Get into compliance with the new NISPOM requirements to avoid federal consequences.
32 Code of Federal Regulation (CFR) Part 117, aka the new version of the National Industrial Security Program Operating Manual (NISPOM), became effective as a federal rule on Feb. 24, 2021. With that shift came some key other changes, including the requirements of reporting for cleared employees and various standards for possessing facilities. In documents referencing NISPOM, the new federal rule is written as “32 CFR Part 117, NISPOM,” rather than the previous DOD 5220.22-M.
The biggest change is more than just its name—it is the switch from NISPOM being a DoD manual to now being a federal rule. Because of this, you can face greater consequences for not being in compliance, including legal prosecution, as this change gives the NISPOM more weight in court. When the NISPOM was a manual, the biggest consequence for not staying compliant was the potential loss of a facility clearance or personnel clearance.
Another major change is that the requirements for NISPOM can no longer be found in one compiled location. While the bulk of the information can be found in 32 CFR Part 117, some information is also located in Part 2001. The new rule also points cleared personnel to external documents, such as SEAD 3, for further information.
With this change, industrial security professionals are in danger of making the assumption that this is a transfer of the same requirements in a new format. However, there are significant changes for facilities that are both possessing classified information and non-possessing, and gaining familiarity with these changes is crucial to maintaining compliance.
The new regulations came with a grace period of six months to achieve compliance. As of Aug. 24, 2021, you need to be in full compliance or risk repercussions. This includes reporting anything that falls under the new requirements going back to Feb. 24, 2021. Below are the most important changes to the NISPOM that DCSA has identified.
One of the biggest changes is the reporting requirements for cleared personnel. These requirements are pulled from SEAD 3, which previously only applied to government employees, not industry. Now, anyone holding a personnel clearance (PCL) must report foreign travel, and those with higher level clearances will have to report foreign passports, marriages and bankruptcies, among other things. The DCSA released this Industrial Security Letter clarifying some of these requirements here.
You can read about these requirements in depth here. There is a compliance deadline of Aug. 24, so it’s key to familiarize yourself with these quickly and report anything dating back to February 2021. For reporting in advance of foreign travel, that deadline has been extended 12 months.
The NISPOM Rule has introduced even stricter standards for who can install your Intrusion Detection System (IDS). Previously, the requirement was your installer must be UL 2050-certified. Now, they must be a nationally recognized test laboratory (NRTL) recognized by the Occupational Safety and Health Administration (OSHA). Any NRTL-approved entity may complete your IDS installations.
This is in addition to the requirements for facilities following the ICD 705 Tech Spec requirements. You can also use an entity that’s been approved in writing by your Cognizant Security Authority (CSA).
Senior Management Official
The Senior Management Official (SMO) is an important role for both possessing and non-possessing facilities. This role was mentioned in the old NISPOM as someone who would certify to the CSA that a self-inspection has been conducted. In the new NISPOM, this role is now defined, and additional responsibilities have been added.
The SMO must be one of your employees and is responsible for your company’s strategy and policy. Their defined responsibilities include ensuring the contractor maintains a system of security controls; appointing the Facility Security Officer (FSO) and Insider Threat Program Senior Official (ITPSO); remaining fully informed of the facility’s classified operations; making decisions based on classified threat reporting and their knowledge of threat information caused by a loss of loss of classified information; and retaining accountability for the management and operations of the facility.
With this role becoming more clearly defined, it marks an emphasis on changing from a one-size-fits-all approach for compliance to a risk-based approach. This means there will be a greater accountability of the SMO to tailor their security to their program’s needs rather than just meeting the basic standards.
The section on safeguarding classified information now appears in Section 15 of Part 117, but it also directs contractors to 32 CFR Part 2001 for more information on requirements for safeguarding. This change fragments the information needed to understand, for example, how to construct a NISPOM Closed Area, now referred to as an “open storage area,” or how to destroy classified information. Whether there were significant changes to the requirements remains unclear, and when asked for clarification, the DCSA directed Adamo to this page on their website.
Classified Information Retention
For this change, the NISPOM Rule “Clarifies for the contractor that upon completion of a classified contract, the ‘contractor must return all government provided or deliverable information to the custody of the government,’” according to the DCSA website.
The DCSA also provided further answers to some frequently asked questions regarding the changes here.
Since NISPOM is now a federal rule with greater repercussions for not being compliant, understanding these requirements is key for any cleared personnel or facility. Adamo’s security experts can help your team navigate the new NISPOM Rule and get in compliance with our FSO services, which utilize a flat-rate pricing model. Contact us today to learn more about how we can help you and your team.