How to Pass a Facility Security Audit: What You Need to Know


If you work with Department of Defense (DoD) classified contracts, you most likely have been or will be audited by a government agency at some point in time. The agency most often affiliated with these audits is the Defense Security Service (DSS), which is responsible for providing numerous cleared contractors with facility security support services. They serve as an interface between the Government and cleared industry (or contractors) to ensure that the National Industrial Security Program Operating Manual (NISPOM) is followed.



Facility security audits are a critical part of ensuring national security with regard to cleared contractor staff supporting classified projects. While the term “audit” typically makes a person cringe, a knowledgeable and prepared Facility Security Officer (FSO) should not have anything to fear if they are running a tight security program at their organization. In this article I will discuss what is needed to pass a facility security audit for a non-possessing company.

Preparing For an Audit

Here at Segue, we are typically audited every year and have always successfully passed thanks to the responsiveness of our DSS representative. The audit begins with multiple wide-ranging questions, such as where you keep your files on cleared personnel, what cleared contracts you have, and so on. Next, more detailed questions are asked about your organization’s contracts and security processes. This information is unique and proprietary to each organization, but having these components properly set up is a basic part of maintaining a facility clearance.

As the audit process advances, DSS provides ample information to help contractors prepare. The first one of these is the “Checklist for New Facility Security Clearances” portion of the DSS Website. This is an overarching page that highlights, from the beginning, what is needed to get your facility security program started and how to maintain it successfully.

The primary document on this page is the NISPOM, the document contractors must follow to access classified information. It spells out, in great detail, all the rules and regulations. All Security Officers should be familiar with this document! If you do not feel comfortably prepared to handle your facility audit, then the NISPOM will provide the right path to follow.

If you are already an experienced Security Officer and have previous audit experience, then the NISPOM can help you prepare for the new rating calculation system that has been recently implemented. This rating calculation system is presented in a matrix and has thirteen categories (listed below) which relate directly back to the NISPOM. An explanation of each category is also posted on the DSS website.

To start, each contractor begins with a score of 700, and points are added to or subtracted from this score to produce a final number. An additional 15 points is given for fulfilling any one of the thirteen categories listed below. Scores are then tallied to provide a rating of Unsatisfactory, Marginal, Satisfactory, Commendable, or Superior, based on the score’s range. For example, 730 points falls in the “Satisfactory” range of 650 – 749. Keep in mind that contractors can also be docked points for not complying with certain categories, which could put you in the Unsatisfactory range.

The Thirteen Categories in the Security Rating Calculation Worksheet include:

  1. Security Education (Events)
  2. Security Education (Products)
  3. Security Education (Staff Training)
  4. Security Education (Community Information Sharing)
  5. Self-Inspection
  6. Class Material Control
  7. Counter Intelligence
  8. Information Systems
  9. FOCI
  10. International
  11. Community Membership
  12. Active Participation
  13. Personnel Security

Although it may appear easy, meeting the necessary requirements to receive additional points for any of the thirteen categories above can be difficult. Some of the categories may not apply directly to your facility (e.g., International or FOCI). There are some categories, however, that will apply, and those are the ones Security Officers should take particular interest in. Identifying which categories relate most to your facility and meeting the necessary requirements listed will assist you in passing your next audit.
