United States: DoD Codifies NISPOM, Formalizes Certain Personnel Reporting Requirements And Eases FOCI Burden

Highlights

• Effective Feb. 24, 2021, the National Industrial Security Program Operating Manual (NISPOM) will be codified in regulation.
• The rule implements the National Defense Authorization Act (NDAA) of 2019 provision allowing cleared companies operating under a Special Security Agreement to access proscribed information without a National Interest Determination.
• The public has until Feb. 19, 2021, to comment on the final rule, and U.S. cleared entities have until Aug. 24, 2021, to comply with all applicable changes.

In a final rule effective Feb. 24, 2021, the U.S. Department of Defense (DoD) codified the National Industrial Security Program Operating Manual (NISPOM) in Title 32, Part 117 of the Code of Federal Regulations.¹ Of primary concern to government contractors, licensees, grantees, or certificate holders, NISPOM is a manual that sets baseline procedures and imposes requirements for protecting classified information of the U.S. government.

Key takeaways for companies holding a U.S. facility security clearance or interested in operating in the government contracts space accessing classified information are as follows.

• In addition to codifying the NISPOM, DoD is also incorporating therein the Security Executive Agent Directive (SEAD) 3, ''Reporting Requirements for Personnel with Access to Classified Information or Who Hold a Sensitive Position." The SEAD 3 reporting requirements will apply to contractor personnel 1) granted access to classified information through the National Industrial Security Program (NISP) and 2) engaging in specific activities that may adversely impact their continued national security eligibility (e.g., foreign travel, foreign contracts).
• The NISP Cognizant Security Agencies (CSAs) will be responsible for evaluating the reportable activities. The CSAs' objective is to determine whether a reported activity poses a potential national security threat and to take appropriate action.
• U.S. cleared entities have until Aug. 24, 2021 (i.e., six months from the final rule's effective date) to evaluate each existing classified contract and ensure compliance with the final rule.
• Importantly, the DoD's final rule also implements the provisions of Section 842 of the National Defense Authorization Act of 2019 (Pub. L. 115-232) affecting U.S. cleared entities under Foreign Ownership, Control or Influence (FOCI). The NDAA provision eliminated the requirement that covered National Technology and Industrial Base (NTIB) entities operating under a Special Security Agreement pursuant to the NISP attain a National Interest Determination as a condition for accessing Top Secret or other proscribed classified information. This rule implements the NDAA provision to alleviate some of the burden on cleared entities that operate under an SSA as the FOCI mitigation approved by the Defense Counterintelligence and Security Agency.

The final rule is open to comment by the public until Feb. 19, 2021. For assistance in submitting comments or for more information on the final rule and how it would impact your company, contact the authors or another member of Holland & Knight's  CFIUS and Industrial Security Team.

Footnotes

1 National Industrial Security Program Operating Manual (NISPOM), 85 Fed. Reg. 83,300 (Department of Defense, Dec. 21, 2020).

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.