Podcast - Find Someone Observant: The Vital Role of Facility Security Officers

Molly O'Casey: Welcome to the seventh episode of Are We All Clear, the podcast on facilitating security clearances. I'm your host, Molly O'Casey, an international trade associate with Holland & Knight's Washington, D.C., office. Today's episode will discuss FSOs, or facility security officers. We will talk about the FSO's role, scope and importance, as well as how to select an FSO. Today's speakers are Antonia Tzinova and Libby Bloxom. Antonia is a partner with the International Trade Group in our D.C. office. Antonia leads Holland & Knight's CFIUS and Industrial Security Team. Libby is an associate with the International Trade Group in Holland & Knight's Dallas office, where she practices international trade and commercial transactions. Welcome back to the podcast, ladies.

Antonia Tzinova: Hey, Molly. Good to be back.

Libby Bloxom: Hey, Molly. Thanks.

Molly O'Casey: All righty. Let's get started. So, who is the FSO?

Antonia Tzinova: The FSO, or the facility security officer, is a position at the cleared company that is mandated under the NISPOM, the National Industrial Security Program Operating Manual. So every cleared company must have one, and the FSO must be cleared at the level of the company. Maybe Libby wants to add more.

Libby Bloxom: Sure. Thanks, Antonia. The FSO is the officer responsible for ensuring that a company with a facility security clearance maintains a secure environment. So I think it's important to remember that a company with the facility security clearance has made a commitment to the U.S. government to put in appropriate security controls to protect classified information that the government has entrusted to that company. And a big part of this commitment is appointing someone at the company to act as FSO.

Molly O'Casey: Got it. So while everyone in the company is responsible for maintaining security standards, the FSO has the main responsibility for keeping the company compliant. What does the FSO role entail?

Libby Bloxom: So as I just said, you know, the FSO is responsible for implementing and maintaining the security program that complies with the NISPOM and working with the DCSA, or the Defense Counterintelligence and Security Agency, representative to process and maintain the company's facility security clearance. So all of the documentation we have discussed in the other episodes that have to be submitted to DCSA, the FSO is responsible for compiling and submitting this through the NISS system, the National Industrial Security System, and providing any updates to that information in a change condition package. Other duties that the FSO has: making sure that employees, visitors and information are safe within the facility, like logging the entry records for employees, visitors, vendors, suppliers, monitoring security footage, managing access to controlled or restricted areas, as well as investigating any suspicious events or behaviors. The FSO is responsible for reporting information that could affect cleared employees. So foreign travel plans. And this also includes adverse information about those employees and suspicious contacts they may have. In addition, the FSO must train cleared employees and is responsible for implementing all of that training for the employees as well. So lots of paperwork, reporting requirements and collaboration with senior management, government officials and lawyers like us.

Molly O'Casey: So it sounds like once the initial implementation of the NISPOM requirements and the establishment of the FCL is complete, the focus is on record keeping, training, and investigating or reporting violations. How is an FSO chosen?

Antonia Tzinova: The FSO is an employee of the company, and that's important to remember. It's typically chosen by senior management. This can be one of the other KMPs, for example, the senior management official. Most often, though, it is an employee that is tasked with overseeing security compliance. This person must be a U.S. citizen, and he or she must be eligible for personnel clearance and must be an employee of the company. A lot of "musts" here. It's important to remember. And then once that person is appointed, they may use the services of outside counsel or an outside consultant. There are companies out there that outsource FSO services in discharging some of the responsibility of the FSO. However, I want to emphasize it is a company employee and it is one of the company's KMPs, key management personnel.

Molly O'Casey: When in the FCL process is an FSO selected?

Antonia Tzinova: So at the very beginning, we've discussed in prior episodes that a facility clearance is not issued in vacuum. Either the government customer or the, a prime contractor must sponsor a company for facility clearance. And so in the very sponsorship letter, which is submitted by the sponsor to the DCSA, the FSO must be identified. And this is the person who, who will interface with the DCSA from the very beginning in establishing the facility clearance. Therefore, as soon as the company is ready to have its paperwork submitted to DCSA for processing, they should have already identified the FSO and included them in the paperwork. So he becomes the contact person for the DCSA.

Molly O'Casey: Lucky them. So the publication of the FSO seems like it would be a factor in DCSA approving the facility security clearance.

Antonia Tzinova: Yeah, as the person who interfaces with them and who must be cleared and is a mandated position by the NISPOM. This person will be vetted by DCSA. I mean, in a company that is newly created, this person may not have personnel clearance, so they will have to undergo the process. In cases where we are, you know, replacing the FSO, we have an established clearance. This is probably a person that's already cleared. So it's well known to DCSA.

