Skip to main content
INS // Insights

Security Clearances for Small Defense Firms

Updated April 2026 · 7 min read

Security clearances are simultaneously the most critical credential in defense contracting and one of the most misunderstood aspects of small business market entry. Many small technology companies either avoid cleared work because the clearance process seems opaque, or pursue it without understanding the requirements — wasting time and money.

This article covers what cleared work requires, how small defense tech companies navigate the clearance landscape, and practical strategies for building a cleared capability without getting stuck waiting on the clearance process.

Two Types of Clearances: FCL and PCL

Understanding the difference between a Facility Clearance (FCL) and a Personnel Clearance (PCL) is the starting point.

Facility Clearance (FCL)

An FCL authorizes a company to access, store, and work with classified information up to a specified level (Confidential, Secret, or Top Secret). The FCL is issued to the company, not to individuals.

FCL requirements:

  • The company must be incorporated in the United States
  • Ultimate beneficial ownership must be U.S. persons or acceptable foreign ownership under a FOCI mitigation plan (see below)
  • The company's Key Management Personnel (KMP) — CEO, CFO, and similar officers — must hold PCLs at the required level
  • The company must implement a classified information system or must be covered by a prime contractor's FCL for limited access

FCL process:

  • A government agency or prime contractor sponsors the company for an FCL
  • DCSA (Defense Counterintelligence and Security Agency) conducts the facility investigation
  • KMP undergo personnel investigations for their individual PCLs
  • Facility security requirements (physical security, IT systems, personnel security program) are established via a Security Agreement with DCSA
  • FCL is granted

FCL timelines vary significantly — 12–24+ months for Top Secret FCLs in current DCSA backlogs. Secret FCLs have been faster under DCSA's investigation modernization efforts.

Personnel Clearance (PCL)

A PCL is an individual's eligibility determination to access classified information. It's tied to the person, not the company. When a cleared employee changes companies, their clearance can be transferred to their new employer's FCL — this is called "in-scope" transfer and avoids re-investigation if the clearance is current.

For small companies:

  • Individual founders and key technical personnel can hold PCLs before the company has an FCL, if they previously worked at a cleared facility
  • Prior cleared personnel are an extremely valuable hiring target for small defense tech companies — they bring cleared capacity that can be leveraged immediately on prime teaming arrangements

FOCI: The Foreign Ownership Issue

Foreign Ownership, Control, or Influence (FOCI) is the most common barrier small technology companies face when pursuing FCLs. If any investor, owner, or board member is a foreign national or foreign entity, the company has a FOCI issue that must be resolved before an FCL can be granted.

FOCI mitigation options:

  • Board Resolution: Adds a resolution limiting the foreign owner's involvement in classified program decisions. Appropriate for small foreign ownership percentages.
  • Special Security Agreement (SSA): More extensive for companies with significant foreign ownership — creates a Government Security Committee (GSC) structure.
  • Proxy Agreement: For companies with majority foreign ownership — U.S. proxy officers take over management with restrictions on foreign principals.
  • Divestiture: In some cases, selling the foreign stake is the cleanest resolution.

For technology startups with venture capital investors, FOCI can arise from foreign LP exposure in VC funds. This is an increasingly common issue as defense tech companies seek non-dilutive or traditional VC funding. Structuring early investment to maintain clean U.S. ownership lines is worth discussing with counsel before the company pursues cleared programs.

Practical Paths for Small Defense Tech Companies

Path 1: Prime Teaming Without Company FCL

For uncleared small companies, prime teaming is the most practical near-term path to cleared work. Many defense programs involve unclassified development and integration work that doesn't require facility clearance — only the program-level oversight requires classified access.

As a sub on a cleared prime's contract:

  • Work performed in a classified environment (the prime's classified facility) under the prime's FCL
  • Individual personnel may require PCLs if they need to access the classified space
  • The small company doesn't need its own FCL to contribute technically

This is how many small defense tech companies do their first cleared work — building a past performance record, sponsored personnel PCLs, and the track record to eventually sponsor their own FCL.

