Compliance Reference

32 CFR § 117.1

National Industrial Security Program Operating Manual (NISPOM)



What does 32 CFR § 117.1 require?

32 CFR Part 117 is the NISPOM — the federal regulation governing how cleared contractors handle classified information for the DoD and other federal agencies. NISPOM applies if your facility holds a Facility Security Clearance (FCL) and/or your employees hold personnel clearances. Requirements: facility clearance process, personnel clearance process, classified information handling, security training, incident reporting, and IT system security for classified networks. While 32 CFR 117 covers CLASSIFIED information handling, the Cybersecurity Maturity Model Certification (CMMC) framework — administered by DoD — covers UNCLASSIFIED Controlled Unclassified Information (CUI) under DFARS 252.204-7012 and the NIST SP 800-171 controls. Defense contractors typically need both NISPOM compliance (if cleared) AND CMMC certification (Level 1/2/3 depending on contract requirements).

Regulation text (summary)

32 CFR Part 117 codified the National Industrial Security Program Operating Manual (NISPOM) as federal regulation effective February 24, 2021 (previously published as DoD 5220.22-M). NISPOM applies to contractor facilities cleared by the Defense Counterintelligence and Security Agency (DCSA) to handle classified information. Requirements cover facility security clearances, personnel security clearances, classification management, security education and training, security violations and incidents, and information system security. NISPOM operationalizes National Security Council security policies.

Read full regulation at eCFR.gov

Who must comply with 32 CFR § 117.1?

Contractor facilities cleared by DCSA to handle classified information for the federal government — primarily Department of Defense contractors but also Department of Energy, Intelligence Community, and other federal agencies. Approximately 12,000+ cleared facilities in the US. Additionally, contractors handling unclassified CUI under DFARS 252.204-7012 must comply with NIST SP 800-171 (and CMMC certification at the appropriate level by 2028 phased implementation).

What happens if you violate 32 CFR § 117.1?

Security violations under NISPOM trigger DCSA enforcement actions: facility clearance suspension or revocation, contract termination, and ineligibility for future cleared work. Severe violations can include criminal prosecution for unauthorized disclosure of classified information. CMMC non-compliance under DFARS 252.204-7012 can result in contract default, payment withholding, suspension/debarment, and False Claims Act exposure.

Penalty range: $50,000–$5,000,000

Annual citations: ~380

YoY penalty trend: +12.4%

How to comply (implementation checklist)

  1. If handling classified: obtain Facility Security Clearance through DCSA sponsorship.
  2. Appoint a Facility Security Officer (FSO) and complete FSO training.
  3. Process personnel clearance requests through e-QIP and DCSA.
  4. Implement classified information handling per NISPOM Chapter 4.
  5. Conduct annual security education and refresher training.
  6. Report security violations within required timeframes.
  7. For classified IT systems, implement NISPOM Chapter 8 controls (now aligned with NIST SP 800-53).
  8. For unclassified CUI handling: implement NIST SP 800-171 controls (110 practices).
  9. Prepare for CMMC certification at the level required by your DoD contracts (1, 2, or 3).
  10. Maintain System Security Plans (SSP) and Plans of Action & Milestones (POA&M).
  11. Conduct annual CMMC self-assessment (or C3PAO assessment for Level 2+).

Common misinterpretations

  • Misinterpretation: 'NISPOM and CMMC are the same.' Reality: NISPOM (32 CFR 117) governs CLASSIFIED information. CMMC governs unclassified CUI for DoD contracts. Contractors with classified work need both. Contractors with only unclassified CUI need only CMMC. The distinction is whether the information itself is classified.
  • Misinterpretation: 'NISPOM applies to all federal contractors.' Reality: NISPOM applies to facilities cleared to handle classified information. Federal contractors without classified work and without a Facility Security Clearance don't need NISPOM compliance — they may need DFARS / CMMC for unclassified CUI.
  • Misinterpretation: 'Personnel clearances last forever.' Reality: Personnel security clearances must be periodically reinvestigated — Secret clearances every 10 years, Top Secret every 5 years, more frequently for some access levels. The DCSA Continuous Evaluation program monitors clearance holders between formal reinvestigations.
  • Misinterpretation: 'CMMC Level 1 is automatic.' Reality: CMMC Level 1 requires 17 NIST SP 800-171 practices and an annual self-assessment. Level 2 requires 110 practices and (for most contracts) third-party assessment by a C3PAO. Level 3 adds higher-trust practices and DCMA evaluation. None are automatic.

Real enforcement examples

Anonymized from public regulatory enforcement summaries. Penalty amounts reflect assessed and final settled values where disclosed.

Defense contractor received DCSA facility clearance suspension in 2024 after multiple security violations including unauthorized removal of classified information by an employee. Contractor incurred ~$2.4M in lost contract revenue during the suspension period and $850K in remediation costs.

Source: DCSA enforcement summary, anonymized

How FileFlo handles 32 CFR § 117.1

FileFlo's compliance rule-pack DOD-32CFR117 automatically checks every document you upload against this regulation. Auto-detects document type, parses key fields, sets renewal alerts, and surfaces this section in your audit binder if a gap is found.


Frequently asked questions

What is NISPOM?

National Industrial Security Program Operating Manual — the federal regulation (32 CFR Part 117 since 2021) governing how cleared contractors handle classified information for federal agencies, primarily the DoD. Covers facility clearances, personnel clearances, classified information handling, training, and IT security for classified networks.

How is NISPOM different from CMMC?

NISPOM (32 CFR 117) governs CLASSIFIED information handling by cleared contractors. CMMC (Cybersecurity Maturity Model Certification) governs unclassified Controlled Unclassified Information (CUI) handling by DoD contractors under DFARS 252.204-7012. NISPOM = classified. CMMC = unclassified-but-sensitive. Defense contractors with classified work need both.

What are the CMMC levels?

Level 1 (Foundational): 17 NIST SP 800-171 practices; annual self-assessment. Level 2 (Advanced): 110 NIST SP 800-171 practices; third-party assessment by a C3PAO for most contracts. Level 3 (Expert): Level 2 plus enhanced practices; DCMA-led assessment. The contract requirement dictates the level.

What is a Facility Security Clearance (FCL)?

DCSA-issued clearance authorizing a contractor facility to possess and use classified information at a specified level (Confidential, Secret, Top Secret). Required for any contractor performing classified work. Sponsored by the cleared customer (typically a DoD agency or prime contractor with a contract requiring classified access).

Who is the Facility Security Officer (FSO)?

The contractor-designated individual responsible for the facility's security program. FSO is the primary point of contact with DCSA. Required for every cleared facility. Must complete DCSA-approved FSO training within specified timeframes after appointment.

What is NIST SP 800-171?

NIST Special Publication 800-171, 'Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.' Specifies 110 security controls for safeguarding CUI. The basis for CMMC Level 2 and DFARS 252.204-7012 requirements. Updated regularly; current version is Revision 3 (2024).

Related regulations

32 CFR 117.5, 32 CFR 117.7, 32 CFR 117.10, 32 CFR 117.15

Author

Chad Griffith

Founder + CEO, FileFlo · Defense + Aviation operations background


Sources + reviewer

Primary source: eCFR.gov: 32 CFR § 117.1

Reviewed by Chad Griffith (Founder + CEO, FileFlo) on

Disclaimer: This page summarizes a federal regulation in plain English. FileFlo is not a law firm; this is not legal advice. The regulation text and primary sources at eCFR.gov are authoritative. Consult qualified counsel for advice specific to your operation.