Molly O'Casey: What should be a company's main consideration when choosing an officer?

Libby Bloxom: Well, I'll take this one just to kind of piggyback on what Antonia said. You know, it's important for an FSO to be qualified and have the time to properly administer the security program. It can be a full-time job. And as Antonia said, the person must be eligible for and obtain personnel security clearance in order to handle the classified information. And you know, as we've heard, there are extensive background checks and the government will dig into that person's life, their finances and so forth. So that's something to keep in mind when you're thinking about the appropriate candidate for the FSO.

Molly O'Casey: Are there any other considerations to keep in mind when choosing an FSO?

Libby Bloxom: Yeah, other characteristics to think about are the candidate's observational skills. You know, these kind of skills are needed in order to monitor the security protocols and make sure they're working and identify any weaknesses or vulnerabilities at the company. The FSO should be able to act quickly and calmly in a situation, particularly when there is a security breach. Level of experience with DCSA, NISS and obviously all the acronyms, that helps, and familiarity with security procedures and the regulations in the NISPOM. Also, someone who is knowledgeable of the business is important, as a deep understanding of the business will help the FSO identify any areas that may need more security procedures or enhanced security procedures. The FSO also must successfully complete, in this form, required training within one year of being appointed to the FSO position. Antonia, do you have anything else to add?

Antonia Tzinova: You put it very well. And just to emphasize, this is an involved position that requires, you know, dedicated resources, time commitment, easy access to senior management and, of course, very high ethical standards. If I can sum it up in a few words.

Molly O'Casey: Yeah, it sounds like you need a sophisticated understanding of both the security requirements and the company, as well as the sort of soft skills to coordinate with the different teams within the company.

Antonia Tzinova: Very well put, Molly. Yes, I mean, all the (inaudible) cleared company is held to very high standards because it handles very sensitive information of the U.S. government. So the person who is selected as the FSO must appreciate the seriousness of the work that they're performing in safeguarding classified information and, ultimately, U.S. national security interests.

Molly O'Casey: Who tends to be selected as an FSO? like, is an FSO usually chosen from within the company, or is that an outside hire?

Antonia Tzinova: In the NISPOM it is very specific. The FSO must be a company employee. And as mentioned earlier, it could be one of the senior officers of the companies that are already designated as KMPs, for example, the CEO. But the FSO is involved in a lot of hands-on compliance oversight. So if the CEO is selected to serve nominally as the FSO, it is recommended that they also appoint an employee as an assistant FSO to, you know, help with discharging the duties. The FSO will be devoting a lot of time to the responsibilities, and so typically that's a full-time position. They could perform other functions within the company. For example, they can also serve as the company Insider Threat Program Security Officer, or ITPSO, which is another security position mandated by the NISPOM. And then they can have some other responsibilities. I mean, they could be maybe the compliance officer of the company or export compliance officer, depending on what the business is, but it's quite an involved position.

Molly O'Casey: So depending on who and how you end up hiring somebody for that, it would impact your timeline for implementing the FCO.

Antonia Tzinova: That's right.

Molly O'Casey: How does the FSO relate to other people involved in the FCO process, such as KMPs?

Libby Bloxom: The FSO is a KMP, so that kind of shows you how important of a role that the FSO plays in a cleared company. They have a lot of responsibilities and need to have the ability, authority and the full support of senior management to do the job, or if they are senior management, like Antonia said, they can give it to themselves, but otherwise the senior management, the other KMPs need to make sure that they dedicate the resources and authority needed for the FSO to perform the job effectively. The success of a company's security program really depends on choosing a good FSO.

Molly O'Casey: Definitely something to think about. Thank you so much for coming on and sharing your thoughts with me today. This area is full of acronyms. This week we were introduced to Facilities Security Officer, or FSO, and Insider Threat Program Security Officer, or ITPSO. Each episode, we ask our speaker to explain an acronym that featured in the episode with wrong answers only. So, ladies, you have an acronym you would like to provide the wrong answer for?

Libby Bloxom: Sure. I'll go with FSO, but I think I missed an opportunity there with ITPSO. FSO, when choosing an FSO, remember to "Find Someone Observant."

Molly O'Casey: There you go.

Antonia Tzinova: I mean, on my end, I don't know how I can top what Libby suggested, but I'm just going to build on hers. "Find Someone Outstanding." I could have chosen "obstinate" or "objective," but I thought "outstanding." Probably better describing the person.

Molly O'Casey: Well, I hope that we can all find somebody who's observant, outstanding and potentially obstinate. Thank you so much for your time, ladies. On our next episode, we will be discussing DCSA investigations and audits. What are the vulnerabilities and how do we address them? I hope everyone has a great week.