How to Become a Facility Security Officer: Requirements, Training, and Salary

The FSO role exists because every cleared defense contractor is required to have one. There are roughly 12,500 cleared facilities in the United States, and every one of them has at least one Facility Security Officer. That’s a lot of positions, consistent demand, and very little of the career advice on the internet actually tells you how to get one of them.

This guide walks you through the path — from zero to appointed FSO — including what you need before you apply, how clearances work if you don’t already have one, which DCSA training is required, which certifications are worth pursuing, and what the pay looks like at each stage of the career.

If you’re already in a security-adjacent role (military, law enforcement, corporate security, HR at a cleared contractor) you’ll see a short path. If you’re coming from outside the defense world, the path is longer but real — and it opens up a stable career that’s hard to outsource and hard to automate.

What DCSA actually requires

Start here because the formal requirements are short. Per 32 CFR 117.7(a)(2), to be designated as an FSO you need to:

1. Be a U.S. citizen
2. Hold a personnel security clearance at the level of the Facility Clearance (Confidential, Secret, or Top Secret)
3. Complete the DCSA-required FSO training within one year of appointment

That’s the regulation. Three things. Every other requirement you’ll see on job postings — degrees, years of experience, specific certifications — comes from the employer, not from DCSA.

What this means in practice: if a cleared contractor is willing to sponsor you for the clearance and appoint you as FSO, you don’t need a degree or prior security experience to be legally qualified. Whether a company is willing to do that is a different question, and the answer depends on the size of the employer, the size of the FCL, and how much security experience you bring.

Education: what employers look for

Most FSO job postings list a bachelor’s degree as a requirement or preferred. The most common fields:

• Criminal justice
• Homeland security
• Business administration
• Information assurance / cybersecurity
• Any degree, plus security experience

Whether the degree actually matters depends on the employer. Small cleared contractors (under 100 employees) routinely hire FSOs without degrees, especially if the candidate has a current clearance and a military security background. Large primes and classified labs almost always want a degree, and often want a master’s for senior FSO or corporate security roles.

If you’re starting from no degree and considering whether to pursue one specifically for an FSO career, the answer is usually no. You’ll get a better return on investment pursuing a clearance first (through an employer who’ll sponsor you) and then layering in DCSA training and an ISP certification. If a degree comes along for other reasons, choose a field that also prepares you for adjacent roles — cybersecurity is the obvious hedge given CMMC’s trajectory.

How the clearance works

This is the gate most people get stuck on. You can’t self-submit for a clearance. An employer has to sponsor you, which means you need a job offer that requires a clearance before the clearance process starts.

The clearance process:

1. Employer sponsorship. A cleared contractor submits a request for a clearance on your behalf, usually at the Secret level to start.
2. e-App submission. You complete the SF 86 (Questionnaire for National Security Positions) in the e-App system. This is a 100+ page form covering your entire history going back at least 10 years — employment, residences, foreign contacts, financial history, drug use, mental health.
3. Fingerprints. Submitted through the employer.
4. Background investigation. Conducted by DCSA. At the Secret level, you’re typically looking at a Tier 3 investigation. Top Secret is Tier 5.
5. Adjudication. DCSA’s Consolidated Adjudication Services (CAS) makes the eligibility determination.
6. Access granted. Your employer’s FSO indoctrinates you (SF 312 signed, initial briefing delivered) and grants access at your level.

Timeline: Secret clearances in 2026 are running somewhere in the 30 – 90 day range from submission to eligibility determination. Top Secret takes longer, often 4 – 8 months. Interim clearances (granted on initial favorable review) can come through in days and let you start working.

The adjudication criteria are the Adjudicative Guidelines for Determining Eligibility for Access to Classified Information. They look at thirteen factors: allegiance, foreign influence, foreign preference, sexual behavior, personal conduct, financial considerations, alcohol, drugs, psychological conditions, criminal conduct, handling of protected information, outside activities, and use of IT systems. Financial and personal-conduct issues are the two most common reasons for denial.

