Facility Security Clearance (FCL) Guide

A Facility Security Clearance (FCL) is a determination by the Defense Counterintelligence and Security Agency (DCSA) that a contractor facility is eligible to access, receive, and store classified information at a specified level. Without an FCL, a company cannot bid on or perform classified contracts — making it a prerequisite for a significant portion of the defense and intelligence contracting market.

Bureauify Research Team

This guide covers the FCL process, clearance levels, the role of the Facility Security Officer, NISPOM requirements, Foreign Ownership, Control, or Influence considerations, and realistic timelines and costs.

100M+ government records · 300+ gov/news sources · Updated hourly

What Is an FCL and Who Needs One?

An FCL is granted to a legal entity (corporation, LLC, partnership, or sole proprietorship) — not to individuals. It represents the government's determination that the company has the physical security infrastructure, personnel security processes, and information security procedures necessary to protect classified information. Individual employees who need access to classified information receive Personnel Security Clearances (PCLs), but they can only access classified material at a facility that holds an FCL at the appropriate level.

A company needs an FCL when it will perform on a contract that requires access to classified information. The requirement is driven by the government customer — the contracting activity issues a DD Form 254 (Department of Defense Contract Security Classification Specification) that specifies the classification level and any special access requirements. Importantly, a company cannot self-sponsor for an FCL. It must have a legitimate need based on a government contract, pre-contract negotiation, or a prime contractor's subcontract involving classified access.

The sponsoring agency or prime contractor initiates the process by submitting a sponsorship letter to DCSA. Without sponsorship, DCSA will not process an FCL application. This creates a chicken-and-egg problem for companies seeking to enter the classified market: you need a contract to get an FCL, but many classified contracts require an existing FCL to bid. The practical solution is to identify a specific opportunity, work with the contracting officer or prime contractor to obtain sponsorship, and begin the clearance process in parallel with the procurement timeline.

The DCSA Clearance Process

The Defense Counterintelligence and Security Agency (DCSA), formerly the Defense Security Service (DSS), is the federal agency responsible for administering the National Industrial Security Program (NISP). DCSA processes FCL applications, conducts facility inspections, provides security education, and performs oversight of cleared contractor facilities.

The FCL process begins with sponsorship. Once DCSA receives a valid sponsorship request, the company is registered in the National Industrial Security System (NISS), formerly the Industrial Security Facilities Database (ISFD). The company then designates key management personnel (KMP) — typically senior officers, directors, and the FSO — who must submit SF-86 (Questionnaire for National Security Positions) forms for background investigation. All KMP must receive favorable personnel clearance determinations before the FCL can be granted.

DCSA conducts an initial security vulnerability assessment (SVA) to evaluate the facility's physical security measures, information systems security, and security management practices. The company must demonstrate compliance with the National Industrial Security Program Operating Manual (NISPOM) requirements appropriate to the clearance level sought. Once DCSA is satisfied that the facility meets all requirements, it grants the FCL and the company is listed in the NISS as a cleared facility.

Clearance Levels

FCLs are granted at three levels, corresponding to the classification levels of the information the facility will handle. Each higher level includes all requirements of the lower levels plus additional safeguarding measures.

Confidential

The lowest classification level. Information whose unauthorized disclosure could reasonably be expected to cause damage to national security. Physical security requirements include controlled access to areas where classified material is stored, but dedicated secure rooms are typically not required.

Secret

The most common FCL level. Information whose unauthorized disclosure could reasonably be expected to cause serious damage to national security. Requires more stringent physical security including approved storage containers (GSA-approved security containers or vaults) and access control measures. Background investigations for Secret-level PCLs use the Tier 3 (T3) investigation.

Top Secret

The highest standard FCL level. Information whose unauthorized disclosure could reasonably be expected to cause exceptionally grave damage to national security. Requires the most rigorous physical security measures, including approved vault or secure room construction meeting Intelligence Community Directive (ICD) 705 standards. KMP and cleared employees require Tier 5 (T5) Single Scope Background Investigations (SSBI).

Beyond these three levels, some contracts require access to Sensitive Compartmented Information (SCI) or Special Access Programs (SAP), which impose additional requirements beyond the standard Top Secret FCL. SCI access requires an accredited Sensitive Compartmented Information Facility (SCIF) and sponsorship by an intelligence community element.

