The NISPOM Rule


DCSA Releases ISL 2021-02, “SEAD 3,” Clarification and Guidance on Reportable Activities for cleared contractors under DoD cognizance. The ISL provides clarity on reporting requirements for all covered individuals who have access to classified information. The ISL additionally advises that cleared contractors under DoD cognizance must implement the change in 32 Code of Federal Regulation Part 117, “National Industrial Security Program Operating Manual,” Rule effective August 24, 2021.

DoD has amended 32 CFR Part 117, the NISPOM Rule to extend the compliance date solely for reporting and pre-approval of unofficial foreign travel as prescribed in SEAD 3, until no later than 18 months from the effective date of the rule for those contractors under DoD security cognizance.  The reporting of the foreign travel component of SEAD 3 will begin August 24, 2022. 

Cleared industry under DoD cognizance should consult with their government customers for any additional foreign travel reporting requirements for those personnel who have SCI or SAP access and/or additional contractual reporting requirements.

DCSA will incorporate the assessment of compliance with the SEAD 3 reporting requirements that begin on August 24, 2021, with the exception of foreign travel as noted above, into scheduled assessments no earlier than March 1, 2022.

Resources for SEAD 3 implementation can be found on this webpage under the Resource and FAQ tabs below, and include Industry SEAD 3 Reporting Webinar Recording, SEAD 3 Frequently Asked Questions, and a SEAD 3 Reporting Desk Top Aid.  Click here to view the ISL.

Additional industrial security letter guidance for 32 CFR Part 117, NISPOM Rule (insider threat, SF-328, DISS, and consolidated article) that have been coordinated through the National Industrial Security Program Policy Advisory Committee (NISPPAC) continue to be processed and coordinated for issuance.  Cleared industry will be informed when they are approved and posted.

 

32 Code of Federal Regulation Part 117, NISPOM

On February 24, 2021, 32 CFR Part 117, “National Industrial Security Program Operating Manual (NISPOM)” became effective as a federal rule. Referred to as the “NISPOM rule,” it provides the contractor no more than six months from this effective date to comply with the requirements stipulated therein. The NISPOM rule replaces the NISPOM previously issued as a DOD policy (DOD 5220.22-M), which will be cancelled shortly after the allotted six-month implementation period ends. Until then, DOD 5220.22-M will remain in effect.

The rule implements policy, assigns responsibilities, establishes requirements, and provides procedures consistent with Executive Order 12829, “National Industrial Security Program;” Executive Order 10865, “Safeguarding Classified Information within Industry;” and 32 Code of Federal Regulation Part 2004, “National Industrial Security Program.” That guidance outlines the protection of classified information that is disclosed to, or developed by, contractors of the U.S. Government.

To assist cleared industry in better understanding what is required for compliance, DCSA worked with the Center for Development of Security Excellence (CDSE) to develop a cross reference tool. The tool provides users the ability to select a link in the familiar NISPOM table of contents and takes them to the corresponding section of the NISPOM rule. It serves as a deskside aid enabling the transition from the DOD manual format to a federal rule format. The tool is found here.

 

Changes in the Rule
Some of the changes in the Rule are intended to better align with national policy for the protection of Classified National Security Information, some are to address changes in law or regulations, and some are to enhance the protection of classified material that contractors access or possess.

The key changes include:

  • Section 117.8(a); Reporting Requirements: Requires cleared contractors to submit reports pursuant to Security Executive Agent Directive (SEAD) 3 and DCSA guidance.
  • Section 117.15(e)(2); TOP SECRET Information Accountability: Provides guidance on processes for the accountability and management of TS material on accredited classified information systems based on DCSA approval of the contractor’s plan.
  • Section 117.15(d)(4); Intrusion Detection System (IDS) Installation: Allows the granting of Underwriters Laboratories UL-2050, “National Industrial Security Systems,” certification for intrusion detection systems (IDS) by a nationally recognized test laboratory, recognized by the Occupational Safety and Health Administration, which is in addition to the CSA-approved IDS, and those in accordance with Intelligence Community Directive 705, “Sensitive Compartmented Information Facilities.”
  • Section 117.7(b)(2); Senior Management Official (SMO): Addresses additional responsibilities for the senior management official (SMO) regarding their role in the contractor’s NISPOM compliance.
  • Section 117.15; Safeguarding: Directs cleared contractors to refer to 32 CFR Part 2001, for direction on requirements for the protection of classified national security information (CNSI) to ensure consistency with national policy. This change is in addition to CSA approval and compliance with intelligence community specification (ICS) 705.
  • Section 117.13(d)(5); Classified Information Retention: Clarifies for the contractor that upon completion of a classified contract, the “contractor must return all government provided or deliverable information to the custody of the government.”
 

