NISPOM Codifying, Guidance, Cleared Defense Contractors, and all those CFRs

The latest industry buzz is the “release of the new National Industrial Security Program Operating Manual (NISPOM)”. I’m putting air quotes in there, because an actual NISPOM has not been rewritten or re-released. There is no re-release of NISPOM, only a reorganization of the CFRs that duplicate National Industrial Security Program requirements. If you are expecting the release of a “new NISPOM”, such as a Change 3 or a total re-write, that has not occurred.

I encourage you to read further.

The genesis of all this buzz of a “new NISPOM” is listed here: https://www.govinfo.gov/content/pkg/FR-2020-12-21/pdf/2020-27698.pdf

Straight to the point

Conclusion:  No new NISPOM (just a few additions)

  •  32 CFR part 117 and 32 CFR part 2004 are redundant requirements
  • DoD will no longer publish the DoD Manual 5220.22, NISPOM as a DoD policy issuance in 32 CFR part 117.
  •  32 CFR part 2004, “National Industrial Security Program” is now the standing CFR
  • NISPOM Change 2 is still a requirement that Cleared Defense Contractor (CDC) must follow

Background

A quick read will review that there actually is no new NISPOM. This information just codifies (fancy legal term for: arrange (laws or rules) into a systematic code.) So, this is just a reorganization of laws to remove duplication and increase efficiency. What is unclear is that while the contractors are still required to follow the latest NISPOM, how the government communicates the NISPOM Change 2 requirement, when DoD Manual 5222.22 will no longer be published in its current form.

Streamlining requirements and one of the changes

I’ll focus on one of the most relevant and seemingly logical changes based on NISPOM roles.

You might know that the Director of National Intelligence (DNI) has had a large role in developing NISPOM. Primarily DNI oversees the protection of National Intelligence Information in the hands of the cleared defense contractors. Additionally, DNI has had executive roles In relation to the 2008 publication of E.O. 13467, “Reforming Processes Related to Suitability for Government Employment, Fitness for Contractor Employees, and Eligibility for Access to Classified National Security Information.

DNI then became Security Executive Agent (SecEA), for the development, implementation, and oversight of effective, efficient, and uniform policies and procedures governing the conduct of investigations and adjudications for eligibility for access to classified information and eligibility to hold a sensitive position.

Later in December 2016, DNI issued Security Executive Agent Directive (SEAD) 3, “Reporting Requirements for Personnel with Access to Classified Information or Who Hold a Sensitive Position, to executive branch agencies or covered individuals with an effective date of June 12, 2017.

The SEAD 3 intent is to promote consistency in personnel security reporting requirements for all covered individuals. This ties in well to the DNI role in the NISPOM as well as the intent to strengthen the safeguarding of national security equities, such as national security information, personnel, facilities, and technologies.

In logical flow, it would just make sense that the NISPOM would include additional SEAD 3 requirements. 

Biggest Impact: Reporting based on 13 Adjudicative Criteria, SF-86, and SEAD 3  

SEAD 3 identifies required reporting of data elements that are contained in the Standard Form-86, “Questionnaire for National Security Positions” used in requesting security clearance requests. In other words, the guidance issued requires that cleared employees under NISP report information reflective of concerns in the 13 Adjudicative Criteria and other items listed in the SF-86. This has always been a NISPOM requirement. However, SEAD 3 requires these elements to be reported PRIOR to participation in such activities or otherwise as soon as possible following the start of their involvement. This doesn’t seem to be a new requirement, but an emphasis as many FSOs have been providing this requirement in security awareness training.

Now this may be an attention grabber

There is a strong argument that this requirement will raise the level of report in some benign situations such as foreign travel. Travel is usually a notification residing with the cleared defense contractor organization, but now may be a formal report to the cognizant security office or Defense Counterintelligence and Security Agency (DCSA). The SEAD 3 highlights that cleared employees obtain prior agency approval BEFORE conducting unofficial foreign travel.

This will require training, enforcement, and an actual reporting process from the cleared employee to DCSA. For example, DCSA should provide guidance for what should happen if a cleared employee plans a family cruise to Mexico and the Bahamas. How far in advance should the traveler request this approval, how do they request the approval, and how is the approval provided back to the CDC?

There are several other changes that don’t impact the majority of CDCs. There is clarification for those who are responsible TOP SECRET accountability, proscribed information, classified document retention, and those falling under FOCI. However, for the most part, these include clarifications and are potentially already being applied appropriately.

For more information on SEAD 3, check this out: https://www.dni.gov/files/NCSC/documents/Regulations/SEAD-3-awareness-briefing.pdf

What to do and not to do

Don’t wait for a new version of NISPOM…yet. While there is no “new NISPOM”, there are some clarifying comments. I recommend reviewing the clarifications included below to assess any changes that you might need to make in your security program to protect classified information.

