In a recently issued interim final regulation, the U.S. Department of Defense (DoD) has codified and clarified many of its policies applicable to government contractors that are subject to foreign ownership, control or influence (FOCI) and are working with – or seek to work with – classified information. 1 Although these policies are for the most part not new, their codification in a formal rulemaking is significant for several reasons: First, it makes the DoD policies and procedures in this area much more transparent: previously, other than the relatively high-level provisions on FOCI in the National Industrial Security Program Operating Manual (NISPOM), agency guidance has largely been available only through individual contacts with DoD staff. Second, the new rule offers contractors more certainty in planning transactions that may result in FOCI. The new rule prescribes certain specific deadlines for private sector and agency actions related to mitigating FOCI, and expressly states that, if DoD is not provided with specific identification of a foreign entity with an ownership or voting interest of five percent or more in a U.S. company, including through a private equity or hedge fund, DoD may deny that company access to classified information. Third, the new rule presages increased formalization and uniformity in DoD standards beyond the area of FOCI: it is part of a broad initiative by the agency to review and update policies and procedures. Background and Applicable Scope of the New Rule Under policies set forth in the NISPOM and DoD’s “Policy Guidance for Foreign Ownership, Control, or Influence (FOCI),” 2 when a foreign entity seeks to acquire an interest in a U.S. company that is authorized to have access to classified data pursuant to a facility security clearance (FCL), or when a U.S. company subject to FOCI wishes to obtain an FCL, measures must be implemented to mitigate (or “negate”) the FOCI so as to protect the security of the classified information to which the U.S. company has, or seeks to have, access. As stated in the new rule, a company is deemed subject to FOCI whenever “a foreign interest has the power, direct or indirect, whether or not exercised, …to direct or decide matters affecting the management or operations of that company in a manner that may result in unauthorized access to classified information or may adversely affect the performance of classified contracts.” 3 T h e r e a r e f o u r p r i n c i p a l t e c h n i q u e s f o r m i t i g a t i n g FOCI, each of which is described in the new rule as applicable depending on particular circumstances. The four measures range from a relatively simple Board Resolution, to the more complex arrangements under a Security Control Agreement, Special Security Agreement, or Proxy Agreement/Voting Trust Agreement (the latter being the most stringent and protective). 4 The new rule details the terms of each of these types of FOCI mitigation and the circumstances under which each may be appropriate. Perhaps most notably, the new rule codifies policies and procedures regarding: 1. How decisions will be made on the appropriate means to mitigate FOCI; 2. Timing of agency and contractor actions involved in FOCI-mitigation; and 3. Requirements for coordinating with the Committee on Foreign Investment in the United States. Importantly, the new rule governs only those agencies that are either “DoD Components” 5 or have entered into agreements with DoD under which DoD’s Defense Security Service (DSS) acts as the NISP Cognizant Security Agency (CSA) with respect to security services for protecting classified information. Agencies that act independently of DSS and are therefore not subject to the new rule include the Department of Energy, the Office of the Director of National Intelligence, and the Nuclear Regulatory Commission, each of which administers programs similar, but not identical, to that of DSS and which may – but not necessarily will – take steps to align its policies with those prescribed in the new rule. Issues Addressed In the New Rule 1. Who and What Determines How FOCI Should Be Mitigated? The new r ul e makes c l ea r t ha t a l t hough t he r e a r e certain factors that generally determine the appropriate mechanism for mitigating FOCI in a given circumstance, DSS maintains wide discretion to make a final decision. In particular, the rule expressly emphasizes that, while two principal determinants of the appropriate FOCI-mitigation measure for a U.S. company are (1) the nature and extent of foreign interest in the company (e.g., a majority, substantial minority, or lesser ownership position) and (2) the type and sensitivity of the classified information to be accessed by the company, those factors “should not be construed as DoD-sanctioned criteria mandating the selection or acceptance of a certain FOCI action plan,” and that “DSS retains the authority to reject or modify any proposed FOCI action plan.” 6 Accordingly, government contractors should approach FOCI mitigation with the expectation that, even if the percentage of foreign ownership in their organization is very low, for example, such that a board resolution would typically suffice, DSS may determine that a more stringent and extensive mitigation measure is required. The new rule enumerates several factors that might drive DSS to such a decision, including: the country or countries in which the foreign interest is domiciled and has its principal place of business (if not in the country of domicile);
the U.S. company’s record of enforcement and/or engagement in unauthorized technology transfer and record of compliance with pertinent U.S. laws, regulations, and contracts; the nature of any relevant bilateral and multilateral security and information exchange agreements (e.g., the political and military relationship between the U.S. Government and the government of the foreign interest); any ownership or control, in whole or in part, that could be exercised over the U.S. company by a foreign government; and any other factor that indicates or demonstrates a capability on the part of foreign interests to control or influence the operations or management of the business organization concerned. 