Changes for Contractors

  • Section 117.9(m); Limited entity eligibility determination (Non-FOCI) and limited entity eligibility: Informs cleared industry about a new limited facility clearance which provides additional facility clearance eligibility tools for DCSA and the Government Contracting Activities specific to the requesting GCA’s classified information, and to a single, narrowly defined contract, agreement, or circumstance.
  • Section 117.11(d)(2)(iii)(A); National Interest Determination (NID): Informs cleared industry that NIDs may not be required for certain covered contractors operating under a Special Security Agreement and having ownership by a country designated as part of the National Technology Industrial Base (UK, Canada or Australia).
 
Step 1: Download the 32 CFR Part 117 Cross Reference Tool from https://www.cdse.edu/Training/Industrial-Security/, and use it to discover how the sections familiar to you in DOD 5220.22-M (NISPOM) have mapped to the new rule, 32 CFR Part 117.

Step 2: Familiarize yourself with the new rule’s language, paying close attention to the sections covering the key changes previously pointed out.

Step 3: Look forward to additional clarification and guidance provided in upcoming Industrial Security Letters (ISLs) addressing topics such as "32 CFR Part 117 Implementation," "SEAD 3 Reporting Requirements Implementation," "TS Accountability," and others.

Step 4: Take deliberate action to prepare during the 6 month implementation period by updating and enhancing your practices and procedures as necessary, and by ensuring that those in your organization affected by the NISPOM are aware of what will be expected of them under 32 CFR Part 117.

Video Series #6, Security in Depth

Security in Depth (SID) refers to the multiple layers of security used to safeguard an asset. These security measures function in concentric layers, much like an onion, utilizing a combination of different technologies and security operations to protect against physical threats and forced entries. At their best, these layers should deter, detect, delay and deny unauthorized intrusions. This video will help explain what SID is, why it is important, how to implement SID, and how it is approved. This video can be found here:

 

SEAD 3 REPORTING DESKTOP AID FOR CLEARED INDUSTRY

A change has been made that combines the desktop aid’s “Official” and “Unofficial” foreign contact reporting categories into a single category titled “Foreign Contacts.” A footnote containing hyperlinks to two resources concerning specific foreign contact reporting circumstances has been added as well.

Video Series #5, SEAD 3 Panel Question & Answers

In this video DCSA Critical Technology Directorate hosts a joint DCSA and Cleared Industry Panel to address industry questions associated with the implementation of SEAD 3 as outlined in 32 CFR Part 117, “the NISPOM Rule,” and the SEAD 3 Industrial Security Letter. The video is recommended viewing by Senior Management Officials, Key Management Personnel, Facility Security Officers, and key security staff.

 

Video Series #4, UL-2050, Intrusion Detection System approvals

 

In this video, learn more about the changes in the NISPOM Rule related to UL-2050, Intrusion Detection System approvals, what Nationally Recognized Testing Laboratories (NRTLs) are, and what this means for cleared contractors in the NISP. The audio/slide recording provides an overview of the changes.

 

Video Series #3, Senior Management Official Responsibilities in the National Industrial Security Program

"SMO Responsibilities in the NISP": In this video, the Critical Technology Protection staff discuss the responsibilities of the Senior Management Official (SMO) as outlined in 32 CFR Part 117 (NISPOM Rule).

 

Video Series #2, "SEAD 3 Reporting Requirements"

 

"SEAD 3 Reporting Requirements." In this video, DCSA's Jason Theriault and Candace Williams provide an overview of SEAD 3 reporting responsibilities under the National Industrial Security Program, and walk you through the facility security officer's use of the pending Industrial Security Letter to identify what needs to be reported and how to go about submitting these reports.

 

Video Series, NISPOM Rule

"Get Ready for the Rule." In this video, DCSA's Keith Minard offers a closer look at the NISPOM Rule changes and discusses how industry can prepare for a smooth transition.

