The latest industry buzz is the “release of the new National Industrial Security Program Operating Manual (NISPOM)”. I’m putting air quotes in there, because an actual NISPOM has not been rewritten or re-released. There is no re-release of NISPOM, only a reorganization of the CFRs that duplicate National Industrial Security Program requirements.
Conclusion: No new NISPOM (just a few additions)
· 32 CFR part 117 and 32 CFR part 2004 are redundant requirements
· DoD will no longer publish the DoD Manual 5220.22, NISPOM as a DoD policy issuance in 32 CFR part 117.
· 32 CFR part 2004, “National Industrial Security Program” is now the standing CFR
· NISPOM Change 2 is still a requirement that Cleared Defense Contractor (CDC) must follow
Background
A quick read will review that there actually is no new NISPOM. This information just codifies (fancy legal term for: arrange (laws or rules) into a systematic code.).
You might know that the Director of National Intelligence (DNI) has had a large role in developing NISPOM. Primarily DNI oversees the protection of National Intelligence Information in the hands of the cleared defense contractors. Additionally, DNI has had executive roles In relation to the 2008 publication of E.O. 13467, “Reforming Processes Related to Suitability for Government Employment, Fitness for Contractor Employees, and Eligibility for Access to Classified National Security Information.
Biggest Impact: Reporting based on 13 Adjudicative Criteria, SF-86, and SEAD 3
SEAD 3 identifies required reporting of data elements that are contained in the Standard Form-86, “Questionnaire for National Security Positions” used in requesting security clearance requests. This doesn’t seem to be a new requirement, but an emphasis as many FSOs have been providing this requirement in security awareness training.
For more information on SEAD 3, check this out: https://www.dni.gov/files/NCSC/documents/Regulations/SEAD-3-awareness-briefing.pdf
Don’t wait for a new version of NISPOM…yet. While there is no “new NISPOM”, there are some clarifying comments.
I also recommend using current NISPOM for security training and ISP® and ISOC certification. Nothing has been changed, just “codified”.
Resources: