, SECURITY STAFF, OR THOSE HOLDING NISP-RELATED POSITIONS IN RESPONSE TO A COMPANY UNDER FOREIGN OWNERSHIP, CONTROL OR INFLUENCE (FOCI) ARE MORE INVOLVED IN THE DAY-TO-DAY SECURITY OF THE FACILITY, WOULD THEY NOT BE BETTER SUITED TO BE THE SMO?

The NISPOM Rule identifies specific criteria that a person must satisfy to be designated as the SMO for a facility. Underlying this criteria is the need to possess the appropriate level of authority. The SMO is an employee who, based on the cleared entity’s governance documents, occupies a position in the entity with ultimate authority over the facility’s operations and the authority to direct actions necessary for the safeguarding of classified information in the facility. While others, such as key management personnel (KMP), security staff, or those holding NISP-related positions in response to a company determined to be under FOCI, have key roles in the day-to-day security, operations or FOCI mitigation measures, these personnel often do not have overall authority over the facility to the degree required in the NISPOM rule.

7. WHAT ARE THE EXPECTATIONS DURING DCSA ASSESSMENTS FOR THE SMO TO BE AVAILABLE IF NOT ON SITE?

The SMO in most cases does not need to be on site during a DCSA assessment. DCSA industrial security representatives (ISRs) will determine if further engagement with the SMO is necessary based on interviews with other KMPs, security staff, and cleared employees during the assessment. It is always a good practice for the SMO, if available, to attend the introduction or exit brief whether in-person or virtually. The DCSA ISR normally communicates through the FSO for routine engagements with the cleared entity.

8. WHAT ABOUT A SMO WHOSE FACILITY’S CLEARED EMPLOYEES PERFORM AT OTHER CLEARED FACILITIES?

In cases where the entity’s cleared employees perform at other contractor or government locations, the SMO is responsible for NISPOM Rule requirements that apply to their cleared employees granted access to classified information. The other contractor or government location security staff has overall responsibility to ensure compliance with the NISPOM Rule requirements at their location.

9. DOES THE SMO NEED TO KNOW WHAT TYPES OF CLASSIFIED ACTIVITIES, IF ANY, ARE BEING SUPPORTED BY CLEARED EMPLOYEES PERFORMING AT OTHER CLEARED CONTRACTOR OR GOVERNMENT FACILITIES?

Yes, the NISPOM Rule, 32 CFR, Part 117 defines the SMO as someone with the authority to direct actions necessary for the safeguarding of classified information in the facility, even when the access to classified information by the facility’s employees is solely at other contractor facilities or U.S. government locations. The rule also states that the SMO is responsible for remaining fully informed of the facility’s classified operations. Additionally, the SMO is responsible for certifying a facility’s self-inspection, in which a review of the facility’s classified activities must take place even if that facility does not possess classified material but instead accesses classified at other locations, such as other contractor facilities or government locations.

10. WILL DCSA AUDIT THE CORPORATE RESOLUTIONS TO ENSURE THAT THE SMO IS PROPERLY DESIGNATED?

Yes. DCSA may review the cleared facility’s governance documents, board meeting minutes, and other documents to validate that the entity’s designated SMO possesses sufficient authority to meet the criteria stated in the NISPOM Rule.

11. HOW DOES THE SMO MAKE DECISIONS ON CLASSIFIED THREAT REPORTING IF YOU ARE A NON-POSSESSING FACILITY?

If classified threat information is required to be shared with the cleared entity, DCSA will coordinate with the FSO.

12. WHAT IS THE DIFFERENCE BETWEEN AN SMO AND A KMP?

The SMO is a KMP but not all KMPs are the SMO.

  • KMP means the entity’s SMO, FSO, ITPSO, and all other entity officials who either hold majority interest or stock in, or have direct or indirect authority to influence or decide issues affecting the management or operations of, the entity or classified contract performance.
  • The NISPOM Rule defines the SMO as an entity employee occupying a position in the entity with ultimate authority over the facility’s operations and the authority to direct actions necessary for the safeguarding of classified information in the facility.
  • See NISPOM Rule Definitions for more information on SMO and KMP.

13. ARE SMOS REQUIRED TO POSSESS AN ACTIVE CLEARANCE?

Yes, the SMO must be cleared to the level of the cleared entity’s facility clearance. As an example, if the cleared entity has a SECRET facility clearance (FCL), then SMO must be cleared to the level of the FCL.(i.e. SECRET)

14. IS THERE A REQUIREMENT FOR THE SMO TO COMPLETE TRAINING?

The SMO is only required to attend the same security related training as other cleared employees. It is advisable for the SMO to review the SMO Responsibilities webinar found under the Resource tab of the NISPOM Rule webpage.

15. IN THE CASE OF A VERY SMALL FACILITY, CAN THE SMO ALSO BE THE FSO AND OR ITPSO?

TYes, the SMO may hold other positions in the cleared entity that are required for an FCL. However, this is not always the case in reverse. In order for an FSO or ITPSO to be designated the facility’s SMO, that person must meet the criteria stipulated by the NISPOM Rule for the SMO role. (See Q&A #15 for more information)

16. DOES THE SMO NEED TO BE DESIGNATED IN WRITING?

The SMO is designated in writing by being listed on the KMP list uploaded into National Industrial Security System (NISS) by the entity. The assigned DCSA ISR validates the individual being designated as the SMO by reviewing the cleared entity’s governance

 

Halfway to NISPOM Rule Implementation

5/25/21 – May 24 marks the halfway point in the National Industrial Security Program Operating Manual (NISPOM) Rule implementation period, ending August 24, 2021. DCSA is here to help you “get ready for the rule.” In addition to changing from a DOD operating manual (5220.22-M) to a federal rule (32CFR Part 117), the NISPOM Rule includes a number of contractor requirements. DCSA has created and published resources to assist cleared industry in better understanding what is required for compliance. More than 5,000 users have visited the NISPOM Rule webpage, close to 2,000 people have watched the “Ready for the Rule” video, and more than 3,000 users have used the NISPOM Cross Reference Tool as a desk-side aid offering the ability to select a link in the familiar NISPOM table of contents and find the corresponding section of the NISPOM Rule.

DCSA is also soliciting questions about the NISPOM Rule and has posted Frequently Asked Questions (FAQs) to the NISPOM Rule webpage. NISPOM Rule FAQs address the top questions asked during engagements with cleared industry. An Industrial Security Letters (ISLs) about implementation of the NISPOM Rule and Security Executive Agent Directive (SEAD) 3 reporting requirements are under review with the National Industrial Security Program Policy Advisory Committee (NISPPAC) and will published soon. Additional ISLs are being prepared for coordination with the NISPPAC as we approach the implementation finish line. 

Check the NISPOM Rule webpage for updates, additional resources, and upcoming webinars, and continue to work with your industrial security representative as you prepare and implement NISPOM Rule changes.