Federal Register: National Industrial Security Program

TL;DR

The Department of Defense is removing its duplicative National Industrial Security Program (NISP) regulations governing Foreign Ownership, Control, or Influence (FOCI) procedures for cleared contractors. This final rule eliminates DoD (Department of Defense)'s redundant oversight in favor of centralized administration by NARA's Information Security Oversight Office (ISOO), which already maintains authoritative NISP regulations. Cleared contractors operating under facility security clearances (FCLs) must now reference ISOO's 32 CFR Part 2004 as the sole regulatory authority for FOCI mitigation instruments, ownership reporting, and industrial security procedures. This consolidation does not change substantive FOCI requirements but eliminates regulatory duplication that has created compliance confusion.

Key Points

What happened: DoD published a final rule removing its NISP FOCI regulations (32 CFR Part 117) because they duplicate NARA ISOO's authoritative regulations at 32 CFR Part 2004, which govern all Executive Branch NISP implementation.
Who is affected: All cleared defense contractors holding facility security clearances (FCLs), particularly those with foreign ownership exceeding 5%, companies operating under Special Security Agreements (SSAs), Proxy Agreements, Voting Trust Agreements, or other FOCI mitigation instruments across DoD, DOE, NRC, and intelligence community contracts.
Timeline: The rule is effective immediately upon Federal Register publication. Contractors must immediately begin citing 32 CFR Part 2004 (ISOO regulations) rather than 32 CFR Part 117 (now-obsolete DoD regulations) in all compliance documentation, FSO procedures, and FOCI mitigation filings.
What contractors should do NOW: Audit all security procedures, compliance matrices, and proposal templates to replace references to 32 CFR Part 117 with 32 CFR Part 2004. Update Facility Security Officer (FSO) training materials, FOCI mitigation documentation, and DD Form 441 submissions to reflect the correct regulatory authority. Review your Secure Operations Guide (/insights/secure-operations-guide) and ensure your CMMC (Cybersecurity Maturity Model Certification) Compliance Guide (/insights/cmmc-compliance-guide) references are current.

Who Is Affected

Contractor Segments:

Cleared defense contractors with FCLs at Confidential, Secret, or Top Secret levels
Companies with foreign ownership, control, or influence requiring mitigation
Prime contractors and subcontractors performing classified work
Firms operating under SSAs, Proxy Agreements, or Voting Trust Agreements
Small businesses in the Defense Industrial Base (DIB) with security clearances

NAICS Codes (primary exposure):

336411 (Aircraft Manufacturing)
336414 (Guided Missile and Space Vehicle Manufacturing)
541330 (Engineering Services)
541512 (Computer Systems Design Services)
541715 (R&D in Physical, Engineering, and Life Sciences)
334511 (Search, Detection, Navigation Instruments)
336992 (Military Armored Vehicle Manufacturing)
541690 (Other Scientific and Technical Consulting)

Agencies:

Department of Defense (all components)
Department of Energy (NNSA classified programs)
Nuclear Regulatory Commission
Intelligence Community agencies (CIA, NSA, NGA, DIA, NRO)
Department of Homeland Security (classified programs)

Contract Vehicles:

How ready are you for CMMC?

Take our free readiness assessment. 10 questions, instant results, no email required until you want your report.

Check Your CMMC Readiness

GSA (General Services Administration) Schedule 70 (IT solutions with classified requirements)
OASIS/OASIS+ (particularly Pool 1 classified task orders)
SeaPort-NxG (Navy classified services)
ASTRO (Army classified IT)
Alliant 2 (classified mission support)
Agency-specific IDIQs with classified task orders

Frequently Asked Questions

Q: Does this rule change my company's FOCI mitigation requirements or obligations?

No. The substantive FOCI requirements remain identical. This rule only eliminates DoD's duplicative regulations in favor of NARA ISOO's authoritative version at 32 CFR Part 2004. Your SSA, Proxy Agreement, Voting Trust Agreement, or other FOCI mitigation instrument remains in full force. However, you must now cite 32 CFR Part 2004 as the regulatory authority in all documentation, not the obsolete 32 CFR Part 117. Your FSO should immediately update compliance matrices, security procedures, and training materials to reference the correct regulation.

Q: Will my Defense Counterintelligence and Security Agency (DCSA) field office change how they administer my FCL?

No. DCSA field operations remain unchanged. Industrial Security Representatives (ISRs) will continue conducting security reviews, processing SF-328 ownership changes, and administering FOCI mitigation instruments using the same procedures. The only difference is that DCSA now operates exclusively under ISOO's 32 CFR Part 2004 authority rather than maintaining parallel DoD regulations. Your ISR remains your primary point of contact for all FCL and FOCI matters.

Q: Do I need to refile my FOCI mitigation instrument or amend my DD Form 441?

Not solely because of this regulatory change. Existing FOCI mitigation instruments remain valid. However, if you submit new or amended FOCI documentation (ownership changes triggering SF-328 updates, SSA modifications, or new mitigation proposals), ensure all regulatory citations reference 32 CFR Part 2004. Proactively update your internal compliance documentation to avoid confusion during your next DCSA security review. Contractors should also review their CUI (Controlled Unclassified Information)-Safe CRM Guide (/insights/cui-safe-crm-guide) to ensure ownership data systems properly track FOCI thresholds.

