In this episode of "Are We All Clear? Facilitating Security Clearances," host Marina O'Brien talks with Robert A. Friedman, co-head of Holland & Knight's International Trade practice and a leader of the firm's National Security & Defense Industry Group, about intelligence community (IC) security clearances. They discuss how IC clearances differ from the processes used by the U.S. Department of Defense (DOD) and Defense Counterintelligence and Security Agency (DCSA), highlighting that IC clearances are contract-specific, often less prescriptive and can vary depending on the assigned contracting officer. In addition, both use similar documentation and focus heavily on foreign ownership, control or influence (FOCI) analysis, but IC tends to be more cautious with foreign investors outside U.S. allies. Mr. Friedman recommends companies be as transparent as possible and seek legal counsel when filling out clearance applications and also reminds the listeners that there is a newly updated SF-328 form that requires more detailed information and diligence in the clearance process.
Podcast Transcript
Marina O'Brien: Welcome to the 21st episode of Are We All Clear? The Podcast on Facilitating Security Clearances. I'm your host, Marina O'Brien, an international trade associate with Holland & Knight's Washington, D.C., office. Today's episode will discuss security clearances in the context of the intelligence community. How is it the same and how does it differ from the security clearances handled by the Department of Defense (DOD) and DCSA in particular? To help us untangle this, we have with us Robert Friedman, the co-head of Holland & Knight's International Trade practice and the leader of the firm's National Security & Defense Industry Group. Welcome back to the podcast, Robbie.
Robert Friedman: Thanks, Marina. I appreciate you inviting me back. I must have caught you at a moment of weakness because after my first-time interview on the program, you invited me back, so I appreciate the courtesy.
Marina O'Brien: Absolutely, but before we dive deeper into security clearances as this relates to the intelligence community, I'm going to step back and provide our listeners, especially those who might be joining us for the first time, with a high-level overview of what clearances are. To begin with, there are two types of clearances. Personnel security clearances, also known as PCL, and facility security clearances, FCLs. Here on our podcast, we tend to focus more on facility clearances, although we cover personnel clearances as well. So what is an FCL? An FCL is essentially the U.S. government's approval of a government contractor to have access to U.S. government classified information. An FCL may be what we call possessory, meaning that a contractor can handle classified materials at its own physical location, its facility, or non-possessory, meaning that the contractor personnel are only accessing the classified information at approved government or third-party sites. And as to who issues the facility clearances? Well, they are primarily issued by the U.S. Department of Defense through an agency called the Defense Counterintelligence and Security Agency, or DCSA.
Now DCSA acts as the gatekeeper for a number of U.S. government agencies when it comes to facility clearances, such as the Navy, U.S. Air Force, NASA as well. However, certain other agencies have their own facility or FCL processes — for example, the Department of Energy — and for that please stay tuned for a future episode because we'll be talking more about this. And then some agencies within the intelligence community, which is the topic of today's discussion, they have their own processes where access may be granted on a contract-by-contract basis rather than to the contractor as a whole for use across multiple contracts. So in any of these cases though, an FCL for a government contractor is the recognition that the company has been vetted in terms of its internal organization, ownership and control and security infrastructure. And the government has determined that providing access to classified information is in the government's best interest without an undue risk to U.S. national security.
With that, let's go back to the intelligence community, or IC, and clearances. Robbie, what are they and how are they the same or different from those issued by DOD, for example, or another Cognizant Security Agency (CSA), let's say DOE or DHS, Department of Homeland Security or Department of Energy? Could you please highlight for our listeners any unique aspects of the IC clearances that set them apart?