7 Before negotiating a deal with a foreign investor, a U.S. government contractor with an FCL should carefully assess these factors, in relation to the types of classified information needed for its contract performance, in deciding whether to proceed with the deal. 2. When Are FOCI-Related Determinations Made? The principal trigger for DSS to assess the existence of FOCI and to commence the process of selecting a FOCI-mitigation technique is the submission by a U.S. government contractor of a Certificate Pertaining to Foreign Interests (DoD Standard Form (SF) 328). Such submission is required to obtain an FCL and updates to the SF 328 must be submitted in the event of any relevant changed circumstances. As stated in the new rule: “Changed conditions, such as a change in ownership, indebtedness, or a foreign intelligence threat, may … require the use of a particular FOCI mitigation or negation agreement” or, in some cases, justify a determination by DSS “that a contractor is no longer eligible for an FCL.” Typically, a U.S. contractor that is undergoing a change in ownership that involves a merger with, sale to, or acquisition by a foreign interest will work with DSS on a FOCI-mitigation plan prior to consummating the transaction. The new rule codifies DSS’s position that, when an acceptable FOCI-mitigation agreement has not been reached before such a transaction occurs, “DSS will invalidate any existing FCL until such time as DSS determines that the contractor has submitted an acceptable FOCI action plan … and has agreed to inter im measures that address FOCI concerns pending formal execution of a FOCI mitigation or negation agreement.” 8 As stated in the new rule: “Invalidation renders the contractor ineligible to receive new classified material or to bid on new classified contracts.” Only if “the affected GCA [government contracting agency] determines that continued access to classified material is required,” and where “there is no indication that classified information is at risk of compromise,” will DSS consider continuing the FCL in an invalidated status. 9 As a significant new policy, the rule provides certain t ime l ines and bo t tom - l ine c r i te r i a fo r FOC I - r e la ted decisions: First, if “DSS determines that a company may be ineligible for an FCL by virtue of FOCI, or that additional action by the company may be necessary to mitigate the FOCI or associated risks,” DSS will notify the company and require it to submit a FOCI action plan within 30 calendar days of the notification. “In addition, DSS will advise company management that failure to submit the requested plan within the prescribed period of time will result in termination of FCL processing or initiation of action to revoke an existing FCL, as applicable.” DSS will provide written feedback to the company on the acceptability of the FOCI action plan within 30 calendar days after receiving the proposed plan. 10 Second, if a company disputes a decision that it is under FOCI, or disputes DSS’s decision that a particular type of FOCI-mitigation is required, the company may, within 30 days after receiving notice of that decision, submit a written appeal to the DSS Director. In such an appeal, the company must “identify the specific relief sought and the grounds for that relief,” and should be prepared to provided additional information to DSS upon request. DSS, in turn, must respond to the appeal within 30 days of its submission – either with a decision or an estimated date for rendering a decision. 11 Third, if the information provided to DSS fails to permit specific identification of a foreign owner or foreign voting interest of five percent or more in the U.S. company (whether in the context of an appeal or otherwise), DSS may deter mine that the company is not eligible for an FCL (and thus may terminate an existing FCL). The new rule expressly points out the potential for such action in cases where participating investors in a foreign investment or hedge fund are investing five percent or more in a cleared company but have not been individually identified to DSS. 3. How Will FOCI Decisions Be Coordinated With CFIUS? The new rule also codifies procedures for coordinating DSS FOCI-mitigation decisions with decisions of the Committee on Foreign Investment in the United States (CFIUS) on proposed investments that will result in foreign control over U.S. companies and might affect U.S. national security. As the rule explains, although DoD is a member of CFIUS, “[t]he CFIUS review and the DSS industrial security review for FOCI are separate processes subject to independent authorities, with different time constraints and considerations.” And, although CFIUS acts independently of DSS in determining whether a proposed foreign investment may threaten to impair national security and therefore require U.S. Government intervention to mitigate that threat, “CFIUS may not m i t i gate nat i ona l secur i t y r i sks t hat a r e adequate ly addressed by other provisions of law.” 12 The implication is that, if DSS imposes a FOCI-mitigation measure by agreement with a U.S. government contractor, CFIUS lacks authority to impose additional national security risk-mitigation measures absent some showing that the DSS-imposed measure is inadequate.
W i t h r espec t to t he t i m i ng of DSS FOC I - m i t i gat i on decisions in relation to CFIUS reviews, which are subject to specific statutory time limits, the new rule provides as follows: If the NISP process has not begun or has not been completed pr ior to the submission of a CFIUS notice, DSS will review, adjudicate, and mitigate FOCI on a priority basis. By the 10th calendar day after the CFIUS review period begins, DSS will advise the DoD CFIUS team electronically of the U.S. company’s FCL status (e.g., no FCL, FCL in process, and level of clearance). For contractors or U.S. companies in process for an FCL, DSS will provide specific information regarding the contractor/company in a signed memorandum, with rationale for DSS’s views on FOCI mitigation and whether additional time is needed to assess FOCI mitigation than is afforded by the prescribed CFIUS review timeline. If it appears that DSS will not be able to reach agreement with the U.S. target company on material terms of a FOCI action plan, or if the U.S. company subject to the proposed transaction fails to comply with the FOCI reporting requirements, DSS may recommend that there be additional time to resolve any national security issues related to FOCI mitigation, which could mean that CFIUS would extend its review beyond the initial 30-day period prescribed by statute to a 45-day investigation. 13 Further, in a provision notable to entities considering w h e t h e r t o n o t i f y C F I U S v o l u n t a r y o f a p r o p o s e d investment that will result in foreign control over a U.S. government contractor, the new rule states that “if DSS, under its FOCI authorities, is notified of a transaction with respect to which the parties thereto have not filed a notice with CFIUS, DSS will notify the [DoD] CFIUS Team” through the proper channels. 14