NISPOM Best Practices: Taking a Page from the FOCI Mitigation Playbook.
Too many small businesses working in the classified space seek to squeak by in terms of NISPOM compliance. They ask, “What are the minimum requirements?” This is the wrong question, and it evinces a risky approach to information security. Contractors should seek to implement best practices, such as standing up an internal function modeled after a Government Security Committee (GSC).
The GSC is a unique child of the NISPOM. Developed to mitigate the security risks posed by certain companies under Foreign Ownership Control or Influence (FOCI), the GSC exists to place key matters relating to security under the careful management of qualified US citizens. Towards this end, the GSC ensures that the contractor maintains policies and procedures to safeguard classified and export controlled information entrusted to it. See NISPOM, DoD 5220.22-M (2-306(b)). The GSC represents a NISPOM best practice designed to promote procedural excellence and ensure information security.
A GSC performs significant compliance functions. It provides senior management, the Facility Security Officer (FSO), any Technology Control Officer (TCO), and other stakeholders with a forum to review and implement information security solutions. It oversees compliance with U.S. export control laws and regulations. And it can investigate and report possible regulatory violations. Also, given the voluntary nature of the GSC outside of the FOCI context, companies have wide latitude to tailor the GSC to their unique circumstances. For example, a GSC could ensure compliance with a contractor’s broader regulatory obligations, such as those relating to business ethics, internal controls, due diligence, and training (i.e. FAR 52.203-13). In this form, a GSC becomes a fully functioning Government Security and Compliance Committee (GSCC), providing a focal point for enterprise-wide information security and regulatory compliance.
In addition to its principal function as a compliance tool, a GSC (or a GSCC) may have indirect benefits. The existence of an existing GSC may expedite FOCI mitigation in the event that a foreign entity wishes to invest in your company in the future, making it a more attractive investment target at the margin. And the existence of a GSC may serve as a discriminator in your next proposal, particularly when you are competing for a contract with significant security requirements.
Asking how to minimally comply with the NISPOM is asking the wrong question. The better question is, “How does my company demonstrate—to both our employees and our customers—our strong commitment to information security and compliance?” While designed specifically to mitigate FOCI, a GSC represents a flexible, NISPOM-endorsed best practice with considerable direct and indirect benefits.
