As industry comes up on the one-year anniversary of the publication of Change 2 to the National Industrial Security Program Operating Manual (NISPOM)[1], a number of implementation deadlines are drawing near. This blog post briefly highlights key industrial security program requirements for cleared contractors to focus on.

1. Insider Threat Program Training Implementation Deadlines

Change 2 requires cleared contractors to appoint an Insider Threat Program Senior Official (ITPSO)[2] and implement an “insider threat” program[3] that will gather, integrate, and report relevant and available information indicative of a potential or actual insider threat.[4] Insider threat employee awareness training is now required for all cleared employees before being granted access to classified information and annually thereafter.

  • The suspense for the completion of training for those cleared employees currently accessing classified information is May 31, 2017.
  • After May 31, 2017, all cleared contractor employees must complete the employee awareness training prior to having access to classified information, and thereafter annually.[5]

2. Transition to New RMF Assessment Process for Classified Information Systems

Change 2 added specific cybersecurity language to the NISPOM and completely overhauled Chapter 8 on Information System security to bring the NISPOM in line with other unclassified federal information system security requirements.

  • A senior management official at the cleared facility must certify annually to DSS in writing that a self-inspection of classified information systems has been completed.[6] These self-inspection reports must be available to DSS during the company’s next security vulnerability assessment following the self-inspection.
  • Contractors must implement certain DSS-provided information system security controls on classified information systems in order to detect activity indicative of insider threat behavior.[7]
  • The former DSS Office of the Designated Approving Authority (ODAA) been renamed the National Industrial Security Program Authorization Office (NAO). The ODAA Process Manual for the Certification and Accreditation of Classified Systems has been renamed the DSS Assessment and Authorization Process Manual (DAAPM) and revised to reflect the updated NISPOM Change 2 language on “authorizing” classified information systems.
    • An authorizing official[8] is responsible for issuing an operational authorization decision (an “Authorization to Operate” (ATO)) for cleared contractor information systems based on the results of security assessment activities and the implementation of security controls provided in the DAAPM.
  • Both the NISPOM and the DAAPM have replaced the legacy Certification and Accreditation (C&A) processes applied to information systems with the approach embodied in the NIST Risk Management Framework (RMF).[9]
    • Contractor classified information systems with a security authorization package submitted before August 2016 continue using the C&A process in the ODAA Process Manual.[10]
    • Going forward, all expiring authorizations and submissions of new security authorization packages for contractor classified information systems must transition to the RMF and follow the DAAPM.

3. Use of New Version of Standard Form (SF) 328 Certificate Pertaining to Foreign Interests

OPM has issued a new version of the Standard Form (SF) 328,[11] which is used to gauge whether a company is under Foreign Ownership, Control, or Influence (FOCI).[12] Revisions to the form include:

  • the removal of the prior requirement for application of a corporate seal;
  • a single witness to the contractor representative signing the SF 328 is now required; and
  • the government representative that is accepting the SF 328 may not act as the witness.

However, the ten (10) FOCI questions on the front of the form have not changed at all. A notice on the DSS website provides the following guidance to contractors for completing the new SF 328 in the Electronic Facility Clearance System (e-FCL):

ATTENTION e-FCL USERS: e-FCL system updated with revised SF 328

On April 5, 2017, DSS announced that the SF 328, “Certificate Pertaining to Foreign Interests,” supporting the National Industrial Security Program was revised with a new issuance date of March 2017, under

In the e-FCL system, the previous version of the SF 328 remains available to complete via digital form. Contractors should:

  1. Continue completing the digital form in e-FCL as the questions on the form have not changed, and
  2. Complete and upload a signed copy of the revised SF 328 as part of the Initial or Change Condition Package.

Note: The print button for the digital form has been temporarily disabled.

A link to the revised SF 328 will be available in the system in the coming weeks. In June 2017, the e-FCL’s digital SF 328 will be updated to the revised version, and the print button will be re-enabled.

If you have any questions, please contact your assigned ISR.

Although the changes to the form do not affect any existing SF 328s on file in e-FCL, going forward a company should be signing and submitting the new version of the SF 328 for any “Initial” or “Changed Conditions” submission.