Key Takeaways
- List X and Facility Security Clearance (FSC) have the same focus (List X is still applied and used across other parts of HMG). The MOD renaming was formal and deliberate, not cosmetic and was announced through the publication of Industry Security Notice (ISN) ISN 2023/02.
- The intent and purpose have not changed, however, for MOD, the focus has changed to include identifying insider threat(s).
- What else has changed: For MOD only, Industry Personnel Security Assurance (IPSA) was introduced for managing security clearances, without the need to become FSC accredited.
- If you are relying on guidance written before 2023, treat it as historical reference only. The current governing document is the MOD FSC Policy and Guidance v1.4, published March 2024.
Introduction
The term “List X” is still relevant to other parts of HMG, but not MOD. MOD have now fully embraced FSC, replacing the List X approach to securing facilities.
This said, you will often come across the term ‘List X’ being used in Defence related conversations and it is worth being cautious of this. Many well-meaning people refer to the requirements of List X as opposed to FSC when advising on preparation or feasibility; some of the requirements are quite different.
FSC was introduced in Industry Security Notice 2023/02 and updated policy guidance was published in 2024. The major changes introduced by FSC were the physical security assessment tool and IPSA. The Classified Materiel Assessment Tool (CMAT) was replaced by the Surreptitious Threat and Mitigation Plan (STaMP) assessment tool. The change of tooling, for assessing secure sites, was in response to the change in threat.
STaMP has been developed by the National Protective Security Agency (NPSA), the National Authority in this area.
What Was List X?
List X was the legacy term for MOD accreditation that allowed a company to hold UK Government assets classified as SECRET or above on its own premises.
The name came from an internal MOD register, a literal list of approved facilities. List X focused upon physical security characteristics and perimeter security, designed to prevent or delay entry to a site by unauthorised personnel.
Why the MOD Renamed from List X to FSC?
Two things happened at the same time, and both are worth understanding. The first was international alignment. “Facility Security Clearance” is the standard term used by the United States and other NATO partners. Using FSC means UK contractors working across allied programmes speak the same language as their counterparts abroad.
The second was a deliberate shift in threat focus. List X was designed to guard against external physical attack. FSC explicitly incorporates insider threat, as a core concern. The MOD recognised that the greatest risk to classified material is often not the person trying to break in, it is frequently the person already ‘inside the wire’, whether acting with malicious intent, under personal pressure, or simply unwittingly compromising information assets.
MOD also took the opportunity to address an area which had been a source of frustration for some time – Security Clearance Management. Until the introduction of FSC, the only way a business could manage its own security clearances was to become a List X company. However, unless the business had a clear need to become a List X company (i.e. have a contract requiring them to physically hold SECRET information, a sponsor for their List X application, and a Security Aspects Letter relating to the contract, they could not become List X. Without List X organisations could not have authorisation and access to the systems that enabled them to manage their own security clearances, even if they had a contract requiring them to supply security cleared personnel. This was something of a ‘catch 22’ situation.
The introduction of the Industry Personnel Security Assurance (IPSA) process has resolved this. Now, MOD suppliers can apply to hold IPSA status, separately to FSC and this is covered in our blog Industry Personnel Security Assurance (IPSA). Any company applying to become FSC certified MUST also go through the IPSA process..
What Did Not Change
The sponsorship model has not changed. You still need a Contracting Authority to sponsor your application, a contract specifically requiring you to Store/Handle/Discuss SECRET information as part of contract delivery and a Security Aspects Letter (SAL) related to the contract.
The Industry Security Assurance Centre (ISAC) still manages the process. If your organisation held List X and maintained your standards, your accreditation was not invalidated by the rename but you will need to go through the new FSC process at the next formal review date. provided of course your contract remains valid. FSC is linked to a contract, when the contract expires the need to hold FSC status expires with it.
For a full breakdown of what the current requirements involve, see our post on Facility Security Clearance: What It Is and When Your Organisation Needs It.
What Did Change: Four Practical Differences
- IPSA is now a firm prerequisite: You cannot attain or maintain FSC without IPSA. The two are assessed concurrently by different assessors within the ISAC team. IPSA is not a form filling exercise; it is an ongoing framework for managing the people in your organisation who hold security clearances. How they are supported, monitored, and what happens when their personal circumstances change.
For details on what IPSA requires, see IPSA Is Not an HR Process: It’s Your First Line of Defence Against Insider Threat and IPSA Requirements Explained.
- A dedicated MOD policy document now exists: A separate FSC policy is in place FSC Policy and Guidance as a specific supplement to GovS 007, addressing MOD requirements and the FSC and IPSA relationship explicitly. The current version of MOD FSC policy is v1.4, dated March 2024. If your team is still working from older guidance, that gap needs closing.
- Company Security Instructions now have a clearer mandate: Under FSC, your organisation must produce Company Security Instructions, a set of written rules that explain exactly how your FSC is managed day to day. These are not general policy statements, the instructions must be specific to your facility, signed off at Board level, and kept up to date. An assessor will want to see that they reflect how your organisation actually operates, not how it operated when you first wrote them.
- Keeping ISAC informed is a requirement: Once you hold FSC, you have an ongoing duty to keep ISAC up to date. If your company changes ownership, appoints new directors, moves premises, or experiences anything that affects your security arrangements, you must report it promptly. You cannot wait until your next scheduled review. FSC is not something you achieve and then set aside. It requires active management for as long as you hold classified material on your premises. If you bring in subcontractors who need access to that material, the same obligations apply to them too. For more on how this works in practice, see FSC and the Defence Supply Chain.
What do organisations need to do?
If you hold a contract for handling classified material and information within your premises, at SECRET or above, then you need to be FSC and IPSA compliant. At Pera Prometheus, we have guided contractors through both List X and the transition to FSC, and we know where the gaps tend to appear. Get in touch and let’s start a discussion on where your organisation stands.
Frequently Asked Questions
Q: If we held List X before 2023, do we need to reapply for FSC?
A: No. If you maintained your List X standards, your facility will be reassessed to the new requirement at the next formal review point (provided you still have a valid contract in place). You were not required to restart the application process. What ISAC now expects is compliance with the expanded scope, particularly around IPSA.
Q: Is IPSA something we do separately from FSC, or at the same time?
A: At the same time. Once ISAC accepts your Government Industry Security Assurance (GISA) form, they assign both an FSC and an IPSA assessor. The two processes run concurrently. You can hold IPSA without FSC, but you cannot hold FSC without IPSA.
Q: Is there any guidance using the “List X” term that we can still rely on?
A: For MOD, guidance that refers to List X predates the ISN 2023/02 transition. It is useful for historical context but should not be treated as current policy. The governing document is the MOD FSC Policy and Guidance v1.4, March 2024.
Q: What is GovS 007 and how does it relate to the MOD’s FSC requirements?
A: GovS 007 is the Government Functional Standard for Security, the overarching framework all UK government contractors must comply with. The MOD FSC Policy and Guidance v1.4 is a specific MOD supplement to it. Both apply, and the MOD supplement takes precedence where there is any difference.
Q: We have just been told we need FSC for a new contract. Where do we start?
A: Get in touch with Pera Prometheus for a free initial consultation. There are a number of variables that can apply at this stage, each dependent upon your current situation. We can’t offer cart blanche advice that covers everything but a quick call can provide a great deal of clarity that will enable us to advise you on where you currently sit in the process, what you should consider before committing to attaining FSC, and recommended next steps.
