DCSA facility clearance audits — formally called Facility Security Clearance (FCL) reviews under the NISPOM — examine whether a cleared contractor facility maintains its FCL in compliance with 32 CFR Part 117. The scope of an FCL review covers the full range of NISPOM requirements: physical security, information security, personnel security, and program security for any Special Access Programs (SAPs) or Sensitive Compartmented Information (SCI) programs under the facility's purview.
Within personnel security, identity documentation has become one of the most consistently examined areas in recent DCSA reviews. The reason is structural: personnel security records are the foundation on which every other security program element depends. DCSA reviewers who find documentation gaps in personnel records cannot fully evaluate whether access controls are working as intended, because the records that would demonstrate control effectiveness are incomplete.
This guide organizes the identity documentation categories DCSA reviewers most commonly request, with specific guidance on what the documentation must contain to satisfy reviewer expectations.
Personnel Security Files: The Core Documentation Category
The Personnel Security File (PSF) is the primary document category DCSA reviewers examine during an FCL audit. Under NISPOM Section 3-100, each cleared individual must have a PSF maintained by the FSO that contains the documentation supporting their clearance and continued access authorization.
DCSA reviewers typically request a sample of PSFs — often 10 to 20 percent of cleared personnel, with selection weighted toward recent hires, personnel with recent access changes, and any personnel flagged in DISS for adverse information. For each PSF reviewed, the documentation checklist includes:
- Clearance determination documentation — including the level, the investigation basis, and the granting authority
- Signed SF-312 (Classified Information Nondisclosure Agreement), dated prior to first classified access
- Initial security briefing acknowledgment, with date and topic coverage confirmed
- Identity proofing record — documentation of what identity documents were reviewed, when, and by whom
- Access authorization records — what facility areas, classification levels, and information systems the individual is authorized to access
- Re-briefing records for annual refresher training
- Any adverse information reports, foreign travel reports, or security-relevant event records
The identity proofing record is frequently absent or inadequate. A common finding pattern: the PSF contains the SF-86 printout, the SF-312, and the initial briefing record, but no documentation of the physical identity verification that occurred at onboarding — no record of what document was reviewed, when, or whether the document matched the DISS record. Reviewers treat this absence as indicating that identity proofing may not have been conducted, not as an administrative omission.
Re-Verification Events: The Gap DCSA Finds Most Frequently
NISPOM establishes that personnel security is an ongoing program, not a one-time clearance determination. Several categories of events trigger re-verification obligations that must be documented in the PSF:
- Expiration of identity documents: When the government-issued ID on file expires, re-verification is required. Facilities that do not track document expiration dates have no mechanism to initiate re-verification and no documentation that it occurred.
- Extended foreign travel: Cleared personnel returning from travel to NISPOM Appendix B countries or countries of counterintelligence concern require security debriefs that include identity confirmation. The debrief record must document that the debriefer confirmed the individual's identity, not merely that a debrief occurred.
- Role transitions: Personnel transitioning from one cleared position to another, particularly when the transition involves a change in access scope, require access authorization re-documentation. The PSF must reflect the current authorized access scope, not just the initial access grant.
- Reinstatement after inactivity: When a cleared individual's access has been inactive for 24 months or more (the standard NISPOM reinvestigation trigger threshold), reinstatement requires documented re-verification of identity and clearance status before access is restored.
Consider a mid-size cleared defense contractor supporting classified logistics management programs, with a 60-person cleared workforce. During their FCL review, DCSA requested re-verification records for all personnel who had reported foreign travel in the prior 18 months. Of 14 foreign travel reports on file, 7 had debrief records — but only 2 of those 7 debrief records documented that identity verification had occurred during the debrief. The finding: 5 personnel records were deficient in re-verification documentation following foreign travel. The corrective action plan required implementing a standardized debrief form that explicitly included an identity verification attestation field.
