Companies eyeing a foothold in the U.S. defense sector must understand an important fact: the U.S. government requires substantial protections for information it considers classified. Classified information is any information that, if released to U.S. adversaries, may adversely affect U.S. national security. The first step to receive classified information is to receive the proper security clearances. Long before a contractor can touch classified information, or even hire the right team to handle it, the government must decide whether both the company and its people can be trusted to do so.
In 2025, the Defense Counterintelligence and Security Agency (DCSA) published its 2025-2030 Strategic Plan, signaling the agency’s intent to streamline clearance processes and modernize oversight mechanisms.
At the same time, the updated Standard Form 328 (Certificate Pertaining to Foreign Interests) went into effect on May 12, 2025, demanding significantly more detailed disclosures about foreign ownership, revenue and outsourcing.
At the heart of the security clearance process are two distinct but interlocking authorizations: the Facility Security Clearance (FCL) and Personnel Security Clearance (PCL). Together, they form the backbone of the National Industrial Security Program, a framework designed to protect the nation’s most sensitive projects. An FCL grants a company the right to receive and the responsibility to safeguard classified material, while a PCL authorizes vetted employees to work with it.
For new entrants to the defense market, the nuance here can be burdensome. A company can win a classified contract without yet holding an FCL, but it can’t begin performance until that clearance is in place. Likewise, an employee may be part of a cleared organization but still barred from seeing classified information until their personal clearance is granted. The system is intricate, deliberate, and often slow-moving, yet it’s essential for ensuring protection of classified information.
Understanding how and when these clearances apply is an invaluable strategic advantage for defense contracting entrants and veterans. Knowing the difference between a facility and personnel clearance, when sponsorship is required, and how compliance with the National Industrial Security Program Operating Manual (NISPOM) shapes day-to-day operations can determine whether a company successfully enters the defense market.
What is an FCL?
A Facility Security Clearance (“FCL”) is the company-level clearance. The NISPOM defines it as “an administrative determination that a company is eligible for access to classified information.” In other words, it is the government’s determination that a company has sufficient need and security to access and handle classified information. Each FCL specifies the highest classification of information the company is eligible to receive, including Confidential, Secret, or Top Secret.
Companies seeking to work with classified information, either under a classified government contract or as a subcontractor to a prime contractor, must obtain an FCL prior to receiving classified information. The FCL must allow the company to receive the highest level of classified access required by the contract. For example, if a company seeks to work with Top Secret information, it must have a Top Secret FCL or higher. Companies may bid on and win classified contracts without an FCL but must receive one before beginning performance.
To apply for an FCL, a company must have a sponsor, typically a U.S. government contracting officer or an already-cleared prime contractor. The sponsor submits a request to the Defense Counterintelligence and Security Agency (“DCSA”), which then opens an FCL case. DCSA will request business documents for background checks, review the company’s need to receive classified information, and investigate any foreign ownership, control, and influence (“FOCI”). Key management personnel for the company, such as the CEO, President, and other corporate officers, must obtain their own PCLs as part of the process. Even companies with minimal foreign ownership may be asked to enter into agreements or pass board resolutions to ensure classified information is adequately protected.
The FCL process can take anywhere from one to two years in most cases. Once granted the FCL remains active as long as the company maintains its eligibility and need for access under NISPOM and continues to require access to classified information. This includes maintaining appropriate security measures by appointing security officers, including a Facility Security Officer (“FSO”), an Insider Threat Program Senior Official (“ITPSO”), and an Information System Security Manager (“ISSM”). These positions must be filled by U.S. citizens. Key management personnel must also maintain up-to-date personnel security clearances.
While the FCL authorizes a company to access classified material, the PCL extends that authorization to specific individuals.
What is a PCL?
A Personnel Security Clearance (“PCL”) is the individual-level security clearance, defined as “an administrative determination that an individual is eligible … for access to classified information.” Like a FCL, a PCL is a governmental determination that a person is eligible for access to classified information. PCLs are granted at specific security levels, including Confidential, Secret, or Top Secret.
Individuals, including employees and other personnel, must obtain a PCL prior to receiving or accessing classified information. The process begins when a sponsor, usually the employee’s FSO or another cleared person, submits the required form on the individual’s behalf. DCSA then conducts a background investigation and requests additional information. A company can only sponsor a PCL when it holds an active FCL.
Generally, individuals must be U.S. citizens to receive a PCL, with limited exceptions. In some cases, the U.S. government may grant a Limited Access Authorization (“LAA”) to certain non-U.S. citizens if their unique expertise is urgently needed for a government contract. An LAA allows recipients temporary and restricted access to classified information but does not permit access to certain information including Top Secret information.
Historically, once granted PCLs must be maintained through periodic reinvestigations, which occur every five to ten years depending on the clearance level and other terms. However, DCSA is transitioning to a continuous vetting process. Any changes in circumstances, such as foreign travel, foreign contacts, or other significant occurrences, must be disclosed to and evaluated by DCSA.
When does the NISPOM apply?
For companies, the NISPOM applies when working with classified information, either under a classified government contract or as a subcontractor to another entity under a classified contract.
For individuals, the NISPOM applies when a person seeks to work with classified information. Importantly, even if your company has an FCL, individual employees still need their own PCLs to access classified information.
When are both clearances required?
To perform work using classified information both an FCL and PCL are required, but at different stages. Companies must have an FCL before receiving classified information. While they can bid on and receive contracts without one, they cannot perform on a classified contract until an FCL is obtained. Similarly, subcontractor companies must have an FCL prior to receiving classified information from prime contractors.
Even with an FCL in place, the U.S. government will not permit performance on a classified contract until all employees intending to work on classified portions of the contract have a PCL. This is because no individual may access or receive classified information without a valid clearance. Not every employee requires a PCL, only those directly working with the classified information. Strong internal screening and security protections can reduce the clearance requirement for companies with many projects.
Can employees without PCLs work on classified projects?
No. Employees must have the appropriate level clearance prior to receiving or accessing classified information. However, companies may hire employees and then sponsor them for PCLs. Until those clearances are granted, such employees cannot receive or work on classified information.
What Contractors should do now
If your company is considering bidding on or performing a classified government contract here are several practical steps to take:
- Confirm Sponsorship: Ensure you have a government contracting officer or cleared prime contractor willing to sponsor your company for an FCL.
- Identify Key Personnel: Determine which officers and employees will require PCLs and prepare them to provide the necessary background information.
- Prepare Compliance Systems: Establish internal cyber and physical security procedures, appoint an FSO, plan for annual training, and create a process for reporting foreign travel, contacts, and other required disclosures.
- Collect Required Information: Begin gathering information required by DCSA, including company ownership and details about investors and board members (names, citizenship, places of birth, and connections to foreign entities).
Taking these steps in advance can reduce delays, strengthen your clearance application, and help avoid risks such as contract performance issues or suspension of eligibility.
Understanding and planning for security clearances early can make the difference between a smooth contract launch and costly delays. For companies entering the defense market, proactive compliance is not just an administrative requirement, it is a strategic advantage.