 

Have questions about the Self-Inspection Handbook? Send questions to: dcsa.quantico.dcsa-hq.mbx.dcsa-mcb-quantico-dcsa-mailbox-ctp-sih@mail.mil

 


SEAD 3

1. DO THE SEAD 3 REPORTING REQUIREMENTS REPLACE OTHER NISP REPORTING REQUIREMENTS?

No. SEAD 3 is only one of the reporting requirements for a covered individual addressed in 32 CFR Part 117.  SEAD 3 is not a substitute for, nor does it cancel any existing reporting requirements. Other requirements for individuals under the NISP still include:

  • Adverse information
  • Insider threat
  • Incident Reports
  • SF-86 submissions (to include updates)
  • Suspicious contacts
  • Any other contractual government requirement (e.g. SCI and SAP)

 

2. WHO IS A “COVERED INDIVIDUAL” FOR THE PURPOSES OF SEAD 3 AND THE NISP?

While SEAD 3 establishes reporting requirements for covered individuals who have access to classified information or hold a sensitive position, the 32 CFR part 117, “NISPOM” inclusion of SEAD 3 only applies to those contractor personnel who have been granted eligibility for access to classified information through the NISP, or are in the process of a determination for eligibility for access to classified information through the NISP. Reporting related to sensitive positions is not covered by the NISPOM’s inclusion of SEAD 3. Any questions about SEAD 3 reporting required by a contractor’s employee due to their position being designated as “sensitive,” should be discussed with the government customer responsible for that position designation. (See Industrial Security Letter 2021-02 and the SEAD 3 webinar for more information on “covered individuals” under the NISP.)

3. AS A COVERED INDIVIDUAL, UNDER WHAT CIRCUMSTANCES MUST I REPORT FOREIGN TRAVEL IN RESPONSE TO SEAD 3 REQUIREMENTS?

First, remember that all covered individuals have foreign travel reporting requirements.  Second, the easiest way to determine when you should report foreign travel is to remember the one instance when you do not have to report foreign travel.  The only foreign travel you do not need to report in accordance with SEAD 3 is foreign travel that is in direct support of an established U.S. government contract with the ultimate customer being the U.S. (i.e. “official foreign travel”). If your foreign travel doesn’t fit this description then it must be reported. There are a few additional things to keep in mind. Travel to Puerto Rico, Guam, or other U.S. possessions and territories is not considered foreign travel by SEAD 3 and need not be reported. Also, if you are mixing official foreign travel with unofficial foreign travel (e.g. visiting a relative or conducting other business that is not in direct support of an established government contract) then the unofficial foreign travel portion would have to be reported despite occurring before, during, or after official foreign travel.  Finally, if you are interested in more details on the following foreign travel related topics please visit ISL 2021-02, TABLE 4, p. 12.

  • What do you report and when?
  • Foreign travel pre-approval?
  • Emergency foreign travel?
  • Travel to Canada or Mexico?
  • Deviations from submitted foreign travel itineraries?

***NOTE***: Based on the NISPOM Amendment dated August 19, 2021, foreign travel reporting responsive to SEAD 3 requirements by cleared contractors is not required to begin until August 24, 2022. This delay is to allow time for the modifications to DoD’s Information Technology system to be completed. If a government contracting activity’s (GCA) contract separately requires reporting or pre-approval of unofficial foreign travel (i.e., contains a provision requiring such reports other than by incorporating the NISPOM), the contractor should consult with the GCA on when and where to submit such reports and the procedures for obtaining pre-approval.

4. WHAT CONTACTS AND RELATIONSHIPS (FOREIGN AND U.S.) DOES SEAD 3 REQUIRE COVERED INDIVIDUALS TO REPORT?

Reportable Regardless of Nationality (Includes US Nationals)
  • Marriage, civil union, domestic partnerships (Reportable by TS and “Q” only)
  • Cohabitation (Reportable by TS and “Q” only)
  • Contact with someone from the media seeking or showing interest in classified information or information otherwise prohibited from public disclosure.  (FSOs see ISL 2021-02, Table 2, p. 8 for more details)
  • Anyone who tries to obtain illegal or unauthorized access to classified information or to compromise or exploit you due to your position as a covered individual.

Reportable Due to Foreign Nationality

  • Adoption of non-U.S. citizen children (Reportable by TS and “Q” only)
  • Foreign national roommate (Reportable by TS and “Q” only)
  • Contact with a foreign intelligence entity. (outside of official contact made under the direction of a U.S. government contract)
  • A continuing relationship with a known foreign national that
    • Involves bonds of affection, intimate contact, or personal obligation, OR
    • Involves an exchange of personal information, meaning information of an intimate or personal nature and that is not reasonably expected to be accessible by the general public, nor that you would willingly release to the general public. Information excluded from this meaning includes:
      • Information, that as a member of the general public you would be expected to provide to enable a legal commercial transaction.
      • Information exchanged with a foreign national on the basis of being personable, not personal.
      • Information related to you that is exchanged on behalf of your employer to further a work-related matter.

