NISPOM

The National Industrial Security Program Operating Manual (NISPOM) — now titled 32 CFR Part 117 — establishes the rules for how cleared defense contractors must protect classified information. It covers personnel security, physical security, information security, and the overall management of classified programs within contractor facilities.

While the Cybersecurity Maturity Model Certification (CMMC) focuses on Controlled Unclassified Information (CUI), which is unclassified but sensitive, NISPOM covers classified information at the Confidential, Secret, and Top Secret levels. Companies with facility clearances must comply with NISPOM requirements in addition to any CUI/CMMC requirements.

Why It Matters

If your company holds or pursues a facility clearance for classified work, NISPOM compliance is mandatory. Understanding the distinction between NISPOM (for classified) and CMMC (for CUI) helps you manage both compliance programs effectively.