Defense contractors provide goods and services while performing on government contracts. They are also designated by their identifying Commercial and Government Entity (CAGE) Codes. Besides having a sought after skill, service or product, defense contractors can also perform on classified and unclassified contracts. This article discusses classified contracts and how defense contractor enterprises are granted security clearances.

A facility security clearance (FCL) is provided to a defense contractor as a result of a contract requiring performance on a classified effort. Though the contractor does not have to possess an FCL prior to bidding on a contract, it is necessary perform on the classified effort. A defense contractor can bid on and win the contract as long as they are eligible to apply for and receive the FCL. Once they win the contract, the rewarding activity provides justification for the security clearance.

A defense contractor is not able to request its own security clearance in preparation for classified work, in anticipation of classified work, or to make the enterprise more marketable; there is just no system in place for that process. Responsible classification management begins with justification of the security clearance for facilities and employees. If a defense contractor is required to perform on a classified contract, the Government Contracting Activity (GCA) or prime contractor provides the request. After the GCA or prime contractor submits the sponsorship letter, the contractor can begin the process of applying for the clearance.

Once sponsored the DSS, GCA and contractor work together to meet following security clearance request requirements.

  • CAGE Code
  • Sign Department of Defense Security Agreement
  • Complete a Certificate Pertaining to Foreign Interests
  • Provide Organization Credentials
  • Identify Key Management Personnel clearances

Department of Defense Security Agreement (DD Form 441) is a security agreement between the US Government and defense contractor and documents each party’s responsibilities for protecting classified information.

The contractor agrees to implement and enforce the security controls necessary to prevent unauthorized disclosure of classified information in accordance with the National Industrial Security Program Operating Manual (NISPOM). The contractor also agrees to provide classified information only to those possessing need to know and a valid security clearance.

The U.S. Government agrees to provide facility and personnel security clearances to the defense contractor. They will also notify the cleared contractor of the security classification level assigned to classified information. The government also agrees to not over classify material, to notify the contractor of any changes in the classification level and to instruct the contractor on the proper handling, storage and disposition of classified material. The Government will also assess the contractor’s ability to protect classified material. For the DoD, this is done through an audit or review performed by Defense Security Services (DSS).

The DD Form 441 is a requirement prior to a defense contractor getting their facility security clearance. Once complete and approved, the form is maintained at both the contractor location and DSS and is subject to DSS review. The agreement is legally binding and designates responsibilities of each party to follow procedures established by NISPOM.

Certificate Pertaining to Foreign Interests (SF 328)-Cleared contractors are evaluated to determine whether or not they fall under Foreign Ownership Control or Influence (FOCI) and to what degree.  The primary concern is always protecting classified information from unauthorized disclosure. As with determining the amount of control a company officer or board member has over classified contracts, the same holds true of foreign entities with which a company may become involved.

In today’s changing world it is not unusual for a cleared company to be involved with international business. If a contractor falls under FOCI, DSS will work with the GCA to evaluate the contractor’s ability to mitigate the extent of foreign influence concerning classified information and approve, deny or revoke the FCL.

Organization-the enterprise must be in good business standings and have a history of demonstrating a good reputation and ethical business practices. The company should prove that they are structured and a legal entity under the laws of the United States, the District of Columbia or Puerto Rico and have a physical location in the United States or territories. DSS uses this information to better determine how the company is structured and which positions are capable to influence classified processing. Required information includes the following as applicable to the type of business:  Articles of Incorporation, Stock Records, Minutes of Board Meetings, and Corporate by-laws; Federal Tax ID Number; and reports filed with the Securities Exchange Commission. More information may be requested.

Key Management Personnel (KMP)-These are management or senior leaders who influence decisions regarding classified contracts. KMPs can be members of the board of directors, vice-presidents, directors or other upper level managers. Also, neither the company nor key managers can be barred from participating in U.S. Government contracts. The minimum security clearances required are for those holding senior officer and Facility Security Officer positions.

The FCL is also tied to the personnel security clearance (PCL) process. A company cannot have an FCL unless key employees are eligible for a PCL Subsequently, PCLs cannot be granted without the FCL. The Key Management Personnel are required to have clearances for the FCL, with the remainder of employees requested as needed.

For more information, see the DSS website for the security clearance checklist and starter package

Related News

Jeffrey W. Bennett, SAPPC, SFPC, ISOC, ISP is a podcaster, consultant and author of NISPOM, security, and risk management topics. Jeff's first book was a study guide for security certification. Soon after, Jeff began writing other security books and courses, and started his company Red Bike Publishing, LLC. You can find his books, ITAR, NISPOM, PodCast and more @