Facility Security Clearance (FSC)

Restricted Access

by Gareth Shaw, Founder of Pera Prometheus

It is useful for any company aiming to work with the UK Ministry of Defence (MOD), or other sensitive UK Government Departments, to understand the definition and requirements of Facility Security Clearance (FSC). FSC accreditation assures Contracting Authorities that your Organisation is capable of supporting high-value contracts that require the storage, processing and handling of highly sensitive information, and signifies your commitment to implementing and maintaining rigorous physical, personnel and procedural security standards. As a seasoned Information Security Consultancy in the Defence Industry, Pera Prometheus have successfully guided numerous companies through FSC accreditation and assurance.

Meeting FSC requirements can be a costly exercise and may depend on a number of other prerequisites being in place first. There are of course significant benefits to achieving FSC, but if you would like a clearer understanding of this requirement please do get in touch. I will be happy to discuss requirements further with you.

What is Facility Security Clearance (FSC)?

Facility Security Clearance (FSC), formerly known as List X, is a critical accreditation required for organisations planning or holding contracts to safeguard UK Government assets classified as SECRET or above, or International Partners’ assets classified CONFIDENTIAL or above (hereafter referred to as ‘classified above OFFICIAL’), on their own premises. Simply put, FSC ensures your business adheres to strict security controls for protecting highly sensitive assets and information from threats including espionage, cyberattacks, and internal breaches. Information assets may be classified into three types: OFFICIAL, SECRET, and TOP SECRET, with detailed guidance available in the Government Security Classifications Guide.

Holding an FSC accreditation signals to the MOD and other contracting authorities that your company is a trusted entity capable of securely managing classified assets. Without FSC, your business will be unable to win contracts involving classified materials at SECRET or above. 

In order to achieve FSC accreditation an organisation must be Industry Personnel Security Assurance (IPSA) accredited. IPSA is a non-negotiable prerequisite to MOD FSC accreditation. Additionally, if your FSC will house an information system (or systems), it will be necessary to comply with other MOD frameworks such as the Cyber Security Model (CSM), DEFSTAN 05-138, Secure by Design (SbD), and the Site Co-ordinating Installation Design Authority (SCIDA).

Read more: Cyber Security Model & Secure by Design

How to get FSC Sponsorship?


Companies cannot directly apply for FSC; they must be sponsored by a Contracting Authority (CA), which could be:

  • A UK Government department or agency
  • An existing FSC company
  • An overseas government or defence contractor
  • An international organisation such as NATO

Your sponsoring CA will specify the classified information you must secure and the reasons for this requirement, typically via a Security Aspects Letter (SAL). For the majority of UK FSC sites, the MOD acts as the CA, with the

Essential Requirements for FSC Accreditation

Achieving FSC involves meeting stringent security standards. Detailed requirements are listed in the FSC policy and guidance for UK defence suppliers and MOD CA. Here’s a brief overview of the key requirements:

  1. Corporate Structure and Leadership

Your business must:

  • Be registered with Companies House
  • Maintain at least 50% British nationals on your Board of Directors
  • Appoint the essential roles, including a Board Level Contact, a Facility Security Controller and a Personnel Security Controller

These roles are pivotal for maintaining a robust security governance framework within your organisation.

  2. Comprehensive Security Planning

Your security controls must cover physical, personnel, procedural, and possibly cyber security aspects. Demonstrating preparedness through alignment with recognised standards like ISO/IEC 27001 or the NIST Cyber Security Framework is not a requirement but may be a benefit in certain circumstances.

Read more: Information and Cyber Security Framework

  3. Physical Security Requirements

Your chosen FSC location must have stringent physical security measures. Your physical FSC environment must demonstrate several layers of Barrier, Access and Detection controls through the use of security systems such as National Protective Security Authority (NPSA) approved physical build standards, CCTV, alarm systems, Access Control Systems, and appropriate storage solutions, e.g. document safes, security cabinets and secure server racks.

  4. IT and Cybersecurity

If you require an Information System (or systems) inside your FSC, you must ensure the system meets MOD cybersecurity standards; this should be discussed further with your Contracting Authority. Your system(s) will need to undergo risk assessments, adhere to the security controls outlined in your contract's Cyber Risk Profile, and comply with either DEFSTAN 05-138 and CSM or Secure by Design requirements. It is not always necessary to have an Information System inside an FSC, so it is worth fully reviewing this requirement before committing to one. If an Information System is necessary, it will often require a bespoke solution that is assured by MOD to the same classification as the FSC (SAL) requirement and is not used outside of the Facility.

  5. Industry Personnel Security Assurance (IPSA)

Your business must implement IPSA, which ensures ongoing management of individuals with access to classified information. IPSA compliance demonstrates robust internal security controls to mitigate insider threats.

Read more: Industry Personnel Security Assurance

Tips to Achieve FSC Accreditation

Tip 1: Secure a Sponsor

Begin discussions with your potential CA early to clarify requirements and secure sponsorship. Ensure you clearly understand and document the security classification and associated requirements detailed in your SAL.

Tip 2: Initial Assessment and Compliance 

Conduct a Gap Analysis to attain a clear understanding of the effort and resources required to achieve FSC status. This should involve:

  • Physical security checks
  • Cybersecurity assessments aligned with MOD standards
  • Evaluating existing personnel security practices against IPSA standards
  • Documenting findings and creating a clear, detailed action plan

Tip 3: Implement Necessary Improvements 

Address all identified security gaps comprehensively. Actions typically include:

  • Installing physical security enhancements (CCTV, alarms, secure access)
  • Assurance of bespoke IT System(s) – if IT is required
  • Developing robust personnel security management procedures compliant with IPSA
  • Providing comprehensive training and awareness for staff

Tip 4: Accreditation Audit 

Prepare meticulously for your accreditation audit by ISAC. Ensure you have:

  • Documented all security processes, improvements and roles
  • Conducted internal audits and addressed any remaining issues
  • Engaged with ISAC for pre-audit support and guidance
  • Briefed key personnel on the audit process and their roles

Tip 5: Continual Assurance and Improvement 

Achieving FSC accreditation is the start of an ongoing commitment to security excellence. Maintain standards and continually improve by:

  • Regularly reviewing and updating security measures to reflect changes in the threat landscape and standards
  • Conducting periodic internal audits and addressing identified issues swiftly
  • Reporting significant organisational changes, breaches, or incidents immediately to your sponsoring CA and ISAC
  • Continuously training and reinforcing a culture of security within your organisation

How can Pera Prometheus help?

At Pera Prometheus, we are highly experienced in helping organisations navigate the complexities of FSC accreditation. As seasoned Information Security Consultants and Defence Industry veterans, we offer practical insights and tailored advice for companies at every stage of their FSC journey.

We provide:

  • Comprehensive FSC Gap Analysis
  • Guidance on achieving and maintaining IPSA compliance
  • Cybersecurity expertise in Defence Industry standards such as DEFSTAN 05-138 and Secure by Design

Conclusion

Facility Security Clearance is not just another compliance hurdle. Achieving FSC accreditation positions your organisation as a trusted defence supplier, opening doors to significant contracts. If your business aims to achieve FSC and build resilience against sophisticated security threats, Pera Prometheus is here to guide you through every step of the journey.

For more information, reach out to our experienced team of GRC Consultants and Security Managers. We are here to ensure your path to accreditation is seamless and successful.
