ICD 705 POA&M Rescission:
Less Certainty, Not Less Compliance
For U.S. government contractors working in classified environments, secure facilities are a critical part of doing business. Many classified programs require work to be performed in a Sensitive Compartmented Information Facility (SCIF)—a highly secure space designed to protect sensitive intelligence and national security information from unauthorized access.
Recent changes to the government's compliance process for SCIFs have raised questions across the contractor community. Specifically, the National Counterintelligence and Security Center (NCSC) has rescinded the Plan of Action & Milestones (POA&M) requirement under Intelligence Community Directive (ICD) 705, the standard that governs the design, construction, and accreditation of SCIFs.
The change affects how organizations plan for compliance, but it does not eliminate the ongoing need to meet evolving security requirements.
What’s Changed?
The memo, issued May 4, 2026, removes a compliance planning mechanism that many contractors had used to guide real estate, capital investment, and SCIF modernization decisions around a broadly accepted 2028 timeline. However, it does not change the expectation that secure facilities will continue to evolve to meet increasingly stringent security requirements, nor does it change the likelihood that both new and existing SCIFs will ultimately need to meet those standards.
ICD 705 version 1.5.1 remains the governing baseline. At the same time, the NCSC has been explicit that a revised version is forthcoming, and that currently accredited facilities will not be insulated from future requirements. The rescission is best understood as a transition between versions of the standard—not a departure from it.
What This Means for Contractors
In our opinion, the immediate impact is not less accountability. It is less certainty around timing.
Instead of a single government-wide milestone, compliance expectations are increasingly being driven by individual programs and sponsors based on mission requirements. In practice, compliance expectations continue to advance, just without a uniform deadline.
Several realities remain unchanged:
- ICD 705 version 1.5.1 is still in effect.
- A revised standard is anticipated.
- Existing accredited facilities may be subject to future requirements.
- SCIF delivery timelines remain unchanged.
- Delaying investment today can create schedule and cost challenges later.
Based on what we are seeing in the market, most contractors with active classified programs are continuing to move forward rather than waiting for additional regulatory clarity. Many are advancing SCIF delivery, expansion, and upgrade efforts based on pipeline visibility and operational needs.
That reflects a fundamental reality: delivering accredited secure space still takes time. In most cases, planning, construction, and accreditation require 12 to 24 months or longer. Organizations making decisions today are effectively making decisions about program readiness one to two years from now.
A Familiar Pattern
This cycle is not new.
Previous requirements in the cleared environment have followed a similar path: initial mandate, recalibration, and eventual reassertion through updated standards and program-level enforcement.
In those moments, early movers maintained greater control over cost, schedule, and site selection. Organizations that waited often faced compressed timelines, increased competition for resources, and fewer options.
The POA&M rescission represents a similar inflection point.
The Strategic Implication
While the rescission reduces near-term uniformity, it increases the importance of strategic planning.
Contractors must now align real estate and capital decisions more closely with program pipelines, sponsor expectations, and anticipated regulatory change. The absence of a fixed mandate does not eliminate risk—it shifts where that risk sits.
We believe the takeaway is straightforward: this is not a pause in compliance. It is a shift in how compliance expectations will be established and how quickly they may be applied.
Organizations that recognize that distinction will retain flexibility and control. Those that defer action may find themselves reacting later under tighter timelines, with fewer options and higher costs.