On December 21, 2020, the Department of Defense (“DoD”) published a final rule in the Federal Register that codifies the National Industrial Security Program Operating Manual (“NISPOM”) in the Code of Federal Regulations (“CFR”) at 32 CFR part 117. The rule will become effective on February 24, 2021, giving contractors six months from the effective date to comply with the changes. Comments on the proposed change are due by February 19, 2021.[1]
Continue Reading The NISPOM is Becoming a Regulation & Contractors Have Six Months to Comply

Most companies are worried about external threats – things that are coming at their people, their group, their company, their government, all from an outside actor. Like governments with an eye on counter-intelligence, however, savvy businesses realize that their employees can also pose a very real, internal threat. While an insider breach is not necessarily a common event, when it does happen, it tends to happen on a large scale. Last year, the FBI reported that when a malicious insider breach surfaced, it cost industry $412,000 per incident, on average. Over ten years, the average loss per industry is $15 million. And, unless you’ve been hiding under a rock, you know that the Government is not immune to insider breaches and the reputational impact to federal contractors resulting therefrom. Exacerbating, or perhaps facilitating, this threat is the manner in which companies (and governments) store, transfer, and maintain vital company records and data. With the right password and a $16 thumb drive, an intern can steal the corporate keys to the kingdom, and still be home in time for lunch. Simply put, all employers face the risk of insider threats, which are more perilous than ever in the computer age. Recognizing that internal threats are real, the issue, then, is how to stop these threats from manifesting. Learning from recent high-profile mistakes, the Government is trying to make sure its contractors stay ahead of the risk of an internal breach.
Continue Reading Cyber-Breach & NISPOM Conforming Change 2 – It’s What’s on the Inside That Counts

By Marko W. Kipa

We all now realize that, contrary to the pronouncements of certain pundits, the world is not economically flat.  But it is undeniable that its citizens and businesses are more economically connected than ever before. One manifestation of this interconnectedness is the increasing number of cross-border acquisitions of business enterprises. In most cases these transactions do not become the subject of public discussion or detailed government scrutiny.  But when foreign entities seek to purchase U.S. government contractors who perform classified national security work and therefore hold facility security clearances (“FCLs”), the U.S. Government is anxious to know, among other things, the extent to which the company is the subject of foreign ownership, control or influence (“FOCI”).  Being under FOCI can sound the death knell for a company’s ability to perform classified work, with consequent loss of business that may be critical to the company’s continued status as a going concern. But that outcome can often be avoided by development and submission of a FOCI mitigation plan which, if accepted either as submitted or modified, can enable the company to continue performance of national security work.
 Continue Reading Evaluating FOCI In The Context Of An M&A Transaction