What Does a Facility Security Officer Do? Complete Role Guide 2026

If you’re looking at a job posting that says “Facility Security Officer” and wondering what you’d actually do all day, here’s the short version: you own your company’s clearance. Every day you spend in the role is spent keeping that clearance in good standing with the Defense Counterintelligence and Security Agency (DCSA).

The longer version is more interesting, and it’s what this guide covers. By the time you finish reading, you’ll know what the job looks like hour by hour, what DCSA expects you to know on day one, what 32 CFR Part 117 actually requires, and what the role pays in 2026.

What an FSO actually does

An FSO is the person DCSA calls when something goes wrong at a cleared contractor. You are the single appointed individual responsible for making sure your company complies with the National Industrial Security Program (NISP). If your company has a Facility Clearance (FCL), you are required by regulation to have an FSO. No FSO, no FCL.

That sounds abstract. Here’s what the job looks like in practice.

On a typical Monday you walk in and check NISS (the National Industrial Security System) for DCSA messages, review overnight security incident reports from your guard force, and approve three new clearance applications routed through HR. By lunch you’ve briefed two new hires, closed out a suspicious contact report from Friday, and answered three emails from program managers asking whether their contract allows a foreign national visitor. In the afternoon you sit down with a program team to mark up a new Statement of Work, update your Standard Practice Procedures (SPP) to reflect a change in classified storage, and spend an hour on self-inspection prep because your annual review window opens next month.

That’s a normal day. A bad day adds a cleared employee who’s been arrested over the weekend, a lost classified document, or a FOCI (Foreign Ownership, Control, or Influence) change-of-ownership notification that puts your FCL at risk.

You’re the person who handles all of it.

Core responsibilities under 32 CFR Part 117

NISPOM was rewritten as 32 CFR Part 117 and took effect August 24, 2021. The duties DCSA inspects you against are spread across the whole rule, but the heavy hitters sit in these sections.

Section 117.7 — General responsibilities. This is the spine of the job. You establish and maintain a security program covering all cleared personnel and all classified information held by the facility. That includes being appointed in writing, keeping a current Insider Threat Program under 117.7(b), and running an annual self-inspection.

Section 117.8 — Reporting requirements. When something happens, you report it. Suspected loss or compromise of classified information, adverse information about cleared employees, unauthorized disclosures, cyber incidents on covered contractor information systems, changes in ownership, foreign travel by cleared personnel — all of it goes up to DCSA, most of it through NISS, and most of it has a reporting clock.

Section 117.9 — Entity eligibility (FCL). You maintain the FCL. That means keeping your Key Management Personnel (KMP) list current, submitting SF 328s for the KMPs, and keeping your DD Form 441 security agreement on file and accurate.

Section 117.10 — Personnel clearances. You initiate and maintain PCLs (Personnel Clearances) for the people who need them. You don’t make clearance decisions — DCSA’s Consolidated Adjudication Services does — but you initiate the e-App investigation, fingerprint submission, and briefings.

Section 117.12 — Security training and briefings. Every cleared employee gets an initial security briefing before accessing classified. Every cleared employee gets annual refresher training. Departing employees get debriefings. You run all of that.

Sections 117.13 through 117.15 — Classification, marking, and safeguarding. You make sure classified material is properly marked, properly stored (GSA-approved containers, open-storage rooms, or approved alternatives), and properly handled end to end.

Section 117.18 — Information system security. On classified systems, you work with the ISSM (Information System Security Manager) to keep authorization current. On CUI, you’re increasingly in the CMMC conversation.

That is not the whole manual. It’s the parts you spend most of your time on.

Required qualifications

DCSA does not require a degree to be an FSO. That surprises people. The requirement in 32 CFR 117.7(a)(2) is that the FSO must be a U.S. citizen, must be cleared to the level of the FCL, and must complete DCSA-required FSO training within one year of appointment.

What employers want in practice goes further:

• A bachelor’s degree (often in criminal justice, homeland security, or business) — listed on most job postings even when the rule doesn’t require it
• An active Secret or Top Secret clearance
• Experience in any security-adjacent role: military, law enforcement, corporate security, HR compliance
• Familiarity with NISS, DISS (Defense Information System for Security), and STEPP (Security Training, Education, and Professionalization Portal)

Companies running ITAR or EAR export-controlled work, or holding a TS/SCI FCL, add expectations for export compliance and SCIF experience.

