When it was enacted in August 2018, the Foreign Investment Risk Review Modernization Act of 2018 (FIRRMA) overhauled the US law governing CFIUS national security reviews for the first time in 11 years. Many of FIRRMA's most significant changes, however, await implementing regulations or other action by the Trump Administration before going into force, a process that likely has been stalled due to the US Government shutdown. This CFIUS update focuses on what has been done to date.

In October 2018 regulations, CFIUS took the first step in implementing some of those FIRRMA provisions that were not effective immediately on enactment. The new rules, set up as a pilot program expiring in March 2020, implement two game-changing provisions of FIRRMA by extending CFIUS jurisdiction to certain non-controlling foreign investments in certain US critical technology businesses, and by subjecting those investments, whether controlling or not, to a mandatory shortform CFIUS declaration. The regulations also set out the rules for application of an exemption from the mandatory declaration when indirect foreign investments are made through certain investment funds. Prior to FIRRMA and these regulations, CFIUS could only assert jurisdiction over transactions that could result in foreign control of a US business--not non-controlling investments--and CFIUS filings were generally voluntary, although CFIUS had the authority to self-initiate a formal review.


The pilot program regulations require a mandatory, short-form declaration in cases in which a foreign person makes a controlling or certain non-controlling investments in an unaffiliated US business1 that produces, designs, tests, manufactures, fabricates, or develops any of the 27 critical technologies listed in the regulations. The mandatory filings are required in the case of non-controlling investments when the foreign investor has access to any material non-public technical information in the possession of the US business, or membership or observer rights on the US company's board of directors; or has any right beyond its voting shares to make decisions for the US business regarding the use, development, acquisition, or release of critical technology.

The 27 critical technologies, listed in the regulations by their NAICS codes, include the following:

- Aircraft Manufacturing

- Aircraft Engine and Engine Parts Manufacturing

- Alumina Refining and Primary Aluminum Production

- Ball and Roller Bearing Manufacturing

- Computer Storage Device Manufacturing

- Electronic Computer Manufacturing

- Guided Missile and Space Vehicle Manufacturing

- Guided Missile and Space Vehicle Propulsion Unit and Propulsion Unit Parts Manufacturing

- Military Armored Vehicle, Tank, and Tank Component Manufacturing

- Nuclear Electric Power Generation - Optical Instrument and Lens Manufacturing

- Other Basic Inorganic Chemical Manufacturing

- Other Guided Missile and Space Vehicle Parts and Auxiliary Equipment Manufacturing

- Petrochemical Manufacturing - Powder Metallurgy Part Manufacturing

- Power, Distribution, and Specialty Transformer Manufacturing

- Primary Battery Manufacturing

- Radio and Television Broadcasting and Wireless Communications Equipment Manufacturing

- Research and Development in Nanotechnology

- Research and Development in Biotechnology (except Nanobiotechnology)

- Secondary Smelting and Alloying of Aluminum

- Search, Detection, Navigation, Guidance, Aeronautical, and Nautical System and Instrument Manufacturing 

- Semiconductor and Related Device Manufacturing

- Semiconductor Machinery Manufacturing

- Storage Battery Manufacturing

- Telephone Apparatus Manufacturing

- Turbine and Turbine Generator Set Units Manufacturing

The October regulations also clarified a FIRRMA provision giving an exemption from the mandatory declaration for indirect foreign investments made through certain investment funds. The exemption applies when the foreign investor has membership as a limited partner or equivalent on an advisory board or a committee of the fund and the following is in place:

- The fund is an ``investment company,'' as defined in section #(a) of the Investment Company Act of 1940;

- The fund is managed exclusively by a general partner who is not the foreign person;

- Neither the advisory board nor the foreign person has the ability to approve, disapprove, or otherwise control investment decisions of the fund or the entities in which the fund is invested or to unilaterally select or dismiss the general partner; and

- The foreign person does not have access to material non-public technical information as a result of its participation on the advisory board or committee.

Contents of the mandatory declaration, which is much shorter in duration than the filing of a CFIUS notice, include information about the transaction, the entities financing it, and the parties, including any governance rights held by foreign persons and any access foreign persons will have to material non-public technical information.4 The regulations also require submission of certain business information regarding the corporate parents of the foreign investors, including any shareholder with greater than a five percent interest in the ultimate parent, when the parent is a public company.

CFIUS has 30 days to review the declaration, at which time CFIUS will do one of the following: (i) request that the parties file a full CFIUS notice; (ii) inform the parties that CFIUS is not able to complete action based on the declaration; (iii) self-initiate a CFIUS review; or (iv) notify the parties in writing that the Committee has concluded all action. Parties may file a traditional formal CFIUS notice in lieu of a short-form declaration. The regulations provide for penalties up to the value of the transaction for any person who does not comply with the mandatory filing requirement.


