On October 5, 2023, the National Archives Information Security Oversight Office (ISOO) released a joint notice to provide guidance on facility clearances for joint ventures (JVs) in the National Industrial Security Program (NISP). This guidance addresses the interaction of NISP requirements and an October 16, 2020 Small Business Administration (SBA) rule on JVs, and also aims to clear up confusion arising from a Government Accountability Office (GAO) decision interpreting the SBA 2020 rule. The ISOO joint notice concludes that the SBA rule on JVs does not materially alter the requirements under the NISP concerning which entities are required to obtain facility security clearances (FCLs), and that a NISP Cognizant Security Agency (CSA) (such as the Defense Counterintelligence and Security Agency) will continue to make these determinations.
Context for SBA Joint Ventures
The SBA regulations under 13 CFR 121.103(h) allow a JV between an eligible small business partner and a non-eligible partner (e.g., a large business mentor or another small business that does not have the required socio-economic status to qualify for the SBA program) to assist in the development of the lead small business partner. In October 2020, the SBA released a rule stating that these types of JVs may be awarded contracts involving access to classified information when either the JV itself, or the JV’s member partners responsible for performing classified work, possess the required FCL. Notably, under the SBA rule, the JV itself does not have to hold an FCL where the member partner entity(ies) that will access the classified information has one and the JV itself would not be performing the work involving the classified information.
On August 27, 2021, the GAO issued a decision concluding that the 2020 SBA rule “clearly and unambiguously” prohibits agencies from issuing solicitations that require a small business joint venture itself, rather than the members of the joint venture, to hold the required FCL. In essence, this decision authorized small business JVs pursuing DoD classified contracts to rely on the FCLs of their members. This decision resulted in some confusion since it failed to address the SBA rule and NISP requirements.
The October 5th ISOO joint notice aims to clarify confusion between the SBA rule and NISP requirements that resulted from the aforementioned GAO decision.
Facility Clearances for Joint Ventures Under the NISP
Under the NISP regulations at 32 CFR 2004, any legal entity that will access classified information pursuant to a legitimate government requirement (such as a government contract) must obtain an FCL (also referred to as an Entity Eligibility Determination). The FCL requirement applies to JVs that are separate legal entities from their parents and have been awarded a contract or agreement that requires access to classified information.
In addressing the applicability of NISP requirements to JVs, the ISOO’s joint notice provides that when a JV is awarded a classified contract covered by the NISP, both the JV and any partners to the JV must hold FCLs in order to access the information. A JV formed as a separate legal entity may be awarded a contract and may hold an FCL in its own right. However, a JV established by contract (i.e., not a separate legal entity) cannot be awarded a classified contract and cannot hold an FCL. Instead, because the contract is awarded to the partner entities that make up the JV, the legal entities must hold the necessary FCL, employ the individuals who will perform on the classified contract, and employ the NISP security officials. Importantly, this means that contractual JVs with foreign partners would not be able to obtain an FCL, as foreign companies generally are not eligible to have a clearance. In contrast, U.S. companies with foreign ownership can potentially qualify for an FCL if appropriate measures are taken to “mitigate” the foreign owner’s control over relevant corporate decisions.
Impact on Joint Ventures and SBA Joint Ventures
The recent ISOO guidance makes clear that the SBA rule on JVs does not materially change the requirements under the NISP regarding which entities must obtain FCLs. As noted above, when determining eligibility for an FCL or appropriate exclusion from classified information, a NISP CSA will assess the business structure and governance documents of a legal entity. A portion of this assessment will depend on which entity or entities within the JV will be performing on or influencing the contract. For example, if a CSA finds that a subsidiary, subcontractor, or JV partner entity of the JV will perform all the classified work, the CSA may exclude the JV itself from access to classified information rather than determining its eligibility for an FCL. The SBA rule concerning JVs does not alter this process.
However, JVs formed under the SBA rules that are unpopulated (i.e., that have no employees who will perform on classified contracts) will be excluded from accessing classified information unless the JV’s structure or potential influence, access, or control over the classified information/contract indicates it must also have an FCL. The ISOO underscores that a NISP CSA will continue to determine whether an entity needs an FCL, meaning that it is not appropriate to assert that JVs formed under SBA programs covered by 13 CFR 121.103(h) will never need to hold an FCL; instead, these determinations will be made by a CSA on a case-by-case basis.