NISPOM Compliance Checklist: The Complete Guide for Cleared Contractors
A section-by-section NISPOM compliance checklist aligned to 32 CFR Part 117. Covers self-inspection prep, common DCSA findings, and how to fix gaps.
Every cleared contractor runs at least one self-inspection per year. That’s 32 CFR 117.7(h), and there’s no exception for small facilities, non-possessing FCLs, or the fact that you just had a DCSA security review last month.
The good news: if you work through a real checklist in advance, your self-inspection stops being a panic-inducing event and becomes a 90-minute walkthrough. The bad news: most of the checklists floating around the internet are either outdated (pre-2021, referencing the old DoD 5220.22-M), vague (“comply with Chapter 3”), or so long nobody finishes them.
This is the checklist I wish I’d had when I took my first FSO role. It’s organized the way DCSA actually inspects you — section by section, starting with the items most commonly found deficient — and it covers what 32 CFR Part 117 currently requires.
What NISPOM is now
The National Industrial Security Program Operating Manual is no longer a DoD directive. Since August 24, 2021 it’s codified as 32 CFR Part 117. The substance is largely the same, but a few practical differences matter for this checklist:
- Reporting requirements under 117.8 are now more prescriptive, particularly around adverse information and cyber incidents on covered contractor information systems.
- The Insider Threat Program is explicitly required under 117.7(b), not buried in a change notice.
- Continuous vetting under SEAD 3 and SEAD 4 is fully in effect — you don’t wait for a periodic reinvestigation anymore.
- Industrial Security Letters (ISLs) issued by DCSA remain binding even though the NISPOM is now a CFR rule.
Your Standard Practice Procedures (SPP) need to reflect the current rule. If yours still cites “NISPOM paragraph 1-300,” it’s out of date.
Who this checklist is for
You need this if:
- You’re the FSO at a facility holding an active FCL
- You’re preparing for a DCSA security review
- You’re running your annual self-inspection under 117.7(h)
- You just inherited an FSO role and want to know where the program actually stands
- You’re moving from non-possessing to possessing and need to understand the added safeguarding duties
You don’t need this if your facility doesn’t hold an FCL. The NISP only applies to cleared contractors.
How to use the checklist
Each section below lists the compliance items in the order DCSA typically reviews them. For each item:
- Mark it compliant, deficient, or not applicable (non-possessing facilities skip safeguarding-only items)
- If deficient, note the specific gap and the remediation action
- If the evidence lives in a document, note the document name and location
Run it on a quarterly cadence if you can. Most FSOs can’t, which is fine — annually is the regulatory floor.
Section 117.7 — General responsibilities
- FSO appointed in writing. A letter on company letterhead, signed by a senior officer, naming the FSO and acknowledging the security responsibilities.
- ITPSO (Insider Threat Program Senior Official) appointed. Can be the FSO at most smaller facilities. Required under 117.7(b).
- Insider Threat Program documented. Written plan, training records, and a process for receiving and responding to insider-threat concerns.
- Insider Threat annual training documented for every cleared employee.
- Self-inspection completed within the last 12 months. Records retained for DCSA review.
- SPP current. Reviewed and updated within the past year, or after any significant program change.
- SPP signed by the FSO and a senior officer.
- SPP distributed or posted where cleared employees can access it.
- Key Management Personnel (KMP) list current in NISS. Every officer who has authority to affect security matters is listed.
- SF 328s on file for all KMPs.
Section 117.8 — Reporting requirements
- Adverse information reports submitted within one business day of discovery. Arrests, bankruptcies, foreign contacts of concern, substance issues, and similar items.
- Suspicious contact reports on file.
- Cyber incident reports submitted within 72 hours for incidents on covered contractor information systems.
- Security violation file maintained with each violation’s root cause, disposition, and any reports to DCSA.
- Change in status of KMPs reported (departure, new KMP added, change in citizenship status).
- Foreign visit requests processed through NISS.
