Your company has an opportunity to engage with the U.S. government, but it requires security clearances, and facility clearances to do the work. Where do you start? You know you need a Facility Security Officer (FSO), but as someone in the government contracting space, you may wonder if this is a task you can subcontract out, particularly if you lack the skill set in house. The advice to divide the task into core and context and outsource as much as possible to arrive at operational availability more rapidly is attractive.  After all, nearly every day we hear of new risks to government contractors, the growth of insider threats, and changing policies your FSO will need to be aware of.

While many of the tasks can be accomplished by third-party contractors, be cautious, as doing it poorly can also sink your ship.

Can I contract out FSO services to a third-party?

The National Industrial Security Program Operating Manual (NISPOM) does not allow companies to contract out FSO services. Here is the specific language:

1-201. Facility Security Officer (FSO). The contractor shall appoint a U.S. citizen employee, who is cleared as part of the facility clearance (FCL), to be the FSO. The FSO will supervise and direct security measures necessary for implementing this Manual and related Federal requirements for classified information. The FSO, or those otherwise performing security duties, shall complete security training as specified in Chapter 3 and as deemed appropriate by the Cognizant Security Authority (CSA).

It’s clear: the FSO must be an employee of the government contracting company. That said, there is no prohibition of hiring in experts with experience and knowledge of the NISPOM as assistants to the FSO. It’s just important to make sure those individuals are acting in the role of assistants – and that you have qualified security personnel on your staff.

Security Clearance Assistance

Any consultant who tells you they can get your personnel their security clearance in specific amount of time, ignore and step away. No, run.

Contracting a consultant to educate and familiarize your personnel with the clearance process is prudent. Having the consultant own the process on your behalf, remotely, will find yourself in the crosshairs of the Defense Counterintelligence Security Agency (DCSA). This work needs to be accomplished in house on site. So bring your contractors into your company to do the support work with respect to the clearance process.

Your facility clearance

Ask the question – will I have to store and handle classified information onsite?

If the answer is yes, you are looking at having to harden your footprint in accordance with the NISPOM. This may include the buildout of a Sensitive Compartmented Information Facility (SCIF) to handle the processing and storage of classified information.

If the answer is no, your pathway to the facility clearance is far less arduous and substantially less expensive. Using a consultant to understand and assist your FSO through the process is permissible. The FSO, however, is the responsible person for the facility clearance. If your facility is found to have compromised classified information, pointing a finger at a third-party will not help your case – you are responsible for having the appropriate knowledge and security measures in place on site.

Counterintelligence, Travel and Security Briefings

Use of contractors to help the FSO provide to all cleared personnel their counterintelligence, travel or security briefings is permissible. Indeed, individuals with briefing/training expertise who provide topical expertise may be a judicious use of contracting dollars to assist the FSO in ensuring timely and relevant briefing materials are provided to their personnel. Insider threat training requirements mandate annual security training for all cleared personnel – which should be considered the minimum.

Consultants and contractors are an integral part of almost all government agencies, and government contractors. But use those consultants wisely, and never allow them to take the place of full-time employee requirements.

Related News

Christopher Burgess (@burgessct) is an author and speaker on the topic of security strategy. Christopher, served 30+ years within the Central Intelligence Agency. He lived and worked in South Asia, Southeast Asia, the Middle East, Central Europe, and Latin America. Upon his retirement, the CIA awarded him the Career Distinguished Intelligence Medal, the highest level of career recognition. Christopher co-authored the book, “Secrets Stolen, Fortunes Lost, Preventing Intellectual Property Theft and Economic Espionage in the 21st Century” (Syngress, March 2008). He is the founder of securelytravel.com