I also recommend using current NISPOM for security training and ISP® and ISOC certification. Nothing has been changed, just “codified”.

Continue to apply the current NISPOM. As stated in the source CFA, contractors are expected to comply with Change 2 requirements. Eventually, there will either be a re-release or republishing of the NISPOM under a new title or an acceptance of the current publication.

************************************************************************

Additional reading: Clarifications of NISPOM requirements include the following:

§ 117.8: Reporting Requirements. § 117.8(a) General includes that contractors must submit reports pursuant to this rule, SEAD 3 and CSA guidance to supplement unique CSA mission requirements. SEAD 3 reporting establishes a single nationwide implementation plan for covered individuals, which for this rule provides reporting by contractors and their employees eligible for access to classified information. SEAD 3 requirements will be implemented for all contractor cleared personnel to report specific activities that may adversely impact their continued national security eligibility. Contractor cleared personnel must be aware of risks associated with foreign intelligence operations and/or possible terrorist activities directed against them in the United States and abroad, and have a responsibility to recognize and avoid personal behaviors and activities that adversely affect their national security eligibility. NISP CSAs shall conduct an analysis of such reported activities, such as foreign travel or foreign contacts, to determine whether they pose a potential threat to national security and take appropriate action. Contractors will be responsible for collecting the foreign travel data from cleared employees, providing pre- and post-travel briefings to those cleared employees when necessary, and tracking and reporting those foreign travel activities of its cleared employees through the CSA designated system of record for personnel security clearance data.

§ 117.9(m) Limited entity eligibility determination (Non-FOCI) and, § 117.11(e) Limited entity eligibility determination due to FOCI. In accordance with 32 CFR part 2004, “NISP Directive,” provisions for granting two new types of limited entity facility clearance eligibility determinations (FCLs) to meet government requirements for narrowly scoped requirements for a companies to access classified information.

 § 117.11(d)(2)(iii)(A) Requirement for National Interest Determinations (NIDs): This paragraph provides for the implementation of the provisions of Section 842 of Public Law 115-232, which was effective on October 1, 2020, and eliminates requirements for a covered NTIB entity operating under an SSA to obtain a NID for access to proscribed information: Top Secret, Special Access Program, Communications Security, Sensitive Compartmented Information, and Restricted Data. This provision will allow covered NTIB entities to begin performing on contracts that require access to proscribed information without having to wait on a NID, and thus removing costly contract performance delays.

 § 117.15(e)(2) TOP SECRET Information: Permits specific determinations by a CSA with respect to requirements for TOP SECRET accountability (e.g., the CSA can determine that TOP SECRET material stored in an electronic format on an authorized classified information system does not need to be individually numbered in series provided the contractor has in place controls in place to address accountability, need to know and retention). As stated in this paragraph: “. . . Contractors will establish controls for TOP SECRET information and material to validate procedures are in place to address accountability, need to know and retention, e.g., demonstrating that TOP SECRET material stored in an electronic format on an authorized classified information system does not need to be individually numbered in series. These controls are in addition to the information management system and must be applied, unless otherwise directed by the applicable CSA, regardless of the media of the TOP SECRET information, to include information processed and stored on authorized information systems. Unless otherwise directed by the applicable CSA, the contractor will establish the following additional controls . . .”

§ 117.15(d)(4) Installation: Clarifies that an Intrusion Detection System (IDS) shall be installed by a Nationally Recognized Testing Laboratory (NRTL)-approved entity to make it clear that any NRTL-approved entity may do such

Start Printed Page 83305

installations. “The IDS will be installed by a NRTL-approved entity or by an entity approved in writing by the CSA . . .”

 § 117.7(b)(2) Senior Management Official: Clarifies responsibilities of the Senior Management Official of each cleared entity to better reflect the critical role and accountability of this position for entity compliance with the NISPOM. This change further emphasizes the essential role of the Senior Management Official with the entity\’s security staff to ensure NISPOM compliance.

§ 117.13(d)(5) Clarifies to the contractor that upon completion of a classified contract, the “contractor must return all government provided or deliverable information to the custody of the government. Such clarification ensures the contractor is not retaining official government records without specific authorization from the government customer. “(i) If the GCA does not advise to the contrary, the contractor may retain copies of the government material for a period of 2 years following the completion of the contract. The contract security classification specification, or equivalent, will continue in effect for this 2-year period. (ii) If the GCA determines the contractor has a continuing need for the copies of the government material beyond the 2-year period, the GCA will issue a final contract security classification specification, or equivalent, for the classified contract and will include disposition instructions for the copies

Leave a Comment

newsletter

Click here to sign up for the Newsletter