Monthly Newsletter

If you hold a U.S. government security clearance, you’ve probably heard the term “NISPOM.” But what exactly is it—and why should you care?

In 2021, the former DoD manual DoD 5220.22-M (NISPOM) was formally codified into federal regulation as 32 CFR Part 117, making it the authoritative rule governing the National Industrial Security Program. 32 CFR Part 117 is issued by the U.S. Department of Defense and applies to all contractors working with classified information under the National Industrial Security Program (NISP).

This rule implements policy, assigns responsibilities, establishes requirements, and provides procedures for the protection of classified information that is disclosed to, or developed by, U.S. Government contractors.

It prescribes industrial security procedures and practices to safeguard U.S. government classified information, including rules, requirements, restrictions, and other safeguards designed to prevent unauthorized disclosure of classified information and protect special classes of classified information.

In simple terms, the NISPOM is the rulebook that tells companies and individuals what they must do to properly protect classified information.

It covers things like:

• Who can access classified information, when they can access it, and where they can access it
• How classified information must be handled, stored, and transmitted
• Required security practices, procedures, and restrictions for contractors and their personnel
• Security training requirements
• Reporting requirements
• Insider threat program requirements

The 32 CFR Part 117 (NISPOM) Origin Story

The 32 CFR Part 117 (NISPOM) rule is based on a myriad of higher-level executive orders, laws, and federal regulations that govern how the U.S. protects national security information.

Here are a few of the key foundations:

The National Industrial Security Program (NISP): Executive Order 12829 established the National Industrial Security Program. This Executive Order:

• Created a uniform program to safeguard classified information released to contractors
• Assigned oversight responsibilities to federal agencies
• Required a standard set of rules for industry

32 CFR Part 117 (NISPOM) is the regulation that implements this Executive Order.

Executive Order 13526 on Classified National Security Information: The main authority for how classified information is handled across the federal government. This Executive Order:

• Defines what “classified information” is
• Establishes classification levels (Confidential, Secret, Top Secret)
• Sets rules for safeguarding and declassification

The NISPOM aligns industry practices with those government-wide rules.

Information Security Oversight Office (ISOO) – 32 CFR Part 2004: Establishes the authorities and responsibilities of the Information Security Oversight Office (ISOO), which operates under the National Archives and Records Administration (NARA). This regulation:

• Defines ISOO’s role in overseeing the government-wide security classification system
• Establishes its authority to issue and implement directives for classified national security information
• Provides oversight of how executive branch agencies protect classified information

32 CFR Part 2004 gives ISOO the authority to issue government-wide policy guidance which agencies, including the Department of Defense, implement through regulations such as 32 CFR Part 117.

Other Supporting Laws and Policies: The NISPOM also reflects requirements from other federal criminal laws related to espionage and unauthorized disclosure, personnel security standards, insider threat policy requirements, and information safeguarding laws.

Federal agencies turn executive orders and laws into enforceable rules through the Code of Federal Regulations (CFR). 32 CFR Part 117 is located in Title 32 (National Defense) of the CFR. Once published in the CFR, it became a binding federal regulation, not just guidance. That means compliance is legally required.

In short: Executive Orders set the direction → Federal agencies create regulations → 32 CFR Part 117 becomes the enforceable rule for industry.

How 32 CFR Part 117 (NISPOM) Applies to You

You don’t need to memorize the regulation. But you do need to understand how it affects you day-to-day. Below we have outlined a few key tenants of NISPOM requirements that apply to you:

Access is Based on “Need-to-Know”

• Just having a clearance does not mean you can access all classified information. You must have both: The proper clearance level AND a legitimate need-to-know.

Safeguarding Information

• Classified may not be accessed or discussed in unauthorized areas or on unauthorized devices
• Both you and your organization bear responsibility for protecting classified from unauthorized disclosure
• Both you and your organization are responsible for ensuring classified information is properly secured, marked, handled, and stored
• Failure to protect classified information can result in civil or criminal penalties
• You are required to complete security training annually
• Your organization is required to have a written Security Standard Practice Procedures (SPP) manual that is available to all company personnel
• You are responsible for ensuring that you understand any security requirements that apply to you

Reporting Requirements

• Your organization has many different types of reporting requirements
• You also have requirements for reporting relevant information about yourself and others
• You must complete training regarding your reporting requirements
• If you are unsure if you should report something, you must contact your organization’s FSO—When in doubt, Report it.

Insider Threat Awareness

• Your organization is required to have a written Insider Threat Program that is available to all company personnel
• You are required to complete insider threat awareness training
• You are responsible for recognizing concerning behaviors and reporting potential insider threat concerns to your organization’s insider threat program senior official (ITPSO)

You don’t have to be a security expert—but you are personally responsible for taking your security training seriously, contacting your organization’s Facility Security Officer (FSO) if you have questions or concerns, and protecting classified information.

