Facility Security Clearance (FSC): Your Top Questions Answered

– by Gareth Shaw, Founder of Pera Prometheus

It is useful for any company aiming to work with the UK Ministry of Defence (MOD), or other sensitive UK Government Departments, to understand the definition and requirements of Facility Security Clearance (FSC). FSC accreditation assures Contracting Authorities that your organisation is capable of supporting high-value contracts that require the storage, processing and handling of highly sensitive information, and signifies your commitment to implementing and maintaining rigorous physical security standards. As a seasoned Information Security Consultancy in the Defence Industry, Pera Prometheus has successfully guided numerous companies through FSC accreditation and assurance.

Meeting FSC requirements can be a costly experience, potentially requiring a number of other prerequisites. There are of course significant benefits to achieving FSC, but if you would like a clearer understanding of this requirement, please do get in touch. I will be happy to discuss requirements further with you.

Read more: FSC Blog

What is a Facility Security Clearance (FSC)?

An FSC is a formal status that enables an organisation to hold UK MOD SECRET information on its premises, having proven that appropriate physical and personal security measures and procedures are in place. Other Government Departments (OGDs) may vary from this standard in some cases, but overall FSC accreditation is the acceptable standard.

Who needs an FSC?

Any UK company that holds a contract that requires the storage, processing or transmission of UK SECRET information.

How does a company obtain an FSC?

To apply for an FSC, a company must be sponsored by an MOD Contracting Authority or a prime contractor. Only then will the Industry Security Assurance Centre (ISAC) accept an application.

What are the eligibility criteria for FSC?

To qualify, the company must be UK-based, have a legitimate business need, and demonstrate its ability to implement and maintain MOD security standards.

I don’t have a contract with UK MOD or an Industry Prime, but I am bidding for a contract that requires FSC. Can I apply?

This is a chicken-and-egg scenario that can cause issues, particularly for SMEs. The short answer is “No”: you cannot apply for FSC without a contract or Security Aspects Letter (SAL) that states you have a requirement to handle SECRET information. Engagement is key here, and bidding processes should accommodate the fact that it takes time (6-12 months) to achieve FSC status. There are, however, things that you can do to put yourself in a strong position to attain FSC, but be aware that attaining FSC status can be costly. The best way to simultaneously understand your particular FSC requirements and assess return on investment is to conduct a Gap Analysis.

What is the difference between FSC and IPSA?

FSC applies to the physical security of a facility, whereas Industry Personnel Security Assurance (IPSA) relates to your organisational personnel security procedures for individuals who hold security clearances. You do not need FSC to attain IPSA, but you must hold IPSA to attain FSC.

Read more: IPSA Blog

How long does the FSC process take?

The process typically takes 6-12 months, but timelines vary considerably based upon the:

  • Priority of the programme/project to the MOD Contracting Authority or Industry Prime
  • Availability of ISAC FSC and IPSA assessors
  • Security maturity within your organisation
  • Size and scale of the requirement
  • Need for SECRET IT or OT systems

So what comes first: FSC, IPSA and possibly DEFSTAN 05-138/Secure by Design?

The first step, once you are sure you meet the eligibility and sponsorship criteria, is to submit a Government Industry Security Assurance (GISA) Form to the ISAC. The ISAC will conduct due diligence and, if satisfied, assign you an FSC and IPSA assessor (IT assurance is not an ISAC responsibility). From this point FSC, IPSA and, if required, information system assurance activities are conducted concurrently.

Read more: DEFSTAN 05-138, Secure by Design

Is it difficult to attain FSC?

The difficulty depends on your organisation’s maturity in relation to security, your understanding of MOD requirements, whether you have previously held List X or FSC, and your willingness to engage with ISAC assessors (who are very helpful). You should be aware that approved NPSA security equipment and systems can be costly. In addition, you will need to put procedures in place and maintain them in order to attain FSC status.

What happens after a contract is awarded?

The supplier must maintain FSC standards, undergo periodic reviews, and report any changes in ownership, control, or security posture.

Is Information Technology (IT) included in the FSC assessment?

No. Information systems storing, processing or transmitting UK MOD SECRET information will be assured by either DEFSTAN 05-138 or Secure by Design processes. However, you will need an FSC to house a SECRET information system.

What are the consequences of non-compliance?

Non-compliance can result in loss of clearance, contract termination, or legal action, depending on the severity of the breach.

Why Choose Pera Prometheus for Your FSC Journey?

Navigating the FSC process can be daunting, but you don’t have to do it alone. At Pera Prometheus, we have extensive experience guiding businesses through the complexities of MOD security requirements. Our team can help you interpret FSC guidelines, distinguish between essential and optional activities, and debunk common myths surrounding the process. Whether you’re an SME or a larger organisation, we will help you understand what you have to do, clearly delineate must-do activities from could-do activities, and most likely dispel a number of the myths that are perpetuated around FSC. Contact us today to streamline your path to FSC compliance and secure your MOD contracts with confidence.

Full guidance is available in the FSC Policy and Guidance for UK Defence Suppliers and MOD Contracting Authorities.