If you’re coming out of the military, you probably already have a clearance or can easily re-establish one. If you don’t, the fastest path is a cleared entry-level role (security specialist, analyst, cleared IT position) with an employer who sponsors new applicants, even if that role isn’t the FSO seat you ultimately want.

The DCSA training path

Once you’re cleared and appointed, DCSA gives you one year to complete the FSO training curriculum. The Center for Development of Security Excellence (CDSE) publishes the required courses on STEPP (Security Training, Education, and Professionalization Portal).

For non-possessing facilities (no classified held on-site):

• IS011.16 — FSO Role in the NISP
• FSO Orientation curriculum
• IS051.16 — NISP Self-Inspection
• Insider Threat Program courses
• Recommended: IS020.16 NISP Reporting Requirements, SEAD 3 Reporting Requirements

For possessing facilities (classified held on-site):

All of the above, plus:

• IS100.16 — Transmission and Transportation for Industrial Security
• IS101.16 — Safeguarding Classified Information in the NISP
• IS103.16 — Marking Classified Information
• Additional courses specific to closed areas, classified IS, or special access programs if relevant

Most of the courses are 1 – 3 hours of self-paced online training. End-of-course knowledge checks are required. Print and retain your STEPP completion certificates — DCSA will ask for them during a security review.

Beyond the required curriculum:

The FSO Program Management Course and the FSO Curriculum Skill Verification capstone give you a stronger foundation than the minimum. If your employer pays for training time, take them.

Many FSOs also complete the CDSE Industrial Security Oversight Certificate to strengthen credibility with DCSA and employers.

If you want the step-by-step course list with ordering and time estimates, it’s broken out in the DCSA FSO training requirements guide.

ISP certification (NCMS)

The Industrial Security Professional (ISP) certification is issued by NCMS (The Society of Industrial Security Professionals). It’s the closest thing the field has to a gold-standard professional credential.

Eligibility requires two years of industrial security experience and NCMS membership. The exam covers:

• NISPOM / 32 CFR Part 117
• Personnel security
• Document and physical security
• Industrial security program management
• Information systems security
• International security
• FOCI
• Classified visits
• Security education and training

The exam is three hours, closed book. Pass rate historically hovers in the mid-60s percent. Most candidates prep for 3 – 6 months using a combination of the NCMS study guide, the current NISPOM, DCSA ISLs, and a study group.

Why get it: ISP on your resume signals to employers and to DCSA that you know the manual cold. It correlates strongly with higher pay bands — most senior FSO roles either require or strongly prefer it. Recertification is every three years with continuing education.

For a deeper walkthrough of the exam structure, prep timeline, and study materials, see the ISP certification guide.

What FSOs actually make (by experience and location)

Pay varies more than most career sources suggest, because the FSO role itself varies from “additional duty, 10 hours a week” to “director of corporate security managing a multi-site possessing FCL.” The ranges below assume a full-time dedicated FSO role.

By experience level (2026):

• Entry-level / additional-duty FSO: $55,000 – $78,000. Usually at small contractors (under 50 employees); the FSO often wears a second hat (HR, office manager).
• Mid-career FSO (3 – 7 years): $82,000 – $115,000. Full-time dedicated FSO at a Secret-level facility, possessing or non-possessing.
• Senior FSO (7 – 12 years, ISP certified): $115,000 – $150,000. Multi-facility or TS-level work.
• Corporate Security Director: $140,000 – $200,000+. Multi-site, corporate-level decision authority, often CISO-adjacent.

