On December 21, 2020, the Department of Defense (DoD) Office of the Undersecretary of Defense for Intelligence & Security published a Final Rule codifying the National Industrial Security Program Operating Manual (NISPOM)—currently published as part of DoD Manual 5220.22-M—in Title 34, Part 117 of the Code of Federal Regulations. The Final Rule became effective on February 24, 2021.
As many readers are likely aware, the NISPOM plays a key role in the National Industrial Security Program (NISP), the Government’s program for protecting classified information along with specific economic and technological data. See E.O. 12829 (Jan. 6, 1993) (establishing the NISP and ordering the Secretary of Defense to issue and maintain the NISPOM). In practice, the NISPOM establishes requirements and procedures for the protection of classified information disclosed to or developed by contractors (in addition to similar information disclosed to or developed by licensees, grantees, or certificate holders). Since 1995, the NISPOM has been part of DoD Manual 5220.22-M. The Final Rule relocates the NISPOM from DOD 5220.22-M and codifies it at 34 C.F.R. § 117.
Although the Final Rule does not enact any substantive changes to NISPOM requirements, other aspects of the Final Rule have more significant impact for certain contractors. For example:
- The Final Rule also incorporates the requirements of Security Executive Agent Directive (SEAD) 3, “Reporting Requirements for Personnel with Access to Classified Information or Who Hold a Sensitive Position.” The SEAD 3 reporting requirements apply to contractor personnel accessing classified information under the NISP and engaging in specific activities that may adversely impact their continued national security eligibility, such as foreign travel. Among other requirements, contractors must collect foreign travel data from cleared employees, provide travel briefings to those cleared employees if applicable, and report the foreign travel activities of these employees. The Cognizant Security Agencies will analyze the reported activities to determine whether they constitute a threat to national security.
- The Final Rule also implements the provisions of Section 842 of the National Defense Authorization Act of 2019 affecting cleared entities. Section 842 eliminated the requirement that covered National Technology and Industrial Base (NTIB) entities (e.g., entities in the United States, Australia, Canada, and the United Kingdom) operating under a Special Security Agreement (SSA) pursuant to the NISP attain a National Interest Determination (NID) to access proscribed classified information, such as information classified as Top Secret. Prior to the change implemented by the Final Rule, all entities under Foreign Ownership, Control, or Influence (FOCI) cleared by an SSA were required to complete a NID before being granted access to proscribed information. Under the Final Rule, however, covered NTIB entities will be permitted to begin performance on contracts that require access to proscribed information without having to wait on a NID, thereby lessening potential performance delays and alleviating the burden on cleared entities operating under an SSA.
Affected entities will have until August 24, 2021, to evaluate their existing classified contracts to determine if the Final Rule’s changes merit appropriate requests for equitable adjustments.
Despite the move from stand-alone document to codification, the NISPOM continues to provide a complex web of regulations for government contractors performing or seeking to perform classified contracts. With the ever-looming specter of False Claims Act allegations, investigations and potential litigation resulting from noncompliance with NISPOM regulations, contractors must be vigilant in ensuring continued adherence to relevant personnel and facility requirements.