Still confused? Visit "What Contacts and Relationships Should I Report Under SEAD 3?" under the Resource tab on the NISPOM Rule webpage for an exercise intended to help you decide if there is a contact or relationship that you should be reporting.

5. WHAT ABOUT U.S. CITIZENS WITH DUAL CITIZENSHIP?

SEAD 3 defines a foreign national as anyone who is not a U.S. citizen or a U.S. national.  This means that U.S. citizens with dual citizenship are not considered foreign nationals, and therefore do not need to be reported as foreign contacts. However, if the person is a spouse through marriage, civil union or domestic partnership, or a cohabitant as defined by SEAD 3, they are still reportable regardless of citizenship by those who are TS and “Q” eligible. (See ISL 2021-02, Table 3, p. 10)
Also, be aware that being designated as a “protected individual” as defined by 8 U.S. Code, Chapter 12, Sub-Chapter II, Part VIII, Section 1324b.(a)(3) does not necessarily mean reporting is not required under SEAD 3. For instance, having a Permanent Resident Card (or “green card”) is included under the definition of a “protected individual,” but does not meet the definition of a U.S. national and therefore such contacts must be reported if the nature of the relationship meets the criteria set forth in SEAD 3, namely that it is a CONTINUING RELATIONSHIP with a known foreign national and involves bonds of affection, intimate contact, personal obligation or the exchange of personal information.

6. I WORK WITH FOREIGN NATIONALS IN MY JOB BECAUSE THEY ARE PART OF MY PARENT COMPANY AND SOME ARE CUSTOMERS. DO I HAVE TO REPORT THESE AS FOREIGN CONTACTS?

Typically you would not have to report these individuals unless there existed a CONTINUING RELATIONSHIP involving BONDS OF AFFECTION, INTIMATE CONTACT, OR PERSONAL OBLIGATION (i.e. obligation beyond the work environment). Also, contact with these individuals must be reported if the relationship expands outside the work environment and involves an EXCHANGE OF PERSONAL INFORMATION, particularly anything that combined with knowledge of your covered individual status might enable targeting of you by a foreign intelligence entity. Bonds of affection, intimacy, and personal obligation should be relatively apparent in your assessment of the relationship you have with a foreign national with whom you work. However, critical thinking will be required by the covered individual to determine if a relationship with a foreign national from work involves an exchange of personal information that may be used in conjunction with knowledge of a covered individual’s eligibility status to target them for compromise.

7. WHERE CAN I FIND THE DNI WORLDWIDE THREAT ASSESSMENT OF THE US INTELLIGENCE COMMUNITY THAT IDENTIFIES THOSE COUNTRIES REFERENCED IN THE ISL 2021-02 AS REQUIRING A PRE-TRAVEL BRIEFING FOR ANY UNOFFICIAL FOREIGN TRAVEL?

The DNI Worldwide Threat Assessment of the Intelligence Community report is located at: https://www.dni.gov/files/documents/Newsroom/Testimonies/Final-2018-ATA---Unclassified---SASC.pdf

Travel to the countries listed in the report constitutes the requirement for a pre-travel brief as outlined in ISL 2021-02.

8. ALTHOUGH FOREIGN TRAVEL REPORTING IS NOT REQUIRED TO BEGIN UNTIL AUGUST 24, 2022 PER THE NISPOM RULE AMENDMENT, DO CLEARED CONTRACTORS UNDER DOD COGNIZANCE NEED TO STILL KEEP TRACK OF UNOFFICIAL FOREIGN TRAVEL OCCURRING UP UNTIL THEN FOR LATER INCLUSION IN DISS?

No. Cleared contractors under DoD cognizance do not need to keep track of unofficial foreign travel that occurs between now and August 24, 2022 when reporting is required to start.

9. IS THE REPORTING CRITERIA FOR A COVERED INDIVIDUAL DETERMINED BY THE ACCESS LEVEL OR THE ELIGIBILITY LEVEL?

Reporting criteria is based on the eligibility level of the cleared employee. For example, if the employee has TOP SECRET eligibility for access to classified information but is only currently accessing SECRET level classified information the covered individual is still required to report in accordance with SEAD 3’s requirements for TS and “Q” covered individuals, along with the reporting for all covered individuals also required.

10. DO SEAD 3 REPORTING REQUIREMENTS EXTEND TO A SPOUSE AS WELL, SUCH AS WITH QUESTIONS ON THE SF-86 THAT ARE PHRASED TO EXTEND TO "YOU OR YOUR SPOUSE"?

