FSO Requirements for a Cleared Contractor:
Who Must Appoint One, and What They Actually Have to Do
Procedures. Security training and briefings. Determination of access. Reporting requirements. Information system security. Those five categories were roughly 82 percent of every open security vulnerability the Defense Counterintelligence an…
Updated July 15, 2026
Recruiting
Procedures. Security training and briefings. Determination of access. Reporting requirements. Information system security. Those five categories were roughly 82 percent of every open security vulnerability the Defense Counterintelligence and Security Agency carried across cleared industry as of September 29, 2025, per GAO-26-107861. That is not a list of audit findings. It is a job description, and it belongs to one person: the Facility Security Officer. Every entity holding a facility clearance must appoint one.
Key takeaways
- DCSA oversees more than 12,500 cleared facilities and an estimated 90 to 95 percent of U.S. classified contracts (GAO, April 2026).
- In FY2025 it completed 4,634 security reviews, documented 815 violations, and carried over 1,000 open vulnerabilities.
- The five largest FY2025 vulnerability categories are about 82 percent of the total, and all sit inside the FSO’s remit.
- A new FSO has six months to complete required training (32 CFR 117.12(d)); the CDSE curriculum for a possessing facility is 38.5 hours across 14 courses, 75 percent to pass.
- No BLS code exists for Facility Security Officer. The closest published proxy, Compliance Officers (SOC 13-1041), had a May 2025 median of $80,730.
Who has to appoint an FSO?
Any entity with a facility clearance. 32 CFR 117.9(c)(5) conditions the FCL on having a Senior Management Official, an FSO, and an Insider Threat Program Senior Official who all hold and maintain eligibility for access to classified information. Five employees or five thousand, the rule reads the same.
A contractor cannot apply for its own entity eligibility determination; a government contracting activity or an already-cleared contractor has to sponsor it (117.9(a)(10)), and DCSA’s facility-clearance checklist puts it plainly: “Contractors cannot sponsor themselves for an FCL.” Until the determination issues, nobody touches classified information (117.9(a)(4)). FSO and ITPSO appointment letters are required documents in the FCL package.
A cleared company may not use that determination for advertising or promotional purposes, though it may advertise positions requiring a clearance (117.9(a)(9)). That is the seam every cleared job posting lives in; our clearance guide for 2026 covers the process behind it.
What does the rule require of the person in the seat?
Four things: a U.S. citizen, an employee of the cleared entity, appointed in writing by the SMO, cleared to the level of the company’s own FCL and carried on the key management personnel list.
Section 117.7(b) opens on citizenship: “Contractors will appoint security officials who are U.S. citizens.” Section 117.9(d)(1)(iii) is blunter. “Appoint a U.S. citizen employee as the FSO.” Hold on to the word employee; it settles the outsourcing question below.
The clearance condition is what ambushes newly cleared firms. Under 117.7(b)(1)(iv) the FSO is investigated and adjudicated “at the level of the entity’s eligibility determination for access to classified information (e.g., FCL level)” and must be on the KMP list. A Top Secret FCL means a Top Secret FSO, not a Secret one who is working on it. If your FCL sits at the TS/SCI end, the pool shrinks hard, and the clearance level is not negotiable at hire. Appointment is documentary: designated in writing per CSA guidance (117.7(b)(1)(iii)), with the same training every cleared employee takes plus position-specific training (117.7(b)(1)(ii)).
Can one person be both the FSO and the insider threat lead?
Yes. Section 117.7(b)(2)(ii) lets the SMO appoint a single employee as both FSO and ITPSO, and 117.7(b)(1)(i) states that “a single contractor employee may serve in more than one position.” The small-business dual hat is written into the rule, not tolerated around it.
The insider threat program is not optional. It flows from Executive Order 13587, and 117.7(d) requires a program that gathers, integrates and reports information indicative of a potential or actual insider threat. Splitting the roles removes no duty and adds a coordination one: where the ITPSO is not the FSO, 117.7(b)(4)(i) still requires the FSO to be “an integral member” of the program. One more appointment gets forgotten. Any contractor processing classified information on its own system must appoint an Information System Security Manager, cleared to the highest level of information on it (117.7(b)(5)).
What training does a new FSO have to complete?
