Overview
Foreign companies seeking to invest in the US defense industry typically must clear several regulatory hurdles. When the US target is authorized to work with classified information, those include two similar but distinct processes to ensure that foreign ownership does not jeopardize national security: the Committee on Foreign Investment in the United States (CFIUS) and the Defense Security Service (DSS) evaluation of Foreign Ownership, Control or Influence (FOCI).
The CFIUS and DSS/FOCI reviews often run in parallel and sometimes intersect. An interim Department of Defense (DOD) rule issued on April 9, 2014 (FOCI Rule or the Rule) addressed some of these interactions.[1] Now that the FOCI Rule has been in place for almost a year, we offer some thoughts as to how the CFIUS and DSS/FOCI processes have interacted under it. A key take-away is that even though the FOCI Rule aims to reduce delays, there are still multiple potential snags that can create acute timing problems. Careful planning is required to minimize these timing risks.
I. The Review Processes
A. CFIUS
CFIUS, an interagency committee chaired by the Treasury Department, reviews potential national security risks from foreign investment.[2] Its concerns include not only the defense industry, but also information and communications technology, transportation infrastructure, energy assets, biotechnology companies, chemical facilities, and more.
CFIUS has broad authority to review the national security implications of any “covered transaction,” defined as any transaction that “could result in control of a US business by a foreign person.”[3] In assessing the US national security risk, CFIUS evaluates the “threat” of the buyer (the buyer’s intent and capability) and the “vulnerability” of the assets being acquired (the potential to use the assets to undermine national security).
CFIUS is authorized to initiate a review of any covered transaction. Parties to a transaction commonly initiate the review themselves by voluntarily submitting a notice seeking CFIUS clearance before the deal has closed. Pre-closing CFIUS notification is the prudent course in any transaction that potentially involves US national security, for while it is technically voluntary, CFIUS takes a dim view of transactions it believes should have been notified but were not.
After CFIUS accepts a notice as complete, it undertakes a 30-day review. It has discretion to extend the review an additional 45 days by initiating an “investigation.”
At the end of its investigation, CFIUS must clear the transaction or recommend that the President block or (if already closed) unwind it. CFIUS may also require a “mitigation agreement”—under which the parties commit to implementing specified measures to address any outstanding national security concerns—as a condition to clearance.
If CFIUS issues arise but the parties and CFIUS are unable to conclude a mitigation agreement within the statutory timeframe, the parties may withdraw their notice and re-file, thereby restarting the clock to provide more time for negotiation. If CFIUS concludes the national security risks are insurmountable, the parties may withdraw and walk away from the deal. While they may instead take their chances with the President, that is exceedingly rare. Only twice have foreign acquirers insisted the President make a decision on a transaction that CFIUS declined to clear.[4]
CFIUS typically clears 85-90% of the deals reviewed in a given year without a mitigation agreement, requires mitigation agreements for 5-15%, and declines to clear 0-5%.
B. DSS/FOCI
DSS is the DOD agency responsible for issuing facility security clearances (FCL). An FCL authorizes a facility to perform classified work, provided the facility meets DSS security standards. Access to classified information is limited to individuals with personnel security clearances (PCLs), who must be US citizens.
DSS’s foreign investment reviews generally are limited to those involving contractors that hold FCLs. When a contractor becomes subject to “foreign ownership, control or influence”—hence the acronym FOCI—DSS can invalidate the FCL unless the parties commit to mitigation measures safeguarding the classified information. The regulations define FOCI extremely broadly; as a practical matter, DSS decides whether FOCI exists or will exist, and a contractor must inform DSS whenever FOCI might exist.[5]
Before coming under FOCI, a US company with an FCL must provide DSS with a “FOCI action plan” that proposes a strategy for mitigation. The plan then is subject to negotiation between DSS, the acquiring foreign entity, and other relevant parties. DSS’s approval depends on its assessment of several factors, such as the type and sensitivity of the information that will be accessed; the source, nature, and extent of the FOCI; and the foreign party’s record of compliance with pertinent US laws, regulations, and contracts.
