The Information Security Oversight Office (ISOO) released a joint notice on Oct. 5, 2023, providing clarifying guidance to agencies on facility security clearances for joint ventures in the National Industrial Security Program (NISP), including those established under the U.S. Small Business Administration's (SBA) procurement programs. ISOO released the guidance to address how the SBA's regulations governing facility security clearances interact with the NISP requirements with the intent of providing federal agencies with clarity and resolving any "confusion" created by a Government Accountability Office (GAO) decision on Aug. 27, 2021. The guidance also serves to resolve other longstanding and underlying conflicting approaches between SBA and NISP as they relate to joint venture facility security clearances.

Facility Security Clearances for Joint Ventures Under the NISP

The NISP requires any legal entity that will access classified information pursuant to a legitimate government requirement – such as a government contract – undergo an Entity Eligibility Determination (EED), also sometimes called facility security clearance (FCL). See 32 C.F.R. § 2004.32. To be eligible for an EED, an entity must be legally organized and existing in the United States. But what about joint ventures?

For joint ventures formed as separate legal entities (i.e., formed as separate limited liability companies or LLCs), the guidance states that such a joint venture "may be awarded a classified contract and may hold an EED in its own right, although as with any U.S. legal entity, it is not required to hold an EED in order to be awarded the classified contract." The EED or FCL "can be processed after contract award if the JV must have an EED to perform on the classified contract."

For joint ventures that are not established as separate legal entities (i.e., joint ventures formed "by contract"), the guidance notes that such joint ventures cannot be awarded classified contracts in their own right, nor can they hold an EED – again, because they are not distinct legal entities. For these types of joint ventures, "the legal entity or entities that make up the JV are awarded the classified contract directly and must hold the necessary EED, have the employees who will perform on the classified contract, and also employ the NISP security officials." These joint ventures must be "unpopulated" in terms of employees that perform on the classified contract but may employ administrative employees.

SBA Joint Ventures, Including Mentor-Protégé Joint Ventures

SBA's Mentor-Protégé regulations allow an SBA-approved mentor, including large businesses, to joint venture with a small business concern (protégé) in order to enhance the capabilities of the small business concern in exchange for requiring the large business to provide business development assistance and improve the small business's ability to successfully compete for federal contracts. SBA's regulations also permit small businesses participating in SBA's procurement programs to joint venture with another business that qualifies as small under the size standard applicable to the specific procurement the joint venture is pursuing. The regulations except such joint ventures from affiliation where certain requirements are met.

One SBA requirement is that the parties to the joint venture must agree that, for any contract set-aside for small businesses that is to be performed by the joint venture, the small business protégé partner will perform at least 40 percent of the work performed by the joint venture. See 13 C.F.R. § 125.8(c)(1). The work performed by the protégé must be more than administrative or ministerial so that it gains substantive experience.

In order to ensure protégés or other small business joint venture leads actually perform their required share of the work and as a condition to receiving the exception from affiliation, SBA's regulations require the joint venture to be unpopulated (meaning the joint venture itself cannot be populated with individuals intended to perform government contracts). See 13 C.F.R. § 121.103(h)(1). To achieve this, the joint venture must perform the work via subcontracts with its joint venture partners.

SBA's regulations contemplate joint ventures existing either as a separate legal entity (LLCs or other separate legal entities) or "informally," such as via a "formal or informal partnership[.]" See 13 C.F.R. § 121.103(h)(1). However the joint venture is formed, it is SBA's view that the joint venture should not be an ongoing entity but rather something formed for a limited purpose (i.e., the performance of specific contracts) and with a limited duration.

As such, SBA's regulations limit the period of time during which joint ventures can pursue set-aside contracts and enjoy the exception from affiliation. See 13 C.F.R. § 121.103(h) ("Once a joint venture receives a contract, it may submit additional offers for a period of two years from the date of that first award. … SBA will find joint venture partners to be affiliated, and thus will aggregate their receipts and/or employees in determining the size of the joint venture for all small business programs, where the joint venture submits an offer after two years from the date of the first award.").

Because of this limited purpose/limited duration requirement, many SBA-permitted joint ventures are often unable to obtain facility security clearances prior to the time of proposal submission. This is because a facility clearance typically will not be issued unless and until the offering entity actually obtains a contract requiring the clearance – i.e., needs to access classified information pursuant to a legitimate government requirement.

To address this issue, Congress included a provision in the 2020 National Defense Authorization Act (NDAA) prohibiting the U.S. Department of Defense (DoD) from requiring a joint venture to hold a "facility access clearance" if the parties to the joint venture hold the requisite clearance. Similarly, Section 644 of the Small Business Act states that where a small business joint venture entity lacks capabilities or past performance, the procuring agency must consider the capabilities and experience of the joint venture's members. Reinforcing these statutory provisions, the SBA revised its regulations governing joint ventures to include the following provision:

(5) Facility security clearances. A joint venture may be awarded a contract requiring a facility security clearance where either the joint venture itself or the individual partner(s) to the joint venture that will perform the necessary security work has (have) a facility security clearance.

(i) Where a facility security clearance is required to perform primary and vital requirements of a contract, the lead small business partner to the joint venture must possess the required facility security clearance.

(ii) Where the security portion of the contract requiring a facility security clearance is ancillary to the principal purpose of the procurement, the partner to the joint venture that will perform that work must possess the required facility security clearance.

13 C.F.R. § 121.103(h)(5)

Alignment?

ISOO's guidance attempts to align the NISP requirements and the SBA requirements, stating, "[a]s envisioned by the SBA," all work involving classified information performed by an SBA-permitted joint venture (i.e., an unpopulated joint venture) "will be performed by one or both of the individual partners to the JV and by their employees, not by the JV entity itself." In such cases, the NISP Cognizant Security Agency (CSA) will exclude the joint venture entity from access to classified information, unless other indicators (e.g., the joint venture's structure or potential influence, access or control over classified information) indicates the joint venture must have an EED. The guidance makes clear that it is not the case that any SBA-permitted joint venture will never need to hold an EED (a facility security clearance) – the NISP CSA continues to determine on a case-by-case basis whether an entity (including the individual JV entity itself) needs an EED.

Facility Security Officers. Importantly, the guidance also states that although SBA's regulations "suggest" that the joint venture "can include NISP security officials as administrative employees of the JV itself," this "is only the case under NISP rules if the JV is formed as a legal entity and holds an EED." See SBA's regulations at 13 C.F.R. § 121.103(h)(1)(i) ("the joint venture may have its own separate employees to perform administrative functions, including one or more Facility Security Officer(s), but may not have its own separate employees to perform contracts awarded to the joint venture").

Primary Purpose of the Procurement. Additionally, the guidance addresses contracts where "security work is the primary purpose of the procurement[.]" Under SBA's regulations governing mentor-protégé joint ventures, the small business protégé partner is required to perform at least 40 percent of the work performed by the joint venture entity. See 13 C.F.R. § 125.8(c). This work must be "more than administrative or ministerial" so that the small business partner "gains substantive experience." See 13 C.F.R. § 125.8(c)(2). Per the guidance, where "security work is the primary purpose of the procurement," the small business partner "must possess the required EED because it must perform meaningful work relating to the security aspects of the classified contract." Where security work is "ancillary," either party (the small business partner or the large business partner) may perform the work; however, if both partners will each perform some of the security work, then both partners must individuals possess the required EED.

Conclusion

The guidance provides much needed clarity and appropriately reconciles SBA's and NISP's regulations with regard to joint ventures performing classified work.