Path 2: DCSA-Sponsored FCL via a Government Customer

If a government agency wants to work directly with a small company on classified programs, the agency can sponsor the FCL. This is the most direct path but requires a government customer willing to invest the time in sponsoring the process.

Programs like SBIR/STTR Phase II and OTA agreements sometimes include FCL sponsorship for companies working on controlled technology development.

Path 3: Building a Cleared Team Through Hiring

Hiring personnel with active or in-scope clearances is an accelerant for a small company's cleared capability. An individual's PCL transfers with them — if they were active cleared at their previous employer within the past 24 months, reinstatement is significantly faster than initial investigation.

A small defense tech company that hires 2–3 cleared engineers and then pursues an FCL is in a much better position than a company starting from zero — the PCL investigations are already complete or in-scope, reducing one of the major timeline constraints.

Cleared Work Without Overclaiming

In marketing and content, small defense companies sometimes overclaim clearance status — implying capabilities the company doesn't yet have. This creates credibility issues with prime contractor BD teams who will ask directly about FCL level and current cleared contracts.

The right positioning is transparent and forward-looking:

  • If you have personnel with active PCLs but no company FCL, say exactly that
  • If you're pursuing an FCL, note the level and approximate timeline
  • Focus positioning on the capability and technical work, not the clearance level

Contracting officers and prime BD teams work with cleared companies every day — they appreciate specificity and are immediately skeptical of vague clearance claims.

Rutagon's Position

Rutagon operates in the defense technology market with U.S. persons on the team and is actively building toward cleared program eligibility. Current engagement is on unclassified government programs, CUI-handling systems, and prime teaming arrangements where classified access requirements are managed at the prime level.

Rutagon Government Contracting Capabilities →

Prime Contractor Teaming and Cloud Engineering →

Frequently Asked Questions

How long does it take to get a company FCL?

FCL timelines are highly variable. Secret FCLs have ranged from 6–18 months in recent years under DCSA's modernization efforts. Top Secret FCLs typically take 18–30+ months due to the depth of the personnel investigations for KMP. The sponsoring agency or prime contractor relationship and the company's organizational complexity (FOCI issues, foreign ownership) are the primary timeline drivers.

Can a startup with venture capital funding get a facility clearance?

Yes, but VC-backed companies must carefully evaluate their investor base for FOCI issues. VC funds with foreign LPs or foreign fund managers can create FOCI issues for portfolio companies. DCSA evaluates the ultimate beneficial ownership — not just the fund name. Work with an export control attorney and a cleared security consultant before accepting investment if you plan to pursue cleared programs.

What physical security requirements come with an FCL?

FCL holders must maintain an approved closed area (for classified storage) or utilize a classified system under the prime's coverage. Requirements include locked storage for classified materials (per NISPOM), visitor control procedures, and an Insider Threat Program. DCSA provides the Industrial Security Facility Database (ISFD) access and conducts periodic reviews of facilities. For software companies doing classified development, the classified system (IT) requirements are often more burdensome than the physical security requirements.

Is an FCL required to respond to classified RFPs?

Yes — responding to a classified RFP (a solicitation that includes classified performance requirements) requires an FCL at the appropriate level. For solicitations that are unclassified but where the resulting work will involve classified information, companies typically need to have an FCL or a definitive plan to obtain one before contract award. Contracting officers will specify the security requirements in Section H of the solicitation.

How does a small company handle the cost of maintaining an FCL?

FCL maintenance involves ongoing costs: security officer time, classified system costs, annual training, DCSA reviews, and periodic personnel reinvestigations. For a small company, these costs are real but manageable — a part-time Facility Security Officer (FSO) is often sufficient for small programs with limited classified access. Many small defense companies use a consultant FSO for the first 1–2 years before building internal capability.