If you've ever worked on a government contract — or tried to hire someone who has — you've probably run into the alphabet soup of security programs. In real terms, fCL, PCL, NISP, DCSA, JPAS, DISS. It gets noisy fast Small thing, real impact. Simple as that..
But here's the short version: contractor personnel are cleared under the National Industrial Security Program (NISP).
That's the program. One name. Everything else — the databases, the forms, the adjudication guidelines, the facility clearances — hangs off it And that's really what it comes down to..
What Is the National Industrial Security Program
The NISP isn't a clearance itself. The government doesn't clear every contractor employee directly. It's the framework. Even so, established by Executive Order 12829 back in 1993, it sets the rules for how private industry handles classified information. Instead, it clears the company (that's the Facility Clearance, or FCL), and then the company sponsors individual clearances (Personnel Clearances, or PCLs) for its employees under NISP oversight.
Think of it like this: the government says "we trust this company to safeguard secrets." The company then says "we trust this employee to handle them." Both trust decisions happen inside the NISP structure The details matter here. Practical, not theoretical..
Who actually runs it
Since 2019, the Defense Counterintelligence and Security Agency (DCSA) owns the NISP mission. Think about it: the acronyms change. Before that, it was DSS (Defense Security Service). Before that, DISCO. The mission doesn't: protect classified information in industry hands Surprisingly effective..
DCSA does the heavy lifting — processing clearance applications, adjudicating cases, inspecting facilities, running the continuous evaluation program. They're the referee, the investigator, and the auditor all at once.
The legal backbone
Three documents matter most:
- Executive Order 12829 — the authority
- 32 CFR Part 117 (the NISPOM rule) — the regulations
- DoD 5220.22-M — the old manual, still referenced in contracts but technically superseded by the rule
If you're reading a contract clause like DFARS 252.204-7012 or the NISPOM clause (DFARS 252.204-7000), you're looking at NISP requirements translated into contractual language.
Why It Matters / Why People Care
You can't just "get a clearance" as a contractor. You need a sponsor. And that sponsor needs an FCL. And that FCL only exists because the company won a classified contract — or at least got a DD Form 254 saying one is coming Small thing, real impact..
The chicken-and-egg problem
Small businesses hit this wall constantly. They want cleared staff to bid classified work. But they can't get staff cleared without an FCL. And they can't get an FCL without a classified contract requiring it.
The workaround? So team with a prime that already has an FCL. In practice, or pursue a "pre-clearance" path through a government sponsor willing to write a justification. It's not impossible — but it's not fast either Worth knowing..
Clearance levels under NISP
Three tiers. Same as government employees:
- Confidential — damage to national security if disclosed
- Secret — serious damage
- Top Secret — exceptionally grave damage
Plus two special access categories that live on top of those:
- SCI (Sensitive Compartmented Information) — intelligence sources and methods
- SAP (Special Access Program) — ultra-restricted programs with their own access controls
A contractor with a Top Secret clearance still needs separate SCI or SAP access. Worth adding: the clearance is the foundation. The access is the room you're allowed to enter.
How It Works (or How to Do It)
The lifecycle of a contractor clearance under NISP follows a predictable path. Most people only see their piece. Here's the full picture Worth keeping that in mind..
1. The company gets an FCL
A government contracting officer determines a contract needs classified work. In practice, they issue a DD Form 254 (Contract Security Classification Specification). That form triggers the FCL process Nothing fancy..
The company submits:
- SF 328 (Certificate Pertaining to Foreign Interests)
- Ownership/control documentation
- Key Management Personnel (KMP) clearance applications
- A Facility Security Plan
DCSA investigates the entity — not just the people, but the corporate structure, foreign ownership, financial health. Consider this: if a foreign entity owns 5% or more, you're looking at a Special Security Agreement (SSA) or a Proxy Agreement. That adds months Simple, but easy to overlook. But it adds up..
2. The company sponsors an employee for a PCL
Once the FCL exists, the Facility Security Officer (FSO) initiates a Personnel Clearance in DISS (Defense Information System for Security — the current case management system, replacing JPAS) The details matter here. Took long enough..
The employee completes:
- SF-86 (Questionnaire for National Security Positions) — 130+ questions, 10-year history
- Fingerprints (FD-258 or electronic)
- Authorization for release of information
The FSO reviews, submits, and waits Took long enough..
3. Investigation happens
DCSA (or a contractor investigator) runs the background check:
- Credit history
- Criminal records
- Employment verification
- Education verification
- References (listed and developed)
- Foreign contacts, travel, financial interests
- Psychological conditions (voluntary reporting)
- Drug/alcohol involvement
For Secret: Tier 3 investigation (T3). For Top Secret: Tier 5 (T5) — includes a subject interview and deeper fieldwork.
