How to Start a Classified Government Contracting Company: FCL, Sponsorship, and DCSA Requirements

A roadmap for the defense industrial base. Companies considering a move into classified government contracting often approach the process backwards. They assume that obtaining a Facility Security Clearance is something a company applies for, the way it might apply for a business license. It is not. A Facility Clearance is something a company is sponsored into, and the process that follows touches corporate structure, personnel security, foreign ownership review, and an ongoing compliance obligation that does not end once the clearance is granted. As someone who holds Facility Security Officer certification for possessing facilities and serves as an Insider Threat Program Senior Official through DCSA, I have seen this process from the inside, and I regularly advise contractors entering the cleared defense industrial base on how to approach it correctly the first time.

In Short

To start a classified contracting company, you generally need:

• A real classified contract or subcontract requirement
• A government or prime-contractor sponsor
• Corporate documents and ownership records in order
• Identified Key Management Personnel and a plan for required clearances
• Early assessment of FOCI, facility type, and insider threat obligations

Step One: Establish a Bona Fide Need

DCSA will not consider a company for a Facility Clearance, or FCL, simply because the company is interested in classified work. There has to be an actual, demonstrable requirement. That typically means one of two things: a government agency intends to award the company a classified prime contract, or a cleared prime contractor needs the company as a subcontractor on a contract that requires access to classified information. Without that underlying justification, there is no path forward, regardless of how well-prepared the company otherwise is.

Step Two: Secure a Sponsor

A company cannot apply for an FCL directly. Sponsorship must come from either the government agency awarding the contract or a cleared prime contractor with an FCL at the appropriate level. The sponsor typically initiates the request through the National Industrial Security System and provides the security documentation supporting the requirement for classified access, often including the DD Form 254, Department of Defense Contract Security Classification Specification, and an explanation of the scope of work. If a prime contractor is sponsoring a subcontractor, the prime must justify a genuine procurement requirement, not a speculative or future interest.

A practical caution for very small businesses: a company built around a single individual often runs into structural problems in the FCL process. Even where the legal entity itself is valid, the company still has to satisfy DCSA's requirements for key management personnel, security responsibilities, and ongoing NISPOM compliance. In practice, businesses trying to enter classified contracting with a true one-person operating model should assess that structure carefully before sponsorship is submitted.

A second early question is whether the company needs to be a possessing facility, able to store classified information at its own location, or a non-possessing facility that only accesses classified information at government or prime-contractor spaces. That distinction materially affects the security infrastructure, physical safeguards, and cost of compliance, and it is worth settling before the process begins rather than discovering it mid-stream.

When the Sponsor Is a Government Agency

Agency sponsorship works differently from prime contractor sponsorship, and it is worth understanding the mechanics separately, since this is the path that applies to a company pursuing a prime classified contract directly with the government rather than working as a subcontractor.

The sponsoring agency is referred to in NISP terminology as the Government Contracting Activity, or GCA, the specific department or agency element that holds contracting authority and intends to award the classified work. Agency sponsorship typically arises in connection with an active or anticipated procurement. As the GCA develops a solicitation that will require contractor access to classified information, its contracting officer, often working with a security specialist or program security officer, prepares the DD Form 254 that will accompany the contract. If the agency has identified a prospective awardee, the GCA's representative submits the sponsorship request directly to the cognizant security authority on the company's behalf.

Sponsorship can arise either before award or after award, depending on the procurement and whether classified access is needed during proposal preparation or only during contract performance. That timing matters. A solicitation may require an offeror to already hold, or at least be actively pursuing, an FCL before award, while other procurements allow sponsorship only after selection. Knowing which situation applies to a given opportunity helps a company decide how early it needs to begin preparing.

It is also worth understanding that not every classified contracting relationship is administered the same way. Although most contractor FCLs are processed through DCSA, the agency and the nature of the work can change the oversight picture. In intelligence community work, or in specialized energy and nuclear contexts, a company may encounter additional or different security oversight requirements beyond the standard DCSA-administered process, including requirements such as polygraph or access to Sensitive Compartmented Information that sit on top of the baseline NISPOM standards. A company pursuing that kind of work should expect the sponsoring agency to define which security authority will process the request and what additional requirements apply.

As a practical matter, a valid FCL can often be used across multiple classified contracting relationships without starting from zero each time. But a company should not assume that one agency's acceptance resolves every security requirement for another contract. Additional contract-specific requirements, or SCI, special access program, or agency-specific security overlays, may still apply.

A point that surprises many first-time applicants concerns cost. The contractor is not paying DCSA an application fee for the FCL itself, and the government bears the cost of the underlying clearance investigation and adjudication process. The contractor's real expense is building and maintaining a compliant security program: personnel, training, documentation, safeguarding procedures, and, if applicable, the infrastructure of a possessing facility.

Finally, agency sponsorship is not a one-time event that ends once the sponsorship package is submitted. The GCA remains central after sponsorship. It provides the contract's security classification guidance through the DD Form 254 and serves as the government point of contact for contract-specific security requirements that go beyond the NISPOM baseline. In the event of a loss or suspected compromise of classified information, the agency also plays a central role in the classification and damage-assessment process. The relationship a company builds with its GCA's contracting officer and security staff during the sponsorship process is generally the same relationship that governs the contract for its duration.

