What is CMMC Level 2 and who needs it?

CMMC Level 2 requires compliance with all 110 controls from NIST SP 800-171 Rev 2. Any Defense Industrial Base (DIB) contractor that handles Controlled Unclassified Information (CUI) on DoD contracts will need CMMC Level 2 certification. This affects an estimated 80,000+ contractors.

When is the CMMC certification deadline?

CMMC Phase 2 requires C3PAO third-party assessments starting November 2026. However, DoD is already including CMMC requirements in new contracts. Starting now gives you time to close gaps, build evidence, and avoid last-minute scrambles when every C3PAO is booked solid.

Can I use CMMC Command for my self-assessment?

Yes. The free tier gives you a complete 110-control NIST SP 800-171 assessment with real-time SPRS score calculation. You can document your status, identify gaps, and calculate your exact SPRS score which you're already required to submit to SPRS.mil.

How does the AI compliance analyst work?

Our 8 AI features analyze your actual assessment data - not generic templates. The AI generates gap analysis narratives, remediation plans with effort estimates, SSP implementation statements, evidence sufficiency reviews, and realistic C3PAO interview questions. It never sees your uploaded documents or CUI - only control metadata.

Do you store CUI or sensitive documents?

No. CMMC Command stores compliance metadata - control statuses, SPRS scores, task assignments, and evidence references. Uploaded evidence files are scanned for CUI markers and we explicitly do not store controlled unclassified information.

How does CMMC Command compare to hiring a consultant?

A typical CMMC consultant charges $200-$400/hr, and most assessments require 80-200 hours ($16K-$80K). CMMC Command replaces the ongoing assessment tracking, gap analysis, document generation, and remediation planning for $749/mo.

What integrations are supported?

We connect with 10 security tools: Microsoft Entra ID, Microsoft 365 & Defender, CrowdStrike Falcon, Google Workspace, AWS, SentinelOne, Tenable.io, KnowBe4, Jamf Pro, and Okta. Each integration auto-collects compliance evidence mapped to specific NIST controls.

Can I cancel anytime?

Yes. All plans are month-to-month with no long-term contracts. Annual plans offer 2 months free. If you cancel, you retain read-only access to your data for 30 days. We also support full data export.

Facility Security Clearance (FCL): The Complete Guide for Defense Contractors

What Is a Facility Security Clearance (FCL)?

A Facility Security Clearance (FCL) is an administrative determination made by the Defense Counterintelligence and Security Agency (DCSA) that an organization is eligible for access to classified national security information. The FCL grants the company authorization to bid on, win, and perform classified government contracts.

An FCL is not optional for contractors pursuing classified work. Without one, your facility cannot legally receive, store, process, or generate classified information, and prime contractors cannot legally flow classified requirements down to your team.

FCL vs. Personnel Security Clearance (PCL)

These two types of clearances are related but distinct:

	Facility Security Clearance (FCL)	Personnel Security Clearance (PCL)
Who holds it	The organization (facility)	An individual employee
What it authorizes	The company to safeguard classified info	The person to access classified info
Granted by	DCSA	DCSA (via sponsorship)
Required for	Holding classified contracts	Working on classified projects

Both are required in practice. The FCL makes your facility eligible, while PCLs authorize specific employees to handle classified materials. Key Management Personnel (KMP) at your company must obtain individual PCLs as part of the FCL process.

Classification Levels

FCLs correspond to three levels of classified information, each with progressively stricter requirements:

Confidential: The baseline classification level. Unauthorized disclosure could reasonably be expected to cause damage to national security.
Secret: The mid-tier classification level. Unauthorized disclosure could reasonably be expected to cause serious damage to national security.
Top Secret: The highest classification level. Unauthorized disclosure could reasonably be expected to cause exceptionally grave damage to national security.

Your FCL level must match or exceed the highest classification level of information your facility will handle. A facility with a Secret FCL cannot access Top Secret information. Most defense contractors start with Secret.

Possessing vs. Non-Possessing Facilities

Before applying, you must determine what type of FCL your operations require.

Possessing Facilities safeguard classified information at their own physical location. This requires GSA-approved security containers or vaults, formal access control systems, and documented physical security procedures. This is the most common type for active program work.

Non-Possessing Facilities do not store classified information at their site. Employees access classified materials only at the customer's or government's secure facility. The company still requires the FCL, but physical security requirements are significantly lighter.

If you are unsure which type applies, evaluate where the classified work will actually occur: at your facility or at the customer's secure location.

The 7-Step FCL Acquisition Process

DCSA manages FCL issuance through a structured process. Here is what to expect at each stage:

Step 1: Sponsorship

You cannot self-apply for an FCL. A cleared U.S. government agency or cleared prime contractor must sponsor your facility and document a legitimate contractual need for classified access. Without this documented need, DCSA will not process the application.

