Answers to frequently asked questions about 32 CFR Part 117
The National Industrial Security Program Operating Manual (NISPOM) went through a major change in February of 2021. The document, which was formerly a DoD manual, is now a federal rule known as 32 CFR Part 117. The change also brought new definitions for a major role and revised some requirements.
How does a federal rule differ from a DoD manual?
Now that the NISPOM is a federal rule, there is increased accountability for defense contractors who deliberately defy its rules, as the document now carries more weight in a court of law.
What are the major changes to the new NISPOM rule?
The DCSA listed five notable changes from the manual to the rule. One is the reporting requirements, which have been pulled from Security Executive Agent Directive (SEAD) 3. These include reporting foreign travel, marriages, adoptions and more. The rule has also added new responsibilities for the Senior Management Official (SMO), introduced new standards for Intrusion Detection System (IDS) installation, moved the information regarding safeguarding, and added a clarification on policy for classified information retention. You can read more about these changes here.
The organization of the document has also changed significantly. The majority of the information once found in the old NISPOM can be found in 32 CFR Part 117, but it is more fragmented than before. For example, some information about safeguarding that used to be self-contained in the NISPOM DoD manual is now found in Part 2001.
What are the IDS requirements?
Intrusion Detection Systems (IDS) shall be installed by a Nationally Recognized Testing Laboratory (NRTL) approved entity or an entity approved in writing by the CSA. Any NRTL-approved entity may perform these installations. The NISPOM refers to the IDS standards from the ICD 705 Technical Specifications, which specify that installers must be UL 2050-certified.
These can be found at 117.15(d)(4)-(d)(4)(v).
What’s different for an SMO?
SMOs, or Senior Management Officials, now have clarified responsibilities meant to emphasize the accountability to which this role should be held. According to 32 CFR: “SMO is the contractor’s official responsible for the entity policy and strategy.” They hold ultimate authority, including the authority to direct actions necessary to safeguard information.
The full list of SMO responsibilities can be found at 117.7(b)(2), and you can read more about the SMO role here.
When did it take effect?
The new NISPOM rule came into effect February 24, 2021, and cleared facilities had to be in compliance by August 24, 2021. However, the compliance deadline for the reporting requirements has been pushed until August 24, 2022.
What are open storage areas?
Open storage areas, previously known as closed areas under the former manual, are a type of facility built and accredited to store government Secret and Top Secret information when it cannot be stored inside an approved Government Services Administration (GSA) safe.
The requirements for open storage areas can be found in 32 CFR Part 2001, specifically in Part 2001.53.
Why was this change made?
While the DCSA hasn’t released an explicit reason, we theorize it has to do with the government’s ongoing attempt to move defense contractors’ security approach from compliance-based to risk-based. This means getting contractors to go beyond meeting the minimum required standards for their site security and treating security as a checklist; instead, they should use compliance as a foundation and take their facility’s unique needs and risks into account. The key is breaking the habit of complacency when it comes to security. This is evidenced by things like the addition of clear SMO responsibilities and the switch from a DoD manual to a federal rule.
Have there been any updates since the new rule was released?
At this time, there haven’t been any Industrial Security Letters (ISLs) adding further information or clarification to the document, but we will update this blog post if that changes. The DCSA has released a series of videos on the rule, which cover a general overview of the rule, the reporting requirements, SMO responsibilities and IDS approvals.