Facility Security

NISPOM Compliance for Cleared Facilities

A practical guide to the National Industrial Security Program Operating Manual—what it requires, how DCSA enforces it, and how to build a compliant industrial security program.

Introduction to the NISPOM

The National Industrial Security Program Operating Manual (NISPOM), codified in 32 CFR Part 117, is the governing document for the protection of classified information in the hands of private industry. It establishes the baseline requirements that defense contractors must meet to obtain and maintain a Facility Clearance (FCL) and perform classified work for the federal government.

The NISPOM is not a suggestion; it is a legally binding federal regulation. Violations can result in loss of the FCL, loss of classified contracts, and in cases of willful disclosure of classified information, criminal prosecution under 18 U.S.C. § 798 and the Espionage Act.

For many defense contractors—particularly small and mid-size businesses entering the classified space for the first time—the NISPOM can feel overwhelming. It is a dense, comprehensive document covering everything from personnel security procedures to physical construction standards for classified vaults.

This guide provides a practical overview of the NISPOM's key requirements, how the Defense Counterintelligence and Security Agency (DCSA) enforces them, and how to build a compliant industrial security program that protects your FCL, your contracts, and ultimately, the national security information entrusted to your organization.

The Foundation: The Facility Clearance (FCL)

Before a contractor can access classified information, the company itself must be cleared. The FCL is a formal determination by DCSA that the contractor facility is eligible for access to classified information at a specified level (Confidential, Secret, or Top Secret).

The FCL is not automatic. To obtain an FCL, the contractor must demonstrate a legitimate need (a government agency or prime contractor must sponsor the FCL), pass a facility inspection, clear key management personnel (KMPs), and appoint a qualified Facility Security Officer (FSO).

The FCL is tied to the company's legal structure and ownership. A change in ownership, particularly by a foreign entity, triggers a mandatory review and can result in the FCL being placed under a National Interest Determination (NID) or a Special Security Agreement (SSA). The FSO must immediately notify DCSA of any ownership changes, mergers, or acquisitions.

Key NISPOM Requirements

The NISPOM covers a vast range of topics. The following areas represent the core compliance requirements for most cleared contractors.

1. Personnel Security

Personnel security is the heart of the NISPOM. It governs the process for granting, maintaining, and revoking individual security clearances.

The "Need to Know" Principle: Having a security clearance does not automatically grant access to all classified information at that level. Access is further restricted by the "need to know" principle. An employee may only access classified information that is necessary for the performance of their specific duties. The FSO and supervisors are jointly responsible for enforcing this principle.

Reporting Requirements: The NISPOM places significant reporting obligations on both the employee and the FSO. Cleared employees must self-report to their FSO any of the following events: arrests, financial difficulties (e.g., filing for bankruptcy, wage garnishment), foreign travel, new foreign contacts, drug use, or any other information that could affect their security clearance eligibility. The FSO must then evaluate the information and report it to DCSA if it constitutes "adverse information."

Adverse Information Reporting: The FSO must report to DCSA any information that suggests a cleared employee may no longer meet the adjudicative guidelines for a clearance. This is a delicate responsibility that requires the FSO to balance the employee's privacy interests against the government's need to know. Failure to report adverse information is itself a NISPOM violation.

Continuous Evaluation (CE): Under the CE program, cleared employees' backgrounds are continuously monitored through automated checks of commercial databases, financial records, and public records. When a "trigger event" occurs (e.g., a new arrest, a bankruptcy filing), an alert is generated and reviewed. The FSO must have a process for responding to CE alerts in a timely manner.

2. Physical Security

The NISPOM establishes specific physical security requirements for storing and handling classified materials.

Approved Storage Containers: Classified materials must be stored in GSA-approved security containers (safes) or in accredited closed areas. The specific container required depends on the classification level and the volume of material. For Secret materials, a GSA-approved Class 6 filing cabinet with a three-position dial combination lock is the standard.

Closed Areas: A "closed area" is a room or space that meets specific construction and access control standards for storing classified materials. Requirements include solid walls, floors, and ceilings (floor-to-true-ceiling construction); a single access point with an approved lock; an intrusion detection system (IDS) connected to a central monitoring station; and access control limited to cleared personnel with a need to know.

Sensitive Compartmented Information Facilities (SCIFs): For contractors handling SCI, the physical security requirements are even more stringent. SCIFs must be constructed and accredited in accordance with Intelligence Community Directive (ICD) 705. This involves specific construction materials, acoustic controls (to prevent eavesdropping), and electronic security measures. SCIF accreditation is a lengthy, expensive process that requires coordination with the Cognizant Security Authority (CSA).

