If you are navigating the UK defence supply chain in 2026, you have likely encountered a wall of acronyms. Among the most critical and often the most misunderstood is Facility Security Clearance (FSC), still often referred to as ‘List X’, which was the forerunner to FSC.
For many suppliers, FSC is the key that allows them to hold and manage sensitive assets, classified at SECRET and above, on their own premises. However, achieving FSC is not a box-ticking exercise. It entails a rigorous review and transformation of your physical and personnel security culture.
As consultants at Pera Prometheus, we want to ensure that organisations understand the FSC process, including their obligations and the costs involved. This blog explains what FSC is, how it interacts with the new cyber standards, and when your organisation needs it.
What is Facility Security Clearance (FSC)?
FSC is the mandatory certification required for organisations responsible for managing and safeguarding UK national assets classified as SECRET or above (or international partners’ assets at CONFIDENTIAL or above), on their own business premises.
If you have been in the industry for a long time, you might know this by its legacy name, ‘List X’. While the terminology has changed to align with international standards, the focus has expanded to identify the propensity for ‘insider threat’ based attacks, designed to compromise physical security arrangements and gain access to classified assets.
The requirement for industry is defined in the MOD FSC Policy and Guidance v1.4 (March 2024). Achieving FSC status provides the Contracting Authority (CA) with the assurance that your facility can be relied upon to protect its assets, not just in terms of gates, fences, walls and alarms, but in terms of governance and business culture.
When Do You Actually Need It?
A common misconception is that every defence contractor needs an FSC. This is incorrect. You only need FSC if you are contractually required to store, process, or manufacture assets classified at SECRET or above at your specific facility. The trigger for this, is the Security Aspects Letter (SAL) relating to the contract.
When you are awarded a contract (or occasionally during the tender stage), the Contracting Authority will issue a SAL specifying the security classification of the assets involved. If that SAL lists assets at SECRET, you must obtain FSC. For businesses who do not hold FSC status at the point of bidding for a new contract, FSC will be required before the contract can commence, or in the very least before you will be permitted to hold SECRET material. If your work is limited to OFFICIAL or OFFICIAL-SENSITIVE, or if you only access SECRET assets at an MOD site, you generally do not need FSC for your own premises.
To apply for FSC, your business will require:
- A contract requiring SECRET materiel to be managed and held on the business premises;
- A sponsor for your application – this is usually the Contracting Authority;
- A SAL relating to the contract.
As a business, it is your responsibility to apply to become an FSC business, using the Government Industry Security Assurance (GISA) form which can be found on the www.gov.uk Website.
The Three Pillars of Assurance
Achieving FSC is a holistic process. It is no longer enough to just install a secure door. The Industry Security Assurance Centre (ISAC), the body within DE&S responsible for accreditation, will assess your organisation across three distinct pillars.
1. Physical Security
Your facility must meet stringent build standards approved by the National Protective Security Authority (NPSA). This typically involves onion skin approach to security often referred to as BAD layers:
• Barriers: Elements that will delay, deter or channel a hostile actor
• Access: Controls put in place to dictate who can go where and when they can go there
• Detection: Early identification of an intruder and the triggering of an appropriate response
2. Personnel Security (IPSA Prerequisite)
This is the most significant shift for many companies. Industry Personnel Security Assurance (IPSA) is now a non-negotiable prerequisite for FSC. You cannot achieve FSC without first (or concurrently) achieving IPSA accreditation. IPSA ensures you have robust procedures for vetting and managing staff not just processing clearances, but managing aftercare and insider threat risks. You must appoint specific British Nationals to key roles, specifically a Board Level Contact and a Facility Security Controller, both of whom must hold SC clearance.
3. Procedural Security
You must develop and maintain Company Security Instructions. These are not generic policy documents but detailed instructions, signed off by your Board, that dictate exactly how classified material is moved, stored, and managed within your facility.
The 2026 Landscape: Cyber Integration
It is critical to understand where FSC ends and Cyber assurance begins. As of 2026, the landscape has evolved. FSC focuses strictly on the physical and personnel environment. It does not assure your IT systems. If you intend to process SECRET data on an IT system or network, you must comply with separate assurance requirements.
For the specific purpose of assuring an IT system to hold, handle and store SECRET data/information the Secure by Design process will most likely need to be applied and followed (although this will be dictated by your Contracting Authority).
Secure by Design (SbD): This initiative is now mandatory. It requires security to be baked into your system architecture from day one, rather than bolted on as an afterthought.
While ISAC manages your FSC and IPSA, your digital assurance is handled through the Secure by Design assurance process, which is driven by the Senior Risk Owner for the contract you are supporting. However, remember the dependency: you need the physical FSC accreditation to house the SECRET terminals required for your IT system.
Further clarification can be obtained through interactive SbD process flowchart which can be found on Pera Prometheus website.
Cyber Supply Chain Security – In recognition of the increasing threat to National Security, the MOD have introduced Defence Condition (DEFCON) 658 which requires industry suppliers to apply a level of cyber security controls to their corporate networks. These controls are detailed in Defence Standard (DefStan) 05-138 and the number of controls to be applied will depend on the Cyber Risk Profile Level assigned by MOD in response to the assessed threat to the contract (MOD carry out this assessment).
Further clarification can be obtained through interactive CSM Issue 4 process flowchart which can be found on Pera Prometheus website.
The Sponsorship Model
To become an FSC business, you will need to be sponsored. The sponsor initiates the process with ISAC. Without a confirmed requirement linked to a contract or a specific tender, ISAC will not entertain an application.
A sponsor must be a Contracting Authority (CA), which can be:
• A UK Government Department (like the MOD).
• A Prime Contractor who already holds FSC and needs you to hold SECRET assets.
• An international defence organisation (like NATO).
Common FSC Myths Debunked
• Myth: We need FSC before we can bid for this contract.
◦ Fact: The MOD and Primes operate on principles of free trade. Generally, you do not need FSC to bid and having it, should not give you preferential treatment during the tender evaluation. If selected, you will go through the accreditation process post-award.
• Myth: FSC is just about buying a secure safe and installing secure doors.
◦ Fact: FSC is an ongoing commitment to governance, through the life of the contract. It involves annual audits, risk registers, and strict reporting of ownership changes to ISAC.
The Pera Prometheus Advantage
The timeline for achieving FSC typically runs 6 to 12 months, depending on your current security maturity and the availability of ISAC assessors. For a business trying to mobilise a contract, this delay can be inconvenient at best. This is where Pera Prometheus steps in to assist you with preparing for and implementing the management systems you need to demonstrate your capability to manage classified information appropriately.
We don’t just hand you a manual, our consultants are defence industry veterans who have navigated the ISAC assessment process many times. We offer a comprehensive Gap Analysis that reviews your physical estate, personnel procedures, and security posture against the current standards and expectations.
We help you:
- Pre-audit your facility to identify NPSA compliance issues before the ISAC assessor arrives.
- Draft compliant Company Security Instructions and IPSA policies.
- Navigate the gap between FSC physical security requirements and Secure by Design IT security requirements.
- We can also review your Cyber Security Model (DefStan 05-138) supply chain security requirements.
By engaging experts early, you reduce the risk of audit failure and significantly reduce the time needed to achieve the expected standard(s).
What Next?
Facility Security Clearance is a significant investment of time and resources, but it is the gateway to working on the UK’s most sensitive and high-value defence programmes.
Do not wait for the audit to find out where your gaps are. Contact Pera Prometheus today for an FSC Readiness Assessment or to discuss how we can build a security roadmap that aligns with your business goals.
Stay Safe, Stay Secure
