
NISPOM Reporting Requirements: What FSOs Must Report to DCSA and When

Complete breakdown of NISPOM reporting requirements under 32 CFR 117.8 — the 13 categories of reportable events, who reports, timelines, and how to document reporting.

By Jean Baptiste

Half of the findings DCSA issues trace back to a single root cause: something happened, it should have been reported, and it wasn’t. Not because the FSO ignored it — but because the reporting obligation didn’t get recognized as a reporting obligation.

The reporting requirements under 32 CFR 117.8 are the most easily missed obligations in the NISPOM. They don’t announce themselves. An employee mentions their spouse is from a different country. A KMP retires quietly. An adverse information item shows up in a personnel file and sits there. Each of these can trigger a report. Each of them is easy to miss if you don’t have reporting built into your routine.

This is the working breakdown. The 13 categories, who reports what, the timelines that matter, and how to build a reporting program that DCSA will not find deficient.

Why reporting matters more than most FSOs think

Reporting is how the government maintains situational awareness of risk across the 12,000+ cleared facilities in the NISP. When you report a foreign contact, DCSA doesn’t just note it — they integrate it into continuous evaluation for your personnel and counterintelligence analysis for the community. When you report a KMP change, they update DISS and reassess your FCL’s governance.

A program that doesn’t report is a blind spot. The government can’t rely on you if they can’t see what’s happening at your facility. That’s why reporting deficiencies escalate quickly in findings — it’s not just a paperwork miss, it’s a trust issue.

Most small cleared contractors under-report not because they’re trying to hide things, but because:

  • Adverse information sits in HR files that never cross the FSO’s desk
  • Employees don’t know what they’re required to self-report under SEAD-3
  • Foreign travel happens and no one connects it to a reporting obligation
  • KMP changes happen in leadership transitions that nobody routes through security
  • Cyber incidents are handled by IT without a reporting handoff to the FSO

Fix the handoffs, and you fix the reporting. The rest is writing things down.

The 13 categories under 117.8

The reporting requirements fall into 13 categories. Each has specific triggers and timelines. Here’s the working breakdown:

1. Adverse Information

Any information that reflects unfavorably on the trustworthiness of a cleared employee or applicant — criminal conduct, significant financial issues, foreign influence concerns, substance abuse, mental health concerns affecting judgment, patterns of rule violations, or security violations.

Who reports: FSO to DCSA through DISS (or the current reporting system).

Timeline: As soon as practicable after the FSO becomes aware — typically within days, not weeks.

Common miss: The FSO doesn’t see the HR disciplinary file. Build an HR-to-FSO handoff into your personnel security procedures.

2. Suspicious Contacts

Any contact that could be an attempt to obtain unauthorized access to classified information or otherwise compromise a cleared employee. Includes foreign nationals attempting to establish relationships, unusual information requests, suspicious online contacts, and recruitment attempts.

Who reports: Employee to FSO. FSO to DCSA.

Timeline: Employee reports to FSO immediately (same-day expectation). FSO reports to DCSA within the timeframe documented in the current DCSA guidance.

Common miss: Employees don’t recognize suspicious contacts. The annual briefing should include specific examples — LinkedIn “research opportunities” from obvious foreign intelligence accounts, “invitations” to foreign conferences with unusual access offered, etc.

3. Changes Affecting the FCL

Any change to the contractor’s organization that could affect the Facility Clearance — ownership changes, mergers, acquisitions, changes in senior management structure, bankruptcy, material changes in FOCI status.

Who reports: FSO to DCSA.

Timeline: Before the change takes effect when possible; otherwise as soon as practicable after.

Common miss: Corporate structure changes (especially in holding company arrangements) happen without security review. Establish a standing meeting with corporate counsel or M&A if your company grows through acquisition.

4. Changes in Key Management Personnel

Any addition, removal, or change in the KMP — officers, directors, senior executives covered under the FCL.

Who reports: FSO to DCSA.

Timeline: Before the change if possible; otherwise as soon as practicable after.

Common miss: A VP retires, a new CFO joins, nobody routes it through the FSO. Set up a quarterly check-in with HR on executive changes.

5. Foreign Ownership, Control, or Influence (FOCI)

Any event that could put the contractor under foreign ownership, control, or influence — a foreign investor taking an ownership stake, a foreign lender gaining material influence, a foreign national joining the board, significant foreign revenue changes.

Who reports: FSO to DCSA. Often requires legal coordination.

Timeline: As soon as practicable. Some FOCI events require prior approval.

Common miss: FOCI is complex and often has legal implications. Involve counsel and your Industrial Security Representative early.

6. Citizenship and Residency Changes

An employee’s change in citizenship or residency — naturalization, acquisition of a second citizenship, change in primary residence to a foreign country.

Who reports: Employee self-reports under SEAD-3 to FSO. FSO to DCSA.

Timeline: Employee reports as soon as practicable after the event. FSO reports to DCSA shortly after.