Combination Lock Management: Combinations to classified storage containers must be changed when a person with knowledge of the combination no longer requires access, when the combination may have been compromised, or at least annually. The FSO must maintain records of combination changes.

3. Information Security

The NISPOM governs how classified information is created, marked, handled, transmitted, and destroyed.

Classification Markings: Classified documents must be properly marked with their classification level (e.g., "SECRET"), the reason for classification, and the declassification date or event. Each page of a classified document must be marked at the top and bottom. Improperly marked documents are one of the most common DCSA findings.

Transmission: Classified information cannot be sent through commercial channels (e.g., FedEx, regular email). It must be transmitted via approved government channels, such as the Defense Courier Service (DCS), or via encrypted government networks (e.g., SIPRNet). Contractors must establish documented procedures for receiving and dispatching classified materials.

Destruction: Classified materials must be destroyed using NSA-approved methods. For paper documents, this means cross-cut shredding to a specific particle size (1/32" x 1/2" or smaller). For electronic media, it means physical destruction or degaussing with an NSA-approved degausser. The FSO must maintain destruction records, including the date, the material destroyed, the method of destruction, and the names of the witnesses.

Spillage Response: If classified information is inadvertently introduced onto an unclassified system (a "spill"), the FSO is the first responder. They must immediately isolate the affected system, notify DCSA, and coordinate with the IT team and the Information System Security Manager (ISSM) to contain and clean the spill. The FSO must not attempt to "clean up" the spill without guidance from DCSA, as improper cleanup can destroy forensic evidence.

4. Information Systems Security

Chapter 8 of the NISPOM addresses the security of classified information systems (IS). This is where the NISPOM intersects with the Risk Management Framework (RMF) process.

Classified information systems must be accredited (authorized to operate) by DCSA before they can process classified information. The accreditation process involves developing a System Security Plan (SSP), implementing security controls based on the applicable NIST SP 800-53 baseline, and undergoing a DCSA inspection.

The FSO works closely with the Information System Security Manager (ISSM) to manage the accreditation of classified systems. The FSO is responsible for the administrative aspects (personnel access lists, visitor logs, physical security of the system), while the ISSM is responsible for the technical security controls.

5. Subcontracting

When a cleared prime contractor needs to share classified information with a subcontractor, the NISPOM requires specific procedures.

Verification: Before sharing classified information with a subcontractor, the prime's FSO must verify the subcontractor's FCL level and the individual clearances of the specific employees who will receive the information. This is done through the Defense Information System for Security (DISS).

DD Form 254 (Contract Security Classification Specification): This is the critical document that governs classified subcontracts. The DD Form 254 specifies the classification level of the work, the specific classified information the subcontractor will receive, and the security requirements they must meet. The prime contractor is responsible for issuing the DD Form 254 to the subcontractor. A missing or incorrect DD Form 254 is a serious compliance failure.

The Insider Threat Program

One of the most significant additions to the NISPOM in recent years is the mandatory Insider Threat Program. Contractors with an FCL must establish a formal program to detect, deter, and mitigate insider threats—employees who may intentionally or unintentionally harm the company or the government through misuse of their authorized access.

The program must include a multi-disciplinary Insider Threat Working Group (ITWG), user activity monitoring on classified systems, training for all cleared employees on recognizing and reporting insider threat indicators, and documented procedures for investigating and reporting potential insider threats to DCSA.

Common insider threat indicators that employees are trained to recognize include: unexplained affluence, disgruntlement with the organization, unauthorized access to classified information, downloading large volumes of data, and unusual working hours.

DCSA Inspections: What to Expect

DCSA inspects cleared contractor facilities to verify compliance with the NISPOM. The frequency of inspections is risk-based, but contractors with active classified programs can generally expect an inspection every 12 to 18 months.

The Inspection Process: A DCSA Industrial Security Representative (IS Rep) will arrive at the facility and conduct a review of the FSO's records, the physical security of the classified storage areas, the classified information systems, and the personnel security files. They will interview the FSO and may interview cleared employees.

Common Findings: The most common NISPOM violations found during inspections include incomplete visitor records, failure to report adverse information, improperly marked classified documents, outdated security briefings, deficiencies in the insider threat program, and improper combination lock management.

The Vulnerability Rating: After the inspection, DCSA assigns the facility a vulnerability rating: Satisfactory, Marginal, or Unsatisfactory. A "Marginal" or "Unsatisfactory" rating triggers a corrective action plan and increased oversight. Repeated "Unsatisfactory" ratings can lead to the suspension or revocation of the FCL.

