What Is DCSA?
The Defense Counterintelligence and Security Agency (DCSA) is a DoD Component responsible for protecting the U.S. defense industrial base from foreign intelligence threats, overseeing personnel security, and safeguarding classified information held by private industry. DCSA is the largest civilian element of the intelligence community by personnel and serves as the primary Cognizant Security Agency (CSA) for the overwhelming majority of cleared industry. [VERIFIED: dcsa.mil/About/]
DCSA was established in its current form in October 2020 through a merger of the Defense Security Service (DSS) and the National Background Investigations Bureau (NBIB), absorbing additional missions from OPM related to personnel vetting. The agency's name change — from DSS to DCSA — reflects an expanded mission: not just security but active counterintelligence to identify foreign intelligence entities targeting defense contractors.
By the numbers, DCSA oversees approximately 13,000 cleared facilities, processes hundreds of thousands of personnel security investigations annually, and maintains security oversight over contracts worth trillions of dollars. If you're a defense contractor working with classified information, DCSA is your primary point of accountability.
- Mission: Protect classified information and cleared personnel in defense industry from foreign intelligence threats.
- Primary authority: National Industrial Security Program (NISP) under E.O. 12829.
- Cleared facilities overseen: ~13,000.
- HQ: Quantico, Virginia.
The Facility Clearance (FCL) Process
A Facility Clearance (FCL) is a determination by the U.S. government that a company — not an individual employee — is eligible to access classified information at a specific classification level: Confidential, Secret, or Top Secret. The FCL is required before your company can be awarded a classified contract or receive classified information from a prime contractor. [VERIFIED: 32 CFR Part 117 (NISPOM), dcsa.mil/Industrial-Security/]
How the FCL Process Starts
An FCL cannot be self-initiated. The process begins when a U.S. government agency or a cleared prime contractor sponsors your company. The sponsor submits a DD Form 254 (Contract Security Classification Specification) identifying the classification level required for the work. DCSA then initiates the FCL investigation.
You cannot apply for an FCL "speculatively" to compete for future classified contracts. A government sponsor must initiate the process. If you're pursuing classified contracts, establish a relationship with a prime contractor or agency program office first — they become your sponsor.
FCL Process Steps and Timelines
Sponsor Initiates / SF-328 Submitted
The government sponsor notifies DCSA. Your company completes and submits the SF-328 (Certificate Pertaining to Foreign Interests) — the foundational document disclosing ownership, control, and foreign connections. Incomplete or inaccurate SF-328 submissions are the #1 cause of early delays.
FOCI Determination
DCSA evaluates whether your company is under Foreign Ownership, Control, or Influence (FOCI). Any foreign investors, board members, or contractual relationships that could allow a foreign entity to influence your company's operations are scrutinized. FOCI can delay or block an FCL — mitigation agreements may be required.
Key Management Personnel (KMP) Clearances
Senior officers, board members, and individuals with authority over the company must hold personal security clearances (PCLs) at the FCL level. If KMP don't already hold clearances, their investigations run in parallel — and often become the critical path. Executives with foreign travel, dual citizenship, or financial issues can block the entire FCL.
Facility Security Review
A DCSA Industrial Security Representative (IS Rep) conducts an on-site assessment of your facility. They verify physical security controls, safe storage for classified material, visitor control procedures, and security documentation. First-time facilities typically receive more scrutiny than established cleared contractors.
FCL Granted
DCSA grants the FCL at the appropriate level. Your designated Facility Security Officer (FSO) receives the determination. For Confidential/Secret, typical timelines are 6–15 months. For Top Secret, 12–18+ months. Ongoing DCSA oversight begins from this point.
| FCL Level | Typical Timeline | Primary Driver | Annual Cost Factor |
|---|---|---|---|
| Confidential | 6–12 months | FOCI review, KMP investigations | FSO time, physical security setup |
| Secret | 9–15 months | KMP clearances, FOCI, facility review | Same + more training requirements |
| Top Secret | 12–18+ months | Full-scope investigations, TS KMP clearances | Dedicated FSO common, SCIF may be required |
The National Industrial Security Program (NISP)
The National Industrial Security Program (NISP) is the U.S. government's primary framework for granting cleared industry access to classified information. It was established by Executive Order 12829 (1993, as amended) and is operationalized through the National Industrial Security Program Operating Manual (NISPOM), codified at 32 CFR Part 117 (effective February 2021 as a binding regulation, replacing the previous manual format). [VERIFIED: 32 CFR Part 117, E.O. 12829, dcsa.mil]
Every cleared contractor operates under NISPOM. It governs how you physically protect classified material, how you control access, how you conduct security education, how you report security incidents, and how you handle classified information systems. The NISPOM is not optional guidance — it is a federal regulation with legal force.