- Employees briefed on SEAD 3 self-reporting requirements (foreign travel, foreign contacts, arrest, financial issues, mental health concerns involving a direct threat, drug involvement).
Section 117.9 — Facility Clearance
- FCL active and at the correct level (Confidential / Secret / Top Secret).
- DD Form 441 security agreement on file.
- Commitment of Security Responsibility on file.
- NISS entity information current: address, phone, KMPs, classified storage, IS authorization.
- FOCI questionnaire (SF 328) reviewed at least annually for material changes.
- Any FOCI mitigation instrument (SCA, SSA, Proxy) still valid and audited per its terms.
Section 117.10 — Personnel clearances
- Clearance records current in DISS.
- Every cleared employee has a documented need-to-know for their access level.
- Initial indoctrination (SF 312) executed before first access to classified.
- Access terminated in DISS when an employee leaves or no longer requires access.
- Debrief executed at termination (documented and retained).
- Continuous vetting enrollment confirmed in DISS for all cleared employees.
Section 117.12 — Security training
- Initial security briefing delivered to every newly cleared employee before first access.
- Annual refresher training delivered to every cleared employee in the past 12 months.
- Derivative classifier training completed for any employee who derivatively classifies (refreshed every 2 years).
- FSO training requirements satisfied — current FSO completed DCSA curriculum within one year of appointment.
- ITPSO training satisfied — documented completion of DCSA’s Insider Threat curriculum.
- Training records retained per SPP (typically 2 years after employee departure or clearance termination).
- Debriefing records retained.
Section 117.13 — Classification
- Original Classification Authority (OCA) guidance on file for every contract with classified output.
- DD Form 254 current for every active classified contract.
- Security Classification Guides (SCGs) on file and accessible.
- Derivative classification decisions sourced to an SCG or to classified source material.
Section 117.14 — Marking
- Classified documents marked correctly: banner lines, portion marks, classification authority block, declassification instructions, derived-from line.
- Transmittals marked correctly (highest classification of contents on cover).
- Electronic documents carry portion markings and proper banners.
- Working papers marked and either destroyed within 180 days or permanently marked.
Section 117.15 — Safeguarding (possessing facilities only)
- GSA-approved security containers in use for classified storage.
- Container combinations changed on installation, on departure of anyone with the combo, and at least annually.
- SF 700 on file for each container.
- SF 702 activity logs maintained on every container and closed area.
- SF 701 end-of-day checks documented.
- Classified reproduction controlled per SPP.
- Classified destruction methods approved (NSA/CSS-evaluated shredder, disintegrator, etc.).
- Receipt and transmission records maintained.
- Closed areas (if any) approved by DCSA with documentation.
Section 117.16 — Visits
- Outgoing visit requests submitted through DISS / NISS with need-to-know justification.
- Incoming visit certifications received before classified discussion.
- Visitor log maintained where required by SPP.
Section 117.17 — Subcontracting
- DD Form 254 issued to every classified subcontractor before they access classified.
- Subcontractor FCL verified in NISS.
- Classified bid packages controlled.
Section 117.18 — Information system security
- Any classified IS has a current Authority to Operate (ATO) issued by the government customer or DCSA.
- ISSM appointed in writing.
- System Security Plan (SSP) current and matches actual configuration.
- POA&M active for any unresolved findings.
- Removable media controlled per SSP.
- Audit logs reviewed on the cadence specified in the SSP.
How to run the actual self-inspection
Block 90 minutes on the calendar. Walk through the checklist in order, in the space where the program lives — not at your desk, but at the containers, in the SCIF, in the file cabinet holding the SPP. Take photos of evidence. For anything deficient, write a one-line corrective action with a date.
When you’re done, produce two documents:
- The completed checklist itself, with deficiencies flagged
- A self-inspection report summarizing the results, any deficiencies, corrective actions, and the date each action is expected to close
Retain both for at least the next self-inspection cycle. DCSA will ask for the most recent inspection and the one before it.
If you’d rather not build your own workbook, there’s a structured, fillable checklist with the same items organized by priority available at the NISP self-inspection checklist download.
