Defence Industry Related Frequently Asked Questions (FAQs)


What is Facility Security Clearance (FSC)?

Facility Security Clearance (FSC) is an accreditation that confirms an organisation can safeguard UK government assets classified as SECRET or above, or International Partners’ assets classified CONFIDENTIAL or above (hereafter referred to as ‘classified above OFFICIAL’), held on their premises.

Read more: Facility Security Clearance (FSC)

How do you get FSC?

You cannot apply directly. You must be sponsored by a Contracting Authority, which could be:

  • A UK Government department or agency
  • An existing FSC company
  • An overseas government or defence contractor
  • An international organisation such as NATO

Read more: Facility Security Clearance (FSC)

How do you get Security Clearances (Vetting) for my personnel?

Personnel Security Clearances (e.g., SC or DV) are obtained via sponsorship through an Industry Personnel Security Assurance (IPSA) accredited organisation. Employees must first pass BPSS checks before National Security Vetting (NSV) applications can be made. More details can be found in the IPSA Policy and Guidance. Pera Prometheus can also provide support in navigating the complexity of this process.

Read more: Industry Personnel Security Assurance in the UK Defence Industry

Can anyone contract with Defence?

Yes, any company can bid for MOD contracts. However, organisations looking to contract with Defence may need to align with security requirements such as Facility Security Clearance, Industry Personnel Security Assurance accreditation, Cyber Security Model, DEFSTAN 05-138, GRC compliance and other relevant security conditions. Pera Prometheus specialises in supporting organisations to prepare and win Defence contracts.

Explore more on our services

What is List X?

List X was the former name for what is now known as Facility Security Clearance (FSC). It refers to UK companies accredited to hold SECRET or above classified information on their premises.

What is List V?

List V was the project name for what is now Industry Personnel Security Assurance (IPSA). It focuses on managing and assuring the security of personnel who have been vetted for access to classified material or who work for an organisation accredited with FSC.

What is the difference between OFFICIAL and OFFICIAL-SENSITIVE?

Both are part of the UK Government’s “OFFICIAL” classification tier.

As per the UK Government Security Classification Policy (GSCP), most Government information is classified as OFFICIAL by default. It includes routine administrative or policy data where loss or compromise would cause little or no harm to the UK, its partners, or the public.

OFFICIAL-SENSITIVE is a subset of OFFICIAL. It is used when the information is more sensitive and could cause moderate harm if compromised. It is likely to be of interest to threat actors due to its sensitivity or topical significance. A compromise could cause moderate, short-term damage to: HMG, the UK’s international reputation, the UK economy, HMG’s relations with its partners (including international partners) or moderate harm or distress to an individual or group of people.

Read more on Guidance 1.1: Working at OFFICIAL

What is Information Security?

Information Security is a broad discipline that focuses on protecting all forms of information, whether digital, physical, or intellectual property. This includes protecting data from unauthorised access, use, disclosure, disruption, modification, or destruction. It involves frameworks, policies, and best practices to ensure the Confidentiality, Integrity, and Availability of information; this is known as the CIA Triad.

Read more: Information Security; Information Security Management System (ISMS)

What is Cybersecurity?


Cyber Security is a subset of Information Security that deals specifically with protecting digital systems, personal devices, networks, and data from cyber threats like hacking, malware, and phishing attacks.

Read more: Cyber Security; Cyber Assessment Framework (CAF)

What is the difference between Information and Cyber Security?

Information Security applies across all environments, ensuring that sensitive information is appropriately managed and protected, regardless of format or location.

Cyber Security is a subset of Information Security that focuses specifically on the protection of digital systems, networks, devices, and data from cyber threats.

While Information Security addresses a broader range of risks including physical and human factors, Cyber Security concentrates on defending against malicious activity in the cyberspace domain.

Information Security/Cybersecurity… that’s just like GDPR and data, right?

Not quite. GDPR focuses mainly on protecting personal data. Information and Cybersecurity encompass a wider range of protection, including information of all forms, classified materials, intellectual property, and broader organisational assets, not just personal data.

How do you accredit IT Systems for MOD?

If you require an IT system to handle classified information for MOD, it must be accepted as an assured System by your MOD Contracting Authority or the Prime Industry Partner. You may then be directed to adhere to certain MOD standards such as DEFSTAN 05-138 and Secure by Design principles, and to meet GRC compliance and Cyber Security Model (CSM) requirements.

Pera Prometheus specialises in guiding organisations to achieve Defence Industry accreditation through expert support on compliance and security standards.

Read more: Governance Risk and Compliance in Information and Cyber Security

What is an Insider Threat?

An insider threat occurs when an individual within an organisation, such as a current or former employee, contractor, or business partner, misuses their authorised access to cause harm. This harm can be intentional, such as data theft or system sabotage, or unintentional, resulting from negligence or lack of awareness. For example:

  • A disgruntled employee may leak confidential customer data in retaliation against their employer.
  • A negligent insider might unknowingly click on a phishing email, exposing the company’s network to cybercriminals.
  • A contractor with excessive access privileges could inadvertently delete critical business files, disrupting operations.

Read more: Insider Risk Threat: Strengthening Your Organisation’s Defences