Building a Culture of Security

The most effective NISPOM compliance programs go beyond checklists and procedures. They build a genuine culture of security awareness among all cleared employees.

This means regular, engaging security training (not just annual PowerPoint slides), open communication channels for employees to report concerns without fear of retaliation, and visible leadership commitment to security. When employees understand why the rules exist—that they are protecting national security information that adversaries would use to harm the United States—they are far more likely to follow them.

The Self-Inspection Program

One of the most important proactive compliance tools available to cleared contractors is the self-inspection program. The NISPOM requires cleared contractors to conduct periodic self-inspections of their industrial security program. Rather than viewing this as a bureaucratic obligation, smart FSOs use self-inspections as a genuine audit tool to identify and remediate vulnerabilities before DCSA arrives.

Frequency: DCSA recommends conducting self-inspections at least annually. However, for facilities with active classified programs and a high volume of cleared personnel, semi-annual self-inspections are a best practice.

Scope: The self-inspection should cover every element of the NISPOM that applies to the facility: personnel security records, physical security of classified storage areas, classified information system accreditation status, visitor records, classified material accountability, security education records, and the insider threat program.

The Self-Inspection Checklist: DCSA provides a self-inspection checklist on the National Industrial Security System (NISS) portal that FSOs can use as a starting point. The checklist maps directly to the NISPOM requirements and provides a structured framework for the review.

Documentation: The FSO must document the findings of the self-inspection and maintain the records for review by DCSA. If deficiencies are identified, the FSO must document the corrective actions taken and the dates of remediation. A self-inspection that identifies and corrects deficiencies demonstrates a mature, proactive compliance program—exactly what DCSA wants to see.

Reporting to DCSA: If the self-inspection reveals a significant NISPOM violation (e.g., a classified document that cannot be located, evidence of unauthorized access to classified materials), the FSO must report the violation to DCSA immediately. Proactive self-reporting of violations is treated far more favorably by DCSA than violations discovered during an official inspection.

Handling a DCSA Adverse Action

Despite a contractor's best efforts, DCSA may take adverse action against a facility's clearance. Understanding the adverse action process and how to respond effectively is critical for protecting the company's ability to perform classified work.

Types of Adverse Actions:

  • Letter of Concern (LOC): The least severe action. DCSA issues an LOC when they have identified a compliance deficiency that does not yet rise to the level of a formal violation. The FSO must respond with a corrective action plan.
  • Notice of Intent to Revoke (NOIR): DCSA issues a NOIR when they have determined that the FCL should be revoked. The contractor has the right to respond and contest the revocation.
  • Suspension: DCSA may suspend the FCL pending investigation of a serious security incident or compliance failure. A suspension immediately halts the contractor's ability to access classified information.
  • Revocation: The most severe action. Revocation of the FCL terminates the contractor's ability to perform classified work. Revocation can be appealed through the Defense Office of Hearings and Appeals (DOHA).

Responding to Adverse Actions: When DCSA takes adverse action, the contractor should immediately engage legal counsel experienced in national security law. The response to a NOIR or suspension must be thorough, factual, and demonstrate that the contractor has taken concrete corrective actions to address the underlying deficiencies. A well-crafted response can often prevent a suspension from becoming a revocation.

Conclusion

NISPOM compliance is not optional for cleared defense contractors; it is the price of admission to the classified contracting world. The requirements are demanding, but they exist for a critical reason: to protect national security information from adversaries who would use it to harm the United States.

By appointing a competent, dedicated FSO, maintaining meticulous records, conducting rigorous self-inspections, investing in proper physical security infrastructure, and fostering a genuine culture of security awareness among cleared employees, defense contractors can build a robust industrial security program that satisfies DCSA, protects their FCL, and earns the trust of their government customers.

References

[1] 32 CFR Part 117, National Industrial Security Program Operating Manual (NISPOM). https://www.ecfr.gov/current/title-32/subtitle-A/chapter-I/subchapter-D/part-117

[2] Defense Counterintelligence and Security Agency (DCSA). Industrial Security. https://www.dcsa.mil/Industrial-Security/

[3] Defense Office of Hearings and Appeals (DOHA). https://www.doha.osd.mil/

Talk to Desra Secure

Whether you're scoping a capture, building a cleared team, or accelerating an ATO, Desra Secure helps defense contractors deliver mission assurance with rigor.

This guide is provided for general informational purposes only and does not constitute legal or compliance advice. Specific obligations depend on your contracts and the data you handle.