Why 32 CFR Part 117 (NISPOM) Matters

The NISPOM applies to all U.S. contractor facilities that have been granted authorization to access classified information (aka facility clearance or FCL) and the individuals that work for these organizations, even if you are not personally handling classified material right now.

When an organization is granted an FCL, they sign the DD Form 441 Department of Defense Security Agreement. By signing the DD-441, the organization agrees to follow all government security requirements for safeguarding classified information, and to ensure its personnel understand and comply with these requirements.

When an individual is granted a personnel security clearance (PCL), they don’t just receive permission to access classified information, they sign the SF-312 Classified Information Nondisclosure Agreement. The SF-312 is a life-long legal agreement. By signing it you agreed that you would:

• Protect classified information from unauthorized disclosure
• Follow all government rules for handling classified material
• Never disclose classified information without proper authorization
• Accept that violations could result in administrative, civil, or criminal penalties

32 CFR Part 117 (NISPOM) is one of the key regulations that defines what those responsibilities look like, in practice, for contractors and individuals. In other words:

• The DD-441 is the organization’s formal agreement to follow government security requirements.
• The SF-312 is your personal legal promise.
• The NISPOM explains how you keep that promise on the job.

Failing to follow these rules can result in:

• Suspension or revocation of your clearance
• Loss of employment
• Damage to national security
• Civil or criminal penalties that could include financial penalties and criminal prosecution

Understanding the NISPOM helps you know what is required of you as a person working for or with a cleared contractor facility. Think of the NISPOM as the official playbook for protecting national security information in industry. If you ever have questions, your Facility Security Officer (FSO) is your best resource.

Protecting classified information isn’t just a rule, it’s everyone’s responsibility.

Resources and Additional Learning

• 32 CFR Part 117 (NISPOM)
• DCSA.mil – The NISPOM Rule
• 32 CFR Part 2004 – National Industrial Security Program
• E.O. 13526 – Classified National Security Information
• E.O. 12829 – National Industrial Security Program

As always, if you have any questions…ask your FSO! Your company’s FSO is the best person to help you navigate any questions you have about security compliance, briefing, and reporting requirements.

Threat awareness is a critical part of annual security training. Effectively countering threats begins with understanding the threats the U.S faces every day.

Three key U.S. government assessments help us understand the scope, complexity, and persistence of threats confronting the United States: the Defense Counterintelligence and Security Agency (DCSA) Protecting U.S. Technologies in the Cleared Industrial Base; the Department of Homeland Security (DHS) Homeland Threat Assessment; and the Office of the Director of National Intelligence (ODNI) Annual Threat Assessment.

Taken together, these reports underscore a central reality: foreign adversaries, criminal networks, and extremist actors are increasingly interconnected, technologically enabled, and willing to exploit U.S. vulnerabilities across domains—from cyber and supply chains to public discourse and physical infrastructure.

DCSA: Targeting U.S. Technologies

DCSA’s Targeting U.S. Technologies report assesses how foreign intelligence entities (FIEs) and other adversaries target the U.S. cleared industrial base and informs us about foreign efforts to compromise technology, classified information, and personnel.

KEY FINDINGS

Rising Threat Volume: Cleared contractor facilities report tens of thousands of suspicious contacts annually, reflecting sustained and persistent attempts to illicitly access sensitive and classified information and technologies.

Targeted Technologies: The most frequently targeted technologies include software, electronics, and aeronautic systems—collectively accounting for over one-third of all reports. Adversaries also pursue microelectronics, AI tools, advanced materials, and export-controlled devices.

Primary Geographical Threat Sources: Entities from the East Asia and Pacific region and the Near East account for the largest share of reported incidents—roughly 62% of all targeting activity.

Evolving Collection Methods: Adversaries increasingly rely on non-traditional collectors, including business partnerships, academic collaboration, supply chains, cyber intrusions, and recruitment of insiders. These methods blur the line between legitimate interactions and covert collection.

Why does this matter? Technological superiority underpins U.S. military readiness and economic strength. Successful exploitation of cleared industry shortens adversary development timelines, erodes deterrence, and introduces long-term strategic risk.

DHS: Homeland Threat Assessment

The Department of Homeland Security (DHS) Homeland Threat Assessment (HTA) examines risks directly affecting the U.S. population and domestic systems—from terrorism to drug trafficking and critical infrastructure attacks.

TOP THREAT AREAS

Terrorism & Violent Extremism: The assessment finds that the overall terrorism threat is expected to remain high, driven by domestic sociopolitical dynamics and international conflicts. Lone actors and small cells continue posing the most immediate risks.

