A Guide to FCL Management
Everything you need to know about cleared facilities
From obtaining a Facility Clearance (FCL) to managing Personnel Clearances (PCLs) to maintaining 32 CFR Part 117, NISPOM standards, there is a lot that you need to keep track of if you have a part in managing your company’s FCL.
What is an FCL
An FCL is needed for any government contractor facility where operations will require access to classified information or need to create it. Obtaining this clearance involves your company having a legitimate need to access classified information. There are also different clearance levels: classified, secret and top secret. Your legitimate need will be established with a form known as a Department of Defense 254, or DD 254. This form is provided by the agency or contractor who is sponsoring your FCL. If this is a temporary need, your company will not continue to hold an FCL once the contract expires.
Any cleared facility needs a Facility Security Officer (FSO) overseeing it. They will lead the charge in obtaining the FCL, and once the facility is cleared, they will be in charge of ensuring it meets the requirements set in 32 CFR Part 117, National Industrial Security Program Operating Manual, or NISPOM.
When in the process of obtaining an FCL, you can receive an interim FCL, which will allow you to operate as a cleared facility before the process is fully completed. This is given when the investigation into your company turns up no evidence of issues that would raise concern about your organization’s ability to protect classified information. You may face some restrictions if you have an interim clearance while awaiting your final clearance. For example, if you have a secret or confidential level clearance, you cannot access NATO information.
When you are trying to obtain or already have an FCL, you will work closely with your local Defense Counterintelligence and Security Agency representative, or DCSA rep. They can be a great resource for any problems you run into or questions you need answers to. Their goal is to ensure you're correctly protecting the information you have access to and meeting NISPOM requirements. The DCSA also offers an FCL Orientation Handbook which will walk you through the process to obtain an FCL.
Once you receive your clearances, then you’ll need to follow through on all required security measures. Your DD 254 outlined your company’s specific security requirements, which are based on the extent to which you will be dealing with the classified information. If you’ll only be accessing classified information at another contract facility or government activity, you likely won’t need any physical security and only basic network security requirements. However, if you’ll be generating, receiving and storing classified information, you will likely need to build a secure room (such as a Closed Area, now known as an Open Storage Area, or a SCIF, depending on the specific security requirements) and create a whole slew of processes and procedures to protect, destroy, disseminate and control classified information.
Your DCSA rep understands that if the government has engaged you for a classified effort, it’s because they recognize the value of your company to national security. The DCSA rep will therefore work to get your facility cleared as quickly as possible. While the FCL Orientation Handbook advertises a 45-day clearance process, in our experience, the process can take six months or even up to a year, depending on the complexity of your facility. However, the more prepared you are to compile your sponsorship package, the smoother and faster the process will go.
What is a PCL
Anyone in your facility who will be working with classified information needs to hold a Personnel Clearance (PCL). A PCL can be held by both full-time and contracted employees working for a company holding an FCL. Like FCLs, you can have a classified, secret or top secret level clearance depending on the highest level of information you deal with. To obtain a PCL, you need to have a “need to know,” or a specific need to access classified information for your work. Cleared companies can hire employees already holding a PCL or hire someone who will have to go through the clearance process, which can take several months.
The process to obtain a PCL will be initiated by the FSO when that need to know is determined. The FSO will send you a login to the Electronic Questionnaires for Investigations Processing (e-QIP) online system. You have 30 days to log in, after which you will use e-QIP to fill out Standard Form (SF) 86.
The SF 86 is a large form and some of the questions may require you to do some research. We recommend setting aside some time daily to complete it, as it tends to take a couple of weeks to gather all the information necessary. The form requires you to list every place you’ve lived in the last 10 years, every place you’ve been employed and background on members of your family. You also need to include information on people who can verify your past residences and employment history who aren’t members of your family. Along with the SF 86, you need to submit fingerprints. Your FSO will help you time these submissions correctly: your fingerprints will expire in the system after 120 days, and the SF 86 expires after 90 days if you haven’t completed it, so you want to submit them at a similar time so neither expires before the other is ready.
Once you submit your form and fingerprints and they’re received by the Vetting Risk Operations Center (VROC), the waiting game begins as they conduct their investigation and verify the information you provided. The time it takes for the investigation will vary depending on factors such as if you made any mistakes or left anything out of your form, how much information needs to be verified, and if you have a criminal past. In total, the process to obtain a PCL takes four months on average.