DSS has approved five basic mechanisms for mitigating FOCI. All involve establishing separation between the foreign company and the classified information held by the US company. The specific requirements vary depending on the extent of anticipated foreign control and related concerns. In order of increasing burden, the mechanisms are:
1. Board Resolution
May be used when a foreign entity does not acquire enough voting stock to elect a representative to the target company’s governing board. It requires a resolution by the cleared company’s board prohibiting access by foreign persons to classified information.
2. Security Control Agreement (SCA)
May be used when the foreign entity does not effectively own or control the target company, but acquires sufficient voting power to be represented on its board. An SCA requires that the cleared company add one DSS-approved “Outside Director” to its Board of Directors.[6] An Outside Director must be a US citizen eligible to receive a personnel security clearance at a level equal to the company’s FCL (e.g., for Top Secret contracts, Top Secret clearance).
3. Special Security Agreement (SSA)
May be used when the foreign entity effectively gains control of the target company. An SSA typically requires that the cleared company appoint at least three Outside Directors and that the number of Outside Directors exceed the number of “Inside Directors” (i.e., directors appointed by the company without DSS approval, who may be representatives of the foreign company).
Additionally, the US company must obtain a National Interest Determination (NID) to access information above the “Secret” level. A NID is a determination by the Government Contracting Activity (GCA)—the agency responsible for awarding a classified contract—that the release of information to the SSA-protected company will not harm US national security interests. Because DSS does not control the issuance of NIDs, an SSA can add uncertainty to the timetable for completing the DSS/FOCI process, potentially delaying closing. The FOCI Rule includes provisions intended to speed up the NID process by, for instance, requiring the GCA to issue a decision within 30 days of receiving a NID request (or 60 days if interagency concurrence is required).[7] Notwithstanding, parties to a transaction may be unable to facilitate timely decisions regarding NIDs.
4. Proxy Agreement
May also be used when the foreign entity effectively gains control of the target. A Proxy Agreement requires the cleared entity’s voting rights to be vested exclusively in “Proxy Holders” (NIDs are not required). Proxy Holders generally must have the same qualifications as SSA Outside Directors—cleared or clearable US citizens with no prior relationship to the company and approved by DSS. No Inside Directors can serve on the company’s board, and the foreign entity must completely give up control of the company.
5. Voting Trust Agreement (VTA)
Functionally similar to a Proxy Agreement and available under the same circumstances. While the regulations contemplate VTAs, in practice they are rarely used.
A FOCI action plan must culminate in a signed “FOCI mitigation agreement,” pursuant to which the US company and foreign company commit to a suitable mechanism to mitigate FOCI. DSS also requires that companies adopt detailed compliance-related policies to implement FOCI mitigation. These generally entail a Technology Control Plan, Electronic Communication Plan, and Affiliated Operations Plan, as well as other monitoring and compliance certification procedures.
Completing a FOCI mitigation agreement typically takes several months, and in some instances even longer. However, parties often can close a transaction prior to executing a final FOCI mitigation agreement by signing a “Commitment Letter” agreeing to the essential elements of FOCI mitigation as well as interim security measures.[8]
II. Joint CFIUS and DSS Review
If a transaction involves a US company with an FCL, it is virtually certain that CFIUS will conduct a national security review. Transactions subject to parallel CFIUS and DSS reviews have presented timing challenges, as CFIUS review generally is capped at 75 days while DSS/FOCI review can go much longer, especially when NIDs are involved.