Illegal Drugs & Transnational Crime: Transnational criminal organizations trafficking illegal drugs—especially fentanyl and synthetic opioids—are a severe public safety and national risk.

Influence Operations & Transnational Repression: Foreign state actors use digital platforms and social networks to influence U.S. public opinion, target communities, and undermine trust in institutions.

Border & Immigration Security: While migrant encounters have declined, the risk of individuals posing security threats entering through irregular channels remains a focus of DHS screening and vetting efforts.

Critical Infrastructure Security: Cyber-attacks, physical threats, and preparation for disruptive operations against critical infrastructure persist as priority concerns. Nation-state actors such as China, Russia, and Iran remain principal threats.

DNI: Annual Threat Assessment

The Director of National Intelligence (DNI) Annual Threat Assessment provides a comprehensive evaluation of the most direct and serious threats to U.S. national security.

KEY TAKEAWAYS

Major State Adversaries:

• China is described as the most comprehensive military and cyber threat, with ambitions to expand regional power and surpass U.S. technological leadership, including in artificial intelligence.
• Russia is assessed as leveraging its ongoing war in Ukraine and maintaining capabilities that could heighten tensions with NATO.
• Iran continues to pursue regional influence with missile and proxy capabilities, though it is not currently rebuilding a nuclear weapons program.
• North Korea advances its strategic weapons and cyber capabilities, posing risks to U.S. allies and interests in the region.

Transnational Criminal Organizations (TCOs): Transnational criminal groups—especially drug cartels—are identified as immediate threats to public safety, with illicit fentanyl and synthetic opioids linked to tens of thousands of U.S. deaths.

Adversarial Cooperation: The assessment notes growing cooperation among these major adversaries, strengthening their collective capabilities and resilience against Western strategies.

Big Picture Threat Awareness

COMMON THEMES

Despite differing missions, the DCSA, DHS, and DNI assessments converge on several critical themes:

Threats are multi-domain: Cyber, economic, ideological, physical, and informational threats are deeply interconnected and reinforce one another.

Technology is both an asset and a vulnerability: AI, cyber tools, and global connectivity accelerate both innovation and exploitation.

State and non-state actors both matter: From sophisticated foreign intelligence services to lone extremists and criminal networks, adversaries exploit vulnerabilities at home and abroad.

Prevention depends on partnership: Effective risk mitigation requires coordination across government agencies, the defense industrial base, academia, private sector partners, and local stakeholders.

LOOKING AHEAD: EMERGING TECHNOLOGIES AND CHALLENGES

Emerging technologies are expected to remain the most attractive targets for adversaries. Artificial intelligence, microelectronics, quantum computing, space systems, advanced manufacturing, and critical software supply chains are increasingly sought after for their military, economic, and strategic value.

Protecting national security will require sustained vigilance, stronger partnerships, and adaptive security strategies across government and industry.

Resources and Additional Learning

• DCSA Methods of Operation and Methods of Contact (MCMO)
• 2025 DNI Annual Threat Assessment
• 2025 DHS Homeland Threat Assessment
• DCSA Counterintelligence Trend Analysis Reports

As always, if you have any questions…ask your FSO! Your company’s FSO is the best person to help you navigate any questions you have about security compliance, briefing, and reporting requirements.

In today’s digital environment, information is one of our most valuable assets. It is also the most targeted. Protecting classified information and controlled unclassified information (CUI) is not just an IT responsibility; it is a shared obligation that applies to every employee, contractor, and partner within your organization.

Understanding What We Protect

Classified Information includes data formally designated as Confidential, Secret, or Top Secret and requires the highest levels of protection due to national security implications.

Controlled Unclassified Information (CUI) is sensitive information that is not classified but must be safeguarded under applicable laws, regulations, and government-wide policies. This includes personally identifiable information (PII), export-controlled data, proprietary information, certain technical or research data, and more.

Correctly identifying and marking information is the first step in ensuring it is protected appropriately.

Why Protection Matters

Threat actors are constantly seeking to exploit weak points—whether through phishing emails, unsecured devices, or improper data handling. A single lapse can result in:

• Legal and regulatory consequences
• Loss of trust with partners and stakeholders
• Operational disruptions
• Damage to national security or organizational mission

Regulatory Frameworks That Guide Our Security Practices

• 32 CFR Part 117 (NISPOM): Establishes requirements for safeguarding classified information within cleared contractor facilities, including personnel security, physical security, and information systems security.
• NIST: NIST Special Publication 800-171 defines the security requirements for protecting CUI in non-federal systems and organizations.
• CMMC: Cybersecurity Maturity Model Certification builds upon NIST 800-171 and is required for many Department of Defense contracts.
• EAR (Export Administration Regulations): Controls the access, transfer, and dissemination of certain commercial and dual-use technologies, software, and technical data.
• ITAR (International Traffic in Arms Regulations): Governs the handling of defense-related technical data and restricts access to authorized U.S. persons.

