On September 15, 2022, President Biden issued the Executive Order on Ensuring Robust Consideration of Evolving National Security Risks by the Committee on Foreign Investment in the United States (CFIUS or the Committee). This is the first time in the Committee’s history that a president has expressly directed CFIUS to prioritize certain national security risks when reviewing covered transactions. Although this Executive Order does not change the Committee’s review process or legal jurisdiction, it elaborates on existing factors and adds new national security factors for CFIUS to examine when evaluating covered transactions.

Specifically, the Executive Order requires CFIUS to consider:

(1) Critical supply chain resilience, including the covered transaction’s effect on supply chain security and resilience, both within and outside the defense industrial base. Specifically, consideration of:

  • The degree of involvement a foreign person who is a party to the covered transaction has in the U.S. supply chain, including the foreign person’s concentration of ownership or control.
  • U.S. manufacturing, services, critical mineral resources, and technology capabilities.
  • The degree of diversification through alternate suppliers.
  • Whether the U.S. business that is a party to the covered transaction directly or indirectly supplies the U.S. government, energy sector industrial base, or defense industrial base.

The Executive Order directs CFIUS to focus on supply chain resilience in critical sectors, including artificial intelligence, advanced clean energy, aspects of the agricultural industrial base that have implications relating to food security, biomanufacturing and biotechnology, climate adaptation technologies, and quantum computing.

(2) U.S. technological leadership in critical sectors, especially when foreign investments deal with sectors crucial to U.S. national security. Critical sectors include, but are not limited to, those described above. This factor also instructs the Committee to consider whether a covered transaction involves critical mineral resources, manufacturing capabilities, services, or technologies in those fields.

By evaluating the implications on U.S. technological leadership, the Committee must consider whether “a covered transaction could reasonably result in future advancements and applications in technology that could undermine national security, and whether a foreign person involved in the transaction has ties to third parties that may pose a threat to U.S. national security.”

(3) Aggregate industry investment trends, including the national security risks of multiple acquisitions or investments in similar U.S. businesses in a single sector, or in related manufacturing capabilities, services, critical mineral resources, or technologies.

(4) Cybersecurity risks, including whether a covered transaction could provide foreign persons or third parties with access to conduct cyber intrusions or other malicious cyber-enabled activities that could undermine the protection or integrity of data, election integrity, or U.S. critical infrastructure (including critical energy infrastructure and telecommunications) and the defense industrial base.

(5) Risks to U.S. persons’ sensitive data, including whether the covered transaction involves a U.S. business that has access to sensitive data (e.g., health, digital identity, or other biological data) and any data that could be made identifiable or de‑anonymized through advancing techniques, or whether the foreign investor or parties to whom they are linked could use the information to harm U.S. national security. This factor reflects the U.S. government’s concern that access to sensitive data can create national security risks through its use for surveillance, tracing, tracking, and targeting of individuals or groups of individuals.

Key takeaways

The new Executive Order expands the factors CFIUS considers in reviewing covered transactions. We expect this Executive Order will:

  • Result in increased scrutiny of review and CFIUS mitigation measures in cases where there have been previous transactions in the same, similar, or related sectors, even if the covered transaction, standing alone, does not necessarily present a national security risk.
  • Expand CFIUS’s focus on investments in critical technology, cybersecurity, and sensitive personal data.
  • Require parties that frequently engage in foreign investments like private equity and venture capital to thoroughly assess the likelihood of CFIUS review and the possibility they will need to file a declaration or notice.
  • Raise the number of voluntary notices reviewed by the Committee.
  • Require parties to engage in enhanced due diligence at the beginning of the transaction process to ensure they have a clear understanding of the foreign party or parties involved, including any third-party relationships, to assess whether CFIUS could view them as a threat to national security.