As noted above, prior to FIRRMA, CFIUS could exercise jurisdiction only when a transaction could result in control of a US business by a foreign person, with a focus on whether the foreign person, through a combination of equity and governance, could decide important matters affecting the US business, giving parties at least some certainty of which organizational structures are more likely to invoke CFIUS jurisdiction. That analysis has been made more complicated by the pilot program regulations, which introduce a number of new elements in determining which non-controlling "critical technologies" investments are subject to CFIUS jurisdiction, and when those investments require a mandatory declaration. The new rules also change when the CFIUS "safe harbor" for additional investments is available. That safe harbor does not apply in the case of a mandatory declaration.5 Another important factor for US and foreign companies to consider is that the October regulations only implement part of the statute referring to both mandatory declarations and non-controlling investments. In addition to critical technologies, FIRRMA extends CFIUS jurisdiction over noncontrolling investments to US businesses involved in critical infrastructure and those that collect sensitive personal data of US citizens, as well as certain real estate transactions in proximity to sensitive US Government facilities. The October regulations addressed only the critical technologies portion of those provisions, but it is highly likely that later regulations will address those other areas. In addition, the statutory mandatory declaration language is focused on certain foreign governmentcontrolled investment, so it is possible that provision could also be further clarified.


Early versions of FIRRMA included provisions that would have extended CFIUS jurisdiction to outbound investments such as joint ventures located abroad. Following pushback from a range of industries, Congress retreated from that position in the final FIRRMA legislation, relying instead on US export control laws to reach a variety of transactions that fall short of acquisitions or significant investments, in an attempt to limit the transfer of US technology to certain foreign countries, especially China.

In the Export Control Reform Act of 2018, which was enacted as part of the same legislative package as FIRRMA, Congress directed the President to start an interagency process to identify "emerging and foundational technologies" that "are essential to the national security of the United States" and not already included in existing definitions of critical technologies. In doing so, that law directs the Administration to take into account "the development of emerging and foundational technologies in foreign countries; the effect US export controls may have on the development of such technologies in the United States; and the effectiveness of export controls imposed pursuant to this section on limiting the proliferation of emerging and foundational technologies to foreign countries." In a clear indication that this process is aimed at limiting technology transfers to China, the legislation requires that "at a minimum" the Secretary of Commerce "shall require a license for the export, reexport, or in-country transfer of [this] technology to or in a country subject to an embargo, including an arms embargo, imposed by the United States." China has been subject to a US arms embargo since 1989.

That process took the first step forward on November 19, 2018 when the US Commerce Department, which administers the Export Administration Regulations, published a Federal Register notice seeking public comment on what the criteria should be for identifying "emerging technologies that are essential to U.S. national security" in an effort to inform the interagency process and lay the groundwork for new export controls. The request for comments was limited to emerging technologies, with the Commerce Department indicating it would later issue a separate request regarding identification of foundational technologies. Once the new export control regulations are finalized, Congress will have successfully limited at least some corporate partnerships between US high-tech firms and China and other "countries of special concern" in a way Congress felt it could not through changes to CFIUS rules.

Commerce listed the following general categories of technology on which it was seeking comment on which emerging technologies should be considered essential to the US national security:

- Biotechnology, such as: Nanobiology; Synthetic biology; Genomic and genetic engineering; or Neurotech.

- Artificial intelligence and machine learning technology, such as: Neural networks and deep learning (e.g., brain modelling, time series prediction, classification); Evolution and genetic computation (e.g., genetic algorithms, genetic programming); Reinforcement learning; Computer vision (e.g., object recognition, image understanding); Expert systems (e.g., decision support systems, teaching systems); Speech and audio processing (e.g., speech recognition and production); Natural language processing (e.g., machine translation); Planning (e.g., scheduling, game playing); Audio and video manipulation technologies (e.g., voice cloning, deepfakes); AI cloud technologies; or AI chipsets.

- Position, Navigation, and Timing (PNT) technology.

- Microprocessor technology, such as: Systems-on-Chip (SoC); or Stacked Memory on Chip.

- Advanced computing technology, such as: Memory-centric logic.

- Data analytics technology, such as: Visualization; Automated analysis algorithms; or Context-aware computing.

- Quantum information and sensing technology, such as Quantum computing; Quantum encryption; or Quantum sensing.

- Logistics technology, such as: Mobile electric power; Modeling and simulation; Total asset visibility; or Distribution-based Logistics Systems (DBLS).

- Additive manufacturing (e.g., 3D printing);

- Robotics such as: Micro-drone and micro-robotic systems; Swarming technology; Self-assembling robots; Molecular robotics; Robot compliers; or Smart Dust.

- Brain-computer interfaces, such as Neural-controlled interfaces; Mind-machine interfaces; Direct neural interfaces; or Brain-machine interfaces.

- Hypersonics, such as: Flight control algorithms; Propulsion technologies; Thermal protection systems; or Specialized materials (for structures, sensors, etc.).

- Advanced Materials, such as: Adaptive camouflage; Functional textiles (e.g., advanced fiber and fabric technology); or Biomaterials.

- Advanced surveillance technologies, such as: Faceprint and voiceprint technologies.

The anticipated regulations will certainly lead to new licensing requirements for US technology, and likely limit the extent to which US emerging technology companies may enter licensing agreements with Chinese partners. This would also have an impact on US exports in these sectors, as well as the extent to which US companies may legally give access to foreign companies at their US facilities.