NISPOM is an increasingly important part of the regulations surrounding work as a government contractor and is especially critical if you handle classified information. It’s also a lengthy and detailed part of the Federal Register and is complex enough that it often takes a specialist to know what’s important and what’s required. So, let’s talk about it. As with most aspects of the code of federal regulations, this can be lengthy and complex, so settle in; if there are any questions you have when all is said and done, let us know.
BLUF - Bottom Line Up Front
NISPOM is crucial for government contractors handling classified information. It provides a detailed framework for protecting classified data, applying to all contractors within the defense supply chain. NISPOM became part of the Code of Federal Regulations in 2021, increasing its enforceability. Changes include stricter reporting requirements, expanded applicability to contractors, and increased legal accountability. SEAD 3 complements NISPOM by adding security reporting obligations for cleared personnel. Ignyte offers assistance with compliance and security requirements.
What is NISPOM?
Prior to the Cold War, the Department of Defense maintained a series of policies and procedures that outlined what contractors, particularly prime contractors, would need to do in order to maintain security and protection for classified information.
Following the Cold War era, the government decided to start aggregating and codifying many of their more disparate and distributed policies. One area where they focused was on these Department of Defense regulations. The Executive Order 12829 issued in 1993 established the original National Industrial Security Program Operating Manual, known as NISPOM.
This manual helped to ensure that the defense industrial base protects classified information in effective ways, following a standardized procedure and framework. Every so often, NISPOM was changed to keep up with new technologies, new threats, new security best practices, and new concerns. Major changes took place in 2006 and in 2017. During this time, it was known as DoD 5220.22M.
Finally, in 2021, the government decided to convert the NISPOM framework from a DoD rule to part of the overall Code of Federal Regulations. Today, it lives under the designation 32 CFR part 117.
The final rule was established in February of 2021, though it is open to ongoing comment for future iterations of the manual. It became fully effective in August of 2021, which might sound like a very short window compared to many similar federal frameworks, but that’s largely due to there being little change between the pre-CFR and post-CFR versions of NISPOM. There were some changes, which we’ll cover a bit later, but by now, two years later, you’ll either have complied or lost your contracts.
Why does it matter that NISPOM changed from a DoD Rule to a part of the Federal Register? Essentially, the change means it applies more broadly to defense contractors, increases the accountability and oversight of the enactment of the regulations, and increases penalties for defying or failing to uphold its rules. In short, it’s taken more seriously.
Make no mistake: NISPOM is a lengthy and detailed framework. The PDF version is 65 pages of dense text, including everything from the history and establishment of NISP and NISPOM to the overall summary of the rule to all of the individual clauses and directives contained within. You can view that full PDF here if you wish.
In short, NISPOM governs the clearances, access, and security protocols for industrial and physical security in classified spaces.
What is the Goal of the NISPOM Rule?
The simple version is that NISPOM is meant to provide rules and a framework for defense contractors, with the goal of securing them both physically and digitally to protect classified information.
For a more itemized list of goals and purposes:
- NISPOM provides a set of security requirements for individuals with access to classified information to follow and uphold.
- NISPOM sets forth protocols for the handling of classified information and materials.
- NISPOM creates security measures in a framework for the use of digital systems and networks that interact with classified information.
- NISPOM establishes reporting requirements in the case of security violations or other incidents.
- NISPOM enumerates the consequences for non-compliance with the rule, including both willful and accidental non-compliance.
- NISPOM ensures that the defense industrial base is as secure as possible with regard to classified information.
- NISPOM lists the responsibilities of people involved in the defense supply chain, including contractors, grantees, and licensees, to ensure classified information is protected.
- NISPOM allows the DoD to enact oversight over defense contractors to ensure that they’re following proper security procedures when working with classified information or materials.
- NISPOM sets up a barrier to espionage and malicious activity in the defense industrial base.
- NISPOM helps ensure the overall security of national security information and interests, as well as the protection of sensitive information.
For the most part, this is all a lot of different ways of saying “NISPOM helps keep the DoD and its contractors secure against intrusion and attack.” It’s one part of a system of security frameworks including the newly-established CMMC, all meant to keep the government and its information protected in a hostile global environment.
To Whom Does NISPOM Apply?
NISPOM applies to all government prime contractors, secondary contractors, subcontractors, and other entities, including both cleared defense contractors and non-defense contractors. However, as it is focused entirely on classified (and above) information, contractors that only handle CUI or publicly-available information do not need to be concerned about NISPOM.
The scope of the Rule is centered around protecting classified information, so anyone who handles or has the potential to handle classified information needs to comply; anyone who does not can freely ignore it.
What Changed Between the DoD Regulation and Federal Rule?
When NISPOM was adopted as part of the Code of Federal Regulations, some changes were made to the document.
The biggest change was in importance. As a DoD manual, it was harder to enforce and had lower penalties. As a Federal Rule, it carries a lot more weight in terms of accountability and consequences. Before, failure to comply simply meant a loss of clearance; now, it can carry legal prosecution and criminal charges.
NISPOM is also now more distributed. It makes reference to certain external documents, such as Part 2001 and SEAD 3, which can now be altered and updated on their own without requiring a full review of the NISPOM rule to do so.
The transition expanded the scope of NISPOM from previously applying only to government employees to now applying to contractors. Anyone with a personnel clearance now has to report things like foreign travel, and there are rules surrounding marriages and adoptions as well. Foreign passports must be reported, foreign bankruptcies must be reported, and more; anything that can potentially influence a person and be exploited by foreign governments or threats needs to be reported.
NISPOM also now requires that facilities under its purview have a Senior Management Official as an employee, who is the one responsible for guiding NISPOM compliance and who is accountable for its implementation.