Robert Friedman: Sure. Happy to do so, Marina. And thanks for that introduction. I think it's really helpful to lay out for our listeners some of the basic principles of the facility clearance process, as well as how our team works on those issues every day. You touched on something which I think is, if I had to characterize the most consequential distinction between the typical DCSA-led facility clearance process and the facility clearance operation that's undertaken by the intelligence community, is the point you made around what it actually does. So, a facility clearance issued by the DCSA can be repurposed for a variety of classified contracts, assuming that such contracts are at the same level of classification as the FCL is awarded or is activated. In the intelligence community, it is a contract-by-contract determination that is very much led by the contracting officer. So contrary to a situation within the DCSA landscape where there's a dedicated office that is responsible for industrial security, there's multiple units within DCSA that each have a role for the entirety of the classified contracting community, the intelligence community has a very much diametrically opposed approach when it comes to evaluating security and enabling private sector entities to perform classified government contracts. It is very much, as I mentioned, led by the contracting officer for the contract and is determined on a contract-by-contract basis. So it can lead to a couple of interesting results.
Number one is, your experience in the process can be very much impacted by who you receive as your contracting officer. Some could, for example, be very motivated to help get the process completed quickly. Some might take much longer. There's wide variation when it comes to individual contracting officers. It's also a little more opaque. We have more, I would say, detailed and specific guidelines for a DCSA-led process both in the NISPOM, the National Industrial Security Program Manual, as well as in guidance that DCSA issues. The IC doesn't have the same level of guidance. And the process itself can be more opaque. So I would say a couple of differentiators are one, the speed can vary, but it can be much faster than a DCSA process, as well as the variation can be pretty significant between contracting officer to contracting officer. Just a couple of other points for the listeners to know when it comes to the principal, I guess, foundational situation with the intelligence community.
So, as we talked about on prior episodes, the National Industrial Security Program Manual, NISPOM, which is kind of the rule book for the classified contracting community, provides that facility clearances are the responsibility of the Cognizant Security Agency, so the CSAs. The NISPOM itself does not provide specifics for how the intelligence community should implement its responsibilities. The information that we have based on NISPOM is that the ODNI, the Office of the Director of National Intelligence, national intelligence is under the jurisdiction and control of the DNI (Director of National Intelligence) who establishes security policy for the protection of national intelligence and intelligence sources, methods and activities.
In addition to the guidance in NISPOM, contractors shall follow IC directives, policy guidance standards and specifications for the protection of classified national intelligence. So, it basically is a diversion from the NISPOM to the IC's own processes. And those processes are relatively sparse. We do have some directives that we can point to, and I'll just highlight a couple of them just as background. So we have Intelligence Community Directive 612, which provides for core contract personnel, and according to that ICD, industrial contractor is defined as a commercial business other than an independent contractor or sole proprietorship that enters into contract with the U.S. government. So the core contract personnel are differentiated within the IC world from non-core contract personnel. And then there's a variety of other directives and policy guidance that apply to specific situations, but again it's very, I would say, bespoke, when it comes to how a process can proceed and very much led by the contracting officer in the nature of the contract itself.
Marina O'Brien: Thank you, Robert. That's very insightful. And I guess the best way to learn is to speak with somebody who has gone through the process since there's not much out there as there is with DCSA. Could you also let us know what does this mean in terms of the information that's requested by the government and whether any of the type of the information that they actually grant access to, how different is it than, let's say, DOD clearance?
Robert Friedman: It's a very good question. The basic core, the nucleus of materials is the same. The IC calls it a little bit different and the materials are labeled slightly differently. But the starting point, as we talked about, we had an entire episode, which I participated in, on the SF-328, and really how to think about that SF-328, how to prepare to fill it out, and then how to make a submission that really hits the mark when it comes to what the government expects. The same SF-328 is what is used by the IC to evaluate foreign interests. And so that is going to be a common document across the two different processes.