Core NISP Requirements for Cleared Contractors
- Facility Security Officer (FSO): Every cleared facility must designate an FSO who is a U.S. citizen employee responsible for implementing the company's security program. The FSO is DCSA's primary point of contact and must complete mandatory FSO training. The FSO cannot be a contractor — they must be a direct employee.
- Need-to-Know: Access to classified information must be on a strict need-to-know basis. Personnel with appropriate clearance levels cannot access classified information unless they have a documented need for that specific information. Clearance level is necessary but not sufficient — need-to-know is always required simultaneously.
- Personnel Security: Cleared employees must be subject to personnel security requirements including initial investigations, continuous monitoring, and adverse information reporting. Cleared personnel must report foreign travel, foreign contacts, financial changes, arrests, and any information that may affect their reliability.
- Physical Security: Classified material must be stored in GSA-approved containers (safes) at minimum for Secret information. Top Secret requires additional controls. Secure Compartmented Information Facilities (SCIFs) are required for certain types of classified work.
- Information Systems: Classified information systems (those that store, process, or transmit classified data) must receive an Authorization to Operate (ATO) from DCSA or the applicable cognizant security authority before use.
- Security Education: Cleared employees must receive initial and annual security briefings. DCSA's CDSE (Center for Development of Security Excellence) provides training that satisfies NISPOM requirements.
- Insider Threat Program: All cleared facilities must have a formal Insider Threat Program that monitors for indicators of potential insider threats and trains employees to recognize and report concerning behaviors.
DCSA can suspend or revoke an FCL for NISPOM violations. Suspension means you cannot receive new classified contracts and may lose access on existing ones. Revocation ends your cleared contractor status entirely. Neither result is recoverable quickly — reinstatement processes take months and may not succeed.
Continuous Evaluation (CE) vs. Periodic Reinvestigation (PR)
The way cleared personnel are monitored changed fundamentally when the federal government adopted Continuous Evaluation (CE) as the primary vetting mechanism, replacing the legacy Periodic Reinvestigation (PR) model. This shift was directed by Security Executive Agent Directive 6 (SEAD 6) and is now the standard for most cleared personnel. [VERIFIED: SEAD 6, ODNI.gov, DCSA CE program documentation]
| Feature | Periodic Reinvestigation (PR) | Continuous Evaluation (CE) |
|---|---|---|
| Frequency | Every 5–10 years by clearance level | Ongoing automated monitoring, real-time triggers |
| Method | Full investigative review with interviews | Automated record checks (financial, criminal, foreign travel, public records) |
| Trigger | Calendar-based reinvestigation cycle | Event-based: arrest, financial delinquency, foreign contact, etc. |
| Speed of response | Issues could go undetected for years | Anomalous events flag within days to weeks |
| Status | Legacy — mostly phased out | Current standard for most cleared personnel |
What this means for cleared contractors: employee issues surface faster now than ever before. A DUI arrest, an unpaid debt collection, or a foreign trip not reported will trigger a CE flag within weeks — not surface at the next five-year reinvestigation. Your Insider Threat Program and FSO must be equipped to handle CE notifications and act on them appropriately.
Ensure all cleared employees understand their reporting obligations under CE. The speed of CE means unintentional non-reporting of foreign travel or financial changes is caught faster than it used to be. Build a habit of proactive reporting — self-disclosure before DCSA discovers an issue is always handled better than discovered non-disclosure.
DCSA's Role in CMMC
DCSA and CMMC are distinct frameworks, but cleared contractors operating in both classified and unclassified environments must manage both simultaneously. Understanding where they intersect — and where they don't — prevents costly compliance gaps. [VERIFIED: 32 CFR Part 170 (CMMC rule), 32 CFR Part 117 (NISPOM), DoD CUI Program documentation]
What Each Framework Governs
| Framework | Information Type | Systems Covered | Enforced By |
|---|---|---|---|
| DCSA / NISP | Classified (Confidential / Secret / TS) | Classified information systems (ATO required) | DCSA Industrial Security |
| CMMC / NIST 800-171 | CUI (Controlled Unclassified Information) | Unclassified contractor systems handling CUI | DoD OUSD(A&S), C3PAOs |
The practical reality: many contracts generate both classified information and CUI. Your classified systems fall under DCSA oversight and NISPOM requirements. Your unclassified systems that process CUI fall under CMMC. These systems may be air-gapped or physically separated, but the compliance obligations run in parallel.