4. Adjudication
An adjudicator reviews the Report of Investigation (ROI) against the 13 National Security Adjudicative Guidelines (Guideline A through M):
- A: Allegiance to the United States
- B: Foreign Influence
- C: Foreign Preference
- D: Sexual Behavior
- E: Personal Conduct
- F: Financial Considerations
- G: Alcohol Consumption
- H: Drug Involvement
- I: Psychological Conditions
- J: Criminal Conduct
- K: Handling Protected Information
- L: Outside Activities
- M: Use of Information Technology
They apply the "whole person concept." One issue doesn't automatically disqualify. Pattern, recency, mitigation, and honesty matter more than any single factor.
5. Grant or deny
If granted: the clearance is recorded in DISS. The employee gets a briefing, signs an NDA (SF-312), and can now be "read on" to specific programs via the DD 254.
If denied: the employee gets a Statement of Reasons (SOR). That said, they can respond, request a hearing before an Administrative Judge, and appeal. The process takes months. During that time — no classified access.
6. Continuous Evaluation (CE)
This is the biggest change in the last five years. Periodic reinvestigations (every 5 or 10 years) are being replaced by continuous evaluation — automated checks of credit, criminal, and other databases in near-real-time. If something hits, the FSO gets an alert. The clearance can be suspended or revoked between investigations.
CE applies to all clearance holders now. It's not optional.
Common Mistakes / What Most People Get Wrong
"I have a clearance, so I can work on any classified contract"
No. You have a clearance level (Secret, TS). You need access to
specific programs. Consider this: ), and what the facility clearance (FCL) requirements are. That access is granted via a DD Form 254 (Contract Security Classification Specification), which flows down from the government program office to the prime contractor, and often to subs. The 254 spells out: what classification level, what specific compartments (SCI, SAP), what special handling caveats (NOFORN, REL TO, etc.You can hold an active TS/SCI and still be legally barred from a specific TS/SCI program because you haven't been "read on" to that program's 254.
And yeah — that's actually more nuanced than it sounds And that's really what it comes down to..
"My clearance transfers automatically when I switch companies"
It doesn't transfer; it reciprocates—but only if it’s current (investigation within scope) and active (currently serving in a cleared position). Also, reciprocity assumes the gaining agency accepts the prior adjudication. Past 24 months? You’re likely looking at a fresh Tier 3 or Tier 5. You can usually reactivate it without a new investigation if you’re within that 24-month window and the new employer submits a request in DISS. If you have a break in service exceeding 24 months, your clearance goes "current but not active" (often called "lapsed"). Most DoD/Intel Community agencies play by the same rules (Security Executive Agent Directive 4), but some SAPs or specific IC elements impose additional polygraphs or lifestyle polygraphs that don't reciprocate Still holds up..
"I only need to report arrests or bankruptcies"
The reporting obligation under SEAD 3 (and your SF-312/NDA) is continuous and broad. You must self-report:
- Any arrest, citation (beyond minor traffic), or legal proceeding
- Significant financial changes: bankruptcy, garnishment, tax liens, inability to pay debts
- Foreign travel (pre-travel reporting is often required for TS/SCI; post-travel for Secret)
- Foreign contacts (close and continuing relationships)
- Cohabitation with a foreign national
- Mental health counseling if it involves a condition that could impair judgment or reliability (voluntary reporting is protected; failure to report when required is a Guideline E/I issue)
- Drug use (including marijuana—federal law still classifies it as Schedule I, regardless of state legality)
Waiting for the next CE pull or periodic reinvestigation to "catch it" is a Guideline E (Personal Conduct) violation. Self-reporting is a mitigating factor; concealment is an aggravator Simple, but easy to overlook. And it works..
"Contractors have different standards than government civilians"
Same 13 Guidelines. Same SEAD 4 standards. Same CE requirements. So the process differs (contractor FSOs use DISS/NIPS; government uses agency-specific portals), and contractors pay for their own investigations via the Fee-for-Service model, but the adjudicative standard is unified. A Secret clearance granted to a GS-11 is identical to a Secret clearance granted to a cleared contractor employee No workaround needed..
"SCI is just a higher clearance than Top Secret"
SCI (Sensitive Compartmented Information) is not a clearance level; it’s an access determination based on a completed Tier 5 investigation plus a favorable SSBI (Single Scope Background Investigation) adjudication plus a specific need-to-know for a specific compartment. Which means the clearance is the foundation; the compartment is the room you’re allowed to enter. g., TK, GAMMA, HCS). On the flip side, you hold a Top Secret clearance; you are granted access to SCI compartments (e. Which means same for SAPs (Special Access Programs). You can lose access to one compartment (de-read) while retaining your TS clearance and access to others.
