DoD Codifies NISPOM and Incorporates Other Industrial Security Changes

By: Derrick Kyle, Associate
Date: 01/19/2021

Readers involved in the defense industry who deal with classified information will be familiar with the National Industrial Security Program Operating Manual (“NISPOM”), the manual that establishes procedures for government contractors to manage and safeguard classified information in their possession during the performance of contracts, programs, bids, and research and development projects.

On December 21, 2020, the Department of Defense (“DoD”) published a final rule with request for comments (the “Final Rule”),[1] effective on February 24, 2021, codifying NISPOM in Title 32, Part 117 of the Code of Federal Regulations (“CFR”). In addition to codifying the NISPOM, the Final Rule makes other changes relevant to industrial security.

Codifying Regulations

Executive Order 12829, issued on January 6, 1993, established the National Industrial Security Program (“NISP”) and required the Secretary of Defense to issue and maintain the NISPOM. Starting in 1995, the NISPOM was issued as part of DoD Manual 5220.22.

With the codification of the NISPOM in the CFR, the NISPOM will no longer be published in DoD Manual 5220.22. This portion of the Final Rule does not change the current requirements of the NISPOM, but the announcement of the relocation is important for government contractors, licensees, grantees, or certificate holders (collectively the “contractors”) subject to the NISP. Other aspects of the Final Rule have more tangible impacts on government contractors and are discussed in greater detail below. Government contractors will have six months after codification, or August 24, 2021, to review classified contracts and comply with the additional changes from the Final Rule.

SEAD 3 Requirements

The Final Rule incorporates the requirements of the Security Executive Agent Directive (“SEAD”) 3, “Reporting Requirements for Personnel with Access to Classified Information or Who Hold a Sensitive Position.” Generally, SEAD 3 applies to “covered individuals,” which include persons who have been granted access to classified information or hold sensitive positions that perform work for or on behalf of 1) the federal executive branch (not including the President or Vice President), 2) the federal legislative or judicial branches (not including members of Congress, Justices of the Supreme Court, or Federal judges appointed by the President), or 3) a state, local, tribal, or private sector entity, as defined in Executive Order 13549 (not including governors of states or territories).

Covered individuals are not limited to government employees and include all persons (apart from the above exclusions) who have access to classified information or who hold sensitive positions. Covered individuals also include government contractor employees. For the Final Rule, SEAD 3 applies only to contractor personnel that have been cleared to receive classified data through the NISP.

SEAD 3 requires reporting by cleared individuals of identified data elements that relate to specific activities that may adversely impact their continued national security eligibility. Such activities include those related to foreign travel and foreign contacts. For example, SEAD 3 requires covered individuals to obtain agency approval prior to unofficial foreign travel. Cognizant Security Agencies (“CSAs”) shall conduct an analysis of such reported activities to determine whether they constitute a threat to national security.

Incorporation of Section 842 of NDAA

The Final Rule also implements provisions of Section 842 of the National Defense Authorization Act of 2019 (“NDAA”) that likewise affect government contractors. Section 842 removes the requirement for National Technology and Industrial Base (“NTIB”) entities (i.e., entities in the industrial bases of the United States and Australia, Canada, and the United Kingdom) operating under a special security agreement to obtain a national interest determination (“NID”) to access “proscribed information.” “Proscribed information” is information that is:

  • Classified at the level of top secret;
  • Communications security information (excluding controlled cryptographic items when un-keyed or utilized with unclassified keys);
  • Restricted Data (as defined in section 11 of the Atomic Energy Act of 1954, as amended (42 United States Code (U.S.C.) 2014));
  • special access program information under section 4.3 of E.O. 13526 (75 FR 707; 50 U.S.C. 3161 note) or successor order; or
  • designated as sensitive compartmented information, as defined in Intelligence Community Directive 703, “Protection of National Intelligence, Including Sensitive Compartmented Information.”

Prior to the change implemented by the Final Rule, all entities under foreign ownership, control, or influence (“FOCI”) that are cleared by a special security agreement (“SSA”) were required to complete an NID before being granted access to proscribed information. An SSA is one of the mechanisms employed by the U.S. Government to mitigate national security risks posed by FOCI to an acceptable level, as determined by the CSA.

This provision in the Final Rule has limited effect because it only applies to NTIB entities under FOCI. However, this is an important change for covered NTIB entities because it will allow them to begin performing on contracts that require access to proscribed information without having to wait on an NID, removing contract performance delays.

The DoD is accepting public comment on the Final Rule until February 19, 2021. If you would like to submit a public comment or need assistance understanding the changes from the Final Rule, please do not hesitate to contact the attorneys at Torres Law.


[1] National Industrial Security Program Operating Manual (NISPOM), 85 Fed. Reg. 83,300 (Dec. 20, 2020), available at