Alert 10.01.20
DoD Issues Interim Rule Implementing CMMC Cyber Rules for all DoD Contractors
Once CMMC has been rolled out, nearly all DoD contractors will need to be assessed by a third party for the issuance of a CMMC Certificate.
Alert
Alert
01.07.21
The Department of Defense (DoD) recently issued a final rule adding the National Industrial Security Program Operating Manual (NISPOM) to the Code of Federal Regulations (CFR), effective February 24, 2021. The NISPOM is the U.S. government manual establishing requirements for the protection of classified information disclosed to or developed by contractors, licensees, grantees or certificate holders (collectively referred to as contractors) to prevent unauthorized disclosure of such information. The NISPOM was first published in 1995 as part of DoD Manual 5220.22. The final rule explains that the DoD will no longer issue DoD Manual 5220.22.
In addition to codifying the existing NISPOM, the final rule also incorporates the requirements of SEAD 3, ‘‘Reporting Requirements for Personnel with Access to Classified Information or Who Hold a Sensitive Position.’’ Among other things, SEAD 3 requires contractors to collect foreign travel data from cleared employees, provide pre- and post-travel briefings to those cleared employees when necessary, and report the foreign travel activities of these employees through the Cognizant Security Agency designated system of record for personnel security clearance data.
Another notable feature of the final rule is its implementation of provisions of Section 842 of the 2019 National Defense Authorization Act (NDAA) that affect certain cleared entities that are under Foreign Ownership, Control or Influence (FOCI). As one means of mitigating security risk, the U.S. government enters into Special Security Agreements (SSAs) with cleared entities that are under FOCI. Before passage of the 2019 NDAA, such entities were required to obtain a National Interest Determination (NID) as a condition for access to certain classified information. This can be a costly and burdensome requirement. The final rule eliminates the NID requirement for certain cleared entities operating under an SSA whose parent entities are located in a country that is part of the National Technology and Industrial Base (NTIB), such as the United Kingdom, Canada, Northern Ireland and Australia. Although this change will impact only a limited number of cleared entities, those entities will likely view this as a positive change that eliminates burden and expense and allows such entities to pursue opportunities without additional delay.
The final rule will go into effect on February 24, 2021. The DoD is accepting public comment until February 19, 2021. Under the final rule, cleared entities will have six months from the effective date (i.e., until August 2021) to evaluate each existing classified contract, determine if the new final rule has any impact on the existing contract, and discuss whether an equitable adjustment should be made to the contract.