Keep in mind that lying on this form is never a good idea; you will be caught, and it will impact your ability to obtain a clearance. It’s also a federal crime that can result in up to five years in prison. Having a criminal record also doesn’t necessarily prevent you from being able to obtain a clearance. The investigation is looking at you as a whole person and trying to determine if you can be trusted with classified information. One incident from your past will not necessarily disqualify you, but it may increase the investigation time.
Once you receive either an interim or full clearance, you will receive your initial briefing, be read into the program you’re working on and fill out the SF 312, an NDA which will give you official access to the program. If you have further clearances, like an SCI, those will require another briefing.
You also have to make sure to maintain your PCL. If you leave your cleared position, you have 12-18 months to find another position with a need to know to continue to hold a PCL. If you hold a contracted position, it’s wise to find your next cleared job before your current contract is up so you don’t risk your PCL expiring from too long of a break.
While holding your PCL, you need to follow the reporting requirements laid out in the NISPOM, including reporting marriages, major financial changes and any foreign travel. You will be enrolled in continuous evaluation and be reevaluated every five years. Your employer will also provide an annual refresher briefing to keep security information fresh in your mind.
Your PCL can be put at risk based on your behavior both in and out of work. Major breaches in security requirements, like unauthorized disclosure of classified information or insider threat activities, can result in an investigation and loss of PCL, as can a pattern of more minor security breaches. Alcohol and substance abuse can put your PCL at risk, but if you report it and choose to seek treatment, you’re far more likely to be able to keep your PCL.
Important Roles
For cleared facilities, there are a number of roles that are crucial to keeping things functioning and in compliance.
FSO
The Facility Security Officer is a crucial position for establishing and maintaining an FCL. Depending on the size of the company, this could be a full-time position or added responsibilities for an existing employee. The FSO must be a U.S. citizen and undergo approximately 40 hours of STEPP training (Security Training, Education and Professionalization Portal).
The FSO acts as a liaison between their company and the security agency they hold a contract with. The FSO must closely follow the NISPOM and make sure their facility remains in compliance with the requirements from it. They are also responsible for managing all of the company’s PCLs. They submit people for clearances and initiate investigations. They also lead the education and trainings for their organization.
Your FSO does need to be an employee of your company, but many of the FSO responsibilities can be outsourced in order to assist your FSO or free them up to focus on other responsibilities if they’re wearing multiple hats. Smaller companies with fewer than 100 cleared employees are more likely to outsource, though larger companies can also save money by outsourcing aspects of their program.
The DCSA rep will want to speak to the FSO of record regardless of whether responsibilities are outsourced. The consulting company can help prepare the FSO for meetings or evaluations with DCSA. The FSO will also have to be the one to sign any documentation where an FSO signature is required, rather than whoever the work is outsourced to. Beyond that, a consultant can help with pretty much all FSO responsibilities.
A capable FSO is crucial for the operation of a cleared facility, but for many organizations who can’t hire a full-time employee to fill the role, there can be too much to juggle. If you need support in trainings, managing PCLs, or creating an insider threat program, consider getting help from Adamo’s FSO support services.
ITPSO
The Insider Threat Program Senior Official runs the company’s insider threat program, which is required for all organizations holding an FCL. They are appointed by the Senior Management Official. In some organizations, the FSO will also serve as the ITPSO, though the working group requires a minimum of two people to serve on it, so they would need an additional employee to join the working group.
The ITPSO must complete the insider threat STEPP training within 30 days of appointment. They’re also responsible for drafting an insider threat program company policy, which outlines their responsibilities within the company, training requirements for themselves and employees, and what information needs to be reported regarding insider threats.
SMO
The SMO is the Senior Management Official. This is a high-ranking member of leadership at the company with “ultimate authority over the facility’s operations and authority to direct actions necessary for the safeguarding of classified information,” according to the NISPOM Rule. This will be someone like the CEO or president.
The SMO holds the same responsibilities regardless of the size of the company. Their overarching responsibility is to ensure the facility maintains its security in accordance with the NISPOM Rule. They appoint the FSO and ITPSO for the company and work in tandem with those employees to ensure compliance.
The SMO also plays a major role in the facility’s annual self-inspection. They will write the letter to your DCSA rep that outlines what vulnerabilities were found during the inspection and what the company will be doing to address them.