Common miss: Employees don’t volunteer the information. The annual briefing should specifically include dual citizenship and residency as reportable events.

7. Foreign Travel

Both official and personal foreign travel by cleared employees. The exact reporting expectations depend on destination, frequency, and current DCSA guidance, but the general rule is: cleared employees report foreign travel to the FSO before they go, and the FSO reports to DCSA per guidance.

Who reports: Employee to FSO pre-travel. FSO to DCSA per current guidance.

Timeline: Employee pre-travel (typically 30 days before when practical). FSO reporting to DCSA depends on destination risk level and current ISLs.

Common miss: Personal travel to routine destinations (Europe, Canada, Mexico) is often under-reported. The rule is the same regardless of destination — build the habit of reporting every trip, not just the ones that seem “important.”

8. Loss, Compromise, or Suspected Compromise of Classified Information

Any event where classified information may have been compromised — missing documents, unauthorized disclosure, spillage to unclassified systems, lost classified devices, physical security breaches in approved areas.

Who reports: Employee to FSO immediately. FSO to DCSA with initial report typically within 24 hours.

Timeline: Immediate internal notification. Initial report to DCSA within a short window (typically 24 hours); formal report follows per DCSA procedure.

Common miss: “Suspected” is a low threshold. If you’re not sure whether something was compromised, the rule errs toward reporting. Don’t hold reports while you investigate — report, then investigate.

9. Cyber Incidents on Covered Contractor Information Systems

Cyber incidents affecting systems that process, store, or transmit covered defense information (CUI) or any classified information. Covered under DFARS 252.204-7012 and 117.8.

Who reports: FSO (coordinating with IT) to DoD DIBCS. Also to DCSA depending on the incident type.

Timeline: Initial report within 72 hours of discovery (DFARS requirement).

Common miss: IT handles cyber incidents and doesn’t loop in the FSO. The response team must include security oversight for any incident touching covered information. Document this in your incident response plan.

10. Violations of the NISP

Any security violation by your facility or employees — mishandling of classified material, access control breaches, procedural violations. Includes both violations you self-identify and violations DCSA identifies.

Who reports: FSO to DCSA. Internal violations are documented and reported per procedure.

Timeline: As soon as practicable after the FSO becomes aware.

Common miss: Minor procedural violations (a combination lock not changed on schedule, a visitor not properly escorted) often don’t get reported internally, let alone to DCSA. Build a violation tracking procedure into your SPP and log everything.

11. Changes in Storage Capability

Any change to the facility’s ability to safeguard classified material — new approved areas, decommissioned areas, changes in storage containers, major renovations affecting security.

Who reports: FSO to DCSA. Often requires DCSA pre-approval for new areas.

Timeline: Before the change when possible (new areas require prior approval); otherwise as soon as practicable.

Common miss: Renovations that affect security (changes to walls, doors, HVAC, power) without coordination with DCSA. Any renovation in or adjacent to an approved area needs a security review before work starts.

12. Inability to Safeguard Classified Information

Any situation where the contractor loses the ability to properly safeguard classified material — temporary closure of the facility, loss of cleared personnel, fire or flood affecting approved areas, equipment failures affecting security systems.

Who reports: FSO to DCSA.

Timeline: Immediate notification.

Common miss: Temporary situations (a cleared employee’s extended leave, a security system outage) that affect safeguarding are often treated as internal operational issues. If safeguarding is genuinely affected, the rule requires reporting.

13. Employee Information Changes

Changes to cleared employee information that affect the investigation or continuous vetting — marital status, new cohabitant, significant financial changes, foreign contacts, changes affecting personal reliability.

Who reports: Employee self-reports to FSO under SEAD-3. FSO updates personnel records and reports to DCSA as required.

Timeline: Employee reports as soon as practicable after the event. FSO processes per standard procedure.

Common miss: SEAD-3 requirements aren’t limited to “serious” changes. The list is broader than most employees realize. The annual refresher briefing should walk through specific scenarios.

Building the reporting program

A defensible reporting program has four components:

1. Employee awareness

Every cleared employee knows what they’re required to report under SEAD-3, how to report it, and how quickly. Annual training should cover specific scenarios, not just a bullet list of categories. Include:

  • Foreign contacts at conferences and on social media
  • Foreign travel, including personal travel to low-risk destinations
  • Changes in marital status or cohabitant
  • Financial events (bankruptcy, large debts, unusual income)
  • Arrests and criminal matters
  • Substance abuse and mental health treatment

The Security Briefing Slide Decks 4-pack includes initial and annual refresher decks with SEAD-3 scenarios built in.

2. Internal reporting channels

Named channels — not “tell the FSO” but specifically which email, phone number, or form. Include an anonymous option when practical. Document the channels in the SPP.

3. FSO tracking system

Every internal report and every DCSA report is logged. Date received, reporter, category, disposition, and whether escalated to DCSA. The log is a required artifact during the DCSA assessment.

