The Defense Security Service (DSS) on Nov. 8, 2017, issued a Memorandum for Cleared Companies Operating Under Foreign Ownership, Control or Influence Mitigation Agreements Administered by the Defense Security Service. The new memorandum serves as official cancellation of the phone log requirements described in the Electronic Communications Plan (ECP) template – an important piece of DSS' foreign ownership, control, or influence (FOCI) mitigation program. DSS advised that the memorandum may be used as a reference during a FOCI company's next scheduled security vulnerability assessment.
Communication with foreign owners has been the subject of FOCI mitigation controls going back many decades. In addition to notification procedures for face-to-face visits, controls have been applied to other forms of communication such as telephone, videoconference, email and direct messaging.
Most existing DSS mitigation agreements contain a provision regulating electronic communications. These agreements define the term "electronic communications" broadly and make clear that the common devices used to transfer electronic communications include telephone (including teleconferences), facsimile, video (including videoconferences), internet (including Voice over Internet Protocol, instant messaging and any other web-based means) and electronic mail. To that end, the established practice at DSS has been to accept phone logs as an adequate control on telephone communications. While this practice has surely created a burden that increases with the volume of telephonic communications, it also functioned as a practical substitute for the prior written approvals that are still required for face-to-face visits and most video teleconferences.
Specifically, the DSS approach required that personnel at FOCI companies document telephone interactions with their foreign-controlled affiliates, provide this documentation to the facility security officer, and report quarterly to the government security committee, based on the phone logs, that no telephone communications resulted in a disclosure of classified information or in undue influence from the affiliates.
Removing the burden of phone logs is ostensibly a huge boon to FOCI companies to the extent that it liberalizes open communication with foreign owners. As such, the new policy appears to have the effect of removing all controls on telephonic communication so that phone calls are now on par with communications sent by post, which are currently not subject to any DSS FOCI mitigation measures. Looking forward, it will be important for FOCI companies to confirm whether DSS expects them to maintain yet-to-be-determined controls on telephone calls, and if so, what those controls are.
It is recommended that facility security officers and government security committees maintain written procedures that document how company telephone communications will be conducted in a manner consistent with the company's national security responsibilities despite the fact that phone logs are no longer required.