A cleared contractor who achieves CMMC Level 2 certification but neglects their NISPOM obligations — or vice versa — is compliant on one axis and exposed on the other. Both frameworks must be satisfied for the full scope of classified/CUI contract work.
eMASS: What It Is and Why It Matters
The Enterprise Mission Assurance Support Service (eMASS) is the DoD's web-based tool for implementing the Risk Management Framework (RMF) and managing the Authorization to Operate (ATO) process for information systems. For cleared contractors with classified information systems, eMASS is the platform through which DCSA tracks system security posture and grants operational authority. [VERIFIED: DISA eMASS program documentation, disa.mil/eMASS, DCSA IS guidance]
How eMASS Affects Cleared Contractors
Contractors typically do not operate eMASS directly — that's the government's job. However, you are responsible for producing the documentation that feeds into it:
- System Security Plan (SSP): A comprehensive description of your classified information system, its boundaries, controls implemented, and control owners. Must be maintained and current.
- Plan of Action & Milestones (POA&M): Documents known security weaknesses and the timeline to remediate them. Open POA&M items are not automatically disqualifying, but unaddressed items that exceed their milestones are.
- Security Control Assessment (SCA) evidence: Technical evidence that each required security control is implemented as described. Artifacts include screenshots, configuration outputs, logs, and scan results.
- Continuous Monitoring: Once an ATO is granted, it is not permanent. You must continuously monitor, update documentation, and report significant changes. Changes to the system boundary, major software upgrades, or new interconnections can trigger a re-authorization event.
An ATO has an expiration date (typically 3 years). If you fail to initiate re-authorization in time, your ATO lapses and you lose authority to operate the classified system — effectively pausing classified work until re-authorization is complete. Build a compliance calendar with ATO expiration dates and initiate re-authorization 6–9 months before expiry.
Known FCL Pain Points (and How to Avoid Them)
DCSA's FCL process is not fast under the best circumstances. These are the most common avoidable causes of delay:
1. Foreign Ownership, Control, or Influence (FOCI) Issues
Any foreign investor, parent company, board member, or contractual arrangement that could allow a foreign entity to influence your company's operations triggers an extended FOCI review. If your company has private equity backing, venture capital, or any international shareholders — even minority investors — expect FOCI questions. Address this proactively: disclose fully on the SF-328, consult legal counsel experienced in FOCI mitigation before submitting, and be prepared for a mitigation agreement (SSA, SSBA, or Proxy) if needed.
2. Incomplete or Inaccurate SF-328
The SF-328 (Certificate Pertaining to Foreign Interests) is your initial disclosure document. Errors, omissions, or ambiguity cause DCSA to pause and request clarification — which restarts the clock on that phase. Have an attorney review the SF-328 before submission if your ownership structure is anything other than simple direct U.S. ownership.
3. KMP Clearance Delays
Key Management Personnel (KMP) — executives and board members — must hold personal clearances at or above the FCL level. If your CEO or a board member has never held a clearance, their investigation becomes the critical path. Issues that commonly delay KMP investigations: dual citizenship, extensive foreign travel, foreign contacts, financial issues (collections, liens, judgments), and previous criminal records. Identify potential KMP clearance issues early and address them honestly with your DCSA representative.
4. Inadequate Physical Security Preparation
DCSA's on-site inspection will evaluate physical security before FCL grant. Cleared contractors without a dedicated secure area often underestimate what's required. At minimum: GSA-approved Class 6 container for Secret material storage, access control, visitor logs, and documented procedures. Establish these before the inspection — retrofitting after a failed inspection adds months.
5. Slow Response to DCSA Requests
DCSA sends Requests for Information (RFIs) throughout the process. Every day you take to respond is a day added to your timeline. Designate a single point of contact for DCSA communications, respond within 48–72 hours of any request, and treat DCSA correspondence as high-priority. Cases that sit waiting on contractor responses can slip to the back of an investigator's queue.
6. FSO Not Identified or Trained Early
Your Facility Security Officer must be identified and begin training before FCL grant. DCSA requires FSO completion of mandatory training through the CDSE. Starting FSO training after the FCL is granted is common but suboptimal — FSOs who are trained before grant are better positioned to pass the on-site inspection. Enroll your designated FSO in CDSE training within the first 30 days of initiating the FCL process.
10-Step FCL Checklist for First-Time Applicants
🏛️ First FCL Readiness Checklist
- Secure a government sponsor: Identify the government agency or cleared prime contractor that requires the FCL and confirm they will sponsor your application. Get the DD Form 254 in hand — you need the classification requirement documented.
