Summary of NISPOM requirements as per the online site.
- SF-328 – Certificate Pertaining to Foreign Interests. Required as part of FCL submission. Document from GSA.gov here.
117.7 Procedures
- Appointed security officials – SMO, FSO and ITPSO must
- Undergo the same security training required for all contractor employees
- Be designated in writing with their designation documented
- Undergo a personnel security investigation and national security eligibility determination for access to classified information
- SMO:
- Ensure the company maintains a system of security controls in accordance with requirements of this rule
- Remain fully informed of facility classified operations
- Make decisions based on classified threat reports and thorough knowledge, understanding and appreciation of the threat information and potential impacts caused by loss of classified information
- Retain accountability for the management and operations of the facility without delegating that accountability to a subordinate manager
- FSO:
- Supervise and direct security measures necessary for implementing the applicable requirements of the NISPOM and related USG security requirements to protect classified information
- Complete security training pursuant to 117.12
- ITPSO:
- If the ITPSO is not also the FSO, the ITPSO will ensure the FSO is an integral member of the contractor's insider threat program
- The ITPSO will complete security training pursuant to 117.12
- (Doesn’t apply to us) An entity family may choose to establish an entity family-wide insider threat program with one senior official appointed, in writing, to establish, and execute the program as the ITPSO. Each cleared entity using the entity-wide ITPSO must separately appoint that person as its ITPSO for that facility. The ITPSO will provide an implementation plan to the CSA for executing the insider threat program across the entity family.
- (Doesn’t apply to us) ISSM: Contractors who are, or will be, processing classified information on an information system located at the contractor facility will appoint an employee to serve as the ISSM……
- (Doesn’t apply to us) Employees performing security duties. Those employees whose official duties include performance of NISP-related security functions will complete security training tailored to the security functions performed. This training requirement also applies to consultants whose official duties include security functions
- (Doesn’t apply to us) Other KMP: In addition to the SMO, the FSO, and the ITPSO, the contractor will include on the KMP list, subject to CSA concurrence, any other officials who either hold majority interest or stock in the entity, or who have direct or indirect authority to influence or decide issues affecting the management or operations of the contractor or issues affecting classified contract performance. The CSA may either:
- Require these KMP to be determined to be eligible for access to classified information as a requirement for the entity’s eligibility determination or,
- Allow the entity to formally exclude these KMP from access to classified information. The entity’s governing board will affirm the exclusion by issuing a formal action (see table), and provide a copy of the exclusion action to the CSA. The entity’s governing board will document this exclusion action. (See exclusion requirements listed in NISPOM or FCL Handbook)
- Insider Threat Program – Establish and maintain an insider threat program to gather, integrate, and report relevant and available information indicative of a potential or actual insider threat.
- Standard Practice and Procedures – (not sure what any of this means) Contractor will implement all applicable provisions of this rule (NISPOM??) at each of its cleared facility locations. The contractor will prepare written procedures when the CSA determines them to be necessary to reasonably exclude the possibility of loss or compromise of classified information, and in accordance with additional CSA-provided guidance, as applicable.
- Cooperation with Federal agencies – Cooperate with Federal agencies to conduct reviews and investigations
- Security Training and Briefings – advise all cleared employees of their individual responsibility for classification management and for safeguarding classified information. Contractors will provide security training to cleared employees consisting of initial briefings, refresher briefings, and debriefings in accordance with § 117.12
- Security Reviews – Government has the right to come in and review any time they want – see the NISPOM section for details. Also, the contractor must conduct their own reviews and self-inspections and report. The SMO must annually certify to the CSA, in writing, that a self-inspection has been conducted, that other KMP have been briefed on the results of the self-inspection and appropriate corrective actions have taken place, and that management fully supports the security program at the cleared facility.
- It looks like they might review CUI procedures….
- Reviews are split between USG reviews and contractor self reviews. Review NISPOM page for details.
- Contractor working at USG locations (Applies to us) – Contractor must safeguard classified information according to host installation or agency
- Hotlines – used to report suspected instances of infractions
- Security Cognizance (no idea what this means) – CSA will inform contractors if oversight has been delegated to a CSO.