Definitions

NISP (National Industrial Security Program): Executive Branch program established by Executive Order 12829 to safeguard classified information released to contractors, licensees, and grantees of the U.S. Government. Administered by NARA's ISOO with oversight of agency implementation.
FOCI (Foreign Ownership, Control, or Influence): Situation where a cleared contractor's ownership, management, or operations could result in unauthorized access to classified information or adversely affect performance on classified contracts. Typically triggered when foreign ownership exceeds 5% or foreign nationals hold key management positions.
ISOO (Information Security Oversight Office): Office within the National Archives and Records Administration (NARA) responsible for implementing and monitoring Executive Branch compliance with classified information protection, including NISP oversight and policy development.
FCL (Facility Security Clearance): Administrative determination that a contractor facility is eligible for access to classified information at a specified level (Confidential, Secret, or Top Secret). Granted by DCSA after security review and requires continuous compliance with NISP requirements.
SSA (Special Security Agreement): FOCI mitigation instrument used when foreign ownership or control exists but the company can implement security measures (board resolutions, inside directors, technology control plans) to insulate classified work from foreign influence without divesting ownership.
32 CFR Part 2004: Code of Federal Regulations title containing NARA ISOO's authoritative NISP regulations, now the sole regulatory reference for all Executive Branch agencies including DoD. Supersedes agency-specific NISP regulations.
DCSA (Defense Counterintelligence and Security Agency): DoD agency responsible for administering the NISP for DoD and 30+ other federal agencies. Conducts security clearance investigations, grants FCLs, and monitors contractor compliance with industrial security requirements.

Intelligence Response

Cabrillo Signals War Room detected this Federal Register publication within minutes of NARA posting and automatically classified it as HIGH severity based on its impact to cleared contractors across the Defense Industrial Base. The platform's regulatory change monitoring continuously scans Federal Register, agency policy memoranda, and DCSA guidance to identify shifts in NISP, FOCI, CMMC, and other compliance frameworks that affect proposal strategy and capture positioning.

Immediate Platform Actions:

Cabrillo Signals Intelligence Hub should be configured to track follow-on guidance from DCSA, ISOO policy clarifications, and agency-specific implementation memoranda. Set up saved searches for solicitations requiring FCLs in your target NAICS codes (particularly 336411, 541330, 541512) to identify opportunities where updated FOCI compliance documentation may provide competitive advantage. The Intelligence Hub's agency tracking will flag when DoD components issue updated security requirements guides or DD Form 254 templates reflecting the new regulatory citations.

Proposal Studio (Proposal OS) compliance matrices must be updated immediately. The AI-powered compliance engine should be retrained to flag any proposal content citing 32 CFR Part 117 as outdated. Update your win theme library to emphasize your company's proactive regulatory compliance and FSO training on current ISOO regulations. The bid/no-bid decision engine should weight FOCI-related risk factors based on 32 CFR Part 2004 thresholds, particularly for opportunities requiring Top Secret FCLs or work with foreign-owned competitors.

Proposal Studio Workflow Tracker should trigger an immediate compliance audit gate for all active proposals involving classified requirements. Route to your FSO and Contracts Director for verification that Section L compliance matrices, organizational conflict of interest representations, and security capability narratives reference 32 CFR Part 2004. The audit-ready documentation feature ensures all regulatory citations are traceable to current authority.

Notification Chain:

Chief Security Officer / FSO — Must immediately update facility security procedures, FOCI mitigation documentation, and training materials. Responsible for coordinating with DCSA ISR to confirm no additional filings required.
Capture Managers — Need to audit active pursuits for outdated regulatory citations in compliance matrices, past performance narratives, and security capability descriptions. Must brief proposal teams on correct references.
Proposal Directors — Should update all proposal templates, boilerplate security sections, and compliance checklists to reflect 32 CFR Part 2004 as sole authority. Coordinate with FSO on updated security capability narratives.
Business Development VPs — Must understand that competitors may not have updated their compliance documentation, creating differentiation opportunity in proposals emphasizing current regulatory knowledge.
General Counsel / Contracts Director — Should review all teaming agreements, subcontractor flow-downs, and FOCI-related representations to ensure correct regulatory citations in future contract vehicles.

First 48-Hour Playbook:

Hour 0-4: FSO conducts emergency audit of all active FOCI mitigation instruments (SSAs, Proxy Agreements, Voting Trust Agreements) to identify documents citing 32 CFR Part 117. Capture team pulls all active proposals with classified requirements for compliance matrix review. Proposal Director freezes all security-related boilerplate until updates complete.

Hour 4-12: FSO drafts updated facility security procedures and FOCI compliance documentation referencing 32 CFR Part 2004. Proposal team updates compliance matrices for all active pursuits with submission deadlines within 30 days. Business Development reviews pipeline in Cabrillo Signals Match Engine to identify upcoming opportunities where security clearance capability is a discriminator.

Hour 12-24: General Counsel reviews teaming agreements and subcontractor flow-downs for regulatory citation updates. Proposal Director updates all templates in Proposal Studio library. FSO schedules training session for cleared employees on regulatory consolidation. Contracts Director coordinates with DCSA ISR to confirm no additional reporting required.

Hour 24-48: Capture Managers brief proposal teams on updated compliance approach and competitive positioning strategy. Business Development uses Cabrillo Signals Intelligence Hub to set up alerts for DCSA guidance updates and agency implementation memoranda. CFO reviews budget impact of any additional FSO training or compliance documentation updates. Executive leadership receives briefing on regulatory change and 30-day compliance verification plan.

---

Federal Register: National Industrial Security Program

Also in this intelligence package

TL;DR

Key Points

Who Is Affected

How ready are you for CMMC?

Frequently Asked Questions

Q: Does this rule change my company's FOCI mitigation requirements or obligations?

Q: Will my Defense Counterintelligence and Security Agency (DCSA) field office change how they administer my FCL?

Q: Do I need to refile my FOCI mitigation instrument or amend my DD Form 441?

Definitions

Intelligence Response

How ready are you for CMMC?

Continue reading

How ready are you for CMMC?