Key Takeaways
- OFFICIAL-SENSITIVE (For overseas collaboration) and SECRET (Domestic and overseas collaboration) classified material cannot be shared with a subcontractor, even one with Provisional FSC status until the MOD Delivery/Project team give their consent.
- Before subcontracting or collaborating, with industry partners, on classified work the MOD Delivery/Project team must be notified and give their consent. Consent is obtained by completing Form 1686 (F1686). The F1686 Security Procedure is the mechanism by which Defence Suppliers can request permission to subcontract or collaborate with Third-Party Defence Suppliers on classified work in support of UK MOD programmes.
- FSC typically takes 6 to 12 months to achieve.
- Until further notice from the ISAC, IPSA accreditation is a non-negotiable prerequisite, as part of the FSC process: no IPSA means no FSC application can proceed.
- FSC status is linked directly to a contract and the requirement to hold, handle and store classified materiel at SECRET or above. Once the contract completes, the requirement to maintain FSC status no longer stands (FSC status can be transferred to another contract which requires work at SECRET).
- Preparation for FSC and IPSA can provide a competitive advantage.
Before a Defence Supplier enters preliminary discussions, collaborates with, or places a subcontract with a Third-Party Defence Supplier for work involving material classified SECRET or above the MOD Delivery/Project Team must be consulted. This is achieved through the completion of a Form 1686 (F1686).
The F1686 has two functions, it ensures that the MOD Delivery/Project Team is content for the work to go ahead and that the work will be carried out in the appropriate security environment for its classification.
What the Rules Actually Say
MOD’s Industry Security Notice 2026/03, issued in April 2026, sets out the requirements for subcontracting or collaborating on classified MOD programmes. The rule is unambiguous, where work involves assets classified at SECRET or above, the industry Contracting Authority (CA), usually a prime contractor, must confirm that the subcontractor’s UK facility holds FSC status at the appropriate level before any classified material is provided. Provisional FSC status, something that is rarely seen, does not satisfy this requirement.
If the subcontractor has begun the accreditation process but not yet completed it, SECRET-level assets cannot be released to them, full stop. Any subcontracting arrangement that involves classified work/materiel must go through a the formal MOD F1686 approval process, , before the arrangement can proceed.
The F1686 process also applies where sub-contracting and collaborating with a overseas partner is required at OFFICIAL-SENSITIVE. It should be noted that some countries require an FSC to be in place to hold handle store materiel marked at OFFICIAL-SENSITIVE. Refer to ISN 2026/03 for more information on this.
The F1686 process is not in place for the sake of bureaucratic caution. It reflects the need for robust export controls and the security reality that classified material, once disclosed to an uncleared facility, cannot be undisclosed. The controls exist because the consequences of a breach in the supply chain are just as serious as a breach at the prime.
The Prime Contractor’s Responsibility
Before a Defence supplier enters into preliminary discussions, collaborates with, or places a sub-contract with a domestic or foreign Third-Party Defence Supplier, for work involving materiel classified at OFFICIAL-SENSITIVE (This applies to some overseas countries/partners) or SECRET or above, the MOD Delivery/Project Team must be consulted.
ISN 2026/03 is explicit about where accountability sits. Before releasing any SECRET classified assets to a subcontractor, the CA must confirm the subcontractor’s FSC status either with the sub-contractor themselves (in the case of UK based suppliers) or with the Industry Security Assurance Centre (ISAC) for overseas based suppliers.. It is not sufficient to take the subcontractor’s word for it. Primes must also verify that the key personnel involved in the subcontracted work hold appropriate security clearances.
The obligations do not stop at the point of appointment. Both the prime and the subcontractor must immediately notify the ISAC and the relevant contracting authority of any changes that could affect:
- security,
- changes of ownership,
- accommodation,
- key security personnel,
- IT systems
- all notifiable events under the MOD FSC Policy and Guidance v1.4.
For prime contractors, this means supply chain security is an ongoing management task, not a ‘one-time’ check at the point of contract award. Organisations building and managing classified supply chains need robust processes for monitoring subcontractor clearance status, across the life of the programme.
The Problem
Here is where many SMEs, not holding FSC status, can find themselves in an awkward position.
FSC cannot be applied for without a Sponsor, contract requiring a business to be able to hold, handle, store SECRET materiel and a Security Aspects Letter (SAL), related to the contract which demonstrates a genuine requirement to handle SECRET-level information.
