How to Write Standard Practice Procedures (SPP) for Your Facility
A working FSO's guide to writing Standard Practice Procedures under 32 CFR Part 117. Section-by-section walkthrough, common mistakes, and how DCSA assessors review your SPP.
The Standard Practice Procedures document is the one artifact every DCSA assessor opens first. It’s the written proof that your facility has a security program — not just a collection of habits and institutional memory. If your SPP is weak, every other finding hurts worse. If your SPP is solid, you’ve already cleared the highest bar in the assessment.
Most FSOs I talk to either inherited an SPP written in 2011 referencing the old NISPOM, or they have no SPP at all and an unread template someone emailed them three years ago. Neither situation is unusual. Neither is defensible.
This is the working guide. What an SPP is, what NISPOM requires, how to structure it, what each section should contain, and the specific things DCSA assessors look for when they read yours.
What an SPP is (and isn’t)
The SPP is your facility’s written security operating manual under 32 CFR Part 117. It describes how your specific facility implements the requirements of the National Industrial Security Program. It’s not a copy of the NISPOM. It’s not a generic security policy. It’s a document that says: here is what we do, here is who does it, and here is where the evidence lives.
32 CFR 117.7 (Procedures) requires a contractor to implement every applicable provision of the rule at each of its cleared facilities and to prepare written procedures for doing so; DCSA, as the cognizant security agency, expects that written procedure to be the SPP. The rule doesn't give you a template. It sets an outcome (your SPP has to cover what your facility actually does) and leaves the format to you.
That latitude is a trap. FSOs read “no prescribed format” and either copy a template verbatim without customizing it, or they skip the document entirely. Both choices show up as findings.
An SPP is not:
- A copy of the NISPOM or 32 CFR Part 117
- A one-page “we comply with all applicable requirements” letter
- Your Insider Threat Program documentation (that’s separate)
- Your self-inspection report
- Your annual security refresher slide deck
An SPP is:
- A facility-specific document that describes your procedures
- A reference tool for cleared employees (who should be briefed on it)
- The first document DCSA will request during an assessment
- Evidence that leadership has approved your security approach
Who needs an SPP
Every contractor with an FCL. Full stop.
Possessing facilities (those with DCSA-approved safeguarding, i.e., authorized to store classified material on site) need an SPP covering safeguarding, transmission, destruction, and all the physical and information security pieces. Non-possessing facilities still need an SPP; it's just shorter, covering the requirements that apply without safeguarding.
If you’re a non-possessing facility, don’t skip this. A common pattern I’ve seen: FSO at a non-possessing facility assumes “we don’t handle classified here, we don’t need an SPP.” DCSA arrives. First document they ask for. First finding of the day.
What NISPOM requires the SPP to cover
The SPP provision in 117.7 is a single sentence, but between the rest of the NISPOM, applicable Industrial Security Letters, and DCSA practice, your SPP needs to address:
- Facility information (CAGE code, address, FCL level, possessing or non-possessing status)
- FSO and ITPSO appointment letters and responsibilities
- Key Management Personnel (KMP) list
- Personnel security (clearance procedures, SF-312 execution, indoctrination and debriefing)
- Physical security (approved areas, access control, visitor controls)
- Information security (handling, marking, transmission, destruction of classified material)
- Insider Threat Program (can reference separate ITP documentation)
- Reporting requirements (the categories under 117.8)
- Classified meetings and visits (if applicable)
- Subcontractor management (if you have cleared subcontractors)
- Self-inspection program
- Training (initial briefing, annual refresher)
- Information system security (for a non-possessing facility, a short statement that no classified systems exist and how cleared employees' unclassified systems are protected; for a possessing facility with a DCSA-authorized classified system, a reference to the system security plan and the ISSM designation)
Your SPP doesn’t have to cover every one of these in depth — it has to cover them as applicable to your facility. A non-possessing FCL with no subcontractors doesn’t need a subcontractor management section. Mark it “Not Applicable” with a one-sentence explanation.
For the complete self-inspection view of what DCSA checks, see our NISPOM compliance checklist.
A working SPP structure
Different FSOs use different structures. The one below is what I’ve seen work cleanly in DCSA assessments. Twelve sections, each with a clear purpose. Adapt it to your facility.
Section 1 — Facility Information
Cover page with:
- Legal company name and DBA
- Facility address (primary cleared location)
- CAGE code
- Date of FCL grant
- FCL level (Confidential, Secret, or Top Secret)
- Non-possessing or possessing
- Document version and effective date
- Approval signatures (FSO, senior management official)
One page. Boring. Essential.
Section 2 — FSO and ITPSO Designations
The FSO designation letter and the ITPSO designation letter, both signed by the senior management official. Include the appointment date, the employee's full name, and a brief responsibilities statement. The same person may hold both roles; if so, say so in one letter or include both letters naming the same person.
Don’t reference these letters and keep them in a separate binder. Put copies in the SPP. Every assessor will ask.
