The Information and Security Oversight Office (“ISOO”) provided a Joint Notice , 2024-01, regarding the eligibility determinations of joint ventures (“JV”)—specifically addressing the unpopulated structure of JV due to SBA regulations. Overall, the eligibility of each entity participating in a JV with security will be evaluated on a case by case basis, but there is some good guidance that reconciles the tension between unpopulated JVs and security clearances.
Lots of acronyms should be explained first as there are many players involved. NISP is the National Industrial Security Program. NIPSOM is the National Industrial Security Program Operating Manual. 13 CFR 121.103(h) is the SBA regulation on size and JVs, which require, in many instances, the JVs be unpopulated. EED is Entity Eligibility Determinations also known as Facility Security Clearances—FCLs.
Some basics—while the JV itself may not be required to hold an EED, the company accessing the secure information must hold the EED. A NISP agent will assess the business structure of the JV and determine which companies may need the EED. A JV formed as a separate legal entity may be awarded a classified contract and may hold an EED in its own right although it is not required to do so as the EED may be processed after contract award if such a clearance is necessary.
If the JV is not a separate legal entity but formed by contract alone then the JV cannot hold an EED. Instead, the entities making up the JV—the partner or partners accessing the information—must hold the EED, must be awarded the contract directly, have the employees who will perform the classified contract, and have the Facility Security Officer (FSO).
SBA Rules—SBA envisions the work performed by a JV to be performed and measured by the partners to it—thus, the JV is unpopulated with the people to perform the work. “Although the SBA rule suggests that the JV can include NISP security officials as administrative employees of the JV itself, this is only the case under NISP rules if the JV is formed as a legal entity and holds an EED.”
• Any entity in the JV that will perform the security work must possess the EED.
• The SBA rule does not contemplate any entity without the required clearance performing the security work for which must hold an EED under NISP requirements.
• As stated above for the different requirements of a separate legal entity or one solely formed by contract, the security agent will determine the structure, who is performing the work, and then decide what entity or entities in the JV need to hold an EED.
For the original guidance issued please click here: ISOO Joint Notice 2024-01 NISP-SBA re JVs