Here at Ascentor, we get many companies asking us how they can become an FSC company. The answer is always the same: it is not something you can simply decide to do; you must have a contract, usually with the MOD, that requires you to hold sensitive government assets on your own premises. However, there are a few things you can do to prepare if you think a contract may be forthcoming.
This blog aims to give you a few hints and tips about some pragmatic steps you can take to get up and running as an FSC company much more quickly.
Before reading further, you should note that government Departments and Agencies must not give preference to existing FSC contractors over non-FSC companies. Investing in FSC security requirements before a contract is awarded is entirely at your own risk.
Tip 1: Understand why you need FSC
As stated above, the only way you can be an FSC company is if you have a requirement to store, on your own premises, government assets classified as SECRET or above, or international partners' (e.g. NATO) information classified at CONFIDENTIAL or above.
If it is a UK contract, the requirement will be stated in a contract from the UK government Contracting Authority and will be accompanied by a Security Aspects Letter (SAL) that details the types of information, and their associated sensitivity, that you will need to hold.
If it is a foreign contract, then the requirement may just be in the contract security requirements. Remember that the Contracting Authority is responsible for gaining appropriate assurance of your suitability to hold classified assets, e.g. SECRET and above for the UK.
Tip 2: Meet the basic company requirements
FSC companies are required to maintain at least 50% British nationals on the Board of Directors (see Facility Security Clearance – Policy and Guidance). In addition, the following positions must be in place before FSC can be awarded:
- Board Contact: The Board Contact must be a British national and is responsible for ensuring the security requirements of an FSC company are maintained throughout the life of the contract. The Board Contact is responsible for:
- Ensuring the Contracting Authority (CA) and/or MoD Principal Security Advisor (PSyA) are informed about any changes to the company status, e.g. Ltd to PLC, overall ownership, control or closure. In particular, the CA must be informed about any of the following:
- change in ownership that raises foreign interest above 5%;
- the appointment of new Board Directors;
- appointment of non-UK personnel with influence over protectively marked assets or appointments;
- the transfer of any FSC responsibilities to another FSC company.
- Providing support and authority to the Security Controller. The Board member should have regular meetings with the Security Controller to discuss any issues, areas where policy may be lacking, or weaknesses in security procedures that need board-level support to address;
- Approving the Company Security Instructions that are required to document FSC commitments and responsibilities.
- Security Controller: Must also be a British national and is responsible to the Board Contact for the day-to-day security management within the premises. The Security Controller is the engine of the FSC company and the Board Contact's right-hand person, and ensures that the company remains in compliance with the requirements of FSC, although overall responsibility remains with the Board of Directors.
Specific duties include:
- Liaison with the Contracting Authority representative or appointed FSC Security Advisor;
- Completing the annual FSC compliance questionnaire;
- Implementing and monitoring the effectiveness of required security controls;
- Preparing and implementing:
- Company Security Instructions (see later);
- Security Definition and Management Document (SDMD), formerly referred to as the Risk Management Accreditation Document Set, for ICT security;
- Security Operating Procedures.
- Implementation of security awareness training on FSC requirements within the company;
- Implementing and managing a security incident management process and reporting to the Contracting Authority or PSyA;
- Implementing and managing the FSC visitor process;
- Where authorised, completing self-accreditation requirements.
- Cyber Security Officer: Responsible for oversight and compliance with cyber aspects of information security, including undertaking cyber compliance reviews, managing cyber-related security incidents and assisting in the remediation of information security incidents.
Depending on the type of contract, you may also need to appoint an ATOMIC Liaison Officer and/or a Crypto Custodian. Full details for the different roles and responsibilities are available from the Security Requirements for FSC Contractors.
Being able to demonstrate that your company has had these positions in place for some time, and that they are supported by written processes and procedures, will give the FSC inspectors confidence that an appropriate security governance framework is already in place.
Tip 3: Assess your information risks and develop a security improvement plan
Being an FSC company does not just mean applying good security practices to a single area of your business; it means having those practices embedded in everyday working across the whole company. It is about maintaining good risk management around physical, personnel, procedural and technical security. The more mature your holistic company security practices are, the more likely it is that FSC security requirements will be simple tweaks or easily applied enhancements.
Follow a recognised standard that is likely to be known by the FSC assessors, such as ISO/IEC 27001:2013. If that isn't already on the horizon, try putting together a security plan to identify areas for improvement. You may like to consider the National Protective Security Authority's (NPSA) guidance for the protection of critical assets against security threats. Carrying out such a plan will not only improve your company's overall security posture but also introduce measures that will be required as part of the FSC process.
Tip 4: Develop your company security instructions
The Company Security Instructions are a mandated requirement and are the responsibility of the Security Controller to produce. They must be sanctioned by the FSC Board member and issued with the authority and signature of the Managing Director. The purpose of the instructions is to detail the FSC appointments, their specific responsibilities and make clear how they can be contacted for advice, guidance or to report an incident.
It should be borne in mind that these instructions should be classified as low as practicable, to help ensure full circulation and availability to all involved staff (those with a 'need to know').
Tip 5: Define the physical space to be used
Having a clear understanding of where you intend to create the FSC physical space will help you get the security requirements in place before the contract is awarded. When assessing the most appropriate space, you should consider the following:
- Boundary controls such as CCTV, approved doors, windows, locks etc. NPSA provides advice and guidance about the types of physical security barriers that are required.
- The alarm system will need to be from a reputable company, preferably NSI-approved, with an adequate response time (normally within 20 minutes). This is usually achieved by having the alarm monitored by a 24-hour service provider which alerts a nominated key-holder and the local police.
- Depending on the types of sensitive asset held, there may be a requirement for security furniture such as secure server racks, document safes, shredders etc.
Tip 6: Prepare the IT system
Depending on your level of confidence in winning an FSC contract, you may like to prepare the IT system that is likely to be used in the contract. If you are likely to be required to produce written reports at SECRET, you will need to set up an appropriate IT system. Whatever solution you design, it will need to be accredited by Cyber Defence and Risk (CyDR) for defence industry ICT.
Once you have an FSC contract, you will be required to register the IT system you intend to use on the Defence Assurance Risk Tool (DART), which is only available from an RLI terminal. This is a bit of a catch-22 situation, as you are unlikely to have an RLI terminal without already being List X (the former name for FSC). However, a softcopy registration form and additional annexes are available for download. Reviewing this form gives you an idea of the information that will be required to achieve accreditation.
Assessing the accreditation requirements of the IT system before achieving FSC will give you a head start on the accreditation process and allow you to get up and running much more quickly.
WARNING: DART registration forms are OFFICIAL-SENSITIVE when completed and must not be sent over the Internet unencrypted (more information can be found in the guidance on the Electronic Movement of OFFICIAL-SENSITIVE MOD Identifiable Information). Adequate protection should also be provided to forms completed in soft copy.
If your contract is with the MOD, your corporate IT system will also need to comply with Cyber Security Model requirements.
Summary
We hope you find the above tips useful in your endeavours to become an FSC company. Our overall opinion is that achieving FSC should not be a major challenge as the security requirements these days are equally applicable to any business working with sensitive information in the cyber marketplace.