If you are a subcontractor, your prime must initiate the sponsorship. If you are pursuing a direct government contract, the contracting officer or program office serves as the sponsor.

Step 2: Sponsorship Package Submission

The sponsor submits documentation through the National Industrial Security System (NISS), the government's portal for managing industrial security activities. The package typically includes:

DD Form 441, the Department of Defense Security Agreement
DD Form 254, the Contract Security Classification Specification, which defines what classified information the contractor will handle
Performance Work Statement or contract details
Company identification information

Missing or incomplete DD Form 254 documentation is one of the top two reasons FCL applications are denied. Confirm your sponsor has this document correctly completed before submission.

Step 3: DCSA Package Review

DCSA reviews the sponsorship package to verify the justification is valid and the company is eligible to proceed. This is an administrative gate check before the full investigation begins.

Step 4: FCL Package Submission

Once DCSA approves the sponsorship, your company has 20 days to submit its own FCL package through NISS. This includes:

Business formation and ownership documentation
Identification of all Key Management Personnel (KMP)
Foreign ownership, control, or influence (FOCI) disclosures
Organizational structure and any parent/subsidiary relationships

Step 5: DCSA Analysis

This is the most complex phase. DCSA conducts three parallel workstreams:

Business analysis: Cases are routed to a Tier 1 (straightforward) or Tier 2 (complex) team based on ownership structure, size, and FOCI risk.
FOCI investigation: Assesses whether foreign interests could compromise the facility's ability to protect classified information.
KMP clearance initiation: All uncleared Key Management Personnel must obtain individual PCLs before the FCL can be issued.

FOCI is a significant consideration for any company with foreign ownership, investment, or board influence. If DCSA identifies a FOCI condition, it may require mitigation measures such as a Special Security Agreement (SSA), Board Resolution, Proxy Agreement, or Voting Trust.

Step 6: Initial Orientation Meeting (IOM)

A DCSA Industrial Security Representative conducts an on-site meeting with your designated Facility Security Officer (FSO). The IOM verifies submitted information and confirms that your FSO understands all requirements under 32 CFR Part 117, also known as the National Industrial Security Program Operating Manual (NISPOM).

This meeting is not a pass/fail audit. It is an orientation, but your FSO is expected to demonstrate working knowledge of NISPOM requirements before the process can advance.

Step 7: FCL Issuance

Once DCSA completes the business analysis favorably, concludes the FOCI investigation, and confirms KMP clearances, the FCL is issued. You will receive formal notification and can begin performing classified work under the terms of your contracts.

Key Roles in the FCL Program

Facility Security Officer (FSO)

The FSO is responsible for day-to-day security compliance at your facility and serves as the primary point of contact with DCSA. Responsibilities include:

Implementing all NISPOM (32 CFR Part 117) requirements
Managing personnel clearance processing and periodic reinvestigations
Conducting security awareness training for cleared employees
Maintaining required security records and logs
Reporting security violations, adverse information, and foreign contact incidents to DCSA

FSOs are expected to complete DCSA's FSO Program Management curriculum through the Center for Development of Security Excellence (CDSE). Requirements are more extensive for possessing facilities. DCSA does not issue a formal FSO certification, but completion of CDSE courses is expected and tracked.

Key Management Personnel (KMP)

KMP are individuals with the ability to direct or influence facility operations in ways that could affect the protection of classified information. This typically includes:

Officers (CEO, CFO, COO, President)
Directors and board members
Managers with direct responsibility over classified programs or the FSO

All KMP must hold personnel clearances at or above the facility's FCL level. If a KMP cannot obtain a clearance due to a background investigation failure, the FCL application will be denied unless that individual is removed from the KMP list.

Timeline and Costs

Timeline: DCSA publishes a target of 45 days for FCL processing. In practice, timelines routinely run several months to a year or longer. Complexity drivers include:

Higher clearance levels (Top Secret takes longer than Confidential)
FOCI issues requiring mitigation agreements
KMP background investigation delays
Company ownership structures requiring deeper analysis

Plan for a minimum of six months if you have no prior cleared history. Foreign ownership or investment adds additional time to the process.

Costs: There is no application fee for an FCL. DCSA does not charge for processing. Your organization will, however, incur real internal costs:

FSO personnel time (often a significant portion of someone's role)
CDSE training completion
Physical security upgrades for possessing facilities (GSA-approved storage, alarm systems, access controls)
Legal or consulting fees if FOCI mitigation is required
Ongoing compliance program maintenance

These costs vary widely. A small non-possessing facility might spend a few thousand dollars on administrative overhead and training. A large possessing facility pursuing Top Secret clearance could spend tens of thousands on physical security infrastructure alone.