4. Handoffs with other functions

  • HR routes adverse information (disciplinary actions, terminations for cause) to the FSO
  • Executive leadership routes KMP changes to the FSO
  • Legal routes corporate events (acquisitions, FOCI issues) to the FSO
  • IT routes cyber incidents to the FSO

Without these handoffs, the FSO is flying blind on reporting. With them, reporting becomes routine.

Reporting mechanics

The primary reporting system for personnel security and adverse information is DISS (Defense Information System for Security). For cyber incidents under DFARS 252.204-7012, reports go through the DoD DIBCS at dibnet.dod.mil. Other reports go through your Industrial Security Representative.

Always keep a copy. Every report you submit should have a corresponding entry in your FSO reporting log with:

  • Date submitted
  • Category
  • Subject (employee, event, or change)
  • Brief summary
  • Submission method and confirmation (DISS entry number, email confirmation, etc.)
  • Follow-up or closure if applicable

This log is the proof you’re running a reporting program, and it’s the first document DCSA will request during the assessment.

Common reporting mistakes

Waiting until “we know enough.” The rule is “as soon as practicable after aware.” Not “after we’ve investigated.” Report when you become aware; investigation continues in parallel.

Under-reporting foreign travel. Any foreign travel is reportable. Employees often filter trips out as “this is routine, not worth reporting.” Train them that the rule is the rule.

Adverse information in HR files. If it’s in an HR file and the FSO hasn’t seen it, reporting didn’t happen. Build the handoff.

KMP changes. A new board member, a retirement, a role change at the VP level. These are reportable, and they’re often invisible to the FSO unless HR or the executive team has a routing procedure.

Violations treated as internal. A procedural violation (“someone let a visitor into an approved area unescorted for 30 seconds”) is still a violation. Log it. Report per DCSA guidance.

“I’ll report it at the annual check-in.” There is no annual check-in for reporting. Each category has its own timeline, and most are measured in days or hours — not months.

What DCSA checks during an assessment

Expect the assessor to:

  • Ask for your reporting log for the past 12–24 months
  • Verify that reports correspond to documented events in personnel files, HR records, and corporate minutes
  • Sample 2–3 recent events and verify they were reported on time
  • Interview cleared employees on SEAD-3 awareness — “what would you report if…”
  • Review the adverse information file and verify entries align with DISS submissions
  • Verify KMP changes align with the current KMP list

If reports are missing but corresponding events exist in your files, that’s a reporting finding. If reports exist but aren’t logged, that’s a records finding. Both are common.

FAQs

What’s the difference between NISPOM reporting and SEAD-3 reporting?

NISPOM reporting is the contractor-level obligation under 117.8 — the FSO reports to DCSA. SEAD-3 reporting is the individual-level obligation — cleared employees self-report events to the FSO. They’re complementary. SEAD-3 feeds the contractor-level reporting system.

How quickly do we need to report adverse information?

“As soon as practicable after the FSO becomes aware.” In practice, this means within a few business days for routine adverse information, and within 24 hours for serious events (suspected compromise, suspicious contacts). Don’t wait for investigation to complete.

Do we report foreign travel before or after it happens?

Both, depending on destination and circumstance. Most routine foreign travel is reported before (typically 30 days in advance when practical). Emergency travel may be reported after. Current DCSA guidance outlines destination-specific expectations.

What if an employee refuses to self-report something?

Refusal to comply with SEAD-3 is itself adverse information and should be reported. It may also affect the employee’s continued eligibility for clearance.

How long do we keep reporting records?

Retention follows general personnel security records retention — while the employee is cleared plus the applicable DCSA retention period. Most FSOs retain indefinitely in the cleared employee file.

Is there a reporting threshold below which we don’t report?

No. There’s no de minimis exception. The rule captures events by category, not by magnitude. A “minor” KMP change is still a KMP change.

What if we’re not sure whether something is reportable?

Report it, or call your Industrial Security Representative and ask. The penalty for over-reporting is minimal (some administrative overhead). The penalty for under-reporting is a finding — and in serious cases, much worse.

What to do this week

  • Pull your reporting log for the past 12 months. If it doesn’t exist, create one
  • Audit your last 6 months of internal events (HR actions, KMP changes, foreign travel, reported suspicious contacts) against what was reported to DCSA
  • Schedule handoff meetings with HR, executive leadership, legal, and IT to cement the reporting routing
  • Review your annual briefing deck — does it cover all 13 categories with specific scenarios?
  • Get the Standard Practice Procedures Template ($149) — it includes a pre-built Reporting Requirements table organized by category, timeline, and responsible party
  • Or get the Complete DCSA Assessment Kit ($297) for the full documentation stack

The reporting program is the quiet engine of a cleared security program. When it runs, nobody notices. When it doesn’t, every finding gets worse. Build the handoffs, log every event, and treat “as soon as practicable” as days, not weeks.