- Rule interpretations. Contractors will forward requests for interpretations of this rule to their CSA in accordance with their CSA-provided guidance to supplement unique CSA mission requirements.
- Waivers to rule – we can submit requests to waive portions of the NISPOM rule.
- Complaints and suggestions – Forward NISP administration complaints and suggestions to the Director of the ISOO. They want you to send complaints and suggestions to the CSA first.
117.8 Reporting Requirements
- Reporting
- Events that have an effect on the company’s ability to have access to classified info or report an insider threat
- Establish procedures to ensure employees with access to classified info know that they are responsible for reporting breaches / improprieties
- Reports are submitted to the FBI – Submit written reports to the nearest field office of the FBI
- Initial may be by phone, but followed up with written
- Notify CSA that a report was made
- Reports to be submitted to the CSA –
- Adverse Information – means “negatively reflects on the integrity or character of a cleared employee, that suggest his or her ability to safeguard classified information may be impaired” – coming to our attention
- Suspicious contacts
- Change in status of employees determined eligible for access to classified information
- Citizenship by naturalization
- Employee no longer wishes to be processed for clearance
- Refusal to sign NDA (SF-312)
- Changed conditions affecting eligibility – see 117.8, #7 for details
- (Doesn’t apply to us) Changes in storage capability
- (Doesn’t apply to us) Inability to safeguard classified information
- (Doesn’t apply to us) Unsatisfactory conditions of a prime or subcontractors
- Dispositioned material previously terminated
- Foreign classified contracts
- Reporting of improper receipt of foreign government material
- Reporting by subcontractor
- Reports of loss, compromise, or suspected compromise. See 117.8 (d) for information
- Culpability reports – establish and enforce policies for administrative and disciplinary actions against employees who break the rules
- (Doesn’t apply to us) CDC (Cleared Defense Contractor) cyber incident reporting
- This generally doesn’t apply to us, however, (f) #2, might as it talks about non-Federal systems processing unclassified information. (CUI??)
- Reports to ISOO (Information Systems Security Officer) – not sure what this section means
117.9 Our Eligibility Determination for access to Classified Information
This section seems to be all about the CSA (Cognizant Security Agency) requirements to determine our eligibility for an FCL
117.10 Eligibility Determination for Employees to be Cleared
This section is all about the CSA requirements to clear employees under the FCL
117.11 FOCI (Foreign Ownership, Control, or Influence)
Guidelines around FOCI – doesn’t apply to us
117.12 Security Training and Briefings
- We have to provide all cleared employees with security training and briefings
- Training materials can come from CSA or other sources
- Government provided briefings – CSA is responsible for providing the initial security briefing to the FSO
- FSO Training – We have to make sure the FSO completes the required training. Training has to be completed within 6 months of the CSA approval
- (I don’t think this applies to us since we don’t hold classified information) Initial Security Briefings – We have to provide employees with an initial security briefing that includes:
- Threat awareness including insider threat awareness
- Counterintelligence awareness
- Overview of the information security classification system
- Reporting obligations and requirements, including insider threat
- Cybersecurity training
- Security procedures and duties applicable to the employee’s position requirements (e.g. marking and safeguarding of classified information) and criminal, civil, or administrative consequences that may result from the unauthorized disclosure of classified information, even though the individual has not yet signed an NDA
- CUI Training – outside NISPOM requirements, but have to comply with CUI Requirements
- Insider Threat Training – ITPSO has to ensure all personnel complete insider threat training. Requirements are listed here.
- Derivative classification – (incorporating, paraphrasing, restating, or generating in new form information that has already been classified) – don’t think this applies to us.
- Information Security Systems – Internal systems, but doesn’t apply since not holding classified information
- Temporary Help Suppliers – doesn’t apply
- Refresher Training –
- Debriefings – not sure if it applies if we don’t hold classified information
117.13 Classification
Doesn’t apply if we don’t hold classified information
117.14 Marking Requirements
Doesn’t apply if we don’t hold classified information
117.15 Safeguarding Classified Information
Doesn’t apply if we don’t hold classified information
117.16 Visits and Meetings
Don’t think this will apply to us
117.17 Subcontractors
Don’t think this will apply to us – this would apply to Leido, or us if we sub something out to someone else