Common DCSA findings (and how to avoid them)
Across DCSA security reviews in the last few years, the same handful of findings show up again and again.
1. SPP not updated. The facility’s SPP references old NISPOM paragraphs or doesn’t reflect a change — new contract type, new classified system, new closed area. Fix: review the SPP annually and after every material change. Track it in a living document with a revision history.
2. Adverse information not reported. The FSO knew about an employee arrest three weeks before reporting it. 117.8 requires reporting within one business day of discovery. Fix: train HR, legal, and managers to route anything that sounds adverse straight to the FSO the day it surfaces.
3. Insider Threat Program under-documented. The program exists in practice but there’s no written plan, no evidence of training, and no indicator list. Fix: a two-page written ITP plus a training record log is the minimum DCSA wants to see.
4. Initial briefing missing. Employees accessed classified before their SF 312 briefing was on file. Fix: make the SF 312 and initial briefing a blocking step in onboarding — no badge or system account until both are executed.
5. Annual refresher training incomplete. One or two employees always slip the window. Fix: set a recurring training month, track completion in a shared log, escalate non-completers to the hiring manager.
6. Classified marking errors. Missing portion marks, wrong classification authority block, wrong declassification instructions. Fix: require derivative classifiers to use a marking template and run a quarterly sample review.
7. Combination changes missed. Someone with the combo left, and the combination wasn’t changed. Fix: include combination change in the termination checklist.
How to fix gaps
When the checklist turns up deficiencies — and it will — work through them in this order:
- Safety first. Anything affecting classified information directly (missing marking, uncontrolled reproduction, open containers) gets fixed today.
- Reporting gaps next. If there’s an unreported adverse information item or an overdue cyber incident report, submit it now. Self-reporting late is better than not at all.
- Documentation third. SPP updates, training logs, appointment letters. These take longer to clean up but don’t represent an active security exposure.
- Process fourth. If the same gap keeps recurring, redesign the workflow so compliance is the default. This is where the job stops being reactive.
Each gap fix goes in the self-inspection report with a target close date. Ideally everything is closed before the next self-inspection; at minimum, closure is tracked and evidenced.
What a mature SPP looks like
Your SPP is the document every other part of the program references. A mature SPP includes: the organization’s security policy statement, the FSO and ITPSO appointments, descriptions of each procedure (indoctrination, briefing, marking, safeguarding, reporting), training requirements, and the self-inspection methodology. It should be specific enough that a new FSO could run the program from the SPP alone.
If you want the structure, step by step, it’s laid out in the Standard Practice Procedures guide.
Frequently asked questions
How often does NISPOM require a self-inspection? At least once every 12 months per 32 CFR 117.7(h). Quarterly is better practice at facilities with active classified work.
Does a non-possessing FCL need to do all of this? Most of it. You skip safeguarding items (117.15), most of 117.14 marking, and classified IS items (117.18). You still run the full reporting, training, PCL, and SPP program.
Can DCSA show up without notice? DCSA typically schedules security reviews in advance. Unannounced visits happen but they’re rare. The point of the self-inspection isn’t to prepare for a surprise — it’s to catch and fix gaps before a scheduled review.
Is the checklist the same for every DoD customer? The NISPOM applies the same way regardless of customer. Individual contracts can layer additional security requirements on top via the DD 254. Check the DD 254 for each active contract.
What’s the penalty for a finding? Most findings result in a corrective action plan. A pattern of findings or a serious single finding (loss of classified, FOCI not reported) can put the FCL in jeopardy and, in extreme cases, cause suspension or revocation.
Next steps
If you just ran through the checklist and have a page of deficiencies, you’re where most FSOs are the first time they run it honestly. Take the list, write the fix for each one, put the dates on a calendar, and close them one at a time. The job isn’t to be perfect — it’s to have a program that catches its own problems and fixes them before DCSA does.
If you want the same checklist in a fillable workbook you can bring into a DCSA review, grab the self-inspection checklist download.