Wednesday, August 25, 2010

How to Get a Facility Security Clearance for Beginners

Before a defense contractor can perform on a classified contract, it must be approved for a security clearance. You might be familiar with security clearances for people, but defense contractor facilities must also be approved for a security clearance, called a facility clearance (FCL). Having an FCL doesn’t mean that a particular building is approved for a clearance, but rather the determination is based on the entity. For example, a defense contractor facility may be a sole proprietorship, a limited liability company, corporation, university or other recognized establishment. It is the organization itself and not the building that gets the clearance.

A company cannot process itself for a clearance. The clearance is based on a legitimate classified contract from either a government entity or other prime contractor. A company can bid on a classified contract even if it does not possess an FCL. However, it must receive the FCL prior to beginning to work on the classified contract.

When a defense contractor has a legitimate need for a clearance, it is sponsored by the awarding government agency or prime contractor. This sponsorship begins the process of the clearance request. The sponsoring organization notifies Defense Security Services (DSS), which works with the defense contractor to complete the requirements for an FCL. To be eligible for a clearance, the defense contractor facility must first have a good reputation for doing business and be in good standing. DSS will research and evaluate the company. Meanwhile, the candidate company works with DSS to provide four remaining requirements.


A security agreement (DD Form 441) must be signed. This agreement describes the responsibilities that both the contractor and government have to protect classified information. For example, in the security agreement the government agrees to provide security clearances and the contractor agrees to follow the National Industrial Security Program Operating Manual (NISPOM).


Additionally, the defense contractor has to complete the certificate pertaining to foreign interests. Once the contractor completes the certificate, DSS will have a good indication of whether or not and how much a foreign entity might influence classified contracts. If the contractor falls under foreign ownership, control or influence, the amount of influence will have to be mitigated.


The defense contractor will also turn in documentation indicating how they are organized (corporation, sole proprietorship, LLC or other formation). DSS will use this information to determine how the contractor is managed and how decisions are made. DSS needs to know this information to determine how decisions concerning classified information are made.


Finally, an FCL is not granted until the required key personnel are granted a security clearance. According to NISPOM, the senior ranking officer in the company and the FSO must be granted security clearances. Other cleared personnel are granted clearances based on the minimum necessary to efficiently meet the needs of the classified contract.

In summary, defense contractors come in all shapes and sizes. The NISPOM provides the minimum requirements a defense contractor must meet to be able to be granted an FCL. Whether the contractor is organized as a single owner/employee, university or large corporation, they must meet all five criteria:

Have a contractual need and be in good standing

Sign a Security agreement

Provide a certificate pertaining to foreign interests

Be a real company organization in the US or territories

Key management personnel are granted clearances

FSO 101-How to manage the security of classified contracts

For defense contractors, there can be nothing better than winning a contract and providing a great product or service. For those cleared defense contractors, landing the classified contract improves their opportunities. However, these opportunities have more requirements that must be addressed. Contractors performing on classified contracts are required to protect this information according to the National Industrial Security Program (NISP).

The NISP was established in 1993 under Executive Order 12829. The purpose of the NISP is to protect classified information at the proper level whether it is in the hands of the U.S. Government or a defense contractor. The NISP provided reciprocal protection of the same information no matter which organization owned it. In other words similar classified information should be protected the same whether at a government or defense contractor location. The NISP provided the minimum standards for everyone to abide by. Even though some organizations may implement more rigorous security measures, they could not violate the minimum standards.

The NISP also directs the creation of the NISP Operating Manual (NISPOM). This is the government’s guidance for protecting classified information at Department of Defense contractor organizations. Additionally, each government agency created its own security guidance reflecting requirements of the NISP.

Each government agency created security specialist positions to establish and enforce security measures to protect classified information. Similarly, the NISPOM requires a cleared contractor to appoint a Facility Security Officer (FSO). The defense contractor can hire a full-time security employee or simply appoint an employee to the position as an additional duty. Whether operating as the security manager full time or on an as-needed basis, the responsibilities of the FSO ensure that classified information is protected.

For small contractors, this can be more challenging. I’ve visited some defense contractor facilities made up of five engineers in a small building doing great things. While focused on the eureka moment, they still are responsible for protecting both classified and unclassified government information. While large corporations can hire and train a group of security specialists, such protection may prove a difficult endeavor for very small defense contractors with a single point of contact FSO who has no experience with basic security concepts.

While on the surface this may prove difficult, there are ways to make the job more manageable. The first place to start is with the Defense Security Services (DSS) industrial security representative. They oversee the NISP implementation for the Department of Defense at cleared contractor facilities. They also help FSOs get the required FSO Program Management Course. DSS offers this online training for cleared facilities whether or not authorized to possess classified information. Training is available at DSS also offers bite-size courses that can be completed in less than an hour on topics including: marking, transporting, safeguarding and disseminating classified information. A complete novice can learn the appropriate mindset in a short amount of time.

The next step is to determine which parts of the NISPOM apply. For the most part, Chapters 1, 2, 3, and parts of 5 apply to all cleared contractors. However, other chapters may apply on a case-by-case basis. FSOs can make more effective use of time by developing security measures tailored to applicable parts of the NISPOM. For example, if a non-possessing contractor only maintains employee security clearances, there is not much call to apply security measures to protect classified information or processing. In this case the FSO would do well to ensure they are practicing personnel security as outlined in NISPOM and inspected by DSS. To help focus direction, the customer tells the cleared contractor how to perform on the classified contract in the DD Form 254 and the contract. The DD Form 254 specifically addresses the protection of classified information. If additional help is needed, the defense contractor can also contact a reputable consultant or join a professional organization.

Additional FSO duties may include export compliance. This position is assumed by many FSOs and requires knowledge of defense items and services that require special permissions prior to export. The State Department has jurisdiction. The NISPOM does cover export compliance, but the International Traffic in Arms Regulations (ITAR) is the State Department’s regulation. The ITAR provides in-depth guidance.

The cleared contractor is responsible for implementing and directing the protection of classified information as it relates to NISPOM, DD Form 254, security agreements and contract as they apply to the cleared facility mission. The NISPOM provides the guidance. The FSO is the appointed responsible position to ensure the cleared contractor applies the NISP. This is a tough job, but there are resources available to make it a more focused and efficient effort.

Tuesday, August 3, 2010

Industrial Security Newsletter - iContact Community

Great article on performing security while walking around. Check the pulse of your security program while getting to know your employees.