Step Three: Get Corporate Readiness in Order Early

Once DCSA approves the sponsorship request, the company generally has a narrow window, often around 20 days, to submit its business documentation and identify Key Management Personnel in the system. Companies that wait until this point to get organized lose time they cannot get back. Before sponsorship is ever submitted, it pays to have the following in place:

• An active, current registration in the System for Award Management, along with a CAGE Code
• Articles of incorporation, bylaws or operating agreement, and any shareholder or membership agreements
• A complete ownership chain identifying every shareholder or member with a five percent or greater interest
• A corporate organizational chart, particularly if the company has any parent, subsidiary, or affiliate relationships
• A designated Facility Security Officer identified before the sponsorship request is even filed, since the FSO's contact information must accompany the request

Before pursuing sponsorship, a company should also decide what kind of cleared business it is actually trying to build. Will it need its own classified storage and closed area, or is it planning to support work entirely at government or prime-contractor locations? Will the key officers themselves need routine access to classified information, or can the company structure roles to minimize clearance bottlenecks? Those are business decisions as much as security decisions, and they are much easier to make before the sponsorship clock starts running.

Step Four: Identify and Clear Key Management Personnel

DCSA determines Key Management Personnel, or KMP, based on the company's legal structure, governing documents, and actual authority. In a corporation, that often includes senior officers, the Facility Security Officer, and the Insider Threat Program Senior Official, but the precise list, and whether certain individuals can be formally excluded from access, depends on the company's structure and DCSA's review of those roles. The individuals DCSA determines must be cleared generally need to be favorably processed at the level required for the facility clearance before the FCL can be finalized. This is one of the more common points of delay, particularly for newer companies whose officers have never held a clearance before.

Step Five: Foreign Ownership, Control, or Influence Review

Every FCL applicant undergoes a Foreign Ownership, Control, or Influence, or FOCI, review. A company operating under FOCI is not automatically disqualified, but an FCL cannot be granted while unmitigated FOCI exists. If foreign ownership, voting interests, board representation, or financial relationships create FOCI concerns, the company will need to negotiate a mitigation agreement with DCSA before the clearance can proceed. This is an area where it is worth involving counsel early, since the structure of the mitigation agreement can have lasting implications for how the company is governed.

Step Six: The DCSA Validation Visit

As part of the FCL process, the assigned Industrial Security Representative will conduct an initial orientation and validation review of the company's submission and the FSO's understanding of the requirements of 32 C.F.R. Part 117, the regulation that implements the National Industrial Security Program. If the company is seeking to operate as a possessing facility, meaning it intends to store classified material rather than only access it elsewhere, DCSA will also need to validate that the facility can properly safeguard that material.

What the Timeline Actually Looks Like

DCSA's public orientation materials describe a 45-day roadmap for the early stages of the FCL process after sponsorship is accepted, not a guaranteed real-world issuance date for every facility. In practice, a straightforward case may still take several months, and FOCI issues, KMP clearance delays, missing corporate documentation, or workload constraints can stretch the timeline much longer. This is not simply bureaucratic caution. DCSA's own oversight capacity has been under sustained strain, a point documented in the agency's own performance data and in recent Government Accountability Office reporting on DCSA's industrial security mission. Companies should build that reality into their proposal timelines and client commitments rather than assuming the advertised benchmark will hold.

The Obligation Does Not End at Approval

An FCL is not a one-time achievement. Once granted, the company must maintain compliance with the National Industrial Security Program for as long as it holds classified work, and that includes an obligation that surprises a number of newly cleared companies: every cleared facility is required to establish a written Insider Threat Program, led by a designated Insider Threat Program Senior Official, with annual training for cleared employees and a defined process for identifying, reporting, and responding to potential insider risk indicators. This is not an optional best practice. It is a NISPOM requirement, and DCSA reviews it during facility security reviews along with the rest of the company's security program.

Beyond the insider threat program, ongoing obligations include self-inspections, safeguarding classified material consistent with the facility's possessing or non-possessing designation, periodic personnel reinvestigations or continuous vetting enrollment for cleared staff, and prompt reporting of any changes to corporate structure, ownership, or KMP that could affect the FCL.

Common Mistakes That Delay or Derail the Process

• No actual classified need yet — pursuing sponsorship before there is a real contract or subcontract requirement
• Corporate documents not ready — waiting until sponsorship is approved to gather ownership and governance records
• No FSO identified early — trying to name a Facility Security Officer after the request is already moving
• KMP clearance delays ignored — assuming officers can be cleared quickly just because the company is ready
• Insider threat program treated as a later problem — instead of building it into the initial security program design
• Reading the 45-day roadmap as a deadline — assuming early-stage milestones translate into a guaranteed issuance date, especially in a FOCI-affected case

Where This Office Can Help

For companies exploring entry into classified contracting, or already in the sponsorship process and running into avoidable delays, my office helps with the practical side of getting ready before DCSA starts asking questions. That includes reviewing corporate structure and ownership for FOCI issues, identifying likely KMP and clearance bottlenecks, helping structure the FSO and ITPSO compliance framework, and advising on how to build an insider threat program that will hold up under review. I hold DCSA Facility Security Officer certification for possessing facilities and serve as an Insider Threat Program Senior Official, and that experience, alongside a 26-year career in federal security and intelligence community operations, informs how I approach these engagements.