Access Transition Records: Provisioning, Modification, and Revocation
DCSA reviewers examine access transition records to verify that the facility's access authorization process maintains integrity across the full employee lifecycle. Three transition categories receive the most scrutiny:
Initial provisioning: The PSF must document when access was granted, to what systems and areas, at what classification level, and on whose authorization. The provisioning record should be dated after the clearance verification and identity proofing documentation, demonstrating correct sequencing. Provisioning records that predate identity proofing documentation are a sequencing finding even if the technical access was appropriate.
Access modification: When a cleared individual's access scope changes — new system access, elevated classification level, removal of access to a specific program — the PSF should reflect the modification with a date and authorizing FSO signature. Facilities that manage access modifications only in their access control systems, without corresponding PSF documentation, have a documentation gap that reviewers will find when they cross-reference PSF records against access control system logs.
Access revocation and separation: NISPOM requires immediate revocation of access upon separation. "Immediate" is not defined in hours, but DCSA reviewers will compare the separation date in HR records against the access revocation date in both the PSF and the access control system. Gaps exceeding one business day require explanation; gaps exceeding several business days will generate a finding. DISS record updates — deactivating the DISS access authorization record for the separated employee — must also occur within DCSA's required reporting window.
We are not suggesting that every access transition gap is evidence of intentional misconduct or insider threat activity. The documentation requirement exists because the PSF is a retroactive investigation tool — its value is greatest when it needs to be used, which is also when the cost of documentation gaps is highest. An incomplete PSF cannot tell investigators what access a person held at a specific point in time if the access modification records were not maintained.
DISS Record Currency: The Cross-Reference DCSA Always Checks
DCSA reviewers will cross-reference PSF records against DISS records for a sample of cleared personnel. The most common discrepancy patterns they look for: individuals present in the facility's cleared workforce list whose DISS records have not been updated to reflect their current employer, individuals whose DISS records show a security concern flag that is not reflected in any PSF documentation, and individuals who have separated from the facility but whose DISS records have not been updated to reflect separation.
DISS record management is a shared responsibility between the FSO and DCSA's Industrial Security Representative (ISR) for the facility. The FSO is responsible for reporting personnel security changes — new hires, separations, changes in access scope — to DCSA within required timelines. DCSA ISRs process those updates in DISS. When the FSO's reporting is delayed, DISS records lag behind the actual personnel security status.
The practical implication for audit readiness: FSOs should run a periodic reconciliation between their internal cleared personnel roster and DISS records, verifying that every individual on the internal roster has a current DISS record, that their clearance status in DISS matches the PSF documentation, and that no separated personnel remain active in DISS. This reconciliation should be documented — the date it was run, the number of records reviewed, and any discrepancies found and resolved.
For security officers building systematic processes for this documentation, our FSO platform capabilities include DISS-linked record management and audit export functions. For the onboarding-specific documentation sequence that populates these records correctly from day one, see our cleared personnel onboarding checklist. For the broader InTP context in which these records serve as operational evidence, see our guide on identity verification for NISPOM-required insider threat programs.
Preparing for an FCL Review: A Pre-Audit Documentation Process
DCSA typically provides advance notice for FCL reviews — usually 30 to 90 days for standard reviews, with shorter notice for specific program security inspections or for-cause reviews. The FSO's pre-audit process should prioritize the documentation categories with the highest finding frequency.
A practical pre-audit sequence: (1) Pull the full cleared personnel roster and verify DISS currency for each individual; (2) Sample 20 to 30 percent of PSFs for completeness against the documentation checklist — prioritizing recent hires, personnel with recent access changes, and any personnel with reported foreign travel or adverse information; (3) Identify and remediate gaps in re-verification documentation for trigger events in the prior 24 months; (4) Verify that separation records in the prior 12 months show access revocation dates at or before separation dates; (5) Confirm that access modification records in the PSF are current and match access control system records.
The goal of pre-audit remediation is not to manufacture documentation after the fact — retroactively created records that appear fabricated will generate far more serious findings than gaps. The goal is to identify whether gaps reflect actual process failures that need corrective action plans, and to ensure that documentation that exists but is misfiled or in the wrong format is organized and accessible before DCSA reviewers arrive.