Chapter 7 may not apply to all facilities, while Chapters 5 and 6 cover universal security basics

Chapter by chapter, what actually applies to your site?

In the world of government contracts and security, the rules aren’t one-size-fits-all. The National Industrial Security Program Operating Manual (NISPOM) lays out a framework for how cleared facilities keep information safe. When you’re sitting in the FSO chair, you start to see a simple truth: some chapters feel universal, while others bend to how your particular operation is set up. A quick question—one you might hear in a briefing or on a training slide—illustrates that idea: which NISPOM chapters may not apply to every facility?

Let me explain with a straightforward snapshot.

What those chapters are really about

• Chapter 5: Safeguarding Classified Information. This is the backbone. No matter what you manufacture, study, or service, if you have access to classified material, you’re responsible for protecting it. That means proper handling, storage, transmission, and disposal. It also includes marking, control of access, and ensuring that even casual conversations don’t reveal sensitive data. In short, safeguarding is foundational.

• Chapter 6: Visits and Meetings Involving Classified Information. This chapter is about people—visitors, vendors, and partners—who come to your facility or participate in discussions that touch classified material. It covers how to verify individuals, limit access, and manage the environment so that sensitive information doesn’t slip out. It’s a practical, day-to-day concern because people are often the weakest link when security isn’t top of mind.

• Chapter 7: Subcontracting. This one gets a bit trickier. It focuses on prime contractors who oversee subcontractors handling classified information and the flow-down security requirements to those subcontractors. It explains how accountability for protecting classified information travels through the supply chain. Importantly, the matter of subcontracting depends on whether your particular facility actually uses subcontractors.

Why Chapter 7 may not apply to all facilities

Here’s the core point: Chapter 7 is conditional. If your facility operates entirely in-house and never engages a subcontractor for work involving classified information, you may not need to implement the Chapter 7-specific procedures. No subcontractors means no subcontracting oversight to manage. That’s not “slipping” on security; it’s simply a matter of scope. The NISPOM expects you to follow the rules that pertain to your actual activities.

Now contrast that with Chapter 5 and Chapter 6. Those two are broadly relevant to most cleared facilities because they address the environments where classified information exists and the people who encounter it. Regardless of whether you subcontract, you still need to safeguard information and manage visits and meetings. You don’t get to skip those just because you don’t work with outside contractors.

A practical view from the field

Imagine two different facilities to put this into a real-world frame.

• Small, in-house shop. This facility handles sensitive tasks, but all work is done by its own staff. There are occasional visitors—maybe a few technicians from a trusted partner—but no dedicated subcontracting arrangements. The FSO’s daily job still includes locking up sensitive materials, training staff on handling procedures, and supervising every visit. Chapter 5 keeps the information protected; Chapter 6 governs who’s allowed where and when. Chapter 7 sits on the shelf, untouched, simply because there’s no subcontractor to oversee.

• Medium-to-large operation with subcontractors. Here, the organization uses several subcontractors to perform portions of the work, and those subcontractors handle classified information too. Now Chapter 7 matters. The FSO must ensure that those subcontractors receive proper security clearances, that flow-down requirements are clear, and that oversight mechanisms are in place to prevent leaks or mishandling. Chapter 5 remains essential, and Chapter 6 keeps the same focus on visits and meetings—but with additional considerations, like the security posture of subcontractor sites and how information is exchanged during visits.

The human factor in visits and subcontracting

Security isn’t just a binder on a shelf. It’s people, processes, and the spaces where things happen. Let’s think about visits and meetings for a moment.

• Visits: Even a routine visit can become a risk if access isn’t controlled, if sensitive conversations drift into casual talk, or if a guest brings in documents without proper handling. The goal isn’t to scare people away; it’s to create an atmosphere where security is the default, not an afterthought. A clear sign-in process, visitor badges, escorted access where needed, and a quick debrief after meetings help keep conversations productive and safe.