Section 3 — Key Management Personnel
A KMP list. Every officer, director, and senior executive who is cleared in connection with your FCL, plus anyone formally excluded from access by a board resolution. Include name, title, clearance level, and clearance date (or the date of the exclusion resolution).
Update this every time someone joins, leaves, or changes roles. A stale KMP list is a finding, and an unreported KMP change is a reporting finding on top of it.
Section 4 — Personnel Security
Your procedures for:
- Determining whether an employee needs a clearance
- Initiating investigations (Subject form, fingerprints, interim determinations)
- SF-312 execution and retention
- Initial security briefings (the specific content)
- Annual security refresher briefings
- Debriefings on termination, transfer, or clearance revocation
- Adverse information reporting (what triggers, who reports, how)
Include the specific forms and who owns each step. “The FSO processes clearance paperwork” is not procedure — it’s a description. “Within five business days of a new-hire offer letter acceptance, HR forwards Form X to the FSO, who initiates Subject Form Y through DISS” is procedure.
Section 5 — Physical Security
For possessing facilities: approved areas, container specifications, combination management (SF-700 records, and combination changes whenever someone who knows a combination no longer needs access or a compromise is suspected), access control, perimeter security, visitor controls.
For non-possessing facilities: much shorter. Access control to the facility, visitor procedures for cleared visitors, reference to the policy that you do not store classified material on premises.
Include your approval letters for any approved areas. Include your GSA-approved container specifications. Name the person responsible for maintaining combinations and the SF-700 records.
Section 6 — Information Security
Handling, marking, classification challenges, transmission (couriers, approved electronic transmission), reproduction, destruction. Cover each level you actually handle: Confidential, Secret, Top Secret, as applicable.
If you never transmit classified material, say so. If you never reproduce it, say so. Don’t copy template language about methods you don’t use — it invites the assessor to ask about methods you haven’t implemented.
Section 7 — Insider Threat Program
You can either document the full ITP here or include a one-page summary and reference a standalone ITP Program document. Most FSOs do the latter — the ITP has grown enough that it’s cleaner as a separate document.
Either way, the SPP must state:
- That you have an ITP
- That the ITPSO has been designated
- How insider threat training is delivered
- How concerns are received, tracked, and responded to
- Reference to the standalone ITP documentation (if separate)
Our Insider Threat Program Template Kit includes the program policy, referral form, annual assessment, and tracking log as separate deliverables.
Section 8 — Reporting Requirements
The reporting categories under 117.8: adverse information, suspicious contacts, changes in KMP, foreign travel, cyber incidents, loss or compromise, foreign ownership or control changes, material changes affecting the FCL, and the rest.
For each, document:
- The triggering event
- Who reports (FSO to DCSA; employee to FSO)
- The reporting mechanism (DISS, secure email, phone)
- The timeline (initial report, follow-up)
A summary table works well here. Every assessor will check this section against a handful of scenarios (“if an employee travels to China for personal reasons, what happens?”).
Section 9 — Classified Meetings and Visits
Procedures for hosting classified meetings (visitor authorization letters through DISS, cleared conference room procedures, note-taking rules) and for your personnel attending classified meetings elsewhere.
If you don’t host classified meetings, say so. If you don’t send personnel to them, say so.
Section 10 — Subcontractor Management
If you issue DD Form 254s to cleared subcontractors, document:
- DD 254 preparation and flowdown
- Subcontractor FCL verification
- Visit authorizations
- Termination procedures
If you have no cleared subcontractors, a single sentence is enough.
Section 11 — Self-Inspection Program
Under 117.7(h), every cleared contractor must conduct a formal self-inspection at least annually. Document:
- Who conducts it (typically the FSO, sometimes supplemented by a second reviewer)
- The cadence (at least annually)
- The documentation (a written self-inspection report)
- Correction of findings (tracked to closure)
- The senior management official's annual written certification to DCSA that the self-inspection was conducted, that senior management was briefed on the results, and that corrective action was taken or is planned
If you use a formal checklist — the NISPOM Self-Inspection Checklist is built for exactly this — reference it here and keep completed versions on file.
Section 12 — Training
- Initial briefing content (what every new cleared employee is briefed on)
- Annual refresher briefing content
- Insider threat training (often combined with the refresher)
- Training records retention
Keep a training log. Every briefing, every employee, every year. Signed.
Common mistakes I see in SPPs
A few patterns trip up contractors more than others. Fix these and your SPP reads ten years younger.
Outdated references. Citations to "NISPOM paragraph 1-300" or "DoD 5220.22-M." The NISPOM has been 32 CFR Part 117 since February 2021, with a compliance deadline of August 2021. If your SPP still cites the DoD manual, it's showing the assessor exactly how long it's been since you opened it.
Generic template language. “The Facility Security Officer shall ensure that all cleared employees receive appropriate security training at regular intervals.” That’s a restatement of the rule, not your procedure. Replace it with: “The FSO delivers initial briefings using the approved slide deck within five business days of a new hire’s start date. Annual refresher briefings occur in September, using the refresher deck updated for the current year’s threat trends.”
