NOOKS TurboFCL

Overview

An overview of the FCL application process from beginning to end, and beyond.

What is an FCL?

A facility security clearance (FCL) lets a U.S. company access classified information. Most FCLs are granted by the Defense Counterintelligence and Security Agency (DCSA), although there are other FCL-granting organizations ("Cognizant Security Agency"), such as the Department of Energy or the Office of the National Director of Intelligence.

FCLs are generally attached to specific U.S. Government contracting activities.

The concept of "company" in this context is very broad, and can include many organization forms, including non-profits, schools, or Native American tribes, among others.

A company with an FCL might have permission to store and work with classified material in a secure location--for example, a company manufacturing missiles for the Navy will likely have classified electronics and armaments material in its manufacturing facilities. On the other hand, many FCLs are "non-possessing" or "access elsewhere"--which just means the company's cleared employees can only access classified information at an appropriate government facility or another cleared company's location, and they may not bring any such information back to their own facility.

According to DCSA, an FCL is:

"A Facility Clearance is an administrative determination that a company is eligible to access classified information at the same level as the clearance granted (e.g., Confidential, Secret, or Top Secret)."

In plain English, a facility clearance means the U.S. Government has decided a company is trustworthy enough to work on classified activities at a specific location.

The 4 phases of FCL

There are four phases to the FCL process:

  • FCL sponsorship — A government or commercial customer requests an FCL on your behalf
  • FCL package submission — Providing corporate and personnel documentation to DCSA
  • DCSA adjudication — DCSA investigates your people and company or school
  • FCL maintenance — Setting up your national security program and ensuring your program is compliant with NISPOM

Getting started

An FCL begins with sponsorship by a Government contracting office, a Government security representative, or a Prime Contractor with an existing clearance. There is not an independent application process.

DCSA has many training materials available on their website, including the FCL Process Orientation Handbook, and a comprehensive online training platform through its Center for Security Development and Excellence (CDSE).

Acquiring an FCL, simplified

In the DCSA Facility Clearance (FCL) Orientation Handbook, you'll find the flowchart to the left.

This is a great place to begin, but remember that it's written from DCSA's point of view: they see you starting the process with their Welcome email and its 20-day countdown to the FCL submission deadline.

Companies of any complexity need to start long before receiving that email.

Standard Flow & Exceptions

The FCL process is designed to follow the award of a contract or a subcontract, where performance on the contracted activity requires access to classified information. Policy guidance around the FCL processes assumes that companies are entering this process with that background; however, that is not always the case. In some circumstances, companies need access to classified information just to respond to a government request for proposals; in other circumstances, the government will sign an unclassified contract for equipment or services that then requires cleared personnel to support the activity, without elevating the contract to include an FCL requirement (or justification).

Regardless of the situation, an FCL should always arise from a need to know. Companies are prohibited from advertising their FCL status, and the decision to grant an FCL is not intended to provide commercial advantage.

Key Management Personnel

The KMP List identifies those persons who, because of the position they occupy at the company, are required to be eligible for access to classified information at the level of the FCL, such as the President or CEO, Board Chair, Facility Security Officer (FSO), Insider Threat Program Senior Official (ITPSO), and those additional company personnel who have significant control or influence over the operations of the company or over the company's performance of classified contracts. At a minimum, the KMP List should include persons who are formally appointed as officers, directors, partners, LLC members or managers, regents, or trustees and whose positions or roles are identified in business documentation (such as By-Laws or Operating Agreements).

DCSA will review your company's business documentation and compare the official positions identified in the business documentation to your KMP List. Therefore, it is critical that the business documentation match the KMP List. In addition, DCSA may determine that additional persons who have significant control or influence at the company should be identified as KMP, regardless of whether they were appointed by a Board of Directors or similar governance body. An example of significant control includes the authority to manage day-to-day operations of classified contracts. In all cases, DCSA analyzes business documentation and authorities of personnel within the cleared company to validate the accuracy of the KMP List. Each company is different, so there is not a "one-size-fits-all" approach.

For operational purposes, DCSA identifies a KMP in one of two categories:

  1. Essential KMP: Those persons who are required to be cleared in connection with the facility clearance. In other words, the company's FCL requires that each of these personnel have a current personnel security clearance (PCL). These persons must each hold a PCL at the same or higher level as the FCL. At a minimum, this includes the Senior Management Official (SMO), ITPSO, and FSO. Example: A Chief Operating Officer who has direct control and influence over day-to-day operations of classified contracts.
  2. Non-Essential KMP: Those persons who are not required to be cleared in connection with the facility clearance. In other words, the granting or continuation of the FCL does not depend on those persons having been granted a PCL. Non-essential KMPs may be cleared or uncleared, depending on their duties. These KMP may, and should, be formally excluded from access to classified information through execution of an Exclusion Resolution, if their job duties do not require access to classified information. Non-essential KMP may, however, be cleared if they require access to classified information to perform their duties for the company. Example: The Corporate Secretary, who has been formally identified in the By-Laws and appointed by the Board of Directors, does not require access to classified information for daily job duties. Additionally, this person does not hold any other positions of authority that provide an opportunity to affect the overall business or classified contracts. Based on these circumstances, DCSA considers this Corporate Secretary a non-essential KMP who will not need to be cleared and can be effectively excluded from access to classified information by formal resolution.

