As industry comes up on the one-year anniversary of the publication of Change 2 to the National Industrial Security Program Operating Manual (NISPOM)¹, a number of implementation deadlines are drawing near. This blog post briefly highlights key industrial security program requirements for cleared contractors to focus on.

1. Insider Threat Program Training Implementation Deadlines

Change 2 requires cleared contractors to appoint an Insider Threat Program Senior Official (ITPSO)² and implement an “insider threat” program³ that will gather, integrate, and report relevant and available information indicative of a potential or actual insider threat.⁴  Insider threat employee awareness training is now required for all cleared employees before being granted access to classified information and annually thereafter.

• The suspense for the completion of training for those cleared employees currently accessing classified information is May 31, 2017.
• After May 31, 2017, all cleared contractor employees must complete the employee awareness training prior to having access to classified information, and thereafter annually.⁵

2. Transition to New RMF Assessment Process for Classified Information Systems

Change 2 added specific cybersecurity language to the NISPOM and completely overhauled Chapter 8 on Information System security to bring the NISPOM in line with other unclassified federal information system security requirements.

• A senior management official at the cleared facility must certify annually to DSS in writing that a self-inspection of classified information systems has been completed.⁶ These self-inspection reports must be available to DSS during the company’s next security vulnerability assessment following the self-inspection.
• Contractors must implement certain DSS-provided information system security controls on classified information systems in order to detect activity indicative of insider threat behavior.⁷
• The former DSS Office of the Designated Approving Authority (ODAA) been renamed the National Industrial Security Program Authorization Office (NAO). The ODAA Process Manual for the Certification and Accreditation of Classified Systems has been renamed the DSS Assessment and Authorization Process Manual (DAAPM) and revised to reflect the updated NISPOM Change 2 language  on “authorizing” classified information systems.
  • An authorizing official⁸ is responsible for issuing an operational authorization decision (an “Authorization to Operate” (ATO)) for cleared contractor information systems based on the results of security assessment activities and the implementation of security controls provided in the DAAPM.
• Both the NISPOM and the DAAPM have replaced the legacy Certification and Accreditation (C&A) processes applied to information systems with the approach embodied in the NIST Risk Management Framework (RMF).⁹
  • Contractor classified information systems with a security authorization package submitted before August 2016 continue using the C&A process in the ODAA Process Manual.¹⁰
  • Going forward, all expiring authorizations and submissions of new security authorization packages for contractor classified information systems must transition to the RMF and follow the DAAPM.

3. Use of New Version of Standard Form (SF) 328 Certificate Pertaining to Foreign Interests

OPM has issued a new version of the Standard Form (SF) 328,¹¹ which is used to gauge whether a company is under Foreign Ownership, Control, or Influence (FOCI).¹²  Revisions to the form include:

• the removal of the prior requirement for application of a corporate seal;
• a single witness to the contractor representative signing the SF 328 is now required; and
• the government representative that is accepting the SF 328 may not act as the witness.

However, the ten (10) FOCI questions on the front of the form have not changed at all.  A notice on the DSS website provides the following guidance to contractors for completing the new SF 328 in the Electronic Facility Clearance System (e-FCL):

ATTENTION e-FCL USERS: e-FCL system updated with revised SF 328

On April 5, 2017, DSS announced that the SF 328, “Certificate Pertaining to Foreign Interests,” supporting the National Industrial Security Program was revised with a new issuance date of March 2017, under

In the e-FCL system, the previous version of the SF 328 remains available to complete via digital form. Contractors should:

1. Continue completing the digital form in e-FCL as the questions on the form have not changed, and
2. Complete and upload a signed copy of the revised SF 328 as part of the Initial or Change Condition Package.

Note: The print button for the digital form has been temporarily disabled.

A link to the revised SF 328 will be available in the system in the coming weeks. In June 2017, the e-FCL’s digital SF 328 will be updated to the revised version, and the print button will be re-enabled.

Although the changes to the form do not affect any existing SF 328s on file in e-FCL, going forward a company should be signing and submitting the new version of the SF 328 for any “Initial” or “Changed Conditions” submission.

¹ Department of Defense (DoD) 5220.22-M  February 2006 (Incorporating Change 2, May 18, 2016).

² The ITPSO must be identified as Key Management Personnel (KMP) and must have a Personnel Security Clearance (PCL) at the level of the company’s Facility Security Clearance (FCL). NISPOM §1-202; §2-104.

³  Insider threat is defined as “the likelihood, risk, or potential that an insider will use his or her authorized access, wittingly or unwittingly, to do harm to the national security of the United States. Insider threats may include harm to contractor or program information, to the extent that the information impacts the contractor or agency’s obligations to protect classified national security information.” (NISPOM Appendix C)

⁴ NISPOM §1-202.

⁵ NISPOM §3-103b; DSS Industrial Security Letter (ISL) 2016-02 at page 4.

⁶ NISPOM §1-207b.

⁷ NISPOM §8-100d.

⁸ The term “authorizing official” (AO) has replaced the legacy term “designated approving authority” (DAA) in the NISPOM.  This change is consistent with other RMF changes to DoD cybersecurity publications.

⁹ National Institute of Standards and Technology (NIST) Special Publication (SP) 800-37, Risk Management Framework.

¹⁰ However, the resulting ATO shall be no greater than 18 months and the contractor must develop a Plan of Action and Milestones (POA&M) for transitioning to the RMF.

¹¹ Issued under OMB Control Number 0704-0194 and expires on Sept. 30, 2019, unless the form is renewed prior to that date. Previous blank SF 328s are obsolete.

¹² Available from the GSA forms website here.