[co-author: Paul Coyle]

The Department of Defense (DOD) is adding the National Industrial Security Program Operating Manual (NISPOM) to the Code of Federal Regulations (CFR). According to the final rule recently published in the Federal Register, the NISPOM will be codified at 34 CFR Part 117 effective February 24, 2021. Although the codification does not change current NISPOM requirements, the rule does make two significant changes related to industrial security. Upon codification, cleared entities will have six months to comply with the rule’s changes.

NISPOM

The NISPOM is issued and maintained in accordance with the National Industrial Security Program (NISP), which is the U.S. government’s integrated program for protecting classified information and U.S. economic and technological interests. The NISPOM is the operating manual governing the disclosure of classified information released by executive branch agencies and departments to government contractors, licensees, grantees, and certificate holders (collectively, “contractors”) as well as classified information developed by contractors. The NISPOM sets out procedures, requirements, and other safeguards to protect and prevent unauthorized disclosure across all classes of classified information. This rule simply relocates the NISPOM from DOD Manual DOD 5220.22-M to Title 34, Part 117 of the CFR.

SEAD 3 and NID Requirements

In addition to adding the NISPOM to the CFR, the rule makes two important changes regarding industry access to classified information.

First, the rule incorporates the requirements of Security Executive Agent Directive (SEAD) 3, ‘‘Reporting Requirements for Personnel with Access to Classified Information or Who Hold a Sensitive Position.’’ SEAD 3 requires all contractor cleared personnel eligible for access to classified information to be aware of risks associated with such access and to report to the government on an ongoing basis specific information and activities that may adversely impact their clearance eligibility, including foreign contacts and foreign travel.

Second, the rule implements the provisions of Section 842 of the 2019 National Defense Authorization Act (NDAA), which removes the requirement for a covered National Technology and Industrial Base (NTIB) entity operating under a Special Security Agreement (SSA) to obtain a National Interest Determination (NID) as a condition for access to certain proscribed information (e.g., information classified as Top Secret). An SSA is one mechanism the U.S. government uses to mitigate security risks presented by U.S. entities operating under foreign ownership, control or influence (FOCI). This provision is limited to the small number of cleared entities whose ultimate parent and any intermediate parents are located in a foreign country that is part of the NTIB. In addition to the United States, the NTIB is currently comprised of the United Kingdom of Great Britain and Northern Ireland, Canada, and Australia. According to the rule, “this provision will allow covered NTIB entities to begin performing on contracts that require access to proscribed information without having to wait on a NID, and thus removing costly contract performance delays.”

Because this rule involves matters relating to public grants or contracts it is exempt from notice and comment procedures. Nevertheless, the DOD is seeking public comments, which are due by February 19, 2021.