By location (typical mid-career band):

• DC / Northern Virginia / Maryland: $95,000 – $130,000
• Huntsville, AL: $85,000 – $115,000
• San Diego / LA: $90,000 – $125,000
• Colorado Springs / Denver: $85,000 – $115,000
• Dallas / Fort Worth: $80,000 – $110,000
• Remote (non-possessing FCL only): $75,000 – $105,000

What moves pay up:

• TS/SCI clearance: +10 – 20%
• ISP or SPeD certification: +$5,000 – $15,000
• CMMC Assessor status: +$15,000+
• Multi-facility experience: +$10,000 – $25,000
• International security experience (ITAR, FMS): +$10,000 – $20,000
• Industry — classified aerospace and intelligence community contractors pay more than DoD manufacturing

More breakdown, including exact bands at the largest primes, lives in the FSO career path and salary guide.

A day in the life

Here’s what a Tuesday looks like for a mid-career FSO at a Secret-level possessing facility with ~200 cleared employees.

8:00 AM. Open NISS. Check for DCSA messages and incoming visit requests. Clear your inbox of adverse-info routing from HR overnight.

8:30 AM. Two new hires need initial security briefings. You deliver the briefing, collect SF 312s, grant DISS access, coordinate with IT for system accounts.

10:00 AM. Weekly touch-base with the ITPSO (often also you). Review the prior week’s insider threat indicators from the hotline, from HR, and from the IS audit logs. Nothing actionable this week.

10:45 AM. A program manager stops by with a question about a foreign national visit scheduled for next month. You pull the contract DD 254, confirm the limits, then start the visit authorization paperwork.

12:00 PM. Lunch.

1:00 PM. A cleared employee self-reports foreign travel to Germany under SEAD 3. Brief them on travel precautions, document the reporting, add a post-travel debrief to the calendar.

2:00 PM. Self-inspection prep. The annual window opens in three weeks. You walk through the 117.15 safeguarding items and take notes on two containers with combo-change dates that are overdue.

3:30 PM. HR flags an arrest on one of your cleared engineers over the weekend. You interview the employee, confirm details, file the adverse information report in DISS the same day.

4:30 PM. Email catch-up. Close out three low-priority items. Update your FSO workbook with today’s entries.

Not every day has an arrest or a travel report. Most days have exactly none. The job is 80% routine and 20% unpredictable.

Frequently asked questions

How long does it take to become an FSO from a cold start? Realistically, 12 – 24 months. That’s time to find a cleared-industry employer, get sponsored for a clearance, have the clearance adjudicated (3 – 9 months depending on level), and be in position for an FSO appointment. Faster if you’re already cleared or transitioning from the military.

Can I become an FSO without military experience? Yes. Plenty of FSOs come from corporate compliance, HR, or facilities backgrounds. Military experience helps because it typically comes with an existing clearance and security-mindedness, but it’s not a requirement.

Is the FSO role going away because of CMMC? No — if anything, CMMC expands the role. CMMC focuses on CUI protection; the FSO’s NISPOM responsibilities focus on classified information. Most small-to-mid cleared contractors are consolidating both functions under the FSO. Expect the role to get broader, not narrower.

Do I need to be physically on-site? At a possessing FCL, yes — classified has to be controlled by cleared personnel in person. At a non-possessing FCL, remote and hybrid work is common.

What’s the biggest mistake new FSOs make? Treating the role as paperwork compliance instead of program management. The documentation matters, but the real job is knowing what’s actually happening across your cleared population and catching problems early. FSOs who run it as a compliance checklist eventually get a nasty surprise; FSOs who build relationships with HR, IT, program managers, and cleared employees catch issues before they become DCSA findings.

What to do this week

If becoming an FSO is the goal:

• If you’re not cleared, start applying to cleared-industry entry-level roles where the employer will sponsor. Intelligence contractors, cleared manufacturers, and IT integrators are good starting points.
• If you’re cleared already, tell your current FSO you’re interested in backing them up. Most FSOs are happy to train a deputy, and that’s often how the seat transfers.
• Sign up for a STEPP account today even if you haven’t been appointed yet. Most CDSE courses are open to anyone with an account, and you can start building the training record.

The full path takes time. The work is stable, the pay is decent, and the field is one of the few in security where demand is still growing. Start with the first step.