Everyday Actions That Make a Difference

• Think before you click: Phishing remains one of the most common attack methods. Be cautious of unexpected emails, links, or attachments.
• Use approved systems: Store, transmit, and process Classified and CUI data only on authorized networks and devices.
• Limit and control access: Share information strictly on a need-to-know basis.
• Secure physical and digital workspaces: Lock screens when away, safeguard physical documents, and properly dispose of sensitive materials.
• Report incidents promptly: If you suspect a data spill, phishing attempt, or security incident, report it to your FSO immediately.

Why Reporting is Critical & How to Report Concerns

Report to your FSO, immediately, any actual or suspected incident involving Classified Information or Controlled Unclassified Information (CUI), including:

• Suspected or confirmed data spills or unauthorized disclosures
• Phishing emails, suspicious links, or social engineering attempts
• Lost, stolen, or compromised devices (laptops, mobile devices, removable media)
• Unauthorized access to systems, files, or facilities
• Improper storage, transmission, or marking of sensitive information
• Any situation where ITAR-controlled data may have been accessed by an unauthorized person

When in doubt, report the incident. Reporting a concern that turns out to be benign is always preferable to failing to report a real issue.

Resources and Additional Learning

• Information Protection Security Shorts
• Suspicious Emails
• Information Security Toolkit
• 32 CFR Part 117 (NISPOM Rule)

As always, if you have any questions about whether or not a situation requires reporting, ask your FSO!

The holiday season is approaching quickly! While maintaining strong security practices should be a primary focus throughout the year, it is important to understand the increased threats during the holiday season.

The hustle, bustle, and general spirit of celebration that we experience during the holidays can lead to distraction and lower our guard. Unfortunately, criminals and our adversaries don’t slow their nefarious goals simply because we are busy, distracted, or nurturing kindness during the holidays. In fact, this gives them a better opportunity to exploit us.

Holiday OPSEC

OPSEC (Operations Security) is a five-step process used to identify and protect sensitive information from our adversaries:

1. Identify What Needs Protection
2. Analyze the Threat
3. Analyze Vulnerabilities
4. Assess Risk
5. Apply Countermeasures

These same concepts can, and should, be used to protect ourselves, our families, our homes, and our data during the holiday season.

Safety in Public and Crowded Places

• Situational awareness! No matter where you are, always be mindful of your surroundings.
• Have an exit plan and know how to contact the authorities if something goes sideways.
• If anything feels off, say something.
• Take care when carrying large amounts of cash. Look out for “shoulder surfers” looking to steal your credit card information.
• When out purchasing gifts, consider bringing items back to your vehicle as you shop and placing them in your trunk, out of sight.

Data Security

• Always follow all company and government data security protocols.
• Never use company-issued or government-furnished equipment for online shopping.
• Consider a personal VPN to help secure your data.
• Use strong passwords, change them frequently, and never share them with anyone.
• Whenever possible, use multi-factor authentication.

Online Shopping

• Know that scams and phishing are especially heightened during the holidays.
• Know how to identify safe and secure websites.
• Always follow safe and proper cybersecurity practices.
• Remember: If it sounds too good to be true, it probably is!

Securing Your Home During the Holidays

• Protect and control your house keys, door codes, and garage access codes with extreme caution.
• Keep a light on, even when you are not at home.
• Keep valuables out of sight.
• Consider a home security system and video surveillance system.
• Be wary of canvassers and anyone requesting access to your residence.
• Mind who is “hanging out” in your neighborhood and report any suspicious activity.
• Care what you share publicly and on social media.

Protect Your Home When You’re Gone

More than 80 million Americans travel 50+ miles from home during the holidays, leaving personal space vulnerable. Studies show that 40% of burglaries do not involve forced entry and most burglars are deterred by simple safeguards.

Secure your home:

• Lock every door and window, including your garage door
• Activate your home security system
• Put valuables in a safe or safety deposit box
• Remove “hidden” keys

Don’t make it look like you’re not home:

• Never post travel plans on social media
• Consider putting lights, TVs, or radios on intermittent timers
• Don’t leave trash and trash cans at the curb

Foreign Travel

If you are traveling outside the US, don’t forget to report it to your FSO! For most of us, all personal and professional foreign travel requires reporting. Ideally, foreign travel should be reported 30 days in advance of departure.

Resources and Additional Learning

• DLA Holiday Safety & Security
• CISA Online Shopper Safety
• CISA Cybersecurity Best Practices
• National Safety Council Holiday Safety

As always, if you have any questions about whether or not a situation requires reporting, ask your FSO!