The requirements and roles of a facility security officer (FSO)
For defense contractors, a facility security officer (or FSO) is a crucial position for establishing and maintaining a facility clearance (FCL) and the associated programs/requirements. Here’s what becoming an FSO entails.
Depending on the size of the company, an FSO could be its own full-time position or simply be added to the responsibilities of someone already working at the company. Either way, the FSO must be a U.S. citizen, an employee of the company and must undergo approximately 40 hours of STEPP training (Security Training, Education and Professionalization Portal) on the Center for Development of Security Excellence (CDSE) website. The FSO must also hold a personnel clearance at the same level as the FCL.
In order to become an FSO, a person will need the help of the Industrial Security Representative (IS Rep) assigned to them through the DCSA (Defense Counterintelligence and Security Agency). It’s the IS Rep’s responsibility to make sure that an FSO has everything they need to do their job.
Generally, an FSO acts as the liaison between the defense contractor and the U.S. government security agency that the company is contracted with. The 32 CFR Part 117, National Industrial Security Program Operating Manual (NISPOM), serves as an FSO’s “bible” on industrial security processes and guides them on how to carry out their responsibilities.
Company compliance: After completing the training, the first thing an FSO needs to do is study the NISPOM and the Industrial Security Letters (ISLs) that supplement it, to ensure that their company complies with the government standards for how a company that handles classified information should operate. Those two items are the foundation for establishing and maintaining a healthy facility clearance, but each facility might have its own set of requirements, based on the specific contract it has with the government. Any additional requirements, such as COMSEC or network security, will be spelled out in the DD 254 document, received from the government when the contract was awarded. An FSO must read through the DD 254 and make sure all of its requirements are followed to a “T.”
Personnel clearances (PCLs): An FSO is responsible for managing all of the company’s personnel clearances—submitting people for clearances and putting them in for investigation. The FSO also tracks clearances and submits periodic investigations when needed. FSOs also debrief cleared personnel when they leave the company.
Education and security awareness for cleared personnel: All cleared personnel must attend two annual trainings at a minimum—an annual DoD security refresher training and an insider threat awareness training. The FSO leads those trainings and ensures attendance by cleared employees. Depending on the company’s DD 254, there may be additional trainings required, such as cybersecurity, COMSEC or NATO.
Document control: If a firm handles classified information, the FSO is responsible for maintaining it and making sure it’s marked, handled, disseminated, stored and destroyed properly by training employees and keeping them accountable.
Facility management: Depending on the contract, the DD 254 may require that a NISPOM Closed Area, now known as an open storage area under 32 CFR Part 117, or a SCIF be built. The Closed Area might have acoustic protections, high-security hardware and access control measures. An FSO not only maintains the secure facility but also makes sure that employees who have access to the Closed Area are educated on how to handle themselves in and around the area.
In addition to the responsibilities above, an FSO can wear other hats, such as managing corporate security (HR investigations, criminal activities, safety), managing COMSEC or being the Information System Security Manager (ISSM). With all the roles an FSO can take on, it’s important that every responsibility is carried out thoroughly, and engaging a security specialist for support will ensure your company’s facility clearance can be maintained expertly and efficiently. Fortunately, the FSO community is tight-knit and willing to share. One of the best things a new FSO can do within their new role is participate in a professional group of security professionals such as NCMS, ASIS or ISAC to connect with and learn from other FSOs.