DCSA Rep
Your Defense Counterintelligence and Security Agency Representative, or DCSA Rep, also known as the Industrial Security (IS) Rep, is an agent who works with the FSO in a professional partnership to ensure the safeguarding of classified information. They will run inspections and are also a great resource when you have questions related to NISPOM requirements or industry changes. They are automatically assigned to your company once you are approved for a clearance and will be located in one of 43 field locations.
Closed Areas/Open Storage Areas
Open Storage Areas, previously known as Closed Areas prior to the NISPOM change from a DoD Manual to a federal rule, are spaces built and accredited to store secret and top secret information when the material cannot be stored inside a Government Services Administration (GSA) approved safe. This is likely material that can’t fit in a GSA safe. For instance, this could be classified parts of an aircraft that the facility is working on.
An Open Storage Area cannot store Secure Compartmented Information (SCI) or Special Access Program (SAP) information, as those need to be stored in a SCIF or SAPF. These types of facilities have even higher requirements than Open Storage Areas and have to follow a different set of requirements, the ICD 705 Technical Specifications.
The NISPOM doesn’t specify what materials to use when constructing an Open Storage Area, but each component, such as doors, walls and windows, must meet a minimum standard. For the accreditation process, the most important thing is that you have a justification for the space. The FSO will work with the DCSA Rep to begin the process. Your rep will do a walkthrough of the space once it’s built in order to approve the space. They will need to approve your physical security measures, Intrusion Detection System (IDS) and your Access Control System (ACS). Your alarms will also need to be installed by a Nationally Recognized Testing Laboratory.
Without a background in construction or familiarity with the NISPOM requirements, building an Open Storage Area can be a daunting and difficult endeavor. Don’t leave your accreditation up to chance; trust the experts from Adamo to get it done right the first time. Our consultants will partner with your team and help guide you through the process.
Inspections and Reviews
There are a few different inspections and reviews your facility will need to undergo, including a self-inspection, security review, Security Monitoring Action (SMA), and a Targeted Engagement Action (TEA).
Self-inspections are an annual occurrence and an important part of maintaining your FCL. The goal of them is to discover any vulnerabilities your facility has, from physical security weaknesses to gaps in employees’ security knowledge. The Self-Inspection Handbook will work as a guide for you during this. It supplies checklists that outline topics like reporting requirements or standards for security equipment, and you check off if you do or don’t meet these requirements.
Self-inspections are typically run by the FSO, though the Assistant FSO can step up to conduct the inspection if need be. The SMO is responsible for writing a letter to the company’s DCSA Rep that outlines the findings from the inspection and what the company plans on doing to address them. After you conduct your self-inspection, the DCSA Rep will schedule and conduct their security review, after which you will have 90 days to fix any vulnerabilities they find.
A security review is a scheduled period of time where the DCSA Rep will set up time with the FSO to discuss policies and procedures, clearances, potential vulnerabilities and updates to the industry systems. These reviews take place roughly every 12 to 18 months and can take anywhere from a few hours to two days depending on the size of the company. The rep will also speak with both cleared and uncleared personnel and the SMO while making their visit to make sure personnel have the necessary knowledge and the SMO is up to date with what the security program is doing.
Once the security review is completed, the rep will give the FSO a score that will break down which areas are commendable and where vulnerabilities might be present. The possible scores in order are superior, commendable, satisfactory, marginal and unsatisfactory. If your facility receives a marginal or unsatisfactory score, it faces the potential loss of its FCL and any contracts that deal with classified information. Your overall score can only be as high as the lowest rating, so if one score is satisfactory and all others are commendable or superior, the overall score will only be satisfactory.
An SMA is also organized and conducted by your rep and is a type of security review. It is typically conducted annually over the phone. The FSO will send the company’s policies and procedures prior to the meeting, and the rep will confirm with the FSO that everything is compliant with the set policies. The call typically lasts an hour or two, and the rep will prepare questions and give recommendations for any changes they feel need to be made. Any vulnerability detected during this meeting will need to be addressed within 30 days.
The DCSA Rep will send a TEA to the FSO when there is a specific issue to address with a company. This is a form that the rep sends outlining the problem. The FSO is given 15 to 30 days to fix the specific problem.
If you are holding an FCL and are looking for help with your responsibilities, let Adamo’s FSO support services lighten your workload and free you up to focus on what matters. Our security experts can run trainings, manage PCLs and help you navigate the incredibly important relationship between you and your DCSA Rep. Contact us today to learn how we can change your work life for the better.