The reporting requirements of SEAD 3 for the purposes of the NISP apply only to cleared contractor personnel with eligibility for access to classified information. As a reminder though, you are still responsible for the requirements of the SF-86 regardless of SEAD 3.

11. ARE YOU ABLE TO PROVIDE MORE DETAIL ON THE "MEDIA CONTACT" REPORTING REQUIREMENT?

SEAD 3 requires reporting of media contacts, other than for official purposes, where the media seeks access to classified information or other information specifically prohibited by law from disclosure, whether or not the contact results in an unauthorized disclosure.  For the purposes of SEAD 3 the media is defined as any person, organization, or entity, other than Federal, state, local, tribal, and Territorial governments:

  • Primarily engaged in the collection, production, or dissemination to the public of information in any form, which includes print, broadcast, film, and Internet; or
  • Otherwise engaged in the collection, production, or dissemination to the public of information in any form related to topics of national security, which includes print, broadcast, film, and Internet.

 

12. SEAD 3 REQUIRES REPORTING OF ANY UNUSUAL INFUSION OF ASSETS OF $10,000 OR GREATER. WHAT CONSTITUTES AN “UNUSUAL INFUSION OF ASSETS” IN THE CONTEXT OF THIS REQUIREMENT?

SEAD 3 provides the examples of an inheritance or winnings for an unusual infusion of assets. A “windfall” is another way to think of this; an unexpected gain (either monetary or something of monetary value) that is not intended to legally compensate you for a corresponding loss or sale of something.  For example, an insurance payment of $50,000 to cover flood damage to your house is not reportable as an “unusual” infusion because this is a “usual” occurrence given the circumstances of the flood and the corresponding insurance claim. Likewise, properly documented compensation resulting from the sale of personal assets (at a reasonable valuation) or receiving a bonus from your employer in recognition of the value of your performance do not constitute an “unusual” influx since this is simply transferring something of value that you already legally possess into monetary value.

13. DOES SEAD 3 REQUIRE A COVERED INDIVIDUAL TO REPORT ON ANOTHER COVERED INDIVIDUAL?

Specifically, SEAD 3 requires covered individuals to report various behaviors and activities of other covered individuals that may be of potential security or counterintelligence concern. (See SEAD 3, Section F.3., p. 5) Therefore, reporting an employee’s workplace behavior and activities in accordance with SEAD 3 is intended to occur when there is concern that such behavior or activity may impact the protection of classified information or other information specifically prohibited by law from disclosure.

14. SO IF A COVERED INDIVIDUAL WORKS FOR MULTIPLE CLEARED CONTRACTORS, AND THEREFORE IS “OWNED BY” MULTIPLE SMOS, DOES THAT INDIVIDUAL HAVE TO SUBMIT SEPARATE SEAD 3 REPORTING TO EACH CLEARED CONTRACTOR?

Based solely on SEAD 3 (and not considering any other contractually applied requirements that may exist), the reporting would need to only occur once, whether submitted in DISS or directly to DCSA vetting risk operations (VRO) or the GCA. This reporting by the covered individual satisfies the reporting of the activity and appropriate information elements to any one of the cleared contractors under DoD cognizance that employs them. However, covered individuals should follow any additional reporting requirements of their government customer or servicing prime contractor.

15. IF AN INDIVIDUAL IS NEW TO AN ORGANIZATION, HOW WILL THE GAINING ORGANIZATION KNOW WHAT INFORMATION WAS ALREADY REPORTED IN DISS OR ON A SF-86?

If you become aware of any reportable activities for the covered individual who is new to your organization, contact the VRO who can advise you if the activity has already been reported.  VRO can be contacted using the e-mail address dcsa.ncr.dcsa-dvd.mbx.askvroc@mail.mil or toll free telephone number (888) 282-7682.

16. DO WE REPORT BEING ARRESTED OR WAIT UNTIL A FINAL DISPOSITION?

Contractors should report criminal conduct (e.g. arrests) in DISS, then update the system with any disposition as it occurs. Further, Appendix A of SEAD 3 addresses the data required for “arrests,” as well as any disposition.

17. ARE ALL CLEARED CONTRACTORS REQUIRED TO HAVE A STANDARD PRACTICE AND PROCEDURES (SPP) FOR SEAD 3 IMPLEMENTATION?

All cleared contractors under DoD cognizance are required to have a Standard Practices and Procedures document prepared or updated by the contractor that outlines the implementation of SEAD 3 reporting requirements outlined in ISL 2021-02 and made available for review by DCSA during assessments.

