If your business holds a U.S. security clearance — or is in the process of applying for one — take note of two big changes at the Defense Counterintelligence and Security Agency (DCSA). First, after more than 25 years, the National Industrial Security Program Operating Manual (NISPOM) is now being codified in the Code of Federal Regulations. Second, DCSA is replacing the Joint Personnel Adjudications System (JPAS) with the new Defense Information Security System (DISS).

NISPOM is now effective as a codified regulation.

In January 1995 — pursuant to Executive Order 12829 (Jan. 6, 1993) — the National Industrial Security Program (NISP) published the information-security manual that has guided the defense industry for the last quarter century. The NISPOM establishes standard procedures for securing classified information. With ever-increasing focus by the Department of Defense (DoD) on hardening the information security of its supply chain, the NISPOM has now been fully codified as a regulation.

A Final Rule codifying the NISPOM at 32 C.F.R. Part 117 took effect on February 24, 2021. Contractors must come into compliance by August 24, 2021. An upcoming Industrial Security Letter (ISL) will provide guidance on the Final Rule’s implementation.

The NISPOM outlines protections for classified information that is either disclosed to or developed by contractors, licensees, grantees, and certificate holders. The goal, of course, is to prevent unauthorized disclosure. Some of the key changes to the NISPOM, accompanying its codification, are:

• Reporting requirements – Cleared contractors must submit reports under Security Executive Agent Directive (SEAD) 3 and cognizant security agency (CSA) guidance.
• Limited facility clearance – Two new types of limited facility clearance (FCL) are available: limited entity eligibility for both (1) FOCI entities and (2) non-FOCI entities.
• NIDs – National Interest Determinations (NIDs) are not required for certain covered contractors operating under a Special Security Agreement (SSA) —those with ownership in countries of the National Technology and Industrial Base (NTIB) (United Kingdom, Canada or Australia).
• Top secret accountability – A CSA may make specific determinations on requirements for top secret accountability.
• IDSs – An Occupational Safety and Health Administration (OSHA) Nationally Recognized Testing Laboratory (NRTL) may certify intrusion detection systems as meeting UL-2050 standards.
• Safeguards – Cleared contractors should look to 32 C.F.R. Part 2001 for guidance on protecting classified national security information (CNSI).
• SMOs – The Final Rule clarifies the responsibilities of a Senior Management Official (SMO).
• Retention – On completion of a classified contract, contractors must return all government-provided or government-deliverable information to the custody of the government.

The DCSA is currently reviewing existing ISLs to determine those that will be retained, re-issued, and/or rescinded. DCSA will revise some NISP-related forms, including the SF-328 (Certificate Pertaining to Foreign Interests); DD Form 441 (Security Agreement); and DD Form 441-1 (Security Agreement Appendage).

JPAS retires on March 31, 2021.

JPAS is being replaced by the Defense Information Security System (DISS). This move is part of the new National Background Investigation Services (NBIS) system. DISS also implements the Trusted Workforce 2.0 continuous vetting policy. JPAS transitioned to a read-only mode on March 15, 2021, and will be fully retired on March 31, 2021.

Check back for here for updates.

These are both significant changes. Cleared contractors should work with their SMO, DCSA representative, and counsel to gain an understanding of and to achieve compliance with the requirements of NISPOM and DISS. We expect that DCSA will soon supplement these changes with additional guidance. We will continue to keep you updated.