• Subcontracting: When subcontractors participate, you extend your security perimeter. Flow-down clauses ensure subcontractors follow the same safeguarding standards. Regular oversight visits, documented training, and clear notification channels for any security incidents are critical. The better the coordination, the smoother the project, and the lower the risk of a security slip.

What FSOs should know at a glance

If you’re charting the security landscape for your site, here’s a compact guide to keep on your radar.

• Do you have subcontractors handling classified information? If yes, Chapter 7 applies. If not, you won’t need to implement all of Chapter 7’s subcontractor-specific requirements, though some principles may still be relevant in spirit.

• Do you handle classified information on a regular basis? Then Chapter 5 is your non-negotiable baseline. It governs how you protect data, how you store it, and how you communicate it within safe channels.

• Do you host visits and meetings that involve classified information? Chapter 6 is in play. You’ll want robust access control, visitor screening, and clear procedures for safeguarding materials during meetings.

A few practical takeaways for FSOs

• Conduct a quick map of your facility’s activities. Do you rely on subcontractors for anything that involves classified data? If yes, map those relationships to Chapter 7 requirements, including flow-downs and oversight.

• Review your safeguarding plan annually. Even if you don’t have subcontractors, you’re still bound by Chapter 5. Make sure marking, storage, and handling procedures reflect current realities and technologies.

• Revisit the visitor management process. If your site sees frequent visits, a simple, consistent protocol makes life easier for everyone and reduces the chance of a slip.

• Keep a living security checklist. Things change—teams, contractors, and even the types of projects shift. A dynamic checklist helps you stay aligned with the latest guidance from the appropriate authorities.

A tangential moment you might appreciate

Security work often feels theoretical, but it’s very much about everyday decisions. Think about the hallway conversations you overhear or the quick share of a file over a coffee break. The moment you normalize cautious handling—before a visitor even steps through the door—you’re choosing security over convenience. It’s not a hard sell; it’s common sense that protects people, data, and reputations.

A note on nuance and nuance’s value

There’s a quiet elegance to the way NISPOM structures its chapters. Some rules are universal because they guard the core of what keeps sensitive information safe. Others are gated behind a facility’s particular choices—like whether you work with subcontractors. Recognizing that difference isn’t a sign of weakness; it’s a sign of thoughtful compliance.

If you manage a cleared facility, you’re already dealing with a living system: people come and go, contracts shift, and the information you protect isn’t stationary either. The best FSOs treat policy as a flexible partner—one that adapts to the work you do, not a rigid fence that tries to box you in.

A gentle reminder to keep the picture clear

• Chapter 5 remains a universal baseline for safeguarding. It covers the everyday realities of handling classified information.

• Chapter 6 remains universally relevant for controlling visits and meetings that touch sensitive material.

• Chapter 7 is conditional. It applies when your site or program uses subcontractors handling classified information.

Putting it all together

Security isn’t a checklist to be completed and forgotten. It’s a living practice that must reflect how you actually work. Some days you’ll lean more on safeguarding measures; other days you’ll focus on how visitors are managed or how contractor work is overseen. The common thread is that every facility has its own pattern, and the chapters you rely on should fit that pattern.

Take a moment to look at your own site’s security map. Which chapters actually drive your day-to-day? If Chapter 7 doesn’t touch your operations, that’s perfectly fine—but don’t overlook Chapter 5 and Chapter 6, especially if your work involves people or classified data at any scale. When you understand the real scope of your duties, you can build a security program that’s both solid and sensible.

Final thought

In security, clarity beats bravado. Knowing which rules apply—and why—lets you protect what matters without getting tangled in unnecessary procedures. The goal isn’t to reach for every chapter equally; it’s to apply the right chapters to your true operations. That’s how you keep a facility resilient, compliant, and ready for whatever comes through the door.

If you’re stewarding a cleared site, take a moment to inventory your subcontracting status, your visitor processes, and your safeguarding practices. A quick alignment now saves confusion later and keeps you focused on what really matters: keeping sensitive information safe, while enabling your team to do its work with confidence.