32 CFR § 117.1 — National Industrial Security Program Operating Manual (NISPOM)
32 CFR — National Defense · DoD / DCSA
32 CFR Part 117 is the NISPOM, the federal regulation governing how cleared contractors handle classified information for the DoD and other federal agencies. NISPOM applies if your facility holds a Facility Security Clearance (FCL) and/or your employees hold personnel clearances. Its requirements cover the facility clearance process, the personnel clearance process, classified information handling, security training, incident reporting, and IT system security for classified networks. While 32 CFR 117 covers CLASSIFIED information handling, the Cybersecurity Maturity Model Certification (CMMC) framework, administered by DoD, covers UNCLASSIFIED Controlled Unclassified Information (CUI) under DFARS 252.204-7012 and the NIST SP 800-171 controls. Defense contractors typically need both NISPOM compliance (if cleared) AND CMMC certification (Level 1, 2, or 3 depending on contract requirements).
Regulation summary
32 CFR Part 117 codified the National Industrial Security Program Operating Manual (NISPOM) as federal regulation effective February 24, 2021 (previously published as DoD 5220.22-M). NISPOM applies to contractor facilities cleared by the Defense Counterintelligence and Security Agency (DCSA) to handle classified information. Requirements cover facility security clearances, personnel security clearances, classification management, security education and training, security violations and incidents, and information system security. NISPOM operationalizes National Security Council security policies.
Who must comply
Contractor facilities cleared by DCSA to handle classified information for the federal government: primarily Department of Defense contractors, but also contractors for the Department of Energy, the Intelligence Community, and other federal agencies. There are more than 12,000 cleared facilities in the US. Additionally, contractors handling unclassified CUI under DFARS 252.204-7012 must comply with NIST SP 800-171, with CMMC certification at the appropriate level phased in through 2028.
What happens if violated
Security violations under NISPOM trigger DCSA enforcement actions: facility clearance suspension or revocation, contract termination, and ineligibility for future cleared work. Severe violations can include criminal prosecution for unauthorized disclosure of classified information. CMMC non-compliance under DFARS 252.204-7012 can result in contract default, payment withholding, suspension/debarment, and False Claims Act exposure.
Implementation checklist
- If handling classified: obtain Facility Security Clearance through DCSA sponsorship.
- Appoint a Facility Security Officer (FSO) and complete FSO training.
- Process personnel clearance requests through e-QIP and DCSA.
- Implement classified information handling per NISPOM Chapter 4.
- Conduct annual security education and refresher training.
- Report security violations within required timeframes.
- For classified IT systems, implement NISPOM Chapter 8 controls (now aligned with NIST SP 800-53).
- For unclassified CUI handling: implement NIST SP 800-171 controls (110 practices).
- Prepare for CMMC certification at the level required by your DoD contracts (1, 2, or 3).
- Maintain System Security Plans (SSP) and Plans of Action & Milestones (POA&M).
- Conduct annual CMMC self-assessment (or C3PAO assessment for Level 2+).
Common misinterpretations
- Misinterpretation: 'NISPOM and CMMC are the same.' Reality: NISPOM (32 CFR 117) governs CLASSIFIED information. CMMC governs unclassified CUI for DoD contracts. Contractors with classified work need both. Contractors with only unclassified CUI need only CMMC. The distinction is whether the information itself is classified.
- Misinterpretation: 'NISPOM applies to all federal contractors.' Reality: NISPOM applies to facilities cleared to handle classified information. Federal contractors without classified work and without a Facility Security Clearance don't need NISPOM compliance — they may need DFARS / CMMC for unclassified CUI.
- Misinterpretation: 'Personnel clearances last forever.' Reality: Personnel security clearances must be periodically reinvestigated — Secret clearances every 10 years, Top Secret every 5 years, more frequently for some access levels. The DCSA Continuous Evaluation program monitors clearance holders between formal reinvestigations.
- Misinterpretation: 'CMMC Level 1 is automatic.' Reality: CMMC Level 1 requires 17 NIST SP 800-171 practices and an annual self-assessment. Level 2 requires 110 practices and (for most contracts) third-party assessment by a C3PAO. Level 3 adds higher-trust practices and DCMA evaluation. None are automatic.
Frequently asked questions
What is NISPOM?
National Industrial Security Program Operating Manual — the federal regulation (32 CFR Part 117 since 2021) governing how cleared contractors handle classified information for federal agencies, primarily the DoD. Covers facility clearances, personnel clearances, classified information handling, training, and IT security for classified networks.
How is NISPOM different from CMMC?
NISPOM (32 CFR 117) governs CLASSIFIED information handling by cleared contractors. CMMC (Cybersecurity Maturity Model Certification) governs unclassified Controlled Unclassified Information (CUI) handling by DoD contractors under DFARS 252.204-7012. NISPOM = classified. CMMC = unclassified-but-sensitive. Defense contractors with classified work need both.
What are the CMMC levels?
Level 1 (Foundational): 17 NIST SP 800-171 practices; annual self-assessment. Level 2 (Advanced): 110 NIST SP 800-171 practices; third-party assessment by a C3PAO for most contracts. Level 3 (Expert): Level 2 plus enhanced practices; DCMA-led assessment. The contract requirement dictates the level.
What is a Facility Security Clearance (FCL)?
DCSA-issued clearance authorizing a contractor facility to possess and use classified information at a specified level (Confidential, Secret, Top Secret). Required for any contractor performing classified work. Sponsored by the cleared customer (typically a DoD agency or prime contractor with a contract requiring classified access).
Who is the Facility Security Officer (FSO)?
The contractor-designated individual responsible for the facility's security program. The FSO is the primary point of contact with DCSA and is required for every cleared facility. The FSO must complete DCSA-approved FSO training within specified timeframes after appointment.
What is NIST SP 800-171?
NIST Special Publication 800-171, 'Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.' Specifies 110 security controls for safeguarding CUI. The basis for CMMC Level 2 and DFARS 252.204-7012 requirements. Updated regularly; current version is Revision 3 (2024).
Cross-references: 32 CFR 117.5 · 32 CFR 117.7 · 32 CFR 117.10 · 32 CFR 117.15
FileFlo tracks documents required by this regulation automatically:
Connect your folder or Drive — FileFlo classifies every document, maps it to the CFR section it satisfies, and alerts you before any expiration becomes a citation. Starter $89/mo, Professional $299/mo. 5-day free trial.
Authoritative source: eCFR.gov