Training within six months of appointment, and, where DCSA approves the facility to store classified material, an FSO program management course within six months of that approval. Both clocks are in 32 CFR 117.12(d). DCSA, not the employer, delivers the FSO’s initial security briefing.
The curriculum is not trivial. CDSE’s FSO Program Management for Possessing Facilities (IS030.CU) runs 38.5 hours across 14 courses, with a 75 percent passing score required on the exams and performance exercises. The non-possessing version, IS020.CU, is 26.5 hours across 10 courses. The course list is an inventory of the job: facility clearances, FOCI, reporting requirements, personnel clearances, visits and meetings, self-inspection, safeguarding, derivative classification and marking. GAO counted 338,136 completions of NISP-related courses by contractor personnel.
Training never finishes. Cleared employees get security education every 12 months (117.12(k)). Insider threat awareness training is annual, and new employees must have it before any access is granted (117.12(g)(2)). Anyone performing derivative classification retrains at least once every two years, or the company must suspend that authority (117.12(h)(2)).
What does the FSO own day to day?
The statutory duty is one sentence: supervise and direct the security measures necessary to implement the rule (117.7(b)(3)(i)). Four recurring jobs come out of it.
The self-inspection. Contractors conduct a formal self-inspection at least annually (117.7(h)(2)). The FSO writes the report of findings and their resolution, and the company retains it until after the next DCSA security review (117.7(h)(2)(ii)). The signature at the end is not the FSO’s. The SMO certifies annually, in writing, that the inspection happened, that other KMP were briefed on the results, that corrective actions were taken, and that management fully supports the security program (117.7(h)(2)(iii)).
The record. NISS is DCSA’s system of record for industrial security oversight. DISS replaced JPAS as the personnel security system of record on March 31, 2021, and its Joint Verification System is where access is documented and eligibility verified. NBIS Agency is where FSOs process background applications, which is why the FSO lives inside the eApp transition, the adjudication sequence, and every continuous vetting alert.
The reporting funnel. Section 117.8(a)(2) requires internal procedures so cleared employees know their duty to report pertinent information to the FSO, and SEAD 3 extends reportable events, foreign travel and foreign contacts among them, to every cleared employee whose self-reporting duties mirror it. Adverse information is reportable, and 117.8(c)(1) closes the loophole: “The termination of employment of an employee does not negate the requirement to submit this report.” Espionage, sabotage, terrorism or subversive activity goes promptly and in writing to the nearest FBI field office (117.8(b)). Any change to the KMP list is reportable too (117.8(c)(7)(iii)), including the day you replace the FSO.
Security education. Briefings, refreshers, debriefs, insider threat awareness. The least glamorous item here, and the second most common finding in the country.
What does a DCSA security review actually look for?
Facilities authorized to possess classified material, and all FOCI-mitigated facilities, are generally reviewed every 12 months. Everyone else, every 18. The reviewer is a DCSA Industrial Security Representative, working out of one of 167 field locations.
The volume is real: 4,634 industrial security reviews in fiscal year 2025 and 4,692 in FY2024, up from 3,618 in 2023. In FY2025 DCSA logged 815 security violations and over 1,000 open vulnerabilities. It spent over $160 million and fielded more than 470 industrial security mission personnel.
| Category | Open | Share | In FSO terms |
|---|---|---|---|
| Procedures | 231 | 22.4% | Standard practices, security officials’ procedures, insider threat procedures |
| Security training and briefings | 204 | 19.8% | Initial and refresher training, insider threat briefings, FSO training |
| Determination of access | 162 | 15.7% | Who got access, and whether the record proves why |
| Reporting requirements | 137 | 13.3% | The 117.8 funnel: adverse information, changed conditions, SEAD 3 |
| Information system security | 111 | 10.8% | The ISSM’s territory, and the FSO’s problem without one |
| All other categories | 187 | 18.1% | Everything else combined |
GAO’s footnotes settle the reading. The Procedures bucket includes “contractor security officials’ procedures” and insider threat program procedures. The training bucket explicitly includes “facility security officer training.” The most common thing DCSA finds in cleared industry is, in large part, an FSO function that was never built.
Silence is not absolution. DCSA told GAO that for every year a review slips it finds 1.5 to 2.5 times more vulnerabilities, and in 2023 the agency said it was resourced to conduct required NISP oversight of only about 25 to 30 percent of the cleared industrial base.
