Industrial Security
Protecting the cleared industrial base where classified work actually happens: in facilities, programs, and the people who run them.
Security programs built for the assessment and the adversary behind it.
ECG helps cleared contractors and the government organizations that oversee them build, assess, and strengthen industrial security programs. Our practitioners bring operational experience inside the National Industrial Security Program, spanning facility clearances, foreign ownership risk, insider threat, and counterintelligence integration across the cleared industrial base.
We work in an advisory capacity across the full life of a security program: standing up a first facility clearance, designing FOCI mitigation that operates day to day, preparing for government assessments, and maturing the insider threat and personnel security obligations that come with cleared work. The standard is the same throughout. Documentation that holds up to review, and a posture that holds up to the threat.
From first sponsorship through sustained compliance.
Six capability areas span the industrial security lifecycle, delivered by practitioners with hands-on experience inside the National Industrial Security Program.
Facility Clearance Lifecycle Support
Sponsorship strategy, initial FCL package preparation, key management personnel structuring, NISS submissions, and change condition reporting. Sustained clearance health through self-inspection programs and readiness for government assessments.
FOCI Risk Assessment and Mitigation
Foreign ownership, control, or influence analysis for transactions and standing corporate structures. Design and operation of mitigation instruments: board resolutions, Security Control Agreements, Special Security Agreements, proxy arrangements, and Electronic Communications Plans.
NISP and 32 CFR Part 117 Readiness
Gap assessments against the NISPOM rule, security vulnerability assessment preparation, corrective action planning, and program documentation built to stand up to government review the first time.
Insider Threat for Cleared Industry
Program design and maturation for ITPSO obligations: governance, triage and reporting workflows, training, and integration of behavioral indicators with security and HR processes. Programs scaled to the facility, not copied from a template.
Counterintelligence Integration
Threat awareness built from operational CI experience: how foreign intelligence entities target cleared facilities, suspicious contact reporting programs that produce real reports, and CI input to security posture for facilities holding critical program information.
Personnel Security and Continuous Vetting
Alignment of contractor personnel security programs with Trusted Workforce 2.0: eligibility management, continuous vetting enrollment, reporting requirements, and adjudication support workflows that keep cleared populations current.
Practitioners, not checklist auditors.
Four operating principles that distinguish how ECG runs industrial security work.
Operational Experience First
Our practitioners have worked inside the National Industrial Security Program, not just read about it. They know how facility clearances are processed, how assessments are conducted, and where programs actually fail. That experience shapes every recommendation we make.
Mitigation That Operates
A FOCI instrument that exists only on paper protects nobody. We design board resolutions, agreements, and Electronic Communications Plans around how the business actually runs, so the mitigation works on a Tuesday afternoon, not just at the annual review.
Built for Review and for Threat
Compliance and security are different tests, and a program has to pass both. We write documentation that stands up to government assessment and build posture that stands up to foreign intelligence targeting. A program that does one without the other fails twice.
Education That Creates Ownership
Required annual briefings are the floor, not the program. We build tailored curricula for security staff and cleared employees, and we put security risk in front of leadership in business terms, because a program only matures when the people who own the risk understand it.
Where this work shows up.
Representative scenarios that reflect the kinds of problems ECG industrial security practitioners work.
First Facility Clearance
A company entering cleared work for the first time needs sponsorship strategy, an FCL package that processes cleanly, key management personnel structured correctly, and a security program ready to operate the day the clearance is granted.
Foreign Investment Under Deal Pressure
An acquisition or investment introduces foreign ownership questions on a compressed timeline. FOCI analysis, mitigation instrument design, and coordination of the security workstream so the deal and the clearance survive together.
Government Review on the Calendar
A cleared facility facing a security vulnerability assessment needs an honest gap review against 32 CFR Part 117, a corrective action plan with real owners and dates, and documentation that reflects how the program actually runs.
SAP Security Support
Program security support for special access program environments: facility and program documentation, access management discipline, and compliance with DoD SAP security requirements sustained across the program lifecycle.
Aligned to the authorities that govern this work.
Industrial security answers to a dense body of regulation and policy. ECG operates fluently across all of it.
Where ECG also delivers.
Ready to strengthen your security program?
Tell us where your program stands today. We will route to leadership and acknowledge within one business day.