The NISPOM is Becoming a Regulation & Contractors Have Six Months to Comply
On December 21, 2020, the Department of Defense (“DoD”) published a final rule in the Federal Register that codifies the National Industrial Security Program Operating Manual (“NISPOM”) in the Code of Federal Regulations (“CFR”) at 32 CFR part 117. The rule will become effective on February 24, 2021, giving contractors six months from the effective date to comply with the changes. Comments on the proposed change are due by February 19, 2021.
The NISPOM establishes various requirements and standard procedures for the protection of classified information disclosed to or developed by government contractors. It was first published in 1995 as DoD Manual 5220.22, and was intermittently updated through the years including (most recently) via Conforming Change 1 on March 28, 2013, and NISPOM Change 2 on May 21, 2016. In addition to adding the NISPOM to the CFR, the new rule will incorporate the requirements of Security Executive Agent Directive (“SEAD”) 3, “Reporting Requirements for Personnel with Access to Classified Information or Who Hold a Sensitive Position” (available here), and will implement the provisions of Section 842 of the 2019 National Defense Authorization Act (“NDAA”) (Public Law 115-232) (both of which are discussed below).
Incorporating Requirements of SEAD 3
SEAD 3 requires all contractor cleared personnel to report certain activities and information to their agency head or designee. The new NISPOM rule “provides for a single nation-wide implementation plan which will […] include SEAD 3 reporting by all contractor cleared personnel to report specific activities that may adversely impact their continued national security eligibility, such as reporting of foreign travel and foreign contacts.” Cognizant Security Agencies are then required to review and analyze each reported activity to determine whether it poses a threat to national security, and to take appropriate action if necessary.
Implementing Section 842 of the 2019 NDAA
Section 842 of the 2019 NDAA requires removal of national interest determination requirements for certain National Technology and Industrial Base (“NTIB”) entities. In accordance with Section 842, the new NISPOM rule will ensure that any entity located in the United States (1) whose ultimate parent company is located in friendly countries like the United Kingdom, Australia, or Canada, and (2) that is subject to foreign ownership, control, or influence (“FOCI”) requirements, will no longer have to obtain a national interest determination as a condition for access to “proscribed information.” Proscribed information includes Top Secret information, communications security information, restricted data, special access program information, and sensitive compartmented information. See Section 842(c)(2) of the 2019 NDAA. Removal of this requirement is intended to eliminate costly contract performance delays by allowing covered NTIB entities from friendly countries to begin performing on contracts that require access to proscribed information without having to wait on a national interest determination.
In addition to the changes detailed above, the new NISPOM rule will remove 32 CFR part 117, subparts B and C because they are duplicative of 32 CFR part 2004, which includes regulations on Implementation and Oversight, Administration, and Operations of the National Industrial Security Program. Once the new NISPOM rule becomes effective, DoD no longer will publish the NISPOM as a DoD policy memorandum. Notably, the new NISPOM rule will add the following provisions, which currently are not in the NISPOM:
117.7(b)(2) Senior Management Official. This section clarifies the responsibilities of the Senior Management Official of each cleared entity to better reflect the critical role and accountability of the cleared entity.
117.8 Reporting Requirements. This section includes the SEAD 3 reporting requirements and single nationwide implementation plan, discussed above.
117.9(m) Limited entity eligibility determination (Non-FOCI). This subsection creates a new type of limited entity facility eligibility determination (“FCLs”) for companies that are not subject to foreign ownership, control, or influence..
117.11(e) Limited entity eligibility determination due to FOCI. This subsection creates a new type of limited entity FCLs for companies that are subject to foreign ownership, control, or influence.
117.11(d)(2)(iii)(A) Requirement for National Interest Determinations. In accordance with Section 842 of the 2019 NDAA, this section eliminates requirements for a covered NTIB entity operating under a special security agreement to obtain a national interest determination for access to proscribed information.
117.13(d)(5), Return of Classified Materials. This subsection clarifies that upon completion of a classified contract, the contractor must return all U.S. Government provided or deliverable information to the custody of the U.S. Government.
117.15(e)(2) TOP SECRET Information. This section permits the Cognizant Security Agency to make specific determinations with respect to TOP SECRET accountability, and requires contractors to establish internal controls for TOP SECRET information and material to validate that procedures are in place for accountability, need to know, and retention.
117.15(d)(4) Installation. This section clarifies that an Intrusion Detection System must be installed by a Nationally Recognized Testing Laboratory-approved entity.
All government contractors dealing with classified information should take the time to familiarize themselves with the new NISPOM rules. Contractors will have six months from the effective date to comply with these changes. While there are not major changes from the legacy NISPOM requirements, there are some. As such, contractors should review their classified contracts, determine the impact of the new NISPOM rule, and consider discussing the possibility of an equitable adjustment with their Government Contracting Activity if the new rules will result in additional compliance costs.
 We note there was no interim rule with an opportunity for comment, as typically seen with new regulations. But, DoD explains “[t]his rule directly involves matters relating to public grants or contracts, and is therefore expressly exempt from notice and comment procedures under 5 U.S.C. 553(a)(2). […] Although DoD has determined that an exception to the notice and comment requirements of § 553 applies, it still seeks public comments on this rule. Thereafter, DoD will consider comments received on this rule in determining whether to make any changes in a subsequent rule.” 85 Fed. Reg. 83300, 83309-10 (proposed Dec. 21, 2020), available at https://www.govinfo.gov/content/pkg/FR-2020-12-21/pdf/2020-27698.pdf.