IPSA Requirements Explained: What MOD Contractors Must Demonstrate

Key Takeaways

People First: IPSA (Industry Personnel Security Assurance) focuses on the management and aftercare of vetted staff, distinct from physical security.

Mandatory Roles: You must appoint a Board Level Contact (BLC) and a Personnel Security Controller (PSC).

Prerequisite for FSC: If you require Facility Security Clearance to store assets, you must also achieve IPSA compliance.

Active Management: Compliance requires ongoing aftercare, including reporting changes in personal circumstances and conducting annual security appraisals.

For decades, the defence industry’s approach to security was heavily skewed towards the physical domain. We thought in terms of fences, reinforced doors, and secure containers, the classic “List X” mindset. But as the threat landscape shifted, the Ministry of Defence (MOD) has rightly recognised that a lock is only as secure as the person holding the key.

Consequently, MOD focus has shifted to the ‘insider threat’, and this is where IPSA (Industry Personnel Security Assurance) comes into its own. If you are a security manager or business owner in the UK defence supply chain, you likely know that holding Facility Security Clearance (FSC) allows you to store classified assets. However, the accompanying requirement, IPSA, is often less understood. IPSA is not just a paperwork exercise; it represents a fundamental shift in how MOD contractors manage their most critical asset and their biggest risk: their people.

This guide explains IPSA requirements for MOD contractors, breaking down the jargon into practical steps to help you turn personnel security into a business enabler.

The Shift in Focus: From Gates to People

Historically, once an employee was vetted, the job was largely considered done until their clearance expired; aftercare was required but rarely enforced. IPSA challenges this mentality. IPSA is a framework designed to ensure that companies sponsoring individuals for National Security Vetting (NSV) manage those staff with the same rigour expected within government departments. It acknowledges that an individual’s circumstances change. Financial pressures, personal relationships and mental health struggles can all potentially impact an individual’s reliability and integrity over time. The key is to recognise these developments and manage them effectively.

While FSC looks at your perimeter, IPSA looks at your employee behaviour and culture. It asks: do you really know who is working on your sensitive contracts today, not just who they were five years ago?

The Personnel Reliability Framework (PRF)

To achieve defence industry compliance under IPSA, you must demonstrate maturity against the Personnel Reliability Framework (UK). The key areas are:

1. Governance and Leadership

Compliance starts at the top. You cannot delegate accountability for national security solely to an HR administrator. Under IPSA, you must appoint specific, mandatory roles:

  • Board Level Contact (BLC): The BLC must be a member of your Board of Directors who is a British National and resident in the UK. They hold the ultimate risk ownership for personnel security.
  • Personnel Security Controller (PSC): This is the individual responsible for the day-to-day management of security and vetting. Like the BLC, they must be a British National and typically require Security Check (SC) clearance themselves.

2. The Aftercare Culture

This is perhaps the most significant operational change for many SMEs. MOD contractor security vetting is no longer just about processing the initial application. You must demonstrate robust aftercare. This involves:

  • Ongoing Monitoring: Implementing processes to identify behavioural changes or vulnerabilities.
  • Reporting Changes: You must have clear procedures for reporting a change of Personal Circumstances (CPC) to UKSV, such as a marriage, change in co-habitant, or significant financial changes.
  • Annual Appraisals: For staff holding higher levels of clearance (like DV), annual Security Appraisal Forms (SAF) are mandatory, to track ongoing suitability.

Crucially, this requires a bridge between your HR and Security functions. If an employee is facing disciplinary action or a welfare crisis, your security team needs to know, as it may affect their clearance status.

3. Insider Threat Risk Assessment

You must maintain a risk register that specifically addresses insider threats. This isn’t about mistrusting your staff; it is about protecting them and your business. It involves identifying roles that are critical to your operations and assessing the risks associated with the people filling them.

