What Does the New NISPOM Rule Mean for Federal Contractors?

March 21, 2021

On December 21st, 2020, the Department of Defense (DoD) issued a final rule concerning the National Industrial Security Program Operating Manual (NISPOM). The rule not only incorporates NISPOM into the code of federal regulations (CFT), but it also introduces several new provisions. Most importantly for FSOs, NISPOM now includes the reporting requirements established by Security Executive Agent Directive (SEAD) Revision 3.

After going into effect on Feb. 24th of this year, federal contractors will have only six months (until August) to comply. In order to prepare, cleared entities must act quickly by familiarizing themselves with SEAD 3 alongside the latest updates to NISPOM. In this article, we will provide an overview of the new rule, what it changes and how FSOs can prepare.

The Last NISPOM Update

NISPOM – which regulates procedures for government contractors handling classified or controlled unclassified information (CUI) – is a 26-year-old document that has finally reached full maturity. Since it was released in 1995 as DoD Manual 5220.22, it has been updated several times under the same title with the last revision occurring in 2016.

Following the new rule which was submitted to the Federal Register on Dec. 21st, the DoD will no longer issue NISPOM update memorandums as it did in the past. Instead, organizations will have to consult CFR Volume 32, Part 117 for the latest version of the regulation. Fortunately, it will be accessible from the e-CFR website.

Significant Changes

Under the new rule, NISPOM has implemented provisions from Section 842 of the 2019 National Defense Authorization Act (NDAA). Understanding these provisions requires background: until recently, government contractors operating under a special security agreement (SSA) have been required to receive a national interest determination (NID) before they can access highly classified information.

Going forward, however, the NID requirement will be waived for covered National Technology and Industrial Base (NTIB) entities. These include organizations operating within countries that are friendly to the U.S, such as the United Kingdom, North Ireland, and Australia. Consequently, U.S allies will have fewer hoops to jump through while working on classified contracts.

Additional Changes

Other provisions in the latest NISPOM rule include:

  • Responsibilities for the Senior Management Official of a cleared organization
  • New limited entity facility eligibility determination (FCLs) both for companies subject to Foreign Ownership, Control, or Influence (FOCI) and those who are not (non-FOCI)
  • A requirement to return classified materials upon the completion of a classified contract
  • Internal controls for TOP SECRET information, ensuring the existence of procedures for accountability, need-to-know, and retention

For clearance holders, FSOs, and other security officers, the most significant addition is the implementation of SEAD 3, which expands the reporting requirements of cleared individuals.

SEAD 3 Explained

In 2017, the Director of National Intelligence (ODNI) announced a third revision to the Security Executive Agent Directive (SEAD) now known as SEAD 3. Under this directive, cleared personnel and non-cleared individuals occupying “sensitive positions” were required to file reports under a wide range of circumstances, including:

  • Sustained association with any foreign national, whether in real life or online
  • Adoption of children who are non-U.S citizens
  • New cohabitants (roommates/housemates/significant others)
  • Treatment for drug or alcohol-related issues
  • Any travel to a foreign country (along with a full itinerary)

Conversely, the task has largely fallen on FSOs to collect these reports and share them with a Cognizant Security Authority (CSA) who can then determine whether they represent a risk to national security. As of Feb. 24th, SEAD 3 will move to the status of federal law, and contractors will only have 6 months before compliance is enforced.

How to Prepare for the New NISPOM Rule

After August of 2021, contractors handling classified information as part of a federal contract will risk a negative security determination and administrative action if they have not implemented the reporting requirements of SEAD 3 and other NISPOM provisions.

Here’s what FSOs should do right now:

  1. Carefully review changes to NISPOM under 32 CFR 117; familiarize yourself with SEAD 3, and read our blog post that breaks down SEAD 3 reporting requirements.
  2. Evaluate your classified contracts and determine whether adjustments must be made to comply with NISPOM.
  3. Ensure that cleared personnel and affected personnel in sensitive positions are aware of reporting requirements and procedures.
  4. Provide channels and standard documentation to ease the burden of filing reports

Handle Reports Effortlessly with Portal Commander

MathCraft’s Portal Commander simplifies the life of FSOs by providing cleared individuals with all the tools they need to submit reports while organizing them in one place with data drill-down features for quick navigation. Features include:

  • Insider Threat Reporting
  • Foreign/Suspicious Contact Reporting
  • Foreign Travel Reporting
  • Anonymous reporting features
  • Up-to-date contact information for the DCSA, DHS, and CIA
  • And much more.

Today, insider threats remain one of the greatest risks for government agencies and contractors. Meeting SEAD 3 reporting requirements is not just a matter of compliance: it is also a safety issue for your organization and employees.

Save time, protect your organization and stay compliant. Contact us for a free demo!

Posted in Foreign Travel: SEAD 3, FSO, Industrial Security, Insider Threats, Portal Commander, Security Solutions