Once the Sponsor, Contract and SAL are in place, achieving FSC status can take between 6 to 12 months to complete, from initial application (Submission of the Government Industry Security Assurance (GISA) form). Added to this is the requirement for FSC businesses to manage their own security clearances and so achieving Industry Personnel Security Assurance (IPSA) status is also a mandatory requirement and this in itself can take months to complete. The time required to complete FSC and IPSA is largely driven by:
- Implementation/preparatory work,
- Availability of FSC and IPSA ISAC Assessors.
For a clear overview of what FSC involves and how to assess whether your organisation genuinely needs it, Facility Security Clearance: What It Is and When Your Organisation Needs It is a useful starting point.
There is not much that can be done to de-risk ISAC Assessor availability. However, provided the business has confidence their bid will be accepted and the contract will land, as expected, there is something that can be done about time needed for implementation activities. Addressing this area can potentially reduce the time an ISAC Assessor needs to review implementation preparations.
The organisations that navigate this well are those that treat FSC not as a reactive compliance task but as a strategic investment. What Defence Subcontractors Need to Do First
For organisations seriously pursuing classified supply chain work, the practical sequence looks like this.
Conduct an FSC Gap Analysis. This will establish the implementation roadmap that needs to be completed in readiness for an external ISAC assessment. This, for many businesses, will be a non-trivial investment in terms of time and money but, once preparations are complete will position the business for ISAC Assessment potentially saving months.
Develop the IPSA documented management system, detailing how your business will manage staff security clearances. This management system is referred to as the Personnel Reliability Framework (PRF). Being in a position to present a fully formed PRF to the ISAC Assessor will save a considerable amount of time.
Once your business has the contract in place, you will be able to submit the Government Industry Security Assurance (GISA) form to the ISAC and engage your assigned Assessor(s). The assessment will scrutinise your physical, personnel, procedural, and cyber security controls all of which need to be demonstrably in place before the visit. A well-constructed Security Management Plan is one of the most effective ways to prepare your organisation for this scrutiny.
Finally, don’t underestimate the information/cyber security dimension to all of this. FSC and IPSA sits alongside the broader defence compliance landscape, and assessors will expect your information security posture to be consistent with your claimed level of clearance. For a clear view of how FSC and cyber compliance interrelate, DCC and FSC: Navigating Defence Cyber Compliance Frameworks covers this in detail.
Ready to Take the Next Step?
Whether you are a Prime contractor managing supply chain security obligations or an SME working to become FSC-ready, the compliance picture is complex and the timeline is less forgiving than most organisations expect.
At Pera Prometheus, we work with both prime contractors and defence subcontractors at exactly this stage. Get in touch and let’s work through where you are and what needs to happen next.
Frequently Asked Questions
Q: Can a prime contractor share classified information with a subcontractor that only has Provisional FSC?
A: No. MOD ISN 2026/03 is explicit that SECRET or above material must not be released until full FSC status is confirmed with the ISAC. Provisional FSC does not satisfy this requirement.
Q: Does our organisation need FSC if the classified work takes place entirely at the Prime’s site?
A: If you are not storing, processing, or manufacturing SECRET-level assets at your own facility, FSC may not be required. However, this should be confirmed against your specific contract conditions and Security Aspects Letter. Do not assume without checking.
Q: How does FSC differ between an Industry Contracting Authority (Prime) contractor and a Subcontractor?
A: The accreditation process and standard are the same. FSC is facility-specific regardless of your role in the supply chain. The key difference is that Primes carry an additional obligation to verify and monitor their subcontractors’ FSC status throughout the contract.
Q: What must a prime report to the ISAC, if a subcontractor’s clearance status changes?
A: Both parties must immediately notify the ISAC and the contracting authority if any change occurs that could affect security. This includes changes of ownership, accommodation, IT systems, or key security personnel at the subcontractor’s facility.
Q: Can we start the FSC process before we have a signed contract?
A: You need a contract or Security Aspects Letter to demonstrate a legitimate business need for FSC and engage with the ISAC team. However, there is nothing to prevent you from commencing FSC and IPSA preparatory activities. Early engagement with a specialist adviser, like Pera Prometheus Ltd, can help you structure your approach before the formal application stage.
Stay Safe, Stay Secure
