
32 Code of Federal Regulation (CFR) Part 117, The New Version of the National Industrial Security Program Operating Manual (NISPOM)


The change of the National Industrial Security Program Operating Manual (NISPOM) from a DoD manual to a federal rule, effective February 24, 2021, is significant and more than just a name change. With the codification came changes that essentially gave NISPOM more enforcement, authority, and overall accountability.

Per DCSA, the rule, referred to as the “NISPOM rule,” gives the contractor no more than six months from this effective date to comply with the requirements stipulated therein. The NISPOM rule replaces the NISPOM previously issued as a DOD policy (DOD 5220.22-M), which is to be revoked shortly after the allotted six-month implementation period ends.

The rule implements policy, assigns responsibilities, establishes requirements, and provides procedures consistent with Executive Order 12829, “National Industrial Security Program;” Executive Order 10865, “Safeguarding Classified Information within Industry;” and 32 Code of Federal Regulations Part 2004, “National Industrial Security Program.” That guidance outlines the protection of classified information that is disclosed to, or developed by, contractors of the U.S. Government.

Are you compliant with 32 Code of Federal Regulation Part 117, NISPOM?

To ensure compliance, DCSA recommends the following:

  • Step 1: Download the 32 CFR Part 117 Cross Reference Tool from
  • Step 2: Familiarize yourself with the new rule’s language, paying close attention to the sections covering the key changes previously pointed out.
  • Step 3: Look forward to additional clarification and guidance provided in upcoming Industrial Security Letters (ISLs) addressing topics such as "32 CFR Part 117 Implementation," "SEAD 3 Reporting Requirements Implementation," "TS Accountability," and others.
  • Step 4: If you have not already done so, take immediate action to prepare during the 6-month implementation period by updating and enhancing your practices and procedures as necessary, and by ensuring that those in your organization affected by the NISPOM are aware of what will be expected of them under 32 CFR Part 117.

About Arlington

We are Arlington, Incorporated (Arlington), a team of innovative, solution-oriented, highly agile, and well-versed professionals with decades of experience in working with America’s defense industry. From emerging cybersecurity regulations to helping our clients solve complex security & compliance solutions – and so much more – you can trust Arlington, the firm that’s Dedicated to Defense®.  Learn more at