The Facility Security Officer (FSO) plays a key role in the execution of classified contracts. By designation, the FSO role is to manage a security program to protect classified information, and this can be done most effectively through a good professional relationship with the Contracting Officer’s Representative (COR).

For those unfamiliar with government contracting, the Government Contracting Agency (GCA) provides requirements to their prime contractor through contract language. The contract language and associated programmatic documentation describes the products or services the GCA desires of the Cleared Defense Contractor (CDC). The CDC team made up of service or product providers and contract and security support staff develop a plan to meet the requirements. The COR is one agent the GCA uses to ensure that the defense contractor is performing as required. Additionally, the Defense Security Services (DSS) is the Cognizant Security Authority that inspects CDC security programs for the GCA.

One of the programmatic documents provided to the CDC is the Contract Security Classification Specification (DD Form 254) and is used to describe the type of classified work and what is required to perform the classified work. Some information addressed in the form includes the classification level required to perform on the contract, types of classified information the contractor must access, and classified information format and location of performance. For example, the DD Form 254 might notify the CDC that they will have access to TOP SECRET information, requiring access to COMSEC material to be performed at the contractor’s location.

The FSO should be part of the program management team that responds to requirements, clarifies direction, and seeks clarity of expectations. One function the FSO should perform is liaison between the COR and the CDC PM to ensure that the classified information in the CDC possession is protected as the GCA requires and meet those requirements during the DSS review. The other function is to ensure that the CDC program management team has the resources required to carry out their classified work.

Some specific FSO / COR interaction should include.

  • Requesting Security Classification Guidance which identifies what the government program office has determined as classified and at what classification level
  • Requesting classified document retention if required beyond the contract duration
  • Challenging classification decisions if in contrast with work requirements
  • Requesting approval of classified work space, special equipment, or information systems necessary in the performance of classified work
  • Coordinating the execution of classified government meetings at the contractor location

One method an FSO could use for successful execution is to list each requirement in a database or spreadsheet and use that track performance. For example, if the earlier example, the DD Form 254 identified that the CDC would have access to TOP SECRET information, requiring access to COMSEC material to be performed at the contractor’s location, the FSO would break those tasks down to performance metrics. Some of these metrics could include:

  1. Require access to COMSEC information at the TOP SECRET Level
  2. COMSEC information should be stored away from other TOP SECRET classified information
  3. COMSEC custodian should be appointed with TOP SECRET Control Officer Responsibilities
  4. COMSEC briefings should be provided
  5. Area designated for the performance of TOP SECRET work
  6. Security program established to provide physical security to protect COMSEC information at the TOP SECRET level.

Though the government COR is tracking classified performance, the FSO should ensure they follow guidance in the National Industrial Security Program Operating Manual (NISPOM). The FSO should interact with the COR to understand requirements and use NISPOM guidance and the Self-Inspection Handbook for NISP Contractors as metrics to determine success.

The execution of classified contracts is a team event that involves the government and CDC members. While the CDC program manager seeks clarification from and reports status for product or service to the government customer, the FSO should be likewise performing through the COR. A classified contract integrating a knowledgeable FSO establishes the baseline for a successful security program designed to protect classified information.

Related News

Jeffrey W. Bennett, SAPPC, SFPC, ISOC, ISP is a podcaster, consultant and author of NISPOM, security, and risk management topics. Jeff's first book was a study guide for security certification. Soon after, Jeff began writing other security books and courses, and started his company Red Bike Publishing, LLC. You can find his books, ITAR, NISPOM, PodCast and more @