Artificial intelligence (AI) driven social engineering is no longer a theoretical concern. Adversaries are already using it against federal contractors because of the sensitive information, predictable workflows, and publicly visible roles common in this environment. It is important to understand why this threat deserves your attention and how it affects every cleared and uncleared individual.
AI has made social engineering attacks faster, more convincing, and harder to detect. Federal contractors are now prime targets because adversaries can use AI to mimic coworkers, generate realistic emails, and scrape public data to craft highly personalized attacks.
Bottom line: If you work within the federal government space, whether directly on a government contract or in support of a federal contractor organization, you are a target, regardless of your role, clearance level, or seniority.
How AI Changes the Threat Landscape
AI tools give attackers new capabilities that make their messages and requests appear legitimate. This section outlines the specific ways AI enhances an attacker’s ability to deceive you and why traditional red flags are becoming harder to spot.
- AI crafted phishing creates messages that look authentic, match your writing style, and reference real project details.
- Voice cloning allows attackers to imitate a PM, COR, or FSO with only seconds of audio.
- Automated reconnaissance lets AI tools scan LinkedIn, company sites, and conference lists to map who works on what.
- Fake documents and memos can include realistic DD254s, onboarding forms, or urgent tasking requests.
These attacks are designed to look normal. That is what makes them dangerous.
Common AI Driven Attack Scenarios
AI powered attacks often appear as routine work requests. Here are a few short, realistic examples of how these attacks show up in daily operations, so you can recognize them quickly and respond safely.
“I Need This Now”
You receive an email, or a call using a cloned voice, from someone you supposedly know, often a person in a position of authority. They ask you to pay an invoice, make an urgent purchase on their behalf, provide business or contract information, supply their “forgotten” login credentials, or send a CUI package to a personal email address because a portal is down.
“New Subcontractor Access Request”
A realistic looking onboarding form asks you to grant SharePoint access to a supposed teaming partner.
“Conference Logistics Update”
Before a defense conference, you receive a message asking for passport scans or travel details.
“Security Compliance Reminder”
A fake memo claims to be from your FSO and asks you to follow a new link and complete a training.
These are just a few examples, but in each scenario the attacker is exploiting trust, urgency, and familiar workflows.
How to Protect Yourself, Your Organization, and Your Program
Even as AI attacks become more sophisticated, the most effective defenses remain simple and consistent. This section focuses on practical steps that anyone can apply immediately, regardless of technical background or job role.
Verify Every Request: Use known contact methods, not the ones provided in the message. Check that the email address or phone number is the one you know to be legitimate for that individual. If you are unsure, verify with the person directly through a channel you already trust. If something feels off, it probably is.
Slow Down When You See Urgency: Attacks often rely on pressure. Pause. Confirm. Then act.
Protect Your Online Footprint: Limit what you post about. Attackers will use any data they can find to personalize their approach. You should always avoid posting:
- Program information, including program names
- Travel
- Job duties
- Clearances
Follow CUI Handling Rules Without Exception: No alternate channels. No quick sends. No personal email. Ever.
Report Suspicious Activity Immediately: Your FSO would rather investigate a false alarm than a real compromise. Always use your organization’s reporting channel or contact your security office directly.
Good security comes from consistent habits. Adopt a “Verify First” mindset. Before sending information, granting access, or clicking a link, confirm the request through a trusted channel.
What to Report and How to Report It
Social engineering attacks succeed when suspicious activity goes unreported. Early reporting allows your security team to stop an incident before it spreads, protect sensitive information, and identify patterns that may indicate a larger targeting effort.
Report any activity that feels unusual, unexpected, or inconsistent with normal procedures. This includes:
- Suspicious emails or messages such as unexpected requests for data, access, or login information.
- Unusual phone calls including urgent requests, unfamiliar numbers, or voices that do not sound quite right.
- Unexpected document requests especially those involving CUI, PII, or program details.
- Strange online contact such as unknown individuals asking about your job, travel, or project.
- Any suspected impersonation whether by email, phone, or social media.
If you are unsure whether something is reportable, treat it as reportable.
Follow your organization’s established reporting process. In most contractor environments, this includes:
- Contacting your FSO or security office using a known phone number or email.
- Submitting an internal security incident report through your organization’s reporting system.
- Providing copies or screenshots of suspicious messages when possible.
- Reporting immediately even if you already deleted the message or declined the request.
Your FSO would always rather review a false alarm than miss a real threat.
Resources and Additional Learning
- Avoiding Social Engineering and Phishing Attacks
- Understanding the Dangers of Social Engineering
- Contextualizing Deepfake Threats to Organizations
- Generative AI to Facilitate Financial Fraud
- Cyber Awareness Challenge
- Social Media Cybersecurity Short
- Counterintelligence Awareness Toolkit Cyber CI Resources
- Have I Been Pwned (Widely used for checking compromised credentials)
- Not All Victims Are Created Equal: Investigating Differential Phishing Susceptibility
- NIST AI Risk Management Framework
- CDSE Case Studies
- Security Awareness Games
- 32 CFR Part 117 (NISPOM Rule)
As always, if you have any questions, ask your FSO! Your company’s FSO is the best person to help you navigate any questions you have about security compliance, briefings, and reporting requirements. As security professionals, we are here to help you navigate all things security and ensure you fulfill all security requirements.
If you hold a U.S. government security clearance, you’ve probably heard the term “NISPOM.” But what exactly is it—and why should you care?
The former DoD manual DoD 5220.22-M (NISPOM) was formally codified into federal regulation as 32 CFR Part 117, published in December 2020 and effective February 24, 2021, making it the authoritative rule governing the National Industrial Security Program. 32 CFR Part 117 is issued by the U.S. Department of Defense and applies to all contractors working with classified information under the National Industrial Security Program (NISP).
This rule implements policy, assigns responsibilities, establishes requirements, and provides procedures for the protection of classified information that is disclosed to, or developed by, U.S. Government contractors.
It prescribes industrial security procedures and practices to safeguard U.S. government classified information, including rules, requirements, restrictions, and other safeguards designed to prevent unauthorized disclosure of classified information and protect special classes of classified information.
In simple terms, the NISPOM is the rulebook that tells companies and individuals what they must do to properly protect classified information.
It covers things like:
- Who can access classified information, when they can access it, and where they can access it
- How classified information must be handled, stored, and transmitted
- Required security practices, procedures, and restrictions for contractors and their personnel
- Security training requirements
- Reporting requirements
- Insider threat program requirements
The 32 CFR Part 117 (NISPOM) Origin Story
The 32 CFR Part 117 (NISPOM) rule is based on a myriad of higher-level executive orders, laws, and federal regulations that govern how the U.S. protects national security information.
Here are a few of the key foundations:
The National Industrial Security Program (NISP): Executive Order 12829 established the National Industrial Security Program. This Executive Order:
- Created a uniform program to safeguard classified information released to contractors
- Assigned oversight responsibilities to federal agencies
- Required a standard set of rules for industry
32 CFR Part 117 (NISPOM) is the regulation that implements this Executive Order.
Executive Order 13526 on Classified National Security Information: The main authority for how classified information is handled across the federal government. This Executive Order:
- Defines what “classified information” is
- Establishes classification levels (Confidential, Secret, Top Secret)
- Sets rules for safeguarding and declassification
The NISPOM aligns industry practices with those government-wide rules.
Information Security Oversight Office (ISOO) – 32 CFR Part 2004: The NISP Directive, issued by the Information Security Oversight Office (ISOO), which operates under the National Archives and Records Administration (NARA). This regulation:
- Defines ISOO’s role in implementing and monitoring the NISP on behalf of the President, as directed by E.O. 12829
- Sets uniform, government-wide standards for protecting classified information released to industry
- Establishes how the Cognizant Security Agencies, including the Department of Defense, oversee contractors’ protection of that information
32 CFR Part 2004 sets the government-wide NISP policy that agencies, including the Department of Defense, implement through regulations such as 32 CFR Part 117.
Other Supporting Laws and Policies: The NISPOM also reflects requirements from other federal criminal laws related to espionage and unauthorized disclosure, personnel security standards, insider threat policy requirements, and information safeguarding laws.
Federal agencies turn executive orders and laws into enforceable rules through the Code of Federal Regulations (CFR). 32 CFR Part 117 is located in Title 32 (National Defense) of the CFR. Once published in the CFR, it became a binding federal regulation, not just guidance. That means compliance is legally required.
In short: Executive Orders set the direction → Federal agencies create regulations → 32 CFR Part 117 becomes the enforceable rule for industry.
How 32 CFR Part 117 (NISPOM) Applies to You
You don’t need to memorize the regulation. But you do need to understand how it affects you day-to-day. Below we have outlined a few key tenets of the NISPOM requirements that apply to you:
Access is Based on “Need-to-Know”
- Just having a clearance does not mean you can access all classified information. You must have both: The proper clearance level AND a legitimate need-to-know.
Safeguarding Information
- Classified information may not be accessed or discussed in unauthorized areas or on unauthorized devices
- Both you and your organization bear responsibility for protecting classified information from unauthorized disclosure
- Both you and your organization are responsible for ensuring classified information is properly secured, marked, handled, and stored
- Failure to protect classified information can result in civil or criminal penalties
- You are required to complete security training annually
- Your organization is required to have written Standard Practice Procedures (SPP) that are available to all company personnel
- You are responsible for ensuring that you understand any security requirements that apply to you
Reporting Requirements
- Your organization has many different types of reporting requirements
- You also have requirements for reporting relevant information about yourself and others
- You must complete training regarding your reporting requirements
- If you are unsure if you should report something, you must contact your organization’s FSO—When in doubt, Report it.
Insider Threat Awareness
- Your organization is required to have a written Insider Threat Program that is available to all company personnel
- You are required to complete insider threat awareness training
- You are responsible for recognizing concerning behaviors and reporting potential insider threat concerns to your organization’s insider threat program senior official (ITPSO)
You don’t have to be a security expert—but you are personally responsible for taking your security training seriously, contacting your organization’s Facility Security Officer (FSO) if you have questions or concerns, and protecting classified information.
Why 32 CFR Part 117 (NISPOM) Matters
The NISPOM applies to all U.S. contractor facilities that have been granted authorization to access classified information (aka facility clearance or FCL) and the individuals that work for these organizations, even if you are not personally handling classified material right now.
When an organization is granted an FCL, they sign the DD Form 441 Department of Defense Security Agreement. By signing the DD-441, the organization agrees to follow all government security requirements for safeguarding classified information, and to ensure its personnel understand and comply with these requirements.
When an individual is granted a personnel security clearance (PCL), they do not simply receive permission to access classified information; they also sign the SF-312, Classified Information Nondisclosure Agreement. The SF-312 is a lifelong legal agreement. By signing it, you agreed that you would:
- Protect classified information from unauthorized disclosure
- Follow all government rules for handling classified material
- Never disclose classified information without proper authorization
- Accept that violations could result in administrative, civil, or criminal penalties
32 CFR Part 117 (NISPOM) is one of the key regulations that defines what those responsibilities look like, in practice, for contractors and individuals. In other words:
- The DD-441 is the organization’s formal agreement to follow government security requirements.
- The SF-312 is your personal legal promise.
- The NISPOM explains how you keep that promise on the job.
Failing to follow these rules can result in:
- Suspension or revocation of your clearance
- Loss of employment
- Damage to national security
- Civil or criminal penalties that could include financial penalties and criminal prosecution
Understanding the NISPOM helps you know what is required of you as a person working for or with a cleared contractor facility. Think of the NISPOM as the official playbook for protecting national security information in industry. If you ever have questions, your Facility Security Officer (FSO) is your best resource.
Protecting classified information isn’t just a rule, it’s everyone’s responsibility.
Resources and Additional Learning
- 32 CFR Part 117 (NISPOM)
- DCSA.mil – The NISPOM Rule
- 32 CFR Part 2004 – National Industrial Security Program
- E.O. 13526 – Classified National Security Information
- E.O. 12829 – National Industrial Security Program
As always, if you have any questions, ask your FSO! Your company’s FSO is the best person to help you navigate any questions you have about security compliance, briefings, and reporting requirements.
Threat awareness is a critical part of annual security training. Effectively countering threats begins with understanding the threats the U.S. faces every day.
Three key U.S. government assessments help us understand the scope, complexity, and persistence of threats confronting the United States: the Defense Counterintelligence and Security Agency (DCSA) Targeting U.S. Technologies report on foreign targeting of the cleared industrial base; the Department of Homeland Security (DHS) Homeland Threat Assessment; and the Office of the Director of National Intelligence (ODNI) Annual Threat Assessment.
Taken together, these reports underscore a central reality: foreign adversaries, criminal networks, and extremist actors are increasingly interconnected, technologically enabled, and willing to exploit U.S. vulnerabilities across domains—from cyber and supply chains to public discourse and physical infrastructure.
DCSA: Targeting U.S. Technologies
DCSA’s Targeting U.S. Technologies report assesses how foreign intelligence entities (FIEs) and other adversaries target the U.S. cleared industrial base and informs us about foreign efforts to compromise technology, classified information, and personnel.
KEY FINDINGS
Rising Threat Volume: Cleared contractor facilities report tens of thousands of suspicious contacts annually, reflecting sustained and persistent attempts to illicitly access sensitive and classified information and technologies.
Targeted Technologies: The most frequently targeted technologies include software, electronics, and aeronautic systems—collectively accounting for over one-third of all reports. Adversaries also pursue microelectronics, AI tools, advanced materials, and export-controlled devices.
Primary Geographical Threat Sources: Entities from the East Asia and Pacific region and the Near East account for the largest share of reported incidents—roughly 62% of all targeting activity.
Evolving Collection Methods: Adversaries increasingly rely on non-traditional collectors, including business partnerships, academic collaboration, supply chains, cyber intrusions, and recruitment of insiders. These methods blur the line between legitimate interactions and covert collection.
Why does this matter? Technological superiority underpins U.S. military readiness and economic strength. Successful exploitation of cleared industry shortens adversary development timelines, erodes deterrence, and introduces long-term strategic risk.
DHS: Homeland Threat Assessment
The Department of Homeland Security (DHS) Homeland Threat Assessment (HTA) examines risks directly affecting the U.S. population and domestic systems—from terrorism to drug trafficking and critical infrastructure attacks.
TOP THREAT AREAS
Terrorism & Violent Extremism: The assessment finds that the overall terrorism threat is expected to remain high, driven by domestic sociopolitical dynamics and international conflicts. Lone actors and small cells continue posing the most immediate risks.
Illegal Drugs & Transnational Crime: Transnational criminal organizations trafficking illegal drugs—especially fentanyl and synthetic opioids—are a severe public safety and national risk.
Influence Operations & Transnational Repression: Foreign state actors use digital platforms and social networks to influence U.S. public opinion, target communities, and undermine trust in institutions.
Border & Immigration Security: While migrant encounters have declined, the risk of individuals posing security threats entering through irregular channels remains a focus of DHS screening and vetting efforts.
Critical Infrastructure Security: Cyber-attacks, physical threats, and preparation for disruptive operations against critical infrastructure persist as priority concerns. Nation-state actors such as China, Russia, and Iran remain principal threats.
DNI: Annual Threat Assessment
The Director of National Intelligence (DNI) Annual Threat Assessment provides a comprehensive evaluation of the most direct and serious threats to U.S. national security.
KEY TAKEAWAYS
Major State Adversaries:
- China is described as the most comprehensive military and cyber threat, with ambitions to expand regional power and surpass U.S. technological leadership, including in artificial intelligence.
- Russia is assessed as leveraging its ongoing war in Ukraine and maintaining capabilities that could heighten tensions with NATO.
- Iran continues to pursue regional influence with missile and proxy capabilities, though it is not currently rebuilding a nuclear weapons program.
- North Korea advances its strategic weapons and cyber capabilities, posing risks to U.S. allies and interests in the region.
Transnational Criminal Organizations (TCOs): Transnational criminal groups—especially drug cartels—are identified as immediate threats to public safety, with illicit fentanyl and synthetic opioids linked to tens of thousands of U.S. deaths.
Adversarial Cooperation: The assessment notes growing cooperation among these major adversaries, strengthening their collective capabilities and resilience against Western strategies.
Big Picture Threat Awareness
COMMON THEMES
Despite differing missions, the DCSA, DHS, and DNI assessments converge on several critical themes:
Threats are multi-domain: Cyber, economic, ideological, physical, and informational threats are deeply interconnected and reinforce one another.
Technology is both an asset and a vulnerability: AI, cyber tools, and global connectivity accelerate both innovation and exploitation.
State and non-state actors both matter: From sophisticated foreign intelligence services to lone extremists and criminal networks, adversaries exploit vulnerabilities at home and abroad.
Prevention depends on partnership: Effective risk mitigation requires coordination across government agencies, the defense industrial base, academia, private sector partners, and local stakeholders.
LOOKING AHEAD: EMERGING TECHNOLOGIES AND CHALLENGES
Emerging technologies are expected to remain the most attractive targets for adversaries. Artificial intelligence, microelectronics, quantum computing, space systems, advanced manufacturing, and critical software supply chains are increasingly sought after for their military, economic, and strategic value.
Protecting national security will require sustained vigilance, stronger partnerships, and adaptive security strategies across government and industry.
Resources and Additional Learning
- DCSA Methods of Operation and Methods of Contact (MCMO)
- 2025 DNI Annual Threat Assessment
- 2025 DHS Homeland Threat Assessment
- DCSA Counterintelligence Trend Analysis Reports
As always, if you have any questions, ask your FSO! Your company’s FSO is the best person to help you navigate any questions you have about security compliance, briefings, and reporting requirements.
In today’s digital environment, information is one of our most valuable assets. It is also the most targeted. Protecting classified information and controlled unclassified information (CUI) is not just an IT responsibility; it is a shared obligation that applies to every employee, contractor, and partner within your organization.
Understanding What We Protect
Classified Information includes data formally designated as Confidential, Secret, or Top Secret and requires the highest levels of protection due to national security implications.
Controlled Unclassified Information (CUI) is sensitive information that is not classified but must be safeguarded under applicable laws, regulations, and government-wide policies. This includes personally identifiable information (PII), export-controlled data, proprietary information, certain technical or research data, and more.
Correctly identifying and marking information is the first step in ensuring it is protected appropriately.
Why Protection Matters
Threat actors are constantly seeking to exploit weak points—whether through phishing emails, unsecured devices, or improper data handling. A single lapse can result in:
- Legal and regulatory consequences
- Loss of trust with partners and stakeholders
- Operational disruptions
- Damage to national security or organizational mission
Regulatory Frameworks That Guide Our Security Practices
- 32 CFR Part 117 (NISPOM): Establishes requirements for safeguarding classified information within cleared contractor facilities, including personnel security, physical security, and information systems security.
- NIST: NIST Special Publication 800-171 defines the security requirements for protecting CUI in non-federal systems and organizations.
- CMMC: Cybersecurity Maturity Model Certification builds upon NIST 800-171 and is required for many Department of Defense contracts.
- EAR (Export Administration Regulations): Controls the access, transfer, and dissemination of certain commercial and dual-use technologies, software, and technical data.
- ITAR (International Traffic in Arms Regulations): Governs the handling of defense-related technical data and restricts access to authorized U.S. persons.
Everyday Actions That Make a Difference
- Think before you click: Phishing remains one of the most common attack methods. Be cautious of unexpected emails, links, or attachments.
- Use approved systems: Store, transmit, and process Classified and CUI data only on authorized networks and devices.
- Limit and control access: Share information strictly on a need-to-know basis.
- Secure physical and digital workspaces: Lock screens when away, safeguard physical documents, and properly dispose of sensitive materials.
- Report incidents promptly: If you suspect a data spill, phishing attempt, or security incident, report it to your FSO immediately.
Why Reporting is Critical & How to Report Concerns
Report to your FSO, immediately, any actual or suspected incident involving Classified Information or Controlled Unclassified Information (CUI), including:
- Suspected or confirmed data spills or unauthorized disclosures
- Phishing emails, suspicious links, or social engineering attempts
- Lost, stolen, or compromised devices (laptops, mobile devices, removable media)
- Unauthorized access to systems, files, or facilities
- Improper storage, transmission, or marking of sensitive information
- Any situation where ITAR-controlled data may have been accessed by an unauthorized person
When in doubt, report the incident. Reporting a concern that turns out to be benign is always preferable to failing to report a real issue.
Resources and Additional Learning
- Information Protection Security Shorts
- Suspicious Emails
- Information Security Toolkit
- 32 CFR Part 117 (NISPOM Rule)
As always, if you have any questions about whether or not a situation requires reporting, ask your FSO!
The holiday season is approaching quickly! While maintaining strong security practices should be a primary focus throughout the year, it is important to understand the increased threats during the holiday season.
The hustle, bustle, and general spirit of celebration that we experience during the holidays can lead to distraction and lower our guard. Unfortunately, criminals and our adversaries don’t slow their nefarious goals simply because we are busy, distracted, or nurturing kindness during the holidays. In fact, this gives them a better opportunity to exploit us.
Holiday OPSEC
OPSEC (Operations Security) is a five-step process used to identify and protect sensitive information from our adversaries:
- Identify What Needs Protection
- Analyze the Threat
- Analyze Vulnerabilities
- Assess Risk
- Apply Countermeasures
These same concepts can, and should, be used to protect ourselves, our families, our homes, and our data during the holiday season.
Safety in Public and Crowded Places
- Situational awareness! No matter where you are, always be mindful of your surroundings.
- Have an exit plan and know how to contact the authorities if something goes sideways.
- If anything feels off, say something.
- Take care when carrying large amounts of cash, and watch for “shoulder surfers” trying to observe your PIN or card number at registers and ATMs.
- When out purchasing gifts, consider bringing items back to your vehicle as you shop and placing them in your trunk, out of sight.
Data Security
- Always follow all company and government data security protocols.
- Never use company-issued or government-furnished equipment for online shopping.
- Consider a personal VPN, especially on public Wi-Fi, to help protect your data in transit.
- Use strong passwords, change them frequently, and never share them with anyone.
- Whenever possible, use multi-factor authentication.
Online Shopping
- Know that scams and phishing are especially heightened during the holidays.
- Know how to identify safe and secure websites.
- Always follow safe and proper cybersecurity practices.
- Remember: If it sounds too good to be true, it probably is!
Securing Your Home During the Holidays
- Protect and control your house keys, door codes, and garage access codes with extreme caution.
- Keep a light on, even when you are not at home.
- Keep valuables out of sight.
- Consider a home security system and video surveillance system.
- Be wary of canvassers and anyone requesting access to your residence.
- Mind who is “hanging out” in your neighborhood and report any suspicious activity.
- Care what you share publicly and on social media.
Protect Your Home When You’re Gone
More than 80 million Americans travel 50+ miles from home during the holidays, leaving personal space vulnerable. Studies show that 40% of burglaries do not involve forced entry and most burglars are deterred by simple safeguards.
Secure your home:
- Lock every door and window, including your garage door
- Activate your home security system
- Put valuables in a safe or a safe deposit box
- Remove “hidden” keys
Don’t make it look like you’re not home:
- Never post travel plans on social media
- Consider putting lights, TVs, or radios on intermittent timers
- Don’t leave trash and trash cans at the curb
Foreign Travel
If you are traveling outside the US, don’t forget to report it to your FSO! For most of us, all personal and professional foreign travel requires reporting. Ideally, foreign travel should be reported 30 days in advance of departure.
Resources and Additional Learning
- DLA Holiday Safety & Security
- CISA Online Shopper Safety
- CISA Cybersecurity Best Practices
- National Safety Council Holiday Safety
As always, if you have any questions about whether or not a situation requires reporting, ask your FSO!
Have you ever received a phishing email? If so, you have experienced an attempted cyber-attack.
Cyber threats are a very real and persistent risk to us all, both personally and professionally. Cyber-attack attempts happen every single day. For the attacker they are low-risk and potentially high-reward, and advances in technology have made them easier than ever to launch. No one is immune to a cyber-attack, and everyone is a target.
Understanding Cyber Threats and Attacks
A cyber-criminal is any individual or group that uses technology to commit illegal acts, such as stealing data, conducting fraud, or disrupting services. They can be petty criminals, hackers, terrorists, foreign intelligence agents, or even a compromised insider.
A cyber-threat is any malicious act with the intent to steal data, disrupt digital systems, damage information, or gain unauthorized access to a computer network or sensitive data.
A cyber-attack is any deliberate attempt to access, damage, or disrupt a computer system, network, or digital device.
Common Types of Cyber-Attacks
- Phishing/Spear Phishing/Spoofing: Deceptive emails, messages, or websites designed to trick individuals into revealing sensitive information.
- Malware: Malicious software like viruses, worms, and spyware that can steal data, disrupt systems, or gain unauthorized access.
- Ransomware: A type of malware that encrypts a victim’s files and demands a ransom for the decryption key.
- Man-in-the-Middle (MitM) attacks: An attacker secretly intercepts and possibly alters communications between two parties.
- Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS): Attacks that overwhelm a server or network, making it unavailable to its intended users.
- SQL Injection: A technique where attacker-supplied input is interpreted as part of a database query, letting the attacker read, alter, or delete data the application never intended to expose.
- Zero-Day Exploit: An attack that targets a software vulnerability before the vendor has released a fix, often before the vendor is even aware of it.
- Password Attacks: Attempts to gain access to accounts by guessing passwords or using brute force methods.
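The SQL injection bullet above is easiest to understand with the vulnerable query beside its fix. The following is an added example, not code from the original newsletter: the users table, its rows, and the two hypothetical account-lookup functions are constructed here, and it runs against an in-memory SQLite database so nothing real is touched.

```python
"""Vulnerable string-built query beside its parameterized fix, run against
an in-memory SQLite database. Added example, not from the original page;
the table, rows and the lookup functions are constructed for illustration."""
import sqlite3


def make_db():
    """Create a throwaway database with a constructed users table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)")
    con.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "hash-a", "admin"), ("bob", "hash-b", "user")],
    )
    return con


def lookup_vulnerable(con, username):
    """Untrusted input is spliced into the SQL text, so a quote character in
    the input changes the structure of the query, not just its data."""
    query = f"SELECT username, role FROM users WHERE username = '{username}'"
    return con.execute(query).fetchall()


def lookup_safe(con, username):
    """Parameter binding sends the SQL and the value separately; the input can
    only ever be compared as a string, whatever characters it contains."""
    query = "SELECT username, role FROM users WHERE username = ?"
    return con.execute(query, (username,)).fetchall()


# Classic tautology payload: closes the quoted literal and appends an
# always-true condition, so the WHERE clause matches every row.
PAYLOAD = "' OR '1'='1"

if __name__ == "__main__":
    con = make_db()
    print("normal input, vulnerable:", lookup_vulnerable(con, "alice"))
    print("payload, vulnerable:     ", lookup_vulnerable(con, PAYLOAD))  # every user leaks
    print("payload, parameterized:  ", lookup_safe(con, PAYLOAD))        # nothing matches
```

With a normal username both functions return the same single row. With the payload, the vulnerable version returns every account because the query has become `WHERE username = '' OR '1'='1'`, while the parameterized version simply looks for a user literally named `' OR '1'='1` and finds nothing. Escaping quotes by hand is not a substitute for binding parameters.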
What is the Goal of a Cyber-Attack?
Ultimately, cyber-criminals want to obtain or steal information that can be sold or used to exploit an individual or organization. High value targets include:
- User login IDs and passwords
- Personally Identifiable Information (SSN, date of birth, addresses)
- Financial and Banking information
- Sensitive organizational documents
- Proprietary information
- Information regarding U.S. government funded contracts
- Classified, CUI, Sensitive, and Export-Controlled information and technology
Spotting a Cyber-Attack
Phishing/Spear Phishing indicators:
- Emails or messages that appear to come from a trusted source but do not (check the actual sender address and any Reply-To, not just the display name)
- Urgent and suspicious requests asking you to take immediate action, especially anything that bypasses a normal process (pay now, send it to a personal email, the portal is down)
- Significant spelling or grammatical errors (a traditional tell, but AI-written phishing is often flawless, so a polished message is not proof of legitimacy)
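The first two indicators above can be checked mechanically. The following is an added example, not part of the original page, that runs a few header and content checks over constructed sample messages: a sender domain that imitates the organization’s own domain (for instance “rn” in place of “m”), a display name that embeds a different address than the real one, a Reply-To pointing somewhere else, and urgency language. The trusted domain `example-contractor.com` and the urgency word list are assumptions to adapt to your environment.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: the organization's own mail domain(s). Adjust to your environment.
TRUSTED_DOMAINS = {"example-contractor.com"}
URGENCY = re.compile(r"\b(urgent|immediately|right away|asap|before noon|portal is down)\b", re.I)
EMBEDDED_ADDR = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain, trusted=TRUSTED_DOMAINS):
    """True when domain imitates a trusted one through a homoglyph swap
    (rn->m, 0->o, 1->l) or a single-character edit, but is not that domain."""
    canon = domain.replace("rn", "m").replace("0", "o").replace("1", "l")
    return any(domain != t and (canon == t or edit_distance(domain, t) == 1) for t in trusted)


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def phishing_indicators(raw):
    """Return indicator strings for an RFC 822 message given as text; [] means none fired."""
    msg = message_from_string(raw)
    flags = []
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(addr)
    if is_lookalike(from_domain):
        flags.append(f"lookalike sender domain: {from_domain}")
    # Display name that embeds an address from a different domain than the real one.
    m = EMBEDDED_ADDR.search(name)
    if m and m.group(1).lower() != from_domain:
        flags.append(f"display name claims {m.group(1)} but address is {from_domain}")
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and _domain(reply) != from_domain:
        flags.append(f"Reply-To goes to {_domain(reply)}, not {from_domain}")
    m = URGENCY.search(msg.get("Subject", "") + "\n" + msg.get_payload())
    if m:
        flags.append(f"urgency language: {m.group(0)!r}")
    return flags


# Constructed sample messages for the demonstration (not real mail).
SUSPICIOUS = """\
From: "Jane Smith (FSO)" <jane.smith@exarnple-contractor.com>
Reply-To: jsmith.fso@mail-relay.example.net
To: bob@example-contractor.com
Subject: URGENT: CUI package needed before noon

Bob, the portal is down. Send the CUI package to my personal email immediately.
"""

LEGITIMATE = """\
From: Jane Smith <jane.smith@example-contractor.com>
To: bob@example-contractor.com
Subject: Notes from Tuesday's status meeting

Bob, the notes are in the shared drive under the usual folder.
"""

if __name__ == "__main__":
    for flag in phishing_indicators(SUSPICIOUS):
        print("-", flag)
    print(phishing_indicators(LEGITIMATE))   # []
```

None of these checks proves a message is malicious, and a clean result proves nothing either; they are a cheap first pass that a mail gateway or an analyst triage script can run before a human looks at the message. A message that trips the Reply-To or lookalike check should be verified with the apparent sender through a channel you already have, never by replying.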
Unusual System and Performance Issues:
- Slow performance, freezing, or frequent crashes
- Disabled security software
- Unknown software or browser toolbars appearing
- Constant pop-ups
Suspicious Network and Internet Activity:
- Abnormal network traffic or unexplained spikes in activity
- Your browser redirects you to unfamiliar websites
- Your contacts report receiving strange emails from your account
- Unauthorized access to systems or unauthorized data transmission
Applying Countermeasures to Protect Against a Cyber-Attack
All Personnel:
- Never use default passwords. Use long, unique passwords (a password manager helps), never reuse a password across accounts, enable multi-factor authentication wherever it is offered, and change a password whenever your organization requires it and immediately if you suspect it has been exposed.
- Never share your passwords with anyone.
- Never open unexpected attachments or click links in messages you were not expecting, even when the sender looks familiar, since a sender address can be spoofed; confirm through a channel you already trust (a known phone number, not a number in the message).
- Report any suspicious or unusual issues with equipment or devices to your IT department immediately.
- Know what to report and who to report it to within your organization.
Management and IT Departments:
- Implement Defense-in-Depth: a layered defense strategy including technical, organizational, and operational controls.
- Keep anti-virus/endpoint protection updated (signatures at least daily) and apply vendor security patches as soon as they are released.
- Monitor, log, analyze and report attempted and successful intrusions to your systems and networks.
- Train all personnel on proper cybersecurity procedures.
- Conduct frequent computer audits — ideally daily, at minimum weekly.
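“Monitor, log, analyze and report attempted and successful intrusions” is where the Password Attacks entry from the attack list above becomes visible to defenders. The following is an added example, not code from this page, that reads constructed OpenSSH-style authentication log lines and flags three patterns per source address: brute force against one account, password spraying across many accounts, and the one that deserves an immediate report, a successful login that follows a run of failures. The thresholds are assumptions; tune them to your environment.

```python
import re
from collections import defaultdict

# Matches OpenSSH authentication lines as written to syslog/auth.log.
AUTH_LINE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})")


def parse_events(log_text):
    """Return (ip, user, succeeded) tuples in log order; non-auth lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = AUTH_LINE.search(line)
        if m:
            events.append((m["ip"], m["user"], m["result"] == "Accepted"))
    return events


def analyze(log_text, brute_threshold=5, spray_threshold=5, success_after=3):
    """Flag three patterns per source IP (thresholds are assumptions):
    brute_force: >= brute_threshold failures against one account;
    password_spray: failures against >= spray_threshold distinct accounts;
    success_after_failures: a login succeeds after >= success_after earlier
    failures from the same IP, the finding most worth reporting right away."""
    failures = defaultdict(lambda: defaultdict(int))  # ip -> user -> failure count
    findings = []
    for ip, user, ok in parse_events(log_text):
        if ok:
            prior = sum(failures[ip].values())
            if prior >= success_after:
                findings.append({"rule": "success_after_failures", "ip": ip,
                                 "user": user, "count": prior})
        else:
            failures[ip][user] += 1
    for ip, per_user in failures.items():
        for user, n in per_user.items():
            if n >= brute_threshold:
                findings.append({"rule": "brute_force", "ip": ip, "user": user, "count": n})
        if len(per_user) >= spray_threshold:
            findings.append({"rule": "password_spray", "ip": ip, "user": None,
                             "count": len(per_user)})
    return findings


# Constructed sample log (not from a real host). Three sources: a brute force that
# eventually succeeds, a low-and-slow spray, and a user who simply mistyped once.
SAMPLE_LOG = """\
Mar 10 09:00:01 bastion sshd[2101]: Failed password for alice from 203.0.113.7 port 51012 ssh2
Mar 10 09:00:02 bastion sshd[2102]: Failed password for alice from 203.0.113.7 port 51013 ssh2
Mar 10 09:00:03 bastion sshd[2103]: Failed password for alice from 203.0.113.7 port 51014 ssh2
Mar 10 09:00:04 bastion sshd[2104]: Failed password for alice from 203.0.113.7 port 51015 ssh2
Mar 10 09:00:05 bastion sshd[2105]: Failed password for alice from 203.0.113.7 port 51016 ssh2
Mar 10 09:00:06 bastion sshd[2106]: Accepted password for alice from 203.0.113.7 port 51017 ssh2
Mar 10 09:05:00 bastion sshd[2201]: Failed password for bob from 198.51.100.9 port 40001 ssh2
Mar 10 09:05:01 bastion sshd[2202]: Failed password for carol from 198.51.100.9 port 40002 ssh2
Mar 10 09:05:02 bastion sshd[2203]: Failed password for invalid user admin from 198.51.100.9 port 40003 ssh2
Mar 10 09:05:03 bastion sshd[2204]: Failed password for dave from 198.51.100.9 port 40004 ssh2
Mar 10 09:05:04 bastion sshd[2205]: Failed password for erin from 198.51.100.9 port 40005 ssh2
Mar 10 09:30:00 bastion sshd[2301]: Failed password for alice from 192.0.2.5 port 33000 ssh2
Mar 10 09:30:09 bastion sshd[2302]: Accepted password for alice from 192.0.2.5 port 33001 ssh2
Mar 10 09:31:00 bastion sshd[2303]: pam_unix(sshd:session): session opened for user alice
"""

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

The single failure followed by a success from 192.0.2.5 is not flagged, which matters: a rule that pages on every failed login trains people to ignore it. A production pipeline would additionally window the counts by time and enrich the source address with what is known about it (VPN range, known scanner, foreign geolocation), but the grouping by source and account shown here is the core of the detection.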
Why Reporting is Critical & How to Report Concerns
Personnel should report any suspected cyber-attack to the company’s IT department and their FSO immediately. Organizations that do business with the U.S. Government must also report cyber incidents and attempted intrusions through the proper USG channels, and the clock starts at discovery, not at the time the intrusion actually began. Deadlines are short: DFARS 252.204-7012, for example, requires covered defense contractors to report cyber incidents to DoD within 72 hours of discovery, and some contracts and agencies impose shorter windows. Know which deadline applies to your contracts before an incident happens, and preserve the affected systems and logs rather than wiping them.
Resources and Additional Learning
- Cyber Awareness Challenge
- CDSE Cybersecurity Shorts
- Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), CISA
- DoD Cyber Crime Center – Report a Cyber Incident
- 32 CFR Part 117 (NISPOM Rule)
As always, if you have any questions about whether or not a situation requires reporting, ask your FSO!
Every federal contractor facility has access to U.S. government information, in some form or fashion. As such, every person that works for or with a federal contractor facility has a direct impact on the security of our country and the safety of our people and technology.
We must all be aware of the ways that our adversaries will attempt to exploit us to obtain information. We must know what suspicious contact looks like and how to report it.
What is Suspicious Contact?
Suspicious contact is any effort by any individual, regardless of nationality, to obtain illegal or unauthorized access to information or to compromise an individual, as well as all contacts with known or suspected intelligence officers from any country, or any contact which suggests the individual concerned may be the target of an attempted exploitation.
Suspicious Contact Tactics
Not all suspicious contact is obvious. Elicitation is the strategic use of conversation to extract information from people, without giving them the sense that they are being interrogated, to facilitate future targeting attempts.
Information collectors for foreign intelligence entities (FIE) commonly use elicitation to collect sensitive and/or classified information through what appears to be normal social or professional contact.
According to the DCSA and DNI reports, the top collection methods and contacts are:
Top Methods of Operation:
- Resume Submission *Number 1 method*
- RFI/Solicitation
- Exploitation of Business Activities
- Exploitation of Supply Chain
- Exploitation of Experts
- Exploitation of Cyber Operations
Top Methods of Contact:
- Resumes – Academic & Professional
- Web Form Submissions
- Social Networking Services
- Foreign Visits
Recognizing Suspicious Contact
Likely indicators of elicitation and suspicious contact include:
- Business contact requesting information outside the contract scope
- Hidden/obscured end use/end user data
- Offer of paid attendance at an overseas conference
- A casual acquaintance appears to know more about your work than expected
- A casual contact shows an unusual interest in your work, facility, personnel, or family details
Things you can do to reduce the risk of exploitation:
- Know what information you cannot share and be suspicious of those who seek such information
- Do not share anything the elicitor is not authorized to know, including personal information about yourself, your family, or your coworkers
- Be aware that outreach may occur via social media
- Plan tactful ways to deflect probing or intrusive questions
- Never feel compelled to answer any question that makes you feel uncomfortable
At the heart of it all: No matter where you are, no matter who you are communicating with…Care what you share and report suspicious interactions!
Why Reporting is Critical
It is NOT your job to determine if suspicious communications present a legitimate concern or threat. It IS your responsibility to simply report any suspicious interactions to your FSO. A good rule of thumb: If you have to say “No,” let your Facility Security Officer know.
You must report the following to your FSO immediately:
- Any suspicious emails, phone calls, or social interactions
- Any resumes received from foreign nationals applying to positions requiring U.S. citizenship or security clearance
- Any suspected elicitation attempts at conferences, conventions, seminars, or tradeshows
- If any person asks you questions that seem strange, probing, or obviously inappropriate
Resources and Additional Learning
- DNI 2025 Threat Assessment Report
- Identifying Suspicious Contact
- Suspicious Emails
- 32 CFR Part 117 (NISPOM Rule)
As always, if you have any questions, ask your FSO! FSO PROS® is here to help you navigate things to ensure you fulfill all requirements.
We may think it only happens in movies, but espionage is a very real threat. Spies are out there, they are targeting our nation’s most valuable information and technology, and they are more active than ever before.
The truth is that U.S. information and technologies are targeted every day. Advancements in technology have only made the modern day spy’s job easier. Every one of us plays a role in protecting our country and we must be vigilant.
What is Counterintelligence?
Counterintelligence is information gathered, and activities conducted to identify, deceive, exploit, disrupt, or protect against espionage, other intelligence activities, sabotage, or assassinations conducted for or on behalf of foreign powers, organizations, or persons, or their agents, or international terrorist organizations or activities.
The goal of counterintelligence is to:
- Protect U.S. sensitive, controlled unclassified, and classified information and technology
- Protect our nation’s critical assets: our people, advanced technologies, and protected information
- Counter the activities of foreign spies
- Keep weapons of mass destruction from falling into the wrong hands
Are You a Potential Target?
In short, anyone who has, or could have, access to targeted information, knowledge of information systems, or security procedures is a potential target for foreign intelligence services. This includes:
- Developers who research and develop leading technologies
- Information Systems Personnel with access to cleared facility networks
- Business Development Personnel supporting marketing and sales
- Human Resources and Recruiting Personnel
- Senior Managers and company owners
- Subject Matter Experts involved with targeted technology
- Administrative Staff with access to leadership calendars and proprietary information
- Anyone who has access to national defense information
MCMO (Methods of Contact and Methods of Operation)
Common collection methods include:
Requests for Information (RFI) and Solicitations: Attempts to collect protected information by asking, petitioning, requesting, or eliciting protected information, technology, or persons.
Exploitation of Business Activities: Attempts to establish or leverage relationships to obtain access to protected information. Most commonly through joint ventures, partnerships, mergers and acquisitions.
Exploitation of Cyber Operations: Attempts to compromise the confidentiality, integrity, or availability of targeted networks, applications, credentials, or data.
Exploitation of Experts: Requests for peer or scientific review, invites to participate in foreign conferences, requests to collaborate with foreign academic institutions.
Exploitation of Insider Access: Attempts by trusted insiders to exploit their authorized placement or access.
Resume Submission: Applications by foreign individuals seeking academic or professional placement that could facilitate access to protected information.
Surveillance: Observation of equipment, facilities, sites, or personnel associated with classified contracts.
Clearance Advertising is Prohibited
Organizations that have been granted facility clearance under the National Industrial Security Program (NISP) are bound by 32 CFR Part 117 (NISPOM), which states that a cleared contractor may not use its favorable entity eligibility determination for advertising or promotional purposes.
“Advertising” that a company has a facility clearance is strictly prohibited. You may never state that your organization is a cleared facility, nor include any facility clearance information in any public facing space.
Countermeasures
A strong countermeasures plan utilizes defensive, offensive, and investigative measures to both detect and deter threats. Countermeasures may include:
- Security Education and Counterintelligence Briefings
- Physical Security measures
- Cybersecurity measures
- Personnel Security measures and training
- Insider Threat Programs
- Supply Chain Security
- Technology Control Plans (TCPs)
- OPSEC Plans
Resources and Additional Learning
- DCSA CI MCMO Countermeasures Matrix
- Counterintelligence Awareness and Reporting Course for DOD
- Counterintelligence Tool Kit
- 32 CFR Part 117 (NISPOM Rule)
As always, if you have any questions, ask your FSO! FSO PROS is here to help you navigate things to ensure you fulfill all requirements.