DCSA training requirements

DCSA’s Center for Development of Security Excellence (CDSE) publishes the FSO Curriculum. The required courses depend on whether your facility has a possessing FCL (you actually hold classified on-site) or a non-possessing FCL (your cleared employees work classified elsewhere).

At minimum you complete:

• IS011.16 — FSO Role in the NISP
• IS051.16 — NISP Self-Inspection
• The FSO Orientation and FSO Program Management curriculum on STEPP

Possessing facilities add courses on safeguarding, marking, transmission, and information systems. You have one year from appointment to finish the required curriculum per 32 CFR 117.12.

For a detailed breakdown of which courses you need and in what order, see FSO training requirements and the DCSA curriculum path.

Salary range in 2026

FSO pay has climbed steadily since the CMMC rollout created more demand for compliance-minded security staff. Typical 2026 ranges:

• Entry-level FSO (appointed as an additional duty, or first-time full-time FSO, under 2 years’ experience): $60,000 – $80,000
• Mid-career FSO (3 – 7 years, full-time, managing a Secret-level possessing facility): $85,000 – $115,000
• Senior FSO / Corporate Security Director (7+ years, multi-facility or TS/SCI, ISP certified): $120,000 – $165,000+

Location matters. FSOs in the DC / Northern Virginia metro, Huntsville, San Diego, and Colorado Springs tend to be at the top of these ranges. Remote or hybrid is possible for non-possessing FCLs and for corporate-level roles overseeing multiple sites.

Factors that move pay up: clearance level (TS/SCI adds 10–20%), ISP or SPeD certification, CMMC Assessor status, and multi-facility or international security experience.

Career path

Most FSOs come into the role one of three ways:

1. Military transition. A retired E-7 or O-4 with a security MOS, a former counterintelligence specialist, or an OSI / NCIS investigator walks straight into an FSO role because they already hold a clearance and understand classification mechanics.
2. Internal promotion. You’re in HR, facilities, or program management at a cleared company; the prior FSO leaves; the company asks if you’re willing. This is the most common path and the one that catches people unprepared.
3. Career security professional. You started as a cleared guard, security specialist, or junior analyst and moved up.

From FSO, the typical progressions are:

• FSO → Senior FSO → Director of Corporate Security → VP Security
• FSO → CMMC consultant or assessor (a large lane post-2026)
• FSO → government civilian (DCSA Industrial Security Representative, for example)
• FSO → independent consultant servicing small cleared contractors

A lot of this is easier to plan with real numbers. Pay bands by years of experience and by region live in the separate FSO career path and salary guide.

Frequently asked questions

Do you need a college degree to be an FSO? No. 32 CFR 117.7(a)(2) requires U.S. citizenship, a clearance at the FCL level, and completion of DCSA-required training — not a degree. In practice, most job postings ask for a bachelor’s.

Can the FSO also be the company owner? Yes. Small cleared contractors routinely have the owner or a senior officer serve as FSO. The person still has to be cleared and complete DCSA training within one year.

How much classified handling does an FSO actually do? It depends on the FCL. At a non-possessing facility, almost none — classified stays at the customer site. At a possessing facility, you manage the full lifecycle: receipt, storage, marking, reproduction, transmission, and destruction.

Is the FSO responsible if an employee loses a clearance? Individual employees are responsible for reporting information that affects their own eligibility (SEAD 3). The FSO is responsible for reporting adverse information about cleared employees to DCSA under 117.8 and for executing the debrief if eligibility is revoked.

What’s the hardest part of the job? For most new FSOs, it’s the first self-inspection. You’re suddenly looking at your own program through DCSA’s eyes, and the gaps are usually in documentation rather than in practice. A structured workbook makes this much less stressful — the one I put together lives at the FSO workbook template.

Before you take the job

The FSO role is underrated. It’s stable, it’s paid well, it’s recession-resistant (cleared contracts do not stop), and it gives you a seat at the table in every significant business decision your company makes — because every significant decision has a security angle.

It’s also the role where a single compliance failure can cost your employer its clearance and, by extension, its largest contracts. If that weight feels heavy, you’re reading the role correctly.

If you’re ready to take the next step, start with the DCSA training path so you know exactly what the first 90 days look like.