nooks logo text

NOOKS TurboFCL

Overview

An overview of the FCL application process from beginning to end, and beyond.

  1. What is an FCL?
  2. The 4 phases of FCL
  3. Getting started
  4. Acquiring an FCL, simplified
  5. Standard Flow & Exceptions
  6. Key Management Personnel
  7. Preparing the Sponsorship Package
  8. Awarding, Inspections, and Maintenance

What is an FCL?

A facility security clearance (FCL) lets a U.S. company access classified information. Most FCLs are granted by the Defense Counterintelligence and Security Agency (DCSA), although there are other FCL-granting organizations ("Cognizant Security Agency"), such as the Department of Energy or the Office of the National Director of Intelligence.

FCLs are generally attached to specific U.S. Government contracting activities.

The concept of "company" in this context is very broad, and can include many organization forms, including non-profits, schools, or Native American tribes, among others.

A company with an FCL might have permission to store and work with classified material in a secure location--for example, a company manufacturing missiles for the Navy will likely have classified electronics and armaments material in its manufacturing facilities. On the other hand, many FCLs are "non-possessing" or "access elsewhere"--which just means the company's cleared employees can only access classified information at an appropriate government facility or another cleared company's location, and they may not bring any such information back to their own facility.

According the DCSA, an FCL is:

"A Facility Clearance is an administrative determination that a company is eligible to access classified information at the same level as the clearance granted (e.g., Confidential, Secret, or Top Secret)."

In plain English, a facility clearance means the U.S. Government has decided a company is trustworthy enough to work on classified activities at a specific location.

The 4 phases of FCL

There are four phases to the FCL process:

  • FCL sponsorship — A government or commercial customer requests and FCL on your behalf
  • FCL package submission — Providing corporate and personnel documentation to DCSA
  • DCSA adjudication — DCSA investigates your people and company or school
  • FCL maintenance — Setting up your national security program and ensuring your program is compliant with NISPOM

Getting started

An FCL begins with sponsorship by a Government contracting office, a Government security representative, or a Prime Contractor with an existing clearance. There is not an independent application process.

DCSA has many training materials available on their website, including the FCL Process Orientation Handbook, and a comprehensive online training platform through its Center for Security Development and Excellence (CDSE).

Acquiring an FCL, simplified

In the DCSA Facility Clearance (FCL) Orientation Handbook , you'll find the flowchart to the left.

For companies of any complexity, they need to start long before receiving that email.

This is great place to begin understanding, but remember that it's written from a DCSA point of view, and they see you starting the process with their Welcome email, and it's 20-day countdown to the FCL submission deadline.

Standard Flow & Exceptions

The FCL process is designed to follow the award of a contract or a subcontract, where performance on the contracted activity requires access to classified information. Policy guidance around the FCL processes assumes that companies are entering this process with that background; however, that is not always the case. In some circumstances, companies need access to classified information just to respond to a government request for proposals; in other circumstances, the government will sign an unclassified contract for equipment or services that then requires cleared personnel to support the activity, without elevating the contract to include an FCL requirement (or justification).

Regardless of the situation, an FCL should always arise from a need to know. Companies are prohibited from advertising their FCL status, and the decision to grant an FCL is not intended to provide commercial advantage.

Key Management Personnel

At the outset of the FCL process, you should consider the Key Management Personnel (KMP) who will serve in critical roles during the course of the sponsorship and subsequent management of your facility's security program.

The three critical KMP are the Senior Management Official (SMO), Facility Security Officer (FSO), and Insider Threat Program Security Officer (ITPSO). Depending on your facility's size and legal constitution, you may have one or more SMO; the FSO and ITPSO can be separate individuals, the same individuals, or they could be additional roles held by your SMO.

  1. Ensure that the individuals serving as KMP are U.S. citizens with the ability to pass a background check and hold a Personnel Security Clearance (PCL)
  2. Think about the workload for the FSO: up to 38 hours of video training, specialized paperwork, and communication with DCSA--and how it will impact their day-to-day work
  3. Remember that all three positions are ongoing roles and require maintaining a PCL, including reporting requirements for foreign travel and periodic re-investigation

Preparing the Sponsorship Package

Once your government representative or prime contractor have begun the sponsorship process with DCSA or another CSA, you can begin preparing for the next step, in which you will describe your company and your proposed security program to the government.

  1. Officially appoint your FSO and other Key Management Personnel (KMP).
    1. The FSO and ITPSO require a written letter of appointment or other indication from your organization's governing body; the SMO(s) should similarly have written documentation of their appointment
    2. The FSO and ITPSO require specialized training
    3. All KMP (SMO, FSO, ITPSO) will require personnel clearances; these can be initiated during the FCL application process.
    4. Tools like TurboFCL can help your FSO prepare for the rest of this process
  2. Report any foreign ownership, control, or influence on the SF-328. DCSA has many instructional guides for this form, and the TurboFCL workbook can guide you through it as well. You should begin collecting information on the SF-328 as soon as possible, since some document requests to owners or legal teams might cause delays later in the process.
  3. Start filling out the org chart and KMP list, and gathering meeting minutes.
  4. Some Government sponsors are able to process the DD-254 and FCL Sponsorship without much interaction from your team; other sponsors require more active involvement. Stay in touch with your sponsor and make sure to provide any materials they need to successfully sponsor your FCL.
  5. When DCSA has processed the DD-254, they'll send you a Welcome email, sometimes known as the "Day One" email.
    1. This email starts a 20-day countdown for submitting your FCL application; if you miss the deadline, you must start over by having your sponsor resubmit the sponsorship package.
    2. Entities that begin collecting documentation upon receiving the Welcome email are at risk of missing the deadline, which is why TurboFCL and similar guides advise beginning the document collection and preparation long before that step is reached.
  6. Once the Welcome email arrives, your FSO must create a NCAISS account and register their account with NISS, which is DCSA's system of record. The FSO must submit your documentation in NISS in order to meet the 20-day deadline.
  7. While the documentation process is ongoing, KMPs will submit fingerprints and other documentation.
  8. If you pass the first round, DCSA will set up an initial orientation meeting.
  9. For possessing entities, an inspection of your physical spaces will be conducted.
  10. If everything passes, FCL is granted.

Awarding, Inspections, and Maintenance

Once DCSA has awarded a facility's FCL, they will begin scheduling annual inspections of the facility. During inspections, expect DCSA personnel to meet with KMP and a sampling of cleared employees, review security logs and documentation such as DD-254s, and to follow up on any suspicious contacts, security violations, or other reportable circumstances and events. DCSA may also provide your facility with a classified threat briefing if appropriate.

FCLs are tied to contract performance, and will be retired at the end of performance on a cleared contract unless a new cleared contract requires the FCL to remain in place. Report new classified contract activity to DCSA by submitting DD-254s through NISS, and expect your classified contract work to be part of the conversation with DCSA throughout the inspection life cycle.

Annual training for KMP and cleared employees is also an important aspect of DCSA's inspection and review of security logs; be sure to keep clear records of relevant security training available for review.

All foreign travel by cleared employees must be reported in NISS. Many organizations use an internal form to collect information, which the FSO then enters into NISS; these records should be preserved for review by DCSA upon inspection, as well.