FSO PROS

32 CFR Part 117 (NISPOM)

2/17/2026

 
If you hold a U.S. government security clearance, you’ve probably heard the term “NISPOM.” But what exactly is it—and why should you care?
 
In 2021, the former DoD manual DoD 5220.22-M (NISPOM) was formally codified into federal regulation as 32 CFR Part 117, making it the authoritative rule governing the National Industrial Security Program. 32 CFR Part 117 is issued by the U.S. Department of Defense and applies to all contractors working with classified information under the National Industrial Security Program (NISP).
 
This rule implements policy, assigns responsibilities, establishes requirements, and provides procedures for the protection of classified information that is disclosed to, or developed by, U.S. Government contractors.
 
It prescribes industrial security procedures and practices to safeguard U.S. government classified information, including rules, requirements, restrictions, and other safeguards designed to prevent unauthorized disclosure of classified information and protect special classes of classified information.
 
In simple terms, the NISPOM is the rulebook that tells companies and individuals what they must do to properly protect classified information.
 
It covers things like:
  • Who can access classified information, when they can access it, and where they can access it
  • How classified information must be handled, stored, and transmitted
  • Required security practices, procedures, and restrictions for contractors and their personnel
  • Security training requirements
  • Reporting requirements
  • Insider threat program requirements
 
 
The 32 CFR Part 117 (NISPOM) Origin Story
 
The 32 CFR Part 117 (NISPOM) rule is based on a myriad of higher-level executive orders, laws, and federal regulations that govern how the U.S. protects national security information.
 
Here are a few of the key foundations:
 
The National Industrial Security Program (NISP): Executive Order 12829 established the National Industrial Security Program. This Executive Order:
  • Created a uniform program to safeguard classified information released to contractors
  • Assigned oversight responsibilities to federal agencies
  • Required a standard set of rules for industry
 
32 CFR Part 117 (NISPOM) is the regulation that implements this Executive Order.
 
Executive Order 13526 on Classified National Security Information: The main authority for how classified information is handled across the federal government. This Executive Order:
  • Defines what “classified information” is
  • Establishes classification levels (Confidential, Secret, Top Secret)
  • Sets rules for safeguarding and declassification
 
The NISPOM aligns industry practices with those government-wide rules.
 
Information Security Oversight Office (ISOO) - 32 CFR Part 2004: Establishes the authorities and responsibilities of the Information Security Oversight Office (ISOO), which operates under the National Archives and Records Administration (NARA). This regulation:
  • Defines ISOO’s role in overseeing the government-wide security classification system
  • Establishes its authority to issue and implement directives for classified national security information
  • Provides oversight of how executive branch agencies protect classified information
 
32 CFR Part 2004 gives ISOO the authority to issue government-wide policy guidance, which agencies, including the Department of Defense, implement through regulations such as 32 CFR Part 117.
 
Other Supporting Laws and Policies: The NISPOM also reflects requirements from other:
  • Federal criminal laws related to espionage and unauthorized disclosure
  • Personnel security standards
  • Insider threat policy requirements
  • Information safeguarding laws
 
Federal agencies turn executive orders and laws into enforceable rules through the Code of Federal Regulations (CFR). 32 CFR Part 117 is located in Title 32 (National Defense) of the CFR. Once published in the CFR, it became a binding federal regulation, not just guidance. That means compliance is legally required.
 
In short: Executive Orders set the direction → Federal agencies create regulations → 32 CFR Part 117 becomes the enforceable rule for industry.
 
 
How 32 CFR Part 117 (NISPOM) Applies to You

You don’t need to memorize the regulation. But you do need to understand how it affects you day-to-day. Below are a few key tenets of the NISPOM requirements that apply to you:
 
Access is Based on “Need-to-Know”
  • Just having a clearance does not mean you can access all classified information. You must have both:
    • The proper clearance level, AND
    • A legitimate need-to-know
 
Safeguarding Information
  • Classified may not be accessed or discussed in unauthorized areas or on unauthorized devices
  • Both you and your organization bear responsibility for protecting classified from unauthorized disclosure
  • Both you and your organization are responsible for ensuring classified information is properly secured, marked, handled, and stored
  • Failure to protect classified information can result in civil or criminal penalties
  • If you hold a security clearance, you are required to complete security training and briefings commensurate with your involvement with classified information, prior to access and annually thereafter
  • Your organization is required to have a written Security Standard Practice Procedures (SPP) manual that is available to all company personnel
  • You are responsible for ensuring that you understand any security requirements that apply to you
 
Reporting Requirements
  • Your organization has many different types of reporting requirements
  • You also have requirements for reporting relevant information about yourself and others
  • You must complete training regarding your reporting requirements
  • If you are unsure whether you should report something, contact your organization’s FSO. When in doubt, report it.
 
