Action Kit: NISP FOCI Regulation Removal

Event: National Industrial Security Program (NISP) Foreign Ownership, Control, or Influence (FOCI) Regulation Consolidation

Severity: HIGH

Impact Area: Facility Security Clearances, FOCI Mitigation, Industrial Security Compliance

---

Immediate Actions (This Week)

• [ ] Identify all active Facility Clearance (FCL) documentation referencing the now-obsolete DoD (Department of Defense) NISP FOCI regulations and flag for review
• [ ] Notify your Facility Security Officer (FSO) and legal counsel about the regulatory consolidation to NARA/ISOO authority
• [ ] Review current FOCI mitigation instruments (Proxy Agreement, Voting Trust Agreement, Special Security Agreement, or Board Resolution) to ensure they reference the correct regulatory authority
• [ ] Check all pending FCL applications or renewals to verify they cite NARA's 32 CFR Part 2004 rather than the obsolete DoD regulation
• [ ] Audit internal security policies and procedures for references to the removed DoD NISP FOCI rule and create a remediation list

Short-Term Actions (30 Days)

• [ ] Update all facility security documentation including security plans, FOCI mitigation agreements, and FSO manuals to reflect NARA/ISOO as the sole regulatory authority
• [ ] Conduct FSO training session on the regulatory consolidation and ensure understanding of the single-source NARA framework
• [ ] Review and update contract security classification guides (DD Form 254) templates to remove obsolete regulatory citations
• [ ] Coordinate with Defense Counterintelligence and Security Agency (DCSA) field representatives to confirm your facility's FOCI posture remains compliant under the consolidated framework
• [ ] Update proposal boilerplate language related to facility clearances, FOCI status, and industrial security compliance to reference current regulations
• [ ] Revise employee security training materials to eliminate confusion between duplicate regulatory frameworks

Long-Term Actions (90+ Days)

• [ ] Establish quarterly compliance reviews with legal and security teams to monitor NARA/ISOO guidance updates and ensure ongoing alignment
• [ ] Integrate the consolidated NISP framework into your annual security self-inspection program and DCSA vulnerability assessment preparation
• [ ] Develop a regulatory change management protocol for future NISP updates, ensuring cross-functional teams (contracts, legal, security, capture) receive coordinated briefings
• [ ] Evaluate whether your FOCI mitigation structure remains optimal under the streamlined regulatory environment; consult with DCSA and legal counsel if restructuring could reduce administrative burden
• ] **Build a centralized regulatory reference library** within your [Secure Operations Guide (/insights/secure-operations-guide) framework that automatically updates when NARA publishes NISP amendments

---

Compliance Checklist

This regulatory consolidation requires verification that your facility security posture aligns with the single authoritative source (NARA 32 CFR Part 2004):

• [ ] Facility Clearance (FCL) documentation cites NARA 32 CFR Part 2004, not obsolete DoD regulations
• [ ] FOCI mitigation instruments (SSA, Proxy, Voting Trust, Board Resolution) reference current NARA authority
• [ ] Certificate Pertaining to Foreign Interests (SF-328) submissions reflect accurate regulatory framework
• [ ] Security classification guides (DD Form 254) and contract clauses cite correct NISP regulations
• [ ] Insider Threat Program documentation aligns with NARA's NISP requirements for FOCI entities
• [ ] Employee security briefings and training materials updated to eliminate obsolete regulatory references
• [ ] Subcontractor flow-down clauses for classified work reference the consolidated NARA framework
• [ ] Annual DCSA self-inspection checklists updated to reflect single regulatory source
• [ ] Corporate governance documents (for FOCI-mitigated entities) align with NARA's current NISP standards
• [ ] Proposal compliance matrices for classified solicitations cite accurate industrial security regulations

For contractors handling Controlled Unclassified Information (CUI (Controlled Unclassified Information)) alongside classified work, ensure your CUI-Safe CRM Guide (/insights/cui-safe-crm-guide) protocols remain distinct from NISP requirements while maintaining complementary security postures. Review the CMMC (Cybersecurity Maturity Model Certification) Compliance Guide (/insights/cmmc-compliance-guide) to confirm your cybersecurity framework supports both NISP facility clearance requirements and DFARS (Defense Federal Acquisition Regulation Supplement) 7012/CMMC obligations.

---

Resources

• NARA 32 CFR Part 2004 (Authoritative NISP FOCI Regulation): Federal Register Final Rule (https://www.federalregister.gov/documents/2020/12/21/2020-27931/national-industrial-security-program)
• DCSA NISP Central Page: https://www.dcsa.mil/is/nisp/ (https://www.dcsa.mil/is/nisp/)
• ISOO NISP Implementation Guidance: https://www.archives.gov/isoo/security-classification-forms (https://www.archives.gov/isoo/security-classification-forms)
• DoD Removed Regulation (Historical Reference): 32 CFR Part 117 (now obsolete)
• SF-328 Certificate Pertaining to Foreign Interests: GSA (General Services Administration) Forms Library (https://www.gsa.gov/forms)

---

How Cabrillo Club Automates This

Cabrillo Signals War Room detected this NISP regulatory consolidation within minutes of Federal Register publication and delivered this briefing to your dashboard. The War Room continuously monitors DoD, NARA, DCSA, and ISOO sources for industrial security policy changes, ensuring your team never misses critical updates that affect facility clearances or FOCI compliance. When regulatory duplications are removed like this, War Room flags the change as HIGH severity and cross-references your active contracts requiring facility clearances.

Cabrillo Signals Intelligence Hub is already tracking all DoD and IC agencies with active classified solicitations on SAM.gov (System for Award Management). Configure a saved search for opportunities requiring facility clearances (NAICS codes 541330, 541512, 541715, 336411, and others in your portfolio) to receive instant alerts when new RFPs appear that will require updated FOCI compliance documentation. The Intelligence Hub correlates this regulatory change with contract vehicles like GSA OASIS, SEWP, and agency-specific classified IDIQs where your FCL status is a competitive differentiator.

Proposal Studio (Proposal OS) automatically updates your compliance matrix templates to reference NARA 32 CFR Part 2004 instead of obsolete DoD regulations. When you respond to classified solicitations, Proposal OS pulls your current FCL status, FOCI mitigation structure, and DCSA inspection history from your past performance library to generate accurate organizational capability statements. The AI-powered drafting engine ensures your security posture narrative aligns with the consolidated NISP framework, eliminating the risk of citing outdated regulatory authorities in Section L compliance responses.

Proposal Studio Workflow Tracker routes this regulatory change notification to your FSO, contracts director, and legal counsel through the 9-gate capture workflow. When you enter Gate 3 (Solution Development) for classified opportunities, Workflow Tracker automatically triggers a compliance checkpoint to verify your DD Form 254 templates and security classification guides reference current NARA regulations. The audit-ready documentation package includes timestamped evidence that your team reviewed and implemented this regulatory consolidation before proposal submission.

Explore these features in your Cabrillo Club dashboard to ensure your facility security compliance stays ahead of regulatory changes. Navigate to War Room > Policy Alerts to review the full regulatory impact analysis, or visit Intelligence Hub > Saved Searches to configure automated monitoring for classified opportunities where your updated NISP compliance creates competitive advantage.

---