Facility Security Officer (FSO) Requirements

Every cleared contractor facility must designate a Facility Security Officer (FSO) who serves as the primary point of contact with DCSA and is responsible for the day-to-day management of the facility's security program. The FSO must be a U.S. citizen, must hold a personnel clearance at or above the facility's FCL level, and must be a direct employee of the cleared contractor (not a consultant or subcontractor, though some exceptions exist for small companies).

FSO responsibilities include: processing personnel clearance requests and terminations in NISS, conducting initial security briefings for newly cleared employees, administering annual security refresher training, managing visit authorization requests, overseeing classified document control, reporting security incidents and suspicious contacts to DCSA, maintaining security documentation (Standard Practice Procedures, security classification guides), and preparing for DCSA security reviews. The FSO must complete the FSO Program Management for Possessing Facilities course (or equivalent) offered by the Center for Development of Security Excellence (CDSE) within the first year.

For smaller companies, the FSO role is often a collateral duty. However, as a company's classified portfolio grows, a dedicated full-time FSO becomes necessary. DCSA evaluates the adequacy of the FSO arrangement during security reviews, and a company with an overwhelmed part-time FSO will receive findings. Some companies hire cleared FSO consulting firms to supplement their in-house capability, though the primary FSO must remain a company employee.

NISPOM (32 CFR Part 117)

The National Industrial Security Program Operating Manual (NISPOM), codified at 32 CFR Part 117 (effective February 2021, replacing the former DoD 5220.22-M), is the governing regulation for all cleared contractor facilities. It establishes the baseline security requirements that contractors must meet and maintain to retain their FCL. DCSA assesses compliance with the NISPOM during periodic security reviews.

Key NISPOM requirements include: physical security standards for classified storage and processing areas, personnel security clearance request and management procedures, classified information handling and safeguarding rules, reporting requirements for security incidents and adverse information, visitor control procedures, classification management and derivative classification training, foreign travel reporting, and the insider threat program requirements introduced by Conforming Change 2. The NISPOM also addresses information system security for systems that process classified information, though many of these requirements are further detailed in DCSA Assessment and Authorization (A&A) guidelines.

Foreign Ownership, Control, or Influence (FOCI)

Foreign Ownership, Control, or Influence (FOCI) is one of the most significant barriers to obtaining an FCL. Under 32 CFR § 117.11, a company is considered under FOCI whenever a foreign interest has the power, direct or indirect, to direct or decide matters affecting the management or operations of the company in a manner that could result in unauthorized access to classified information or could adversely affect the performance of classified contracts.

FOCI factors include: foreign ownership of the company's stock or equity, foreign board members or officers, foreign creditors or debt holders, foreign contracts or business relationships, and any other relationship that gives a foreign interest influence over the company. DCSA evaluates FOCI using the SF-328 (Certificate Pertaining to Foreign Interests) submitted during the FCL application process and updated annually.

If FOCI is identified, the company must implement a FOCI mitigation instrument before an FCL can be granted. Mitigation options range from board resolutions (for minimal FOCI) to Voting Trust Agreements and Proxy Agreements (for companies with substantial foreign ownership), to Special Security Agreements (SSAs) that allow foreign-owned companies to maintain their FCL under government-appointed oversight. The most restrictive mitigation instruments effectively separate the foreign owner from access to classified information while allowing the business relationship to continue.

Timeline and Costs

The FCL process timeline varies significantly based on the clearance level, the number of KMP requiring investigation, FOCI complexity, and DCSA's current processing workload. As a general guideline: a Secret-level FCL for a company with no FOCI issues and KMP who already hold personnel clearances can be completed in 3–6 months. A new Secret FCL where KMP require new Tier 3 investigations typically takes 6–12 months. A Top Secret FCL with new Tier 5 investigations can take 12–18 months or longer. Companies with FOCI issues requiring mitigation instruments should add 6–12 months for the FOCI resolution process.

The government does not charge fees for processing FCL applications or conducting KMP background investigations. However, the company incurs significant costs in preparing for and maintaining an FCL: physical security upgrades (security containers, access control systems, alarm systems, vault construction for TS), FSO compensation and training, security training programs, NISS and other IT system access, and ongoing compliance activities. Initial setup costs for a Secret-level FCL typically range from $10,000 to $50,000 depending on the facility and existing security infrastructure. Top Secret facilities with vault construction can cost $100,000 or more. Annual maintenance costs for security program operations typically run $25,000–$75,000 for small to mid-size contractors.
