On December 21, 2020, the Department of Defense (DoD) Office of the Undersecretary of Defense for Intelligence & Security published a Final Rule codifying the National Industrial Security Program Operating Manual (NISPOM)—currently published as part of DoD Manual 5220.22-M—in Title 34, Part 117 of the Code of Federal Regulations. The Final Rule became effective on February 24, 2021.
As many readers are likely aware, the NISPOM plays a key role in the National Industrial Security Program (NISP), the Government’s program for protecting classified information along with specific economic and technological data. See E.O. 12829 (Jan. 6, 1993) (establishing the NISP and ordering the Secretary of Defense to issue and maintain the NISPOM). In practice, the NISPOM establishes requirements and procedures for the protection of classified information disclosed to or developed by contractors (in addition to similar information disclosed to or developed by licensees, grantees, or certificate holders). Since 1995, the NISPOM has been part of DoD Manual 5220.22-M. The Final Rule relocates the NISPOM from DOD 5220.22-M and codifies it at 34 C.F.R. § 117.
Although the Final Rule does not enact any substantive changes to NISPOM requirements, other aspects of the Final Rule have more significant impact for certain contractors. For example:
Affected entities will have until August 24, 2021, to evaluate their existing classified contracts to determine if the Final Rule’s changes merit appropriate requests for equitable adjustments.
Despite the move from stand-alone document to codification, the NISPOM continues to provide a complex web of regulations for government contractors performing or seeking to perform classified contracts. With the ever-looming specter of False Claims Act allegations, investigations and potential litigation resulting from noncompliance with NISPOM regulations, contractors must be vigilant in ensuring continued adherence to relevant personnel and facility requirements.