This client alert discusses recent notable developments in the Foreign Ownership, Control, or Influence (FOCI) mitigation program administered by the Defense Security Service (DSS).
By way of background, DSS is the Department of Defense agency in charge of evaluating the FOCI factors of US entities that are cleared or are seeking security clearances under the National Industrial Security Program. For companies under majority FOCI, DSS typically requires a Special Security Agreement (SSA) or a Proxy Agreement as a condition to obtaining or maintaining a facility security clearance.
Over the past couple of years, there have been some favorable developments that provide more flexibility to companies operating under majority FOCI mitigation arrangements, including, on a case-by-case basis, (1) increased parent-entity discretion regarding board composition for FOCI-mitigated companies; (2) shareholder nomination of successor Proxy Holders (to replace, subject to DSS approval, Proxy Holders who depart during the term of a Proxy Agreement); (3) Routine Business Visits (which are categories of visits that, under an SSA, are normally approved by a company’s Facility Security Officer) in Proxy Agreements; (4) exemption of commonly owned entities operating under separate SSAs and/or Proxy Agreements from their respective mitigation agreements’ visitation and communication requirements; (5) adoption of non-FOCI-mitigated parent or affiliate (collectively, "Affiliate") compliance plans if approved as an affiliated operation (affiliated operations are discussed below); and (6) notification to US government customers (rather than prior approval) regarding the use of Affiliate technology in support of classified contracts.
DSS has also recently modified its policies regarding affiliated operations (i.e., operational relationships among FOCI-mitigated companies and their Affiliates). This culminated in DSS’ recent issuance of a new Affiliated Operations Plan (AOP) template, which formalizes the requirements for seeking approval for affiliated operations, including specifying the categories of covered operations and the information that must be provided about them. The two primary purposes of the AOP are (1) to provide DSS with a complete understanding of the relationship between a FOCI-mitigated company and its Affiliates, and (2) to assist the FOCI-mitigated company’s Government Security Committee (GSC) with its oversight responsibilities concerning affiliated operations.
A company operating under an SSA or a Proxy Agreement must submit an AOP to DSS for approval prior to engaging in new or materially different affiliated operations. The DSS AOP template identifies more arrangements for prior approval than were previously required under administrative or shared services agreements. In particular, the AOP requires reporting and prior approval for the following categories of affiliated operations:
- Affiliated Services: services provided by/to the FOCI-mitigated company to/by its Affiliates;
- Shared Third-Party Services: instances of common service contracts among a third-party service provider, the FOCI-mitigated company, and one or more Affiliates;
- Shared Persons: employees of an Affiliate or a FOCI-mitigated company that perform a function on behalf of the FOCI-mitigated company or the Affiliate, respectively; and
- Cooperative Commercial Arrangements: arrangements whereby an arm’s-length contract or agreement for products or services exists among a FOCI-mitigated company and one or more Affiliates.
Please note that these categories capture "reverse services" (i.e., services provided by the FOCI-mitigated company to an Affiliate) as well as Affiliate-provided services. In our experience, however, DSS generally tends to view reverse services as raising fewer FOCI concerns than Affiliate-provided services.
Notwithstanding the release of the AOP template and its broader scope, companies with current approved Administrative Service Agreements (or similar arrangements) may continue to operate under those arrangements, although they must submit an AOP if they engage in new affiliated operations or make material changes to existing affiliated operations. Moreover, newly captured services (e.g., cooperative commercial arrangements) are generally grandfathered, and therefore companies need not immediately submit a new AOP to cover those existing activities. As a matter of best practices, however, companies should consider preparing AOPs that account for all existing qualifying services since DSS will be requiring a complete AOP that covers all existing affiliated operations upon a company’s request for a new or modified affiliated operation. Furthermore, the GSC should be made aware of all affiliated operations and regularly monitor them to help ensure compliance.
Companies should expect 30- to 90-day approval periods for AOPs, although complex affiliated operations, DSS caseload and other factors can prolong that timing. While some affiliated operations should be generally approved with relative ease (e.g., payroll, insurance, benefits), we have found that IT services, internal legal services and internal audit services are generally among the most problematic. If properly tailored with appropriate risk-mitigation measures, however, DSS may consider approving some degree of these types of affiliated operations. In all cases, it is critical to carefully consider the desired affiliated operations, the potential FOCI risks they may present, and how such FOCI concerns can be specifically mitigated.