18. IF WE AS THE FSO NEED TO MAKE A REPORT ON OURSELVES DO WE SEND THAT DIRECTLY TO OUR DCSA INDUSTRIAL SECURITY REPRESENTATIVE?

All cleared contractors are required to have a primary and alternate account holder for DISS. The FSO should have the alternative account holder for DISS submit the report.

 

NISPOM Rule Implementation

1. ARE PREVIOUS INDUSTRIAL SECURITY LETTERS (ISLS) INCORPORATED INTO THE NISPOM RULE (32 CFR PART 117) OR DO WE NEED TO USE THEM IN ADDITION TO THE NEW RULE?

Many of the ISLs providing CSA-guidance were incorporated into the NISPOM Rule. DCSA is working with Industrial Security Policy staff at the Office of the Under Secretary of Defense for Intelligence and Security (OUSD (I&S)) concerning new ISLs, revising and re-issuing current required guidance, and determining which ISLs need to be rescinded. DCSA will coordinate through the NISPPAC concerning new ISLs, as well as those revised and re-issued.

2. WILL YOU UPDATE THE NATIONAL INDUSTRIAL SECURITY SYSTEM (NISS) TO REFLECT NEW CITATION(S) FORMATTING WHEN ENTERING VULNERABILITIES?

Yes, efforts are underway to update NISS by August 2021.

3. WILL DOD UPDATE FORMS REFERENCING THE CURRENT NISPOM MANUAL (DOD 5220.22-M) WITHIN THE SIX MONTH IMPLEMENTATION PERIOD ALLOTTED TO CLEARED INDUSTRY?

Yes, efforts are under way to update NISP related forms to reflect the NISPOM Rule.

4. WILL THERE BE AN UPDATED SELF INSPECTION HANDBOOK REFLECTING THE NEW NISPOM RULE?

Yes, a new Self Inspection handbook will align with the changes found in 32 CFR Part 117. We intended to release it in August 2021.

5. FOR TOP SECRET (TS) MATERIALS STORED IN A GSA-APPROVED SECURITY CONTAINER, IS THE INSPECTION BY A CLEARED EMPLOYEE EVERY TWO HOURS THROUGHOUT THE 24-HOUR DAY OR JUST DURING STAFF WORKING HOURS?

The use of cleared employees to inspect TS stored in a GSA-approved security container is required when container location is not occupied by cleared employees.

6. HOW DOES THE NISPOM RULE’S (32 CFR PART 117) “OPEN STORAGE AREA” REQUIREMENTS AFFECT EXISTING “CLOSED AREA” APPROVALS?

In the new NISPOM Rule, the term “closed area” and its associated construction requirements is replaced by “open storage area” and its requirements found in 32 CFR Part 2001, “Classified National Security Information.” However, if your organization has an existing DCSA approval for a “closed area” under the requirements of the NISPOM Manual (DOD 5220.22-M), that closed area can remain in effect. If major changes occur, the “open storage area” requirements found in 32 CFR part 117 are required.

7. WILL THE SENIOR MANAGEMENT OFFICIAL (SMO) NEED TO RE-APPOINT FACILITY SECURITY OFFICERS (FSOS), INSIDER THREAT PROGRAM SENIOR OFFICIALS (ITPSOS), OR INFORMATION SECURITY SYSTEM MANAGERS (ISSMS) ALREADY SERVING IN THESE ROLES?

No, the SMO will only need to appoint in writing those cleared employees who assume those duties after the implementation date.

8. IS TRAINING REQUIRED FOR SENIOR MANAGEMENT OFFICIALS (SMOS) NOW THAT THEY HAVE PRESCRIBED RESPONSIBILITIES?

There is no dedicated training for SMOs. As a cleared employee performing security duties, he/she is required to complete commensurate training. In this respect, DCSA is planning a SMO specific webinar during July 2021. We’re also developing an information tool about responsibilities.

9. WILL DCSA PROVIDE ADDITIONAL INFORMATION ABOUT SEAD 3 REPORTING REQUIREMENTS?

DCSA will schedule webinars beginning in June 2021, to discuss SEAD 3 reporting requirements for cleared contractors under DOD cognizance. Additionally, an Industrial Security Letter (ISL) providing DOD specific guidance is under development.

