Codification of the NISPOM and replacement of JPAS
Two significant changes are underway by the Defense Counterintelligence and Security Agency (DCSA) – both of which require the immediate attention of businesses that hold a U.S. security clearance or are in the process of application for a clearance.
The first change is the codification of the National Industrial Security Program Operating Manual (NISPOM). As background, the NISPOM has been the key guidance for protecting classified and certain other controlled information in accordance with the National Industrial Security Program (NISP) as currently overseen by the DCSA.
The Department of Defense (DoD) published a Final Rule codifying the NISPOM on December 21, 2020, which became effective February 24, 2021. The Final Rule requires that contractors must implement changes no later than six months after the date the Final Rule is published (August 2021). The NISPOM is now codified at 32 CFR Part 117. Further guidance on the Final Rule’s implementation will be published in an Industrial Security Letter (ISL).
The Final Rule establishes requirements, policies and procedures in accordance with the NISP – which outlines the protection of classified information that is disclosed to, or developed by contractors, licensees, grantees, or certificate holders to prevent unauthorized disclosure.
Key changes include:
- Requirements for cleared contractors to submit reports pursuant to Security Executive Agent Directive (SEAD) 3 and cognizant security agency (CSA) guidance.
- An additional facility clearance tool for DCSA and government contracting activities (GCAs) as a limited entity eligibility specific to the requesting GCA’s classified information, and to a single, narrowly defined contract, agreement, or circumstance.
- Elimination of the requirement for National Interest Determinations (NIDs) for certain covered contractors operating under a special security agreement with ownership by countries designated as part of the National Technology and Industrial Base (United Kingdom, Canada or Australia).
- Determinations by a CSA with respect to requirements for top secret accountability.
- Permitting Intrusion Detection System (IDS) installation and UL-2050 certification by an Occupational Safety and Health Administration (OSHA) Nationally Recognized Testing Laboratory (NRTL).
- Directing cleared contractors to refer to 32 CFR Part 2001 for guidance on requirements for the protection of classified national security information (CNSI) to ensure consistency with national policy.
- Clarification of responsibilities for Senior Management Officials (SMO).
- Clarification that upon completion of a classified contract, the contractor must return all government provided or deliverable information to the custody of the government.
Significantly, for non-U.S. entities, the Final Rule also eliminates the requirement that entities under Foreign Ownership, Control, or Influence (FOCI) operating under a Special Security Agreement (SSA) attain a NID. Under the Final Rule, SSA entities covered by the NITB will be permitted to begin contract performance without first obtaining a NID.
The DCSA is currently reviewing existing ISLs to determine those that will be retained, re-issued, and/or rescinded. DCSA is also working on revisions to NISP-related forms, including the SF-328 – “Certificate Pertaining to Foreig-n Interests,” DD Form 441 – “Security Agreement,” and DD Form 441-1 – “Security Agreement Appendage.”
The second significant change by the DCSA is the retirement of the Joint Personnel Adjudications System (JPAS). JPAS is being replaced by the Defense Information Security System (DISS) as the next step toward deployment of the National Background Investigation Services (NBIS) and implementation of the Trusted Workforce 2.0 continuous vetting policy.
JPAS transitioned to a read-only mode on March 15, 2021, and will be fully retired on March 31, 2021. All updates to eligibility, access, and visit data must be completed in DISS prior to March 15.
Cleared contractors should work with their SMO, DCSA representative and counsel to assure their understanding and compliance with these significant changes. For other updates and alerts regarding national security law developments, subscribe to Bradley’s privacy blog Online and On Point.