"The polygraph is part of the clearance investigation"
For the vast majority of DoD clearances (Secret, Top Secret), there is no polygraph. And a "TS/SCI with Poly" on a job req means: TS clearance + SCI eligibility + Polygraph exam passed. The polygraph is an access gate, not a clearance gate. Polygraphs (Counterintelligence Scope, Lifestyle, or Full Scope) are required for specific SCI access, certain SAPs, and most IC agency positions (CIA, NSA, NGA, DIA). Failing a polygraph typically results in loss of access to that specific program/agency, not automatic revocation of the underlying national security clearance (though the information developed during the poly can trigger a clearance action) That's the part that actually makes a difference..
The Strategic Reality for 2024 and Beyond
The clearance ecosystem is in a transition that creates friction for everyone Worth keeping that in mind..
Timelines are the #1 program risk. DCSA’s stated goals are 74 days for Tier 3 and 114 days for Tier 5 (initiate to adjudicate). Reality? Tier 3 often runs 120–180+ days; Tier 5 frequently exceeds 300–400 days. Contractors bidding on classified work must factor this into staffing plans. "Cleared ready" talent is a premium commodity precisely because the pipeline is slow Worth keeping that in mind. Worth knowing..
**Continuous Evaluation changes the culture
Continuous Evaluation (CE) changes the culture of clearance management by turning a once‑annual “snapshot” into an ongoing data stream. In practice, the new paradigm relies on real‑time access to payroll records, credit reports, criminal databases, and even social‑media footprints. For most personnel, this means a shift from waiting for a periodic background check to being monitored continuously; a missed mortgage payment or an unexpected foreign travel event can trigger an automatic flag that prompts a supplemental review before the issue escalates And that's really what it comes down to..
People argue about this. Here's where I land on it.
From a program‑management perspective, CE promises faster revocation of access when risk is identified, which should, in theory, reduce the window of exposure for compromised accounts. That said, the same speed creates operational friction: security officers must triage a higher volume of alerts, and agencies must invest in analytics platforms capable of distinguishing true threats from benign anomalies. The learning curve is steep, and the need for skilled analysts who understand both the data sources and the adjudicative criteria has become a critical hiring priority But it adds up..
The contractor community is feeling the ripple effects most acutely. Because CE data are shared across the government’s integrated systems, a discrepancy in a contractor’s payroll or a sudden change in employment status can be flagged instantly, regardless of which service‑provider is handling the investigation. Plus, this eliminates the “buffer” that once existed between a contractor’s HR practices and the federal clearance process, making compliance with CE requirements a non‑negotiable part of any cleared‑personnel strategy. Companies that previously relied on periodic re‑certifications now must embed continuous monitoring into their talent‑management workflows, or risk having cleared staff temporarily suspended while investigations are opened.
Parallel to CE, the rise of automated adjudication tools is reshaping decision‑making. Machine‑learning models are being trained on historic adjudication outcomes to surface patterns that human reviewers might miss—such as correlations between financial stress and foreign contacts. While these tools accelerate the review cycle, they also introduce a new layer of accountability: agencies must document the algorithmic rationale for each decision, and they must guard against bias that could undermine the fairness of the process. Transparency, therefore, becomes a cornerstone of the next generation of clearance adjudication.
Talent acquisition strategies are evolving in response as well. The traditional “cleared candidate” pipeline is shrinking, prompting organizations to invest in internal training programs that can fast‑track employees through the requisite Tier‑3 or Tier‑5 investigations. Some agencies are piloting “clearance bootcamps” that combine classroom instruction with accelerated investigative work, aiming to shave weeks off the typical timeline. For contractors, the fee‑for‑service model means they must balance the cost of these bootcamps against the premium that customers place on rapid onboarding of cleared staff And it works..
Looking ahead, the convergence of CE, automated adjudication, and tighter timelines points toward a more data‑driven, agile clearance ecosystem. The ultimate metric of success will be the ability of agencies and industry partners to maintain a secure workforce without sacrificing the speed and reliability that modern operations demand.
Conclusion
The clearance landscape in 2024 is defined by three interlocking forces: persistent delays that jeopardize program schedules, a cultural shift toward continuous, data‑centric evaluation, and the integration of automation that promises both efficiency and new governance challenges. On the flip side, together, these forces compel government agencies and private contractors to rethink how they recruit, monitor, and retain cleared personnel. Organizations that proactively invest in transparent processes, dependable analytics, and workforce development will be best positioned to figure out the evolving requirements and keep classified programs moving forward without compromising security.