A Guide to Navigating the Facility Security Clearance Process
The facility clearance (FCL) process can be intimidating, as can all the acronyms you encounter along the way. But it’s relatively straightforward if you’re prepared. Follow the steps outlined below, and you’ll be on your way to having a cleared facility. Reach out to us if you need help along the way.
How the Process Works
Step 1: Secure a DD Form 254.
The entire FCL process hinges on your company having a legitimate need to access classified information and obtaining a form called Department of Defense 254, or DD 254, which the government or primary government contractor provides to establish the company’s need to know (in order to gain access to that classified information) as well as what specific security regulations are required of the company for that program or project.
If a company wants an FCL, it’s not a matter of simply requesting one from the federal government—it can only be sponsored by a federal agency or a cleared contractor when there is a need for your company to have access to classified information, and it typically begins after a company is awarded a contract. Fortunately, you don’t typically need to have a clearance to bid on or be awarded a government contract. And then, while you’re going through the FCL process, your company can sometimes receive a temporary or “interim” clearance before the final one so that you can begin work on the contract.
Step 2: Name an FSO.
Appoint a Facility Security Officer (or FSO), who will be in charge of not only navigating the FCL process but also maintaining the facility clearance throughout the life of the contract, which requires ensuring that the company adheres to the federal requirements regarding classified information, as outlined in the National Industrial Security Program Operating Manual (NISPOM) and others referenced by your particular DD 254 as required. The FSO must be a U.S. citizen employee, and while the role can be a full-time position at larger companies, smaller companies usually add it to the responsibilities of a current employee who already works in an administrative or facilities management role. (Note that while the FSO must be an employee, some FSO responsibilities can be outsourced.) In most cases, the FSO will also need to be able to pass a government background check, as the FSO will typically be required to be cleared to the same level (confidential, secret or top secret) as the FCL.
Step 3: Find your local DCSA rep.
After you have your DD 254 and have designated an FSO, the rest of the clearance process can be simple for the typical U.S.-owned company. Your next step should be reaching out to your local Defense Counterintelligence Security Agency (DCSA) field office through the agency’s website to get in touch with your representative. It’s that person’s job to actively assist you in getting your facility cleared.
Step 4: Research your roadmap.
Look up the FCL Orientation Handbook, provided by the DCSA. It will walk you through the process start to finish, which can be as little as 45 days from the time the DCSA accepts your sponsorship package. Starting with a phone meeting, the DCSA rep will guide your FSO through the deadlines and identify which documents and forms will need to be submitted based on your company’s business structure.
Step 5: Gather and submit your documentation.
After the phone call with your rep, you’ll need to gather information on your company and certain employees. Concurrent with your FCL, you’ll need to get personnel clearances (PCLs) for the key managers of your company and the FSO—you can’t have a facility clearance without cleared personnel, but the more people you have to clear, the longer the process could take, as they all have to go through background investigations. Here’s what the FCL package requires:
- Company documentation: You’ll need to show how your company is established legally, and based on how it’s established (e.g., corporation vs. LLC vs. partnership), you’ll submit different forms of legal documentation. For example, with a corporation, you’ll have to submit the Certificate or Articles of Incorporation, which was filed with the Secretary of State’s office. For a sole proprietorship, the requirements vary based on the state and jurisdiction.
- Personnel documentation: Based on your company’s organization, you’ll be required to submit a form listing all key management personnel (such as the company owner and FSO) who will be receiving PCLs, including social security numbers and citizenship verification. If not everyone in the company’s ownership structure will be getting a PCL, you can also submit exclusion resolutions, essentially letters explaining that the people who aren’t being cleared won’t be able to make decisions regarding the classified information and how it’s handled.
- Security documentation: A DD Form 441 is an agreement between your company and the U.S. government detailing the security responsibilities of both sides.
- Foreign ownership documentation: A SF 328 form is a certificate that pertains to a company’s foreign interests. It explains what FOCI (Foreign Ownership, Control, or Influence) is present to determine if mitigations are needed for the company to receive an FCL.
Once you have the required documents gathered on your business and key personnel, you’ll submit the forms through NISS, the National Industrial Security System, and your DCSA rep will review it to determine if you’re eligible to receive an FCL.
Step 6: Implement the security measures.
Once you receive your clearances, then you’ll need to follow through on all required security measures. Your DD 254 outlined your company’s specific security requirements, which are based on the extent to which you will be dealing with the classified information. If you’ll only be accessing classified information at another contract facility or government activity, you likely won’t need any physical security and only basic network security requirements. However, if you’ll be generating, receiving and storing classified information, you will likely need to build a secure room (such as a closed area or a SCIF, depending on the specific security requirements) and create a whole slew of processes and procedures to protect, destroy, disseminate and control classified information.
Your DCSA rep understands that if the government has engaged you for a classified effort, it’s because they recognize the value of your company to national security. The DCSA rep will therefore work to get your facility cleared as quickly as possible. While the FCL Orientation Handbook advertises a 45-day clearance process, in our experience, the process can take six months or even up to a year, depending on the complexity of your facility. However, the more prepared you are to compile your sponsorship package, the smoother and faster the process will go.
Still confused about the acronyms? Use our FCL Acronyms Guide to keep those letters straight.