The US Department of Defense’s Defense Security Service (DSS) is moving towards a new procedure in connection with issuing facility security clearances (FCL) to companies under foreign ownership, control or influence (FOCI). In addition to establishing the necessary FOCI mitigation plan (i.e., a Proxy Agreement, Special Security Agreement (SSA) or Security Control Agreement (SCA)), a company seeking to obtain an FCL now must also obtain DSS approval for, and implement, an Electronic Communications Plan (ECP), Technology Control Plan (TCP) and, if applicable, Affiliated Operations Plan (AOP) prior to the FCL being issued. Previously, FCLs would be issued shortly after the Proxy Agreement, SSA or SCA was executed by DSS, with drafts of the ECP, TCP and AOP due to DSS within 45 days of the FOCI mitigation agreement taking effect.
Under its new procedure, DSS is essentially taking the position that, for purposes of issuing a new FCL, a company’s FOCI is not effectively mitigated until the required compliance plans have been approved and implemented. For example, DSS requires that FOCI-mitigated companies operate on a distinct information technology network from their parents and affiliates outside of the FOCI mitigation arrangement, which must be reflected in the company’s ECP. Previously, the ECP would not have had to be in effect until after the FOCI mitigation agreement was executed by DSS and the FCL was already issued. Under this new procedure, however, the ECP must be approved and implemented—and DSS’s computer specialists will audit the company’s network to ensure that it is in compliance with the company’s ECP—prior to issuing the FCL.
The new DSS procedure potentially has significant timing implications as companies often need the FCL to be processed as quickly as possible in order to perform on a new classified contract. Accordingly, in order to facilitate an expedient process, it is essential to carefully plan and prepare the compliance policies early in the process and coordinate them with DSS. The FOCI- mitigated company’s Government Security Committee (GSC) will also need to review and approve the ECP, TCP and AOP and provide written certifications to DSS before DSS will issue the FCL. Accordingly, it is important for foreign shareholders to nominate Outside Director or Proxy Holder candidates as soon as the nominees have been determined and appoint them to the FOCI-mitigated company’s board once they have been approved by DSS. This allows the GSC to effectively be established prior to the FOCI mitigation agreement taking effect, which can support earlier approval of the compliance plans and faster issuance of FCLs.
Please note that the new DSS procedure is specific to companies in the process of obtaining a new FCL. These requirements do not apply to cleared companies that require FOCI mitigation as a result of an acquisition or investment by a foreign (or foreign-owned) entity. In the case of such acquisitions, DSS will continue to rely upon the Commitment Letter process to ensure that FOCI mitigation requirements are satisfied in the interim period between the transaction closing and the FOCI mitigation agreement taking effect. Nonetheless, even in that context, DSS will expect the cleared company to move expeditiously towards developing and implementing an ECP, TCP and AOP.
In all cases, it is critical to consider carefully the desires of the parties regarding how the cleared company will operate, as well as the DSS concerns regarding FOCI, in order to plan and implement an effective compliance structure that successfully balances business needs and security requirements.