Full-time FSO, collateral duty, or contract FSO?
All three are legal. Only one is widely misunderstood. Because 117.9(d)(1)(iii) requires an employee, the appointment itself cannot be outsourced.
| Model | Typical fit | The trap |
|---|---|---|
| Full-time FSO | Possessing facility, classified IT, FOCI mitigation, 12-month review cadence | A cleared, credentialed, thin candidate pool. Time-to-fill is the constraint, not salary |
| Collateral duty (dual hat) | Non-possessing facility, small headcount. Allowed by 117.7(b)(1)(i); the same person may also be ITPSO under 117.7(b)(2)(ii) | 26.5 hours of CDSE and an annual self-inspection land on someone whose day job already has deadlines |
| Contract or fractional FSO | A new FCL, a gap after a departure, or expertise needed a few days a month | Not a vendor arrangement: 117.10(m)(4) makes a consultant your employee for compliance purposes, so the seat still needs a written appointment, a KMP-list entry, and a clearance at your FCL level |
That last row is where cleared companies get into trouble. The rule does contemplate outside specialists, just not as vendors. Section 117.10(m)(4) provides that for security administration purposes a consultant is “considered an employee of the using contractor for compliance with this rule,” and 117.10(m)(1) keeps that consultant from accessing classified information off your premises except on an authorized visit. If a firm offers to “be your FSO” with nobody on your KMP list and nobody carried as your employee of record, ask them to point at the sentence in the rule that allows it.
What does an FSO req cost to fill?
No BLS occupation code exists for Facility Security Officer, so no published federal FSO wage exists either. The closest primary proxy is Compliance Officers, SOC 13-1041, whose BLS May 2025 median annual wage is $80,730 against a mean of $88,400 across 417,070 U.S. jobs.
Treat that as a floor. Adjacent BLS categories show why: Information Security Analysts (15-1212) posted a May 2025 median of $129,180 and Managers, All Other (11-9199) came in at $141,900. The FSO you want holds an active clearance at your FCL level and has run a self-inspection that survived an ISR. Rival bidders are recruiting that person now. The 90th percentile for compliance officers ($133,720) is the honest anchor for a possessing facility with classified systems. For a federal benchmark, OPM’s 2026 General Schedule pays $76,463 at GS-12 step 1 and $90,925 at GS-13 step 1 before locality. Time-to-hire, not budget, is where govcon employers lose this candidate, and whoever you hire will carry your recruiters through every cleared hire after that.
DCSA plans 800 to 1,200 remote reviews of non-possessing facilities in fiscal year 2026, and whoever reviews you will open with the procedures, the training records, the access determinations and the reporting file. Those four things are exactly what an under-resourced FSO does not have. Look hard at who holds the seat today, and if the honest answer is “the contracts manager, on Fridays,” write the req this quarter rather than after the finding.
Frequently Asked Questions
Does every cleared contractor need an FSO?
Yes. Under 32 CFR 117.9(c)(5) an entity cannot obtain or keep a facility clearance without a Senior Management Official, an FSO and an ITPSO who all hold and maintain eligibility for access to classified information. No exemption exists for small or non-possessing facilities.
Can we hire an outside firm to be our FSO?
Not as a pure vendor relationship. Section 117.9(d)(1)(iii) requires the entity to “Appoint a U.S. citizen employee as the FSO,” so the appointed person is an employee of record: appointed in writing, on the KMP list, cleared to the FCL level. A consultant can hold the seat only because 117.10(m)(4) treats a consultant as an employee of the using contractor for compliance with the rule. A fractional FSO takes on that employee-of-record status; it is not a function you buy from a vendor.
Can the same person be the FSO and the ITPSO?
Yes. Section 117.7(b)(2)(ii) lets the SMO appoint one employee to both roles, and 117.7(b)(1)(i) confirms that a single contractor employee may serve in more than one position. Where they are split, 117.7(b)(4)(i) still requires the FSO to be an integral member of the insider threat program.
How long does a new FSO have to complete training?
Six months from appointment (32 CFR 117.12(d)). Where DCSA has approved the facility to store classified information, the FSO must also complete an FSO program management course within six months of that approval. CDSE’s IS030.CU curriculum runs 38.5 hours across 14 courses and requires a 75 percent passing score.