Common List of KMPs based on Business Structure

Corporation (Private/Public)

  • Chairman of the Board - (Essential KMP)
  • CEO/President - (Essential KMP)
  • Vice President
  • Secretary
  • Treasurer
  • Board of Directors

LLC

  • Member(s): In a member-managed LLC, the member with dominant authority must be cleared. When all members in a member-managed LLC have equal rights, all members must be cleared.
  • Manager(s): In a manager-managed LLC, the head of the Board of Managers, or the person serving as the SMO, must be cleared - (Essential KMP)

Sole Proprietorship

  • Owner - (Essential KMP)

General Partnership

  • General Partners - (Essential KMP)
  • Head of Management Committee - (Essential KMP)

College/University

  • President/Provost/Chancellor - (Essential KMP)
  • Regents/Trustees/Directors

Branch Office of a Multiple Facility Organization (MFO)

  • Local Management Official - (Essential KMP)
  • Local SMO & FSO - (Essential KMPs)

Caveats

  • Ensure that all Essential KMP are U.S. citizens with the ability to pass a background check and hold a Personnel Security Clearance (PCL)
  • Think about the workload for the FSO: up to 38 hours of video training, specialized paperwork, and communication with DCSA--and how it will impact their day-to-day work
    • The ITPSO also needs time to perform their FCL functions
  • Remember that all three positions are ongoing roles and require maintaining a PCL, including reporting requirements for foreign travel and periodic re-investigation

Preparing the Sponsorship Package

Once your government representative or prime contractor has begun the sponsorship process with DCSA or another CSA, you can begin preparing for the next step, in which you will describe your company and your proposed security program to the government.

  1. Officially appoint your FSO and other Key Management Personnel (KMP).
    1. The FSO and ITPSO require a written letter of appointment or other indication from your organization's governing body; the SMO(s) should similarly have written documentation of their appointment
    2. The FSO and ITPSO require specialized training
    3. All KMP (SMO, FSO, ITPSO) will require personnel clearances; these can be initiated during the FCL application process.
    4. Tools like TurboFCL can help your FSO prepare for the rest of this process
  2. Report any foreign ownership, control, or influence on the SF-328. DCSA has many instructional guides for this form, and the TurboFCL workbook can guide you through it as well. You should begin collecting information on the SF-328 as soon as possible, since some document requests to owners or legal teams might cause delays later in the process.
  3. Start filling out the org chart and KMP list, and gathering meeting minutes.
  4. Some Government sponsors are able to process the DD-254 and FCL Sponsorship without much interaction from your team; other sponsors require more active involvement. Stay in touch with your sponsor and make sure to provide any materials they need to successfully sponsor your FCL.
  5. When DCSA has processed the DD-254, they'll send you a Welcome email, sometimes known as the "Day One" email.
    1. This email starts a 20-day countdown for submitting your FCL application; if you miss the deadline, you must start over by having your sponsor resubmit the sponsorship package.
    2. Entities that begin collecting documentation upon receiving the Welcome email are at risk of missing the deadline, which is why TurboFCL and similar guides advise beginning the document collection and preparation long before that step is reached.
  6. Once the Welcome email arrives, your FSO must create an NCAISS account and register their account with NISS, which is DCSA's system of record. The FSO must submit your documentation in NISS in order to meet the 20-day deadline.
  7. While the documentation process is ongoing, KMPs will submit fingerprints and other documentation.
  8. If you pass the first round, DCSA will set up an initial orientation meeting.
  9. For possessing entities, an inspection of your physical spaces will be conducted.
  10. If everything passes, the FCL is granted.

Awarding, Inspections, and Maintenance

Once DCSA has awarded a facility's FCL, they will begin scheduling annual inspections of the facility. During inspections, expect DCSA personnel to meet with KMP and a sampling of cleared employees, review security logs and documentation such as DD-254s, and follow up on any suspicious contacts, security violations, or other reportable circumstances and events. DCSA may also provide your facility with a classified threat briefing if appropriate.

FCLs are tied to contract performance, and will be retired at the end of performance on a cleared contract unless a new cleared contract requires the FCL to remain in place. Report new classified contract activity to DCSA by submitting DD-254s through NISS, and expect your classified contract work to be part of the conversation with DCSA throughout the inspection life cycle.

Annual training for KMP and cleared employees is also an important aspect of DCSA's inspection and review of security logs; be sure to keep clear records of relevant security training available for review.

All foreign travel by cleared employees must be reported in NISS. Many organizations use an internal form to collect information, which the FSO then enters into NISS; these records should be preserved for review by DCSA upon inspection, as well.