 

Senior Management Official (SMO)

1. WHAT HAS CHANGED FOR SMOS FROM THE OLD NISPOM TO THE NEW RULE?

The role of the SMO has not changed from the old NISPOM to the new NISPOM Rule. The NISPOM Rule now provides more detailed information on the responsibilities of the SMO. It more clearly defines the SMO’s responsibilities with respect to ensuring the protection of classified information by their facility. It also makes very clear that the accountability for a SMO’s responsibilities cannot be delegated to anyone else.

2. THE NISPOM RULE REQUIRES THAT THE SMO DESIGNATES THE FACILITY SECURITY OFFICER (FSO) AND INSIDER THREAT PROGRAM SENIOR OFFICIAL (ITPSO) IN WRITING. IS THERE A REQUIREMENT TO RE-DESIGNATE PERSONNEL WHO ARE CURRENTLY IN THESE POSITIONS?

No, cleared contractors under DOD cognizance only need to designate in writing those who are appointed after the August 24, 2021 implementation date.

3. IS THE SMO REQUIRED TO BE ONSITE WHERE THE CLASSIFIED WORK IS BEING PERFORMED?

No, the SMO is not required to be on site where classified work is being performed. The SMO must have cognizance of the classified work being performed and be able to execute their responsibilities outlined in the NISPOM Rule.

4. ARE ALL KMP REQUIRED TO BE BRIEFED ON THE RESULTS OF THE SELF-INSPECTION?

Yes, the NISPOM Rule requires the SMO to certify that other KMP have been briefed on the results. DCSA deems the phrase “other KMP” to mean “all KMP,” which includes excluded KMP; i.e. those KMP who do not possess a personnel security clearance (PCL) due to an exclusion resolution. The designation of any individual or position as a KMP indicates that the person or position can influence the facility’s protection of classified information or performance on classified contracts, and therefore should be made aware of the results and recommendations of the facility self-inspection.

5. CAN ANYONE OTHER THAN THE SMO CERTIFY THE ANNUAL SELF-INSPECTION?

No, the NISPOM Rule requires the SMO to certify the Annual Self-Inspection. The certification is a demonstration of the SMO’s accountability for those responsibilities stated in the NISPOM Rule.

6. IF OTHER COMPANY MANAGERS, SECURITY STAFF, OR THOSE HOLDING NISP-RELATED POSITIONS IN RESPONSE TO A COMPANY UNDER FOREIGN OWNERSHIP, CONTROL OR INFLUENCE (FOCI) ARE MORE INVOLVED IN THE DAY-TO-DAY SECURITY OF THE FACILITY, WOULD THEY NOT BE BETTER SUITED TO BE THE SMO?

The NISPOM Rule identifies specific criteria that a person must satisfy to be designated as the SMO for a facility. Underlying these criteria is the need to possess the appropriate level of authority. The SMO is an employee who, based on the cleared entity’s governance documents, occupies a position in the entity with ultimate authority over the facility’s operations and the authority to direct actions necessary for the safeguarding of classified information in the facility. While others, such as key management personnel (KMP), security staff, or those holding NISP-related positions in response to a company determined to be under FOCI, have key roles in the day-to-day security, operations or FOCI mitigation measures, these personnel often do not have overall authority over the facility to the degree required in the NISPOM rule.

7. WHAT ARE THE EXPECTATIONS DURING DCSA ASSESSMENTS FOR THE SMO TO BE AVAILABLE IF NOT ON SITE?

The SMO in most cases does not need to be on site during a DCSA assessment. DCSA industrial security representatives (ISRs) will determine if further engagement with the SMO is necessary based on interviews with other KMPs, security staff, and cleared employees during the assessment. It is always a good practice for the SMO, if available, to attend the introduction or exit brief whether in-person or virtually. The DCSA ISR normally communicates through the FSO for routine engagements with the cleared entity.

8. WHAT ABOUT A SMO WHOSE FACILITY’S CLEARED EMPLOYEES PERFORM AT OTHER CLEARED FACILITIES?

In cases where the entity’s cleared employees perform at other contractor or government locations, the SMO is responsible for NISPOM Rule requirements that apply to their cleared employees granted access to classified information. The other contractor or government location security staff has overall responsibility to ensure compliance with the NISPOM Rule requirements at their location.

9. DOES THE SMO NEED TO KNOW WHAT TYPES OF CLASSIFIED ACTIVITIES, IF ANY, ARE BEING SUPPORTED BY CLEARED EMPLOYEES PERFORMING AT OTHER CLEARED CONTRACTOR OR GOVERNMENT FACILITIES?

