View Rule

This rule will codify the National Industrial Security Program Operating Manual (NISPOM) which prescribes specific requirements, restrictions, and other safeguards that are necessary to preclude unauthorized disclosure and control authorized disclosure of Federal Government classified information to contractors, licensees, or grantees. The NISPOM applies to the release of classified information during all phases of the contracting process, including bidding, negotiation, award, performance, and termination of contractors, the licensing process or the grant process, with or under the control of departments or agencies.

Statement of Need:

This rule ensures maximum uniformity and consistency of NISP security measures by contractors who support the executive branch to effectively protect and safeguard classified information through all phases of the contracting process for work that involves release of classified information by an agency to a contractor.

Summary of the Legal Basis:

Executive Order 12829, National Industrial Security Program, January 6, 1993, as amended, establishes the NISP, and requires the Secretary of Defense to issue and maintain the NISPOM with the concurrence of the other four NISP Cognizant Security Agencies (Department of Energy, Nuclear Regulatory Commission, Office of the Director of National Intelligence and the Department of Homeland Security) and in consultation with other federal agencies. 32 Code of Federal Regulations part 2004 National Industrial Security Program, May 7, 2018, establishes uniform standards for the NISP, and helps agencies implement requirements in Executive Order 12829, and also establishes agency responsibilities for implementing the insider threat provisions of Executive Order 13587 Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information, October 7, 2011.

Alternatives:

No action. If there were no action, contractors would not have to protect classified information. There would be a loss of classified information to adversaries due to no protection requirements for classified information by contractors. There would be no requirements for the USG to assess and make determinations regarding eligibility by contractor entities or contractor personnel to access classified information. The USG would have no insight into insider threats from contractor personnel who have access to the USG’s most sensitive and critical programs. There would be an adverse impact on national security. The results of this alternative are not preferred.

Next Best Alternative. Each USG agency would establish a rule for contractor protection of classified information disclosed or released to contractors. Differing standards will result in inconsistent standards, confusion, and higher costs for compliance if a contractor has contracts requiring access to classified information with multiple USG agencies and has to comply with different agency requirements. Further, such an alternative would result in additional time needed for contractors to put in place mechanisms to meet multiple and differing sets of requirements. This inconsistency and confusion due to differing standards also increases the likelihood of loss of classified information and insider threats going undetected. The results of this alternative are not preferred.

The Preferred Alternative. This interim final rule provides a single statement of requirements for contractors to comply with for maximum uniformity and consistency, for the protection of classified information, to include the reporting of foreign travel and foreign contacts by cleared contractor personnel in accordance with Security Executive Agent policies. This interim final rule provides for the proper protection of classified information disclosed or released by U.S. agencies in all phases of the contracting, license or grant processes. This rule will prevent the theft of classified national security assets and information by adversaries and insider threats. This is the preferred alternative.

.

Anticipated Costs and Benefits:

This rule ensures uniform implementation of reporting requirements for cleared personnel, including contractors, to allow the USG to continuously monitor and vet a trusted workforce, protect classified information and preserve our nation's economic and technological interests in the face of persistent threats from adversaries seeking to denigrate the U.S.’s technological advantage. The costs are currently under review.

Risks:

Without this rule, the thousands of contractors and one million contractor personnel performing on contracts, agreements or licenses requiring access to classified information for the USG will not be aware of the risks and reporting requirements for foreign intelligence operations or terrorists activities directed against them in the United States (U.S.) or abroad. Without this rule, the USG faces an exceptionally elevated risk of the theft of classified information by adversaries, which will cause serious damage to the national security and permit insider threats to go undetected and undeterred at contractor facilities that provide services and technology to the USG for some of its most critical and sensitive programs.