If you are a commercial company seeking to hold government information with a security classification of SECRET or above on your own premises, you’ll need ‘FSC’ accreditation. This article will give you a very brief introduction to FSC, with useful links and points of contact that will help you in the process.
What is FSC?
‘FSC’ was formerly known as ‘List X’ and is the UK equivalent of the Facility Security Clearance (FSC) used in the rest of the world.
The term refers to contractors or subcontractors that have been placed on the FSC database because they are carrying out work on their own premises that bears a UK Government classification of SECRET or above.
Sponsorship for FSC
Companies cannot ‘apply’ for FSC status; they must be ‘sponsored’ by a Contracting Authority (CA) that intends to pass them classified information. The CA can be:
- A UK government body;
- An existing FSC company;
- Overseas government or defence contractors;
- NATO.
The CA will detail the security aspects of the FSC requirement, e.g. what classified information is to be held and why.
Who manages FSC?
Each UK Government Department or Agency is responsible for accrediting and assuring their own Contractors including any Subcontractors. Accreditation and assurance shall include an assessment of the physical, personnel, and cyber security controls.
The Ministry of Defence, Defence Equipment & Support, Principal Security Advisor hosts the Industry Security Assurance Centre (ISAC). The ISAC is responsible for FSC accreditation and assurance in relation to MOD contracts and contracts with International Defence Organisations. Additional ISAC responsibilities include Industry Personnel Security Assurance (IPSA) together with administration of the FSC and IPSA Databases, the promulgation of Security Notices and other security guidelines, and advice or instructions via the ISAC Vault (restricted access website), or other appropriate methods.
More information can be found here – Industry Security Assurance Centre
FSC security requirements
The process of obtaining FSC is not just about an assessment of the physical controls in place at the premises where the classified information is to be held. It encompasses the whole security culture of an organisation, including risk management, personnel security, and security roles and responsibilities. For example, it is mandated that FSC companies have a Board Level representative who accepts responsibility for maintaining the requirements of FSC and for informing the CA if any changes in the company, such as a change in company ownership, are likely to impact on their FSC status.
It is worth noting that neither the List X nor the FSC assessment process covers the accreditation of IT systems. Accreditation of IT systems should be initiated with the CA’s accreditation authority (Cyber Defence and Risk – Industry ICT Accreditation). It should be noted that post July 2023, accreditation will be replaced by the Secure by Design initiative – Secure by Design Requirements.
Another mandated role for FSC companies is the Security Controller. Specific duties include:
- Interpreting, implementing and monitoring compliance with FSC security controls;
- Maintaining a relationship with the CA and/or DE&S Physical Security Assessor (PSyA);
- Preparing and implementing company security instructions, Risk Management and Accreditation Document Sets (RMADS) and Security Operating Procedures (SyOPs);
- Education and awareness training;
- Incident management;
- Informing the CA and DE&S PSyA of changes to the List X requirement;
- Controlling visitors within the ‘need-to-know’ rule.
The Defence Industry Security Association (DISA) provide a variety of courses relevant to those working in the List X/Defence arena. Full details of these courses and of how to join DISA are shown on their website.
The Security Advisor & FSC Assessment
The CA or DE&S PSyA will appoint a Security Advisor who will be responsible for advising on the FSC security requirements and inspecting the premises on an annual basis to ensure compliance. An FSC Assessment, Checklist and Guidelines document is usually sent to the FSC company at the start of the process and then annually.
This document is in the form of a comprehensive questionnaire that captures the information necessary for approval for sites to handle, store, process or manufacture classified assets. It covers the Mandated Requirements (MR) listed in the Government Functional Standard Security 007 (Government Functional Standard GovS 007: Security – GOV.UK (www.gov.uk)).
Watch our webinar – Achieving List X security clearance
You may also find these webinars of interest:
- Presented by Ascentor’s Simon Jones in January 2020 from a general interest perspective, Achieving List X Security Clearance covers the reasons for robust defence supply chain security, a history of List X and useful tips on what a company can do to prepare for an external List X assessment. Simon also covers some aspects of security clearances and the MOD Cyber Security Model – Achieving list X security clearance 2020.
- In January 2022, as a follow-up to the 2020 presentation, Simon provided an update on the change to FSC, along with additional updates on Cyber Essentials and other areas – MOD Information Security Assurance Update 2022