Similarly, in the DCSA context, we need to submit a structure chart, which lays out how the company fits into the broader corporate family. Owners, investors and so forth need to be highlighted. The IC has something called an organizational entity structure document, and that establishes parents, subsidiary, affiliate relationships, and again, it's designed to give the government a clear picture of how the applicant fits into a broader corporate family and what their ownership and control structure looks like. So those documents are largely common as well. They're called slightly different names, but request the same information. The other core documents are also very similar. A KMP list, which we all know is required in the DCSA process, is also required in the IC process. And I will say that the underlying principle for obtaining approvals to perform classified contracts under the IC rubric is really the FOCI (foreign ownership, control or influence) determination or the FOCI analysis. And that is the ultimate goal of the IC process, is to evaluate on a contract-by-contract basis, whether the contractor has any foreign ownership, control or influence, and then what it looks like and how it presents itself. And so that is discovered through a similar process that we have in DCSA as a starting point, the SF-328, review of the structure chart, corporate governance documents, and then an analysis of potential foreign touch points and determination of whether there's any extant FOCI that could prevent the contractor from doing classified work.
Marina O'Brien: Do you think, in your experience so far, that the IC community sees the threat and security issues a little bit differently than DOD? So, for example, if, let's say, we have a cleared company and potential investor via equity partnership, and these are limited partners and some of them might have Chinese investors, but let's say it's even 2 percent or less than 1 percent, below the 5 percent threshold. Would the IC community look differently at this as opposed to DCSA? In other words, are they more rigorous and stricter?
Robert Friedman: Yeah, it's a good question. It's hard to know within the actual process if the evaluation is more rigorous or if the review process is more onerous for the applicant, it's kind of difficult to know. In our experience, we've had success with the IC going through the process, but I guess what I would say, part of the answer is if you measure it by how long the process takes, then the IC process in some ways is more streamlined because it can be quicker than DCSA. So that certainly isn't as lengthy as a DOD-led review process. But one part that is — there's no guidance on this, but it just is based on our anecdotal experience — is that historically the IC has been less comfortable granting access to classified information within the IC rubric for companies that have foreign touch points with countries that are not Five Eyes countries, or very close U.S. allies. And of course, the Five Eyes — Australia, New Zealand, Canada and the United Kingdom — have very close intelligence relationships with the U.S. government, and so are far more likely to see approvals when it comes to performance of classified contracts for the IC, whereas companies that might have touch points in other jurisdictions had a more difficult time. We are beginning to see that process thaw. We've had some success, for example, with companies that have touch points in France, with touch points in Israel, for example. So there is a, I would say, an evolving process within the IC where I think the comfort level with companies in the private sector that are from some of these other jurisdictions, that there's more reception than there was, you know, a decade ago.
Marina O'Brien: That's very interesting. Thanks for sharing. So I would be curious to know, given all of this, what are some of the tips you could share when applying for clearances within the intelligence community?
Robert Friedman: Yeah, so just a couple, and these are, you'll find, I think, pretty common across all of the industrial security landscape and really with DCSA as well. Is, you know, it's a self-serving comment, but having a specialist or an expert assist in the submission process is highly recommended. Not only because it is complex and it is opaque, so having somebody that has been there before and has done the process is helpful, but you also want to make sure that you're presenting the material to the government in a way which they will understand and that will minimize the amount of Q&A or follow-up that's required. Every classified contractor wants to begin performing as soon as possible, begin realizing revenue from classified contracts. And so to the extent that the process extends to the right, significantly, by months or even a year or more, it can delay or it can block a potential revenue stream. So ensuring that the materials that are submitted to the government are properly prepared and anticipate areas of interest for the government and can address those in the submission, have a far better chance of getting streamlined treatment in our experience. So that's number one: Make sure you've got the right people on your team and the right submission is going in.
The second is transparency. I mean, that's a principle that I would hope that most companies use as a guiding principle, because the quickest way to lose trust with either the IC or with DCSA is to submit materials that are incomplete or that omit key information or, even worse, that try to kind of hide the ball on certain things. So we highly recommend being transparent and really having kind of an open tent approach to the company and to its investors and to its structure to ensure that there's no confusion on the part of the regulators and that there's no suspicion that the contractor might be hiding something from them.