- Audit your ownership structure for FOCI: Identify all foreign ownership, investors, board members, or contractual relationships before completing the SF-328. Consult a FOCI attorney if any foreign connections exist. Don't guess on the SF-328 — errors extend the process significantly.
- Complete and submit the SF-328: File the Certificate Pertaining to Foreign Interests accurately and completely. This is your formal entry into the FCL process. Incomplete submissions are returned for correction.
- Designate your Facility Security Officer (FSO): Select a U.S. citizen direct employee to serve as FSO. This person becomes DCSA's primary point of contact and owns day-to-day security operations. They must be authorized to implement security policies on behalf of the company.
- Enroll the FSO in mandatory CDSE training: DCSA's Center for Development of Security Excellence (CDSE) provides the required FSO training. Start immediately — training takes weeks and should be completed before the on-site inspection.
- Identify and initiate KMP clearance investigations: List all Key Management Personnel who will need personal clearances. Submit SF-86 forms for each KMP as soon as the FCL process is initiated — KMP investigations often drive the critical path.
- Establish physical security controls: Procure a GSA-approved Class 6 container for classified material storage (minimum for Secret). Document your access control procedures, visitor logs, and secure area protocols. Do this before the DCSA on-site inspection.
- Draft your security procedures documentation: Create written procedures for classified material receipt and handling, need-to-know verification, visitor control, classified system use (if applicable), security incident reporting, and employee security briefings. DCSA will review these during the site inspection.
- Establish an Insider Threat Program: NISPOM requires a formal Insider Threat Program. At minimum: designate an Insider Threat Program Senior Official (ITPSO), develop reporting procedures for concerning behaviors, and complete CDSE insider threat training for covered employees.
- Respond to all DCSA requests within 48–72 hours: Assign a single point of contact for all DCSA communications. Treat every DCSA request for information as a priority. Delays in responding are the most common avoidable cause of timeline extensions.
Frequently Asked Questions
What is a Facility Clearance (FCL) and do I need one?
An FCL is a government determination that your company is eligible to access classified information at a specific level (Confidential, Secret, or Top Secret). You need one if a government contract or a cleared prime requires you to receive, store, or generate classified information. The FCL is tied to your company — not individual employees. Personnel clearances (PCLs) are separate. You cannot hold a classified contract without an active FCL at the appropriate level.
How long does the FCL process take?
Typically 6–18 months depending on clearance level, company complexity, and foreign ownership issues. Confidential FCLs tend to run 6–12 months; Secret FCLs 9–15 months; Top Secret FCLs 12–18+ months. The most common delays are FOCI issues, KMP clearance investigations, incomplete SF-328 submissions, and slow responses to DCSA requests. Start early — ideally before contract award.
What is the National Industrial Security Program (NISP)?
NISP is the U.S. government program that authorizes private companies to access classified information. It is governed by the NISPOM (32 CFR Part 117) and establishes binding requirements for physical security, personnel security, information system security, and security education. Every cleared contractor must operate under NISPOM standards. DCSA enforces NISPOM compliance through annual assessments and periodic inspections.
What is Continuous Evaluation (CE) and how does it affect my cleared employees?
Continuous Evaluation (CE) replaced periodic 5-year background reinvestigations as the primary vetting mechanism for cleared personnel. Under CE, automated systems continuously monitor cleared employees against financial, criminal, foreign travel, and other records. Issues that previously might go undetected for years now surface within days to weeks. Cleared employees must report foreign travel, foreign contacts, financial changes, and legal issues proactively — because CE will likely detect them anyway.
How does DCSA relate to CMMC requirements?
DCSA governs security for classified information under NISP. CMMC governs cybersecurity for CUI (Controlled Unclassified Information) on unclassified systems. Many contractors need both — classified work falls under DCSA/NISPOM while the unclassified systems handling CUI that flows from that work fall under CMMC. Both frameworks must be satisfied simultaneously for cleared contractors working with CUI on unclassified networks.
What is eMASS and why does it matter for cleared contractors?
eMASS (Enterprise Mission Assurance Support Service) is the DoD's Risk Management Framework tool used to grant and track Authorization to Operate (ATO) for classified information systems. Cleared contractors don't operate eMASS directly, but must produce the documentation that supports it: System Security Plans, POA&Ms, and security control evidence packages. ATOs expire (typically every 3 years) — let an ATO lapse and you lose authority to operate your classified system until re-authorization is complete.