The Small Business Administration (SBA) and the Information Security Oversight Office (ISSO) have issued a Joint Notice to clarify how Facility Security Clearances (FCLs) (also called Entity Eligibility Determinations, or EEDs) work for joint ventures. As we have discussed before, the SBA regulations for a few years now have specified that procuring agencies may not require joint ventures to possess an FCL as a condition of the award of a small business set-aside contract. We discussed this rulemaking and a bid protest decision upholding those regulations in previous posts.
It is worth adding that the SBA’s regulation, which applies only to small business joint ventures, partially derives from the National Defense Authorization Act for Fiscal Year 2020 (2020 NDAA). The 2020 NDAA, in turn, provides that an FCL is not required for any joint venture that is composed entirely of entities that currently possess FCLs. Notwithstanding these authorities, cognizant security agencies (particularly the Department of Defense (DOD)) took the position that SBA lacks authority to dictate which entities do and don’t need an FCL. For the last two years, SBA and the security agencies have been trying to reach an understanding. The new Joint Notice achieves that.
Here are the key takeaways in light of the new guidance:
- The main point is that the SBA regulation stands. In accordance with 13 C.F.R. § 121.103(h), a small business joint venture (whether of the all-small or mentor-protégé variety) does not need to hold an FCL in its own name as a condition of award, as long as the joint venture member(s) that will perform the work involving classified information hold(s) the requisite clearance.
- Offerors should watch for any contrary provisions in solicitations; if a solicitation includes a term that contradicts this SBA regulation, a company waives its right to object unless it protests the term before the date set for receipt of proposals.
- From a security perspective, the Joint Notice signals an evolution in the government’s interpretation, including:
- That an unpopulated small business joint venture awarded a classified contract generally will not need an FCL/EED, even after award: “[I]f the legal entity awarded the classified contract is an unpopulated JV formed pursuant to this SBA regulation, the NISP CSA will exclude the JV from access to classified information (rather than determining its eligibility for access) unless the JV’s structure or potential influence, access, or control over the classified information/contract indicates it must also have an EED.” Security agencies previously asserted the authority to insist that any entity (including unpopulated joint ventures) awarded a classified contract needed a clearance to perform that contract.
- That entities in privity with the government—e.g., unpopulated JV awardees—can be effectively “excluded” from the need to obtain an FCL. Cognizant security agencies retain the authority, however, to require joint ventures to undergo an EED after award if that entity will perform classified activities.
The old insistence that unpopulated joint ventures hold FCLs in their own name generally drove the need for these entities to employ essential management and security personnel (i.e., the senior management official and facility security officer), often as their only employees. The Joint Notice suggests that this oddity will become a thing of the past.
The Joint Notice also emphasizes that neither SBA nor the National Industrial Security Program requires any entity to possess an FCL prior to bidding on or being awarded a classified contract. Rather, there is only a “requirement for entities to go through the eligibility determination process and be cleared before performing on a classified contract.” (Emphasis in original.) The Joint Notice states this is the timing rule for “any U.S. legal entity,” and not only for joint ventures.