A look at what problems the new NISPOM tries to solve and what problems it creates
Since February 2006, government contractors who managed classified contracts relied heavily upon the foundational document for security: the National Industrial Security Program Operating Manual, aka NISPOM. The NISPOM, a DoD manual, was the document that guided the establishment and quality control for the security practices that rule over classified projects for commercial contractors. In 2021, the United States government redacted the NISPOM DoD manual and replaced it with 32 CFR Part 117, establishing it as a federal rule. Now that the rule has been rolled out and communicated to industry, security professionals have raised several questions about the change and its effects. Phillip Chance, senior security consultant at Adamo, shares his thoughts on the NISPOM change.
Why did the NISPOM move from a DoD manual to a federal rule?
I believe the new NISPOM improves accountability in two ways: First, the CFR establishes a new Senior Management Official (SMO) role that elevates the level of accountability for the security aspects of a defense contractor to new heights within a company, as the SMO cannot delegate their ultimate accountability for the safeguarding of national security information. They have new responsibility in the annual self-inspection, which means they must be aware of security measures and shortcomings in the facility and take steps to address vulnerabilities. In addition, moving the document from a DoD manual to a federal statute gives it more teeth in the court of law and can be more readily used to prosecute defense contractors who deliberately defied rules laid out within it. In my experience, as a manual, the only consequence an errant company could face would be the government withholding or suspending facility clearances.
From Rules to Risk
Essentially, when the NISPOM existed as a DoD manual, most companies would not use risk-based measures and practices to secure their programs. They would use a compliance method based on the NISPOM. In a compliance-based method, contractors essentially treat security and safeguarding as a checklist. They meet the rules as written, but this can lead to a complacent mentality, which can be a danger when it comes to protecting national security information. In contrast, a risk-based approach applies the compliance method as a foundation and in addition takes the unique needs of each facility into account. It determines the level of concern you should have based on vulnerabilities, the base requirements and the additional risk-based determinations are designed for and applied to your specific program.
Since 2014, I’ve seen that the government has been trying to shift the security mentality for industry from a compliance model, where NISPOM is used as a way to check boxes, to more of a risk-based model looking at your individual assets, threats and vulnerabilities. In this model, once threats and vulnerabilities are known, a value of the impact of a breach is assigned, and, based on that, the security team creates mitigation strategies. The new CFR furthers that method because it creates even more space for interpretation and situational application while drawing away from a templated approach.
Challenges that the new rule has created
The DoD manual NISPOM was well organized by chapter and topic related inside each chapter. If you were an FSO for a few years, you would be able to either memorize most of the NISPOM sections within each chapter or, at minimum, understand where to find everything, as it was logically laid out. The CFR, however, is split across dozens of regulations, and I’ve found in some cases you have to dig into two or even three regulations to find the answer you’re looking for. For example, If I want to know how to build an open storage space (previously known as a Closed Area in the DoD manual), I would, after learning the different nomenclature, find a reference in 32 CFR Part 117 that points to 2001.53. In the DoD manual, it was all contained in Chapter 5, Section 8 of the NISPOM. So what had been Chapter 5, Section 8 in the NISPOM is now under Title 32 Subtitle A Subchapter D Part 117, which points to 2001.53, which is Title 32 Subtitle B Chapter XX Part 2001 Subpart E 2001.53. In addition, the people in government roles who are releasing the information don’t seem to be emphasizing the fragmented nature of the document or to be well-equipped to answer questions about implementing it.
Lack of Clarity
The government hasn’t directly acknowledged the federal rule’s more fragmented nature, as compared to the DoD manual iteration. When 32 CFR Part 117 was released, the DCSA provided a cross-reference tool in the form of an Excel document that allowed you to find where items from the old NISPOM could be found in 32 CFR, but on DCSA’s website, that link no longer leads to that document as of this writing. Adamo has also reached out to DCSA to ask further questions and been redirected to this link, which hasn’t provided the answers we’ve been after.
Since the document set is much more challenging to navigate and more vague with more teeth for accountability, a vacuum has developed. In an age where the threats are reaching new heights and the consequences are tightened, the policy landscape increasing in complexity only perpetuates a state in which defense contractors lag in their ability to apply appropriate measures to protect classified information.
If you still have questions about the new NISPOM rule, let’s figure it out together! Send your questions to firstname.lastname@example.org. We’ll do our best to offer answers and clarity based on our understanding of and experience with the new NISPOM.
Phil Chance is the lead consultant at Adamo Security Group and is a subject-matter expert with more than 10 years of experience in multiple security disciplines.