On May 11, 2016, the Defense Security Service (DSS) released a new guide on mitigating and managing affiliate operations for entities bound by a Foreign Ownership, Control, or Influence (FOCI) mitigation agreement. The guide, titled Navigating the Affiliated Operations Plan: A Guide for Industry, outlines how companies can identify whether they are engaging in affiliated operations, submit an Affiliated Operations Plan (AOP), and ensure that they are properly mitigating potential risks. In compiling an AOP, a company is expected to describe all operations and services it intends to share with affiliates, as well as the potential risks of the collaboration and how those risks will be mitigated. The guide emphasizes that, unless there are special circumstances, an AOP must be provided before a company can start leveraging any affiliated operations.
Affiliated operations are cooperative administrative, commercial or operational endeavors between a mitigated company and an affiliate. Sharing human resources, disclosing financials and accounting data, permitting audits, engaging in business development, collaborating in marketing, sharing personnel, and sharing legal counsel are all considered affiliate operations that must be approved by DSS. According to DSS, such services can potentially permit an affiliate entity to exert undue influence and undermine the managerial and operational independence of a mitigated company. Another concern is the potential disclosure of confidential and operational security information as a result of access to a mitigated company’s records. To alleviate the risk of a breach in security, the guide recommends transparency through close collaboration with DSS, the Government Security Committee (GSC) and Facility Security Officers (FSOs). The guide encourages GSC review of the type of information disclosed to the affiliate, as well as the method and format of the disclosure. To protect operational independence, the guide mandates that mitigated companies reserve the ultimate decision-making authority for themselves. A mitigated company should demonstrate that it is not dependent on an affiliate and has alternative means for obtaining a shared service.
In putting together an AOP, a company is expected to use the DSS-formatted templates available at http://www.dss.mil/isp/foci/affiliated-operations-plan.html. In populating the template, a company should provide DSS with a description of the shared service, the potential risks of collaboration, the company’s mitigating measures, and the details of an internal review conducted by the company, as well as an external review conducted by DSS. In describing the service, the mitigated entity should include the following details:
- The entity providing the affiliated operation
- To whom that entity is providing the benefit
- Why that entity is providing the benefit
- Who will pay for the benefit
- What it would cost for the mitigated company to perform the service on its own
- How the affiliated operation will be implemented
- Whether the leveraging operation is mandatory
- What technology will be utilized in the operation
- Who owns this technology
- The types of information to be exchanged
- The frequency of interaction between the company and the affiliate
In addition, under the “review of service” section, the company should specify the internal steps GSC will take to ensure compliance with mitigating procedures, as well as how the FSO and Technology Control Officer (TCO) will participate in securing compliance. The mitigated company should provide documents and the names of employees that DSS can review to verify compliance. Lastly, the mitigated company and affiliates must provide signed statements acknowledging their understanding that DSS may require immediate termination of the services if there is serious or systematic non-compliance.
Finally, the guide offers some best practices for mitigated companies considering affiliate operations. First, a mitigated company should not assume that a service does not create a FOCI risk. Similarly, a company that believes the risk has already been mitigated is still required to submit an AOP. Unless there are unusual circumstances, unapproved affiliated operations may affect the status of the facility security clearance and may impact a company’s final security rating. Even in the case of unusual circumstances that require an affiliate operation prior to DSS approval, a mitigated company must promptly notify DSS of the situation. To ensure compliance following DSS approval, the GSC must certify that it is monitoring the affiliated operations and that those operations do not allow affiliates to exercise undue influence or control, allow unauthorized access to sensitive government information, or introduce new and unmitigated risk. To facilitate compliance, a mitigated company should maintain management support from the GSC, should include an FSO in management and board meetings, and should train employees to notify the FSO when operations are leveraged. In the end, erring on the side of disclosure and inviting DSS and GSC involvement are the best options for securing AOP approval and future compliance with the plan.