Insider Threat Awareness
  • Your organization is required to have a written Insider Threat Program that is available to all company personnel
  • You are required to complete insider threat awareness training
  • You are responsible for recognizing concerning behaviors and reporting potential insider threat concerns to your organization’s insider threat program senior official (ITPSO)
 
You don’t have to be a security expert—but you are personally responsible for taking your security training seriously, contacting your organization’s Facility Security Officer (FSO) if you have questions or concerns, and protecting classified information.
 
 
Why 32 CFR Part 117 (NISPOM) Matters

The NISPOM applies to all U.S. contractor facilities that have been granted authorization to access classified information (known as a facility clearance, or FCL) and to the individuals who work for these organizations, even if you are not personally handling classified material right now.
 
When an organization is granted an FCL, it signs the DD Form 441, Department of Defense Security Agreement. By signing the DD-441, the organization agrees to follow all government security requirements for safeguarding classified information and to ensure its personnel understand and comply with these requirements.
 
When an individual is granted a personnel security clearance (PCL), they don’t just receive permission to access classified information; they also sign the SF-312, Classified Information Nondisclosure Agreement. The SF-312 is a lifelong legal agreement. By signing it, you agreed that you would:
  • Protect classified information from unauthorized disclosure
  • Follow all government rules for handling classified material
  • Never disclose classified information without proper authorization
  • Accept that violations could result in administrative, civil, or criminal penalties
 
32 CFR Part 117 (NISPOM) is one of the key regulations that defines what those responsibilities look like, in practice, for contractors and individuals. In other words:
  • The DD-441 is the organization’s formal agreement to follow government security requirements.
  • The SF-312 is your personal legal promise.
  • The NISPOM explains how you keep that promise on the job.
 
Failing to follow these rules can result in:
  • Suspension or revocation of your clearance
  • Loss of employment
  • Damage to national security
  • Civil or criminal penalties that could include financial penalties and criminal prosecution
 
Understanding the NISPOM helps you know what is required of you as a person working for or with a cleared contractor facility. It helps cleared individuals honor the agreement that they signed, and it protects you, your career, and your country.
 
Think of the NISPOM as the official playbook for protecting national security information in industry. If you ever have questions, your Facility Security Officer (FSO) is your best resource.
 
Protecting classified information isn’t just a rule, it’s everyone’s responsibility.
 
Resources and Additional Learning
  • 32 CFR Part 117 (NISPOM)
  • DCSA.mil – The NISPOM Rule
  • 32 CFR Part 2004 - National Industrial Security Program
  • E.O. 13526 - Classified National Security Information
  • E.O. 12829 - National Industrial Security Program
  • E.O. 10865 - Safeguarding Classified Information within Industry
  • E.O. 13587 - Structural Reforms To Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information
  • E.O. 13691 - Promoting Private Sector Cybersecurity Information Sharing
  • E.O. 12333 - United States Intelligence Activities
  • 42 U.S.C. 2011 - Title 42, The Public Health and Welfare
  • 50 U.S.C. Ch. 44 - Title 50, Chapter 44, National Security Act of 1947, as amended
  • Public Law 108-458 - Intelligence Reform and Terrorism Prevention Act of 2004
  • E.O. 12866 - Regulatory Planning and Review
  • E.O. 12968 - Access to Classified Information
  • E.O. 13563 - Improving Regulation and Regulatory Review
 
 
As always, if you have any questions...ask your FSO! Your company’s FSO is the best person to help you navigate any questions you have about security compliance, briefing, and reporting requirements. As security professionals, we are here to help you navigate all things security and ensure you fulfill all security requirements.
 