Marina O'Brien: Those are all good points, very well taken. I'm wondering, given the sensitivity, are mitigations more likely when applying for an FCL within the IC?
Robert Friedman: You know, that's a little bit of a tough question to answer, Marina. What I will say is that the intelligence community is far less prescriptive when it comes to mitigation than DCSA. So DCSA, as some of our listeners might know, when you actually go through the process of applying for an FCL, you will be told what is required to mitigate the FCL — or mitigate the FOCI rather — in order to have the FCL approved. And within the intelligence community, there isn't really a sort of recommended or a suggested form of mitigation that the contracting officer will provide. You either pass or you fail your FOCI assessment. So it's very much incumbent on the contractor to do a lot of diligence upfront and determine where there is potential FOCI and then be proactive in mitigating it.
And in some ways we recommend if contractors are interested in doing both classified and unclassified contracts or, even better, classified contracts within the DOD landscape as well as the IC, to move into the DOD first because the DCSA process, although it can be a little bit longer, the more detailed prescription will actually be useful when going to the IC. Now the IC is not going to just take the DCSA process completely and just rubber stamp it. There's going to be an independent evaluation on the IC side of the equation, but it is a positive step and it will aid in the IC process to have gone through the DCSA process to develop the mitigation strategy and implemented the mitigation requirements for that FCL. So turning around and then going to the IC is often a preferred approach. And again, the primary reason for that is you won't get as much guidance from the IC when it comes to required mitigation. You might just be told, "go figure it out."
Marina O'Brien: Well, we're getting a lot of good guidance from you today. So for our last question of the day, are there any parting thoughts that you'd like to share with our listeners or perhaps a note on future trends as you see them in the security clearances related to either the IC community or otherwise?
Robert Friedman: Yeah, I mean, just one or two points. I think we're going to have a future podcast episode on this, but for our listeners, just to know that there's a new SF-328 as of a couple of weeks ago, and it is really important to spend time and review it because it requires additional information beyond what was required in the SF-328 that has historically been in place. It requires more diligence on the part of the contractor, and it's going to be applicable both for new FCL applicants as well as for those that are filing change condition packages in the NISS, you will have to provide additional information. So doing the homework now, getting that information lined up will help you both apply for new FCLs but also have a quick process when it comes to change condition packages. So that's, I think, the number one thing I would remind the listeners to look at and to focus on, and I know we'll have an episode that will do a deep dive on that in the near term.
Marina O'Brien: Well, thank you for joining us, Robbie. This was really informative.
Robert Friedman: Sure, happy to do so. Thanks for having me.
Marina O'Brien: Well, this area is full of acronyms. This week, we had multiple acronyms, including FCL or facility clearance; PCL or personnel security clearance; DCSA, the Defense Counterintelligence and Security Agency; CSA or the Cognizant Security Agency; and last but not least, IC or the intelligence community. Each episode, we ask our speaker to explain an acronym that is featured in the episode but with wrong answers only. So, Robbie, would you like to choose an acronym?
Robert Friedman: Sure, I'll choose an acronym that both describes the DCSA and intelligence community processes, as well as what we have in store for ourselves on a Friday in the middle of the day. This is being recorded just before the Memorial Day weekend and I think everyone is working very hard to wrap up all the work and enjoy a long weekend. I will take for the FCL acronym, fun comes later. In the industrial security process, the process of getting approvals to perform classified contracting can be onerous, can be time-consuming, can be costly. But once you get through the process, it opens up lots of opportunities for fun when it comes to contracting on the classified side of the house, as well as it can provide new revenue streams for companies. And for all of us who are trying to wrap up our work, fun will come later.
Marina O'Brien: Oh, that's great. I think it's going to be my favorite acronym so far that I've heard. Well, to all of our listeners, thank you and I hope everyone has a great week.