Foreign Ownership, Control, or Influence (FOCI)

FOCI is one of the most scrutinized aspects of the FCL process. If a foreign interest has the ability, whether directly or indirectly, to direct or influence company decisions in a way that could compromise classified information, DCSA will identify a FOCI condition.

Common FOCI triggers include:

Foreign parent company or majority shareholder
Foreign national on the board of directors
Foreign government as investor
Licensing agreements that give foreign parties operational influence

A FOCI condition does not automatically disqualify you from an FCL. DCSA provides several mitigation options:

Mitigation Instrument	Typical Use Case
Board Resolution	Limited foreign equity, passive investment
Security Control Agreement (SCA)	Foreign parent with operational role, no classified involvement
Special Security Agreement (SSA)	Foreign parent with operational control, classified work required
Proxy Agreement / Voting Trust	Foreign ownership where complete operational isolation is required

If FOCI applies to your company, engage legal counsel with cleared facility experience before proceeding.

Maintaining Your FCL

An FCL is not a one-time event. Maintaining it requires ongoing compliance across several areas:

Annual DCSA reviews: DCSA conducts regular compliance inspections of cleared facilities.
Continuous reporting obligations: FSOs must report security incidents, adverse information about cleared employees, changes in ownership or KMP composition, and foreign contact.
Reinvestigations: Cleared individuals require periodic reinvestigations every five to ten years depending on clearance level.
Training requirements: Annual security awareness training is required for all cleared personnel.

FCL validity: An FCL remains active as long as your facility holds active classified contracts. If contracts end, DCSA can place the FCL in an inactive or deactivated status. Reactivation is typically much faster than the initial process because DCSA retains the prior vetting history on file.

A facility can hold multiple clearance levels simultaneously, such as Secret on one contract and Confidential on another. The highest level always drives the most stringent requirements.

Common Reasons FCL Applications Are Denied or Delayed

Missing or incomplete DD Form 254: The most common issue. This document must be properly completed by the sponsoring agency or prime contractor because it defines what classified information you will access.
KMP clearance denial: If a key executive cannot pass a background investigation, the FCL is blocked until that individual is removed from the KMP list or the investigation is resolved.
Unresolved FOCI: Foreign ownership or influence that cannot be adequately mitigated through DCSA's available instruments.
Incomplete NISS submission: Missing business documentation or incomplete entity identification.
FSO not adequately prepared for the IOM: While not a hard denial, an unprepared FSO signals a compliance risk and can delay the process significantly.

FCL vs. CMMC: Understanding the Difference

FCLs and CMMC are both security requirements for defense contractors, but they address completely different threat domains:

	FCL	CMMC
Protects	Classified information (Secret, Top Secret)	Controlled Unclassified Information (CUI)
Administered by	DCSA	DoD / Cyber AB
Framework	NISPOM (32 CFR Part 117)	NIST SP 800-171 / CMMC 2.0
Focus	Physical and personnel security	Cybersecurity
Applies to	Contractors with classified contracts	Contractors handling CUI on DoD contracts

Many contractors need both. If your company pursues classified DoD work and also handles CUI, you will be managing two overlapping compliance programs. There is significant overlap in the underlying security culture, however. Strong access control, personnel vetting, audit logging, and incident response practices benefit both programs.

Some CMMC controls also directly support FCL compliance. Implementing multi-factor authentication (NIST 3.5.3), establishing audit logs (NIST 3.3.x), and documenting your information system boundary in your SSP all align with NISPOM security requirements.

Your FCL Readiness Checklist

Before initiating the sponsorship conversation, confirm the following:

Identified a cleared government agency or prime contractor willing to sponsor
Have a legitimate, documented contractual need for classified access
Identified your FSO candidate and confirmed they can complete CDSE training
Identified all KMP and assessed any potential clearance issues
Reviewed your ownership structure for foreign interests
Determined facility type (possessing vs. non-possessing) and assessed physical security gaps
Set a realistic timeline (6 to 12 months minimum for new facilities)

How CMMC Command Supports Defense Contractors Pursuing Both FCL and CMMC

If you are pursuing an FCL, you almost certainly also handle CUI, which means CMMC requirements apply. CMMC Command helps you manage the cybersecurity side of the equation:

Free CMMC assessment: All 110 NIST SP 800-171 controls with real-time SPRS scoring using the same methodology the DoD uses to evaluate contractor cybersecurity posture
SSP generation: Your System Security Plan documents the cybersecurity environment DCSA and C3PAOs both require
Policy templates: Pre-built policies for all 14 NIST control families
Evidence vault: Centralized storage and tracking for your compliance artifacts

Start your free CMMC assessment and get your SPRS score in under an hour, with no credit card required.