Yes, the NISPOM Rule, 32 CFR, Part 117 defines the SMO as someone with the authority to direct actions necessary for the safeguarding of classified information in the facility, even when the access to classified information by the facility’s employees is solely at other contractor facilities or U.S. government locations. The rule also states that the SMO is responsible for remaining fully informed of the facility’s classified operations. Additionally, the SMO is responsible for certifying a facility’s self-inspection, in which a review of the facility’s classified activities must take place even if that facility does not possess classified material but instead accesses classified at other locations, such as other contractor facilities or government locations.

10. WILL DCSA AUDIT THE CORPORATE RESOLUTIONS TO ENSURE THAT THE SMO IS PROPERLY DESIGNATED?

Yes. DCSA may review the cleared facility’s governance documents, board meeting minutes, and other documents to validate that the entity’s designated SMO possesses sufficient authority to meet the criteria stated in the NISPOM Rule.

11. HOW DOES THE SMO MAKE DECISIONS ON CLASSIFIED THREAT REPORTING IF YOU ARE A NON-POSSESSING FACILITY?

If classified threat information is required to be shared with the cleared entity, DCSA will coordinate with the FSO.

12. WHAT IS THE DIFFERENCE BETWEEN AN SMO AND A KMP?

The SMO is a KMP but not all KMPs are the SMO.

  • KMP means the entity’s SMO, FSO, ITPSO, and all other entity officials who either hold majority interest or stock in, or have direct or indirect authority to influence or decide issues affecting the management or operations of, the entity or classified contract performance.
  • The NISPOM Rule defines the SMO as an entity employee occupying a position in the entity with ultimate authority over the facility’s operations and the authority to direct actions necessary for the safeguarding of classified information in the facility.
  • See NISPOM Rule Definitions for more information on SMO and KMP.

 

13. ARE SMOS REQUIRED TO POSSESS AN ACTIVE CLEARANCE?

Yes, the SMO must be cleared to the level of the cleared entity’s facility clearance. As an example, if the cleared entity has a SECRET facility clearance (FCL), then the SMO must be cleared to the level of the FCL (i.e., SECRET).

14. IS THERE A REQUIREMENT FOR THE SMO TO COMPLETE TRAINING?

The SMO is only required to attend the same security related training as other cleared employees. It is advisable for the SMO to review the SMO Responsibilities webinar found under the Resource tab of the NISPOM Rule webpage.

15. IN THE CASE OF A VERY SMALL FACILITY, CAN THE SMO ALSO BE THE FSO AND/OR ITPSO?

Yes, the SMO may hold other positions in the cleared entity that are required for an FCL. However, this is not always the case in reverse. In order for an FSO or ITPSO to be designated the facility’s SMO, that person must meet the criteria stipulated by the NISPOM Rule for the SMO role. (See Q&A #15 for more information.)

16. DOES THE SMO NEED TO BE DESIGNATED IN WRITING?

The SMO is designated in writing by being listed on the KMP list uploaded into National Industrial Security System (NISS) by the entity. The assigned DCSA ISR validates the individual being designated as the SMO by reviewing the cleared entity’s governance

 

Halfway to NISPOM Rule Implementation

5/25/21 – May 24 marks the halfway point in the National Industrial Security Program Operating Manual (NISPOM) Rule implementation period, ending August 24, 2021. DCSA is here to help you “get ready for the rule.” In addition to changing from a DOD operating manual (5220.22-M) to a federal rule (32 CFR Part 117), the NISPOM Rule includes a number of contractor requirements. DCSA has created and published resources to assist cleared industry in better understanding what is required for compliance. More than 5,000 users have visited the NISPOM Rule webpage, close to 2,000 people have watched the “Ready for the Rule” video, and more than 3,000 users have used the NISPOM Cross Reference Tool as a desk-side aid offering the ability to select a link in the familiar NISPOM table of contents and find the corresponding section of the NISPOM Rule.

DCSA is also soliciting questions about the NISPOM Rule and has posted Frequently Asked Questions (FAQs) to the NISPOM Rule webpage. NISPOM Rule FAQs address the top questions asked during engagements with cleared industry. Industrial Security Letters (ISLs) about implementation of the NISPOM Rule and Security Executive Agent Directive (SEAD) 3 reporting requirements are under review with the National Industrial Security Program Policy Advisory Committee (NISPPAC) and will be published soon. Additional ISLs are being prepared for coordination with the NISPPAC as we approach the implementation finish line.

Check the NISPOM Rule webpage for updates, additional resources, and upcoming webinars, and continue to work with your industrial security representative as you prepare and implement NISPOM Rule changes.