It is more nuanced than this. A startup is virtually never a "national security project" even if they end up involved in an actual national security project. The kinds of background checks startups do are the same as any other company in any industry. It has nothing to do with national security. There are many things that can factor into a citizenship constraint depending on the type of business.
A "real" national security background check requires support and sponsorship from a national government, and governments don't provide that casually to anyone that asks. If a startup finds themselves with national security customers, there is no requirement for the startup to go full-on Secret Squirrel but governments will calibrate their trust in the startup by how seriously the startup takes security and how diligent they are when vetting employees. It does not involve everyone getting a security clearance, which would not be possible anyway if the startup works with multiple national governments.
I find the opposite situation is more common in practice: startups that find themselves in the national security space are often naive about what constitutes a baseline level of security, vetting their employees, and the pervasiveness and character of espionage programs.
It is important to recognize that national security considerations are starting to affect startups that never go anywhere near national security customers due to escalating concerns and increased rigor around software supply chains. You may not have an interest in national security but national security may take an interest in you. This has ramifications for many software business models.
A "real" national security background check requires support and sponsorship from a national government, and governments don't provide that casually to anyone that asks. If a startup finds themselves with national security customers, there is no requirement for the startup to go full-on Secret Squirrel but governments will calibrate their trust in the startup by how seriously the startup takes security and how diligent they are when vetting employees. It does not involve everyone getting a security clearance, which would not be possible anyway if the startup works with multiple national governments.
I find the opposite situation is more common in practice: startups that find themselves in the national security space are often naive about what constitutes a baseline level of security, vetting their employees, and the pervasiveness and character of espionage programs.
It is important to recognize that national security considerations are starting to affect startups that never go anywhere near national security customers due to escalating concerns and increased rigor around software supply chains. You may not have an interest in national security but national security may take an interest in you. This has ramifications for many software business models.