Congratulations on being appointed a Facility Security Officer (FSO). Your Cleared Defense Contractor (CDC) company trusts your ability to develop a security program to protect classified information. Many of you reading this article may have sought this opportunity as a career path. You may have applied for the job, been a principal in getting the facility clearance, or otherwise known this was coming. For others, the appointment is unexpected: you are serving as an FSO by necessity, in addition to your current roles and responsibilities. Perhaps you are the owner, president, CEO or COO, or are otherwise unsure of what to expect. Regardless of which situation you find yourself in, you have a lot of responsibility.

Becoming a CDC demands more than just getting a security clearance and performing on classified contracts. It has more to do with what happens once the clearance is awarded; specifically, protecting classified information. This protection involves physical, classified processing, and information security. It’s more than just buying safes, installing access controls and getting employees security clearances.

As the FSO, you will be a key player in developing the security program to protect classified information. This responsibility is both operational and administrative in nature as you align the CDC with the National Industrial Security Program Operating Manual (NISPOM) requirements. It is administrative in that you maintain the organization’s Facility Clearance (FCL) and the cleared employees’ Personnel Clearances (PCL). The operational part comes in as you train cleared employees, establish risk-based security measures to safeguard classified information, and inspect and document the program.

Record Required Events and Maintain Required Documents

Now that the FCL is granted, the FSO should incorporate the ability to maintain the FCL requirements. This means keeping those FCL records and having them available for review. Original documents and certificates should be available and updated to reflect any changes. The FCL records should include risk reduction measures and all the documents required to get the FCL, including:

  • DOD Security Agreement, or DD Form 441
  • DOD Appendage to DoD Security Agreement, or DOD 444-1 – if applicable
  • Certificate Pertaining to Foreign Interests, or SF328
  • Identification of Key Management Personnel
  • Self-Inspection results
  • Documentation of NISPOM required training

Maintenance of PCL information is just as vital. Assisting employees in acquiring and keeping their PCL is another of your FSO responsibilities.

Conduct Self-Inspections

Another FSO responsibility you have is conducting self-inspections. This self-review enables you to assess your security program and make improvements. Additionally, it will prepare you for the Defense Counterintelligence and Security Agency (DCSA) review. By inspecting your security program on a recurring basis and carrying out periodic self-inspections, you will ensure compliance with the applicable requirements of the NISPOM, ensure classified material is adequately protected, and validate your established security procedures.

Reporting

As the FSO, you are responsible for reporting certain events to the government that may affect the security clearance status of your company or an employee’s eligibility for access to classified information. Additional reportable events include insider threat activities, suspicious activities, and events that affect the ability to protect classified information. Just as important as the reported events is the establishment of organizational procedures for cleared employees to report pertinent information to the FSO.

Classified Visits

Classified visits are those visits where external persons arrive on site to work on classified projects. These could be meetings, work events, conferences, or other activities requiring the sharing of classified information. As the FSO, it is your responsibility to ensure that the number of classified visits is held to a minimum in accordance with the NISPOM. There are many tasks involved, including assisting with verifying the visitor’s security clearance level, need-to-know, and access requirements.

Security Education

A key FSO task is providing NISPOM-required training to all cleared employees. According to the latest NISPOM, 32 CFR Part 117, cleared defense contractors should provide all employees holding security clearances with security training and briefings commensurate with their involvement with classified information. Generally, this required training consists of initial briefings, refresher briefings, and debriefings when clearances are no longer necessary. More specific training categories include insider threat, derivative classifier, and handling controlled unclassified information.

If you are a new FSO, there is no reason to travel your journey alone. You may recruit fellow employees to assist with the tasks. Additionally, there are many resources available to assist with FSO responsibilities, including DCSA, the NISPOM, professional organizations, consultants, books and training available just for this purpose.

Jeffrey W. Bennett, SAPPC, SFPC, ISOC, ISP is a podcaster, consultant and author of NISPOM, security, and risk management topics. Jeff's first book was a study guide for security certification. Soon after, Jeff began writing other security books and courses, and started his company Red Bike Publishing, LLC. You can find his books, ITAR, NISPOM, PodCast and more @ www.redbikepublishing.com.