One final difference is that NISPOM, as a federal rule, actually removed several sections that were present in the DoD manual. These sections, subparts B and C of part 117, were removed because they duplicated requirements from another part of the code of federal regulations. This helps avoid situations where one is updated, and another is not, causing conflicts. The requirements are still in place; they just stem from a different part of the code of federal regulations now, namely 32 CFR part 2004.
What is Contained in NISPOM as a Rule?
Let’s talk about the general overviews, provisions, and requirements established by NISPOM as a federal rule. This is, by necessity, a brief overview; for a full breakdown, you can contact us directly, read the federal rule itself, or consult with another third-party contractor. Generally, information in NISPOM can be broken down into these groups.
General provisions. NISPOM, as a Rule, contains all of the general requirements that are placed on any organization with a clearance and any individuals with a clearance regarding classified information. This includes the establishment and maintenance of a security program, security policies for individuals, physical security requirements, the establishment of threat detection and counterintelligence systems, and more.
Security clearance information. NISPOM is effectively a manual about how to manage and handle security clearances, including what it requires to get one, how to maintain one, what happens if a disqualifying event happens, how to lose one, and when they expire and need to be renewed.
This also includes personnel security clearance management information. If you’ve ever needed to know what information is up for review in a background check for a security clearance, what kinds of investigations happen, and what measures need to be taken, it’s all outlined in NISPOM.
Physical security information. For any facility that handles classified information, NISPOM outlines what is required to ensure physical security, access control, and verification for those facilities. It also enumerates more specific information about handling equipment that accesses classified information, as well as how to safeguard classified information against unauthorized access, alteration, or destruction. In the case of even higher-security areas or sites, it lays out higher standards as well.
Operational policies and actions. NISPOM covers everything that needs to be in place, procedure-wise, for the handling of classified information with care. It’s all about safeguarding classified information, preventing unauthorized disclosure or access, restricting unauthorized destruction, and detecting, reporting, and counteracting intrusion.
FOCI. Foreign Ownership and Control restrictions in NISPOM outline what an entity needs to do to ensure foreign-owned entities don’t have access to classified information and, more importantly, aren’t in a position to influence decisions related to how that information is handled; after all, with sufficient influence, a threat wouldn’t need the information itself to disrupt its use.
Subcontracting information. As mentioned previously, NISPOM, as a rule, applies to contractors and subcontractors now, not just government employees. When a facility handling classified information has to subcontract to someone and let that entity handle classified information, NISPOM provides safeguards, requirements, and assurance that the subcontractor must meet the same level of security obligations.
Transition management. In the event of a facility or contractor closing, classified information can’t be left in the lurch; it needs to be properly handled, and the transition from one business to another, from one contractor to another, or a return to the source must be properly handled. Regulations exist for how to return or destroy classified information properly.
SEAD 3
Above, we offhandedly mentioned that part of NISPOM now references other documents, one of which is SEAD 3. What is it?
SEAD 3 is the third version of the Security Executive Agent Directive. SEAD 3 is a reporting requirement for all cleared personnel in sensitive positions, as well as all individuals with active national security clearance. It’s a special continuing security obligation, and it’s an added burden for cleared personnel to maintain education, recognition, avoidance, and counterintelligence for threats.
SEAD 3 is similar in many ways to “mandatory reporting” requirements in other industries.
Effectively, it says that if you have a security clearance, you have to report things such as:
- Unofficial foreign travel.
- Foreign contacts.
- The actions of other covered individuals you witness.
- Attempted exploitation, coercion, or blackmail.
- Arrests and bankruptcies.
- Alcohol or drug treatment.
- Financial anomalies.
- Foreign roommates, cohabitants, or marriage.
Reporting has to be done pre-travel, post-travel when you return, whenever you witness a reportable event, or when a reportable event happens to you.
This is all just another set of requirements on those with security clearances, meant to ensure that there are no sources of foreign influence on individuals with access to classified information, or that if there are, those influences can be monitored and counteracted.
How Ignyte Can Help With NISPOM
NISPOM is demanding in terms of requirements, accountability, and complexity.
At Ignyte, we’re used to offering our help for various security frameworks and compliance throughout the government contractor chain and the private sector. We’re always available for questions and discussions if you would like to contact us for a chat. You can also use the Ignyte Platform to help maintain documentation for compliance purposes.
If you have any questions in general that we can answer publicly, you can also feel free to ask them at any time; we may even cover them in future blog posts. Let us know how we can help ensure you’re safe and compliant to continue your government contracts!
Max Aulakh is a distinguished Data Security and Compliance leader, recognized for implementing DoD-tested security strategies and compliance measures that protect mission-critical IT operations. His expertise was shaped in the United States Air Force, where he was responsible for the InfoSec and ComSec of network hardware, software, and IT infrastructure across global classified and unclassified networks. He also developed strategic relationships with military units in Turkey, Afghanistan, and Iraq. After his tenure with the USAF, Max played a pivotal role in driving Information Assurance (IA) programs for the U.S. Department of Defense (DoD). As a Senior Consultant for a leading defense contracting firm, he led a team that ensured data centers met Air Force Level Security audits for regulatory requirements like HIPAA, SOX, and FISMA. Currently, as the CEO of Ignyte Assurance Platform, he is at the forefront of cyber assurance and regulatory compliance innovation, catering to the defense, healthcare, and manufacturing sectors. Max is also an esteemed speaker, having presented at several conferences on topics including cybersecurity GRC, medical device security, and cybersecurity perspectives in vendor management. You can follow him on LinkedIn here.