4. Pre-Employment Screening

Before you even apply for a clearance, you must apply the Baseline Personnel Security Standard (BPSS) to all staff. This includes verifying identity, right to work, and a three-year employment history check.

Eligibility: Who Needs IPSA?

Like FSC, IPSA is directly linked to a contractual requirement. In this case, the contractual requirement will be to provide security cleared staff. Not every supplier needs IPSA accreditation. It is a privilege that grants you the autonomy to sponsor your own staff for security clearances, rather than relying on a prime contractor or the MOD to do it for you. Generally, you are eligible (and often required) to apply if:

1. Contractual Need: You have a confirmed contract (or valid tender) involving access to assets classified SECRET or above.

2. Vetting Requirement: You have, or forecast having, a vetting population of at least 20 individuals within three years of applying to hold IPSA status. However, this is reviewed on a case-by-case basis and is not necessarily set in stone as a metric.

3. UK Presence: Your company is registered with Companies House and your vetting operations are based in the UK.

IPSA relationship with Facility Security Clearance (FSC)

It is important to understand how IPSA fits into the wider compliance ecosystem. If your contract requires you to hold classified assets on your own premises, you will need Facility Security Clearance (FSC). You cannot hold FSC without also undertaking IPSA, but you can achieve IPSA status without having to attain FSC status.

While FSC focuses on the physical environment, IPSA covers the people accessing and working with classified information and maintaining operations of secure facilities. The Industry Security Assurance Centre (ISAC) manages both accreditations (IPSA and FSC are still classed as accreditations), often assessing them together to ensure your personnel and physical security work as one.

Preparing for Assessment

Achieving IPSA accreditation is a rigorous process. The ISAC will review your policies, but they will also look for evidence that these policies are adhered to and implemented. By treating IPSA requirements as a framework for business resilience rather than just a compliance hurdle, you demonstrate to the MOD that you are a mature, reliable partner capable of handling sensitive work.

  • Do not just write a policy, create a culture: An auditor will want to see that your staff understand their responsibilities, not just that they signed a form during induction.
  • Empower your PSC: Your Personnel Security Controller needs real authority to enforce security standards, even if it means challenging senior management or delaying recruitment until checks are complete.
  • Audit your records: Ensure your BPSS checks are impeccable. Gaps in employment history or vague references are common stumbling blocks.

Frequently Asked Questions

1. What is the difference between IPSA and FSC? 

Ans: FSC (Facility Security Clearance) assesses the physical security of your site and your secure facility’s suitability to store classified assets. IPSA assures the personnel security processes (vetting, aftercare, risk management) for the people who access those assets. You need IPSA to get FSC, but you can hold IPSA without FSC if you provide vetted staff to client sites but don’t store SECRET assets yourself.

2. Do I need IPSA if I only have 5 vetted staff? 

Ans: Usually, no. The general eligibility threshold, assessed on a case-by-case basis by the ISAC, is a vetted population of at least 20 individuals. If you have fewer, your sponsorship may be managed by your Contracting Authority or Prime Contractor rather than holding your own account.

3. Can a non-UK national be our Personnel Security Controller? 

Ans: No. The policy mandates that the Personnel Security Controller (PSC) and the Board Level Contact (BLC) must be British Nationals.

4. What happens if we fail the IPSA assessment? 

Ans: IPSA accreditation is a privilege, not a right. If you fail to meet the standards, the ISAC may refuse or rescind your accreditation. This means you would lose the ability to sponsor your own staff for clearances, which could severely impact your ability to fulfil contracts or bid for new work.

5. How often is IPSA renewed? 

Ans: Once accredited, you are subject to an annual review and a full re-assurance audit every three years.

6. Is BPSS the same as a security clearance? 

Ans: No. The Baseline Personnel Security Standard (BPSS) is a pre-employment check (covering ID, right to work, and criminal record). It is a mandatory prerequisite before applying for a formal security clearance like SC or DV, but it is not a clearance itself.