Missing or stale signatures. An SPP without a current signature page is an SPP that nobody has formally approved. Review and re-sign annually. Date it.
No document version control. Version 1.0 dated 2019 tells the assessor nothing has changed in six years. Version 3.2 dated last quarter tells them you maintain it.
Section-by-section copy from the NISPOM. If an assessor can find entire paragraphs lifted from 32 CFR Part 117, that’s a red flag — not because copying is illegal, but because it means you described the rule instead of your implementation of the rule.
“As applicable” with nothing specified. “The FSO will handle foreign travel reporting as applicable.” What does “applicable” mean? Document the trigger. Document the process. Document the timeline.
No cross-references to evidence. When the SPP says “employees receive annual insider threat training,” the assessor will ask to see the records. Point to where they live. “Training logs are maintained in the FSO’s secure file cabinet, organized by year.” Now the assessor can verify.
What DCSA assessors actually check
A DCSA assessor reading your SPP is looking for:
- Is it current? Version, date, signatures. If the effective date is more than two years old, expect scrutiny.
- Is it specific to this facility? Do the procedures match what they’ll observe on the walkthrough? A policy that says “visitors sign in at the reception desk” had better match a visitor log at a reception desk.
- Does it cover what the rule requires? The assessor has a mental checklist. If your SPP doesn’t address adverse information reporting, foreign travel, or insider threat, that’s a finding.
- Does it reference evidence? For every claim (“we conduct annual self-inspections”), can they find the corresponding artifact (the actual report)?
- Is leadership bought in? The signature page tells them whether this is the FSO’s private document or the company’s committed procedure.
Assessors don’t expect perfection. They expect a document that demonstrates you understand your obligations and have a written plan for meeting them. If you can show a thoughtful, facility-specific, current SPP, you’ve cleared the hardest bar.
How long should an SPP be?
Long enough to cover what applies. Short enough that someone can actually read it.
For a non-possessing facility: 15–25 pages is typical. For a small possessing facility: 30–50 pages. For a mid-size possessing facility with multiple approved areas and subcontractors: 60–100 pages. For a large facility with classified meetings, foreign engagements, and multi-site operations: 100+ pages, often with appendices.
If your SPP is 200 pages and nobody has read it, it’s worse than a 25-page SPP that leadership signs and employees can cite.
Getting started without starting from scratch
Writing an SPP from scratch is a three-to-six-month project. It doesn’t have to be.
The Standard Practice Procedures Template is a 12-section SPP with fill-in fields, NISPOM references on every page, KMP tables, a reporting requirements table, and a training schedule — structured the way DCSA reviews it. Fill in your facility details, delete the sections that don’t apply, add your specific procedures, and you have a defensible SPP in a week instead of a quarter.
If you need the entire documentation stack — SPP plus the self-inspection checklist, ITP kit, and required briefing decks — the Complete DCSA Assessment Kit bundles all four core products.
FAQs
How often should we update the SPP?
At minimum, annually — review and re-sign even if nothing has changed. Update whenever you have material changes (new KMP, new approved areas, revised procedures, new subcontractor relationships, regulatory updates).
Does the SPP need to be signed by the CEO?
It needs to be signed by a senior management official. At small companies that’s often the CEO. At larger contractors it may be a VP of Operations or a General Counsel. The signer needs the authority to commit the company to the procedures — not just the FSO.
Can we use a digital-only SPP?
Yes. Nothing in NISPOM requires paper. A controlled PDF with digital signatures, stored on a secure system, is fine. Just make sure the document is accessible when DCSA asks for it, and that version control is enforced.
Do non-possessing facilities really need an SPP?
Yes. The written-procedures requirement in 32 CFR 117.7 applies to every contractor with an FCL, and DCSA expects an SPP from possessing and non-possessing facilities alike. The content is shorter for non-possessing facilities, but the requirement is the same.
Can the SPP reference other documents instead of including everything inline?
Yes, and for complex programs this is good practice. You can reference the standalone ITP document, separate training procedures, or a classified contract security library. Just make sure the referenced documents exist, are current, and are accessible.
Who reads the SPP?
Your cleared employees should be briefed on the parts that affect them. Your leadership signs it. Your DCSA assessor reads it first during any assessment. Your successor (whoever becomes FSO after you) will read it on day one.
What to do this week
- Pull up your current SPP. If the effective date is more than a year old, schedule a review and re-signing this quarter
- Check for references to “NISPOM paragraph” or “DoD 5220.22-M” — these are immediate rewrites
- Verify every policy claim points to the actual evidence (training log, KMP list, self-inspection report)
- If you don’t have an SPP, download the Standard Practice Procedures Template ($149) and build one this month
- For the complete documentation set, get the Complete DCSA Assessment Kit ($297)
A solid SPP is the foundation every other NISPOM document sits on. If yours is strong, the rest of your program looks stronger by association. If it’s weak, every other finding costs more. Fix this one first.