For that reason, the FOCI Rule aims to bring the CFIUS and DSS/FOCI processes into closer alignment.[9] It instructs DSS to “review, adjudicate, and mitigate FOCI on a priority basis” if the CFIUS process begins and the DSS/FOCI process is not yet complete.[10] DSS must also update CFIUS on the status of FOCI mitigation at regular intervals, and provide by an agreed date a memorandum describing the US contractor, its clearance level, its outstanding classified contracts, and the status of discussions to mitigate FOCI.[11] Finally, the FOCI Rule allows DSS to begin implementation of a FOCI action plan for which one or more NID requests are pending (and to notify CFIUS to this effect), provided there has been no indication the NID request will be denied.[12]
While these provisions have helped improve certain aspects of concurrent CFIUS and DSS reviews, the regulations do not completely address the challenges companies face. Careful planning and proactive measures are necessary to ensure that both processes stay on track.
What follows is some practical guidance, based on our experience, that foreign investors should take into account when approaching transactions subject to review by both agencies.
A. Communicate Effectively with Both CFIUS and DSS
Particularly with the FOCI Rule, parties should expect CFIUS and DSS to routinely exchange information and confer about the transaction. There may be an urge to devote more resources to CFIUS given its broader scope, especially if the classified portion of the US target comprises a relatively small portion of its revenues. But if DSS is dissatisfied with the status of FOCI discussions, this can threaten to spill over into the CFIUS process.
Dissatisfaction from DSS can lend support to CFIUS members who are more averse to a transaction, and can cast the foreign acquirer in a negative light. Reports from DSS of a transparent and cooperative foreign acquirer can have the opposite effect. It is therefore important to allocate sufficient resources to both processes; although legally separate, they can influence each other in both helpful and counterproductive ways.
B. Assure US Government Customer Buy In
If a target’s USG customers are sufficiently opposed to a transaction, it can disrupt not only the DSS/FOCI process, but also the CFIUS process. To avoid this result, it may be necessary to educate USG customers about the transaction and the foreign acquirer.
This can be tricky when classified contracts are involved because the foreign company generally cannot engage with USG customers directly. It must rely on the US company to liaise with the customers and report back on their sentiment. For this to work, the US company and foreign acquirer, as well as their counsel, must establish a strong working relationship.
C. Manage Application of FOCI Mitigation in the CFIUS Context
The FOCI Rule makes clear that CFIUS may not mitigate “national security risks that are adequately addressed by other provisions of law,” e.g., the DSS/FOCI process.[13] Notwithstanding this requirement, a CFIUS mitigation agreement often works in conjunction with FOCI mitigation. On a basic level, CFIUS will take FOCI mitigation into account when evaluating national security risks. But beyond that, CFIUS may leverage FOCI mitigation to address security risks associated with non-classified products.
This can be beneficial in that it can allow the parties to assuage CFIUS national security concerns by leveraging resources that are already allocated to address FOCI issues. However, this can at times be too much of a good thing.
For example, when a foreign company acquires control of a US company with an FCL, the prospect of subjecting the entire US business to an SSA or Proxy Agreement can be a bitter pill to swallow. A common strategy is to designate a cleared subsidiary to perform all work requiring classified information. Since the SSA or Proxy Agreement applies only to that subsidiary, the foreign acquirer is able to limit FOCI mitigation to the classified business while maintaining control of the broader commercial operations. However, CFIUS could view the new subsidiary, with its DSS-approved directors, segregated networks, and enhanced government oversight, as an attractive alternative to foreign control of the US company altogether. Accordingly, it may try to push sensitive non-classified products into the subsidiary.
In these situations, it is beneficial to engage CFIUS early in the review process, certainly before CFIUS has started drafting mitigation terms. The US Government’s overall policy is to welcome most foreign investment, and CFIUS generally wants the deals it reviews to close. CFIUS consequently may be sympathetic to well-presented arguments as to why relinquishing control of one or more non-classified products in a mitigation agreement is commercially untenable. But CFIUS must be made aware of these arguments before drafting mitigation terms, lest it apply restrictive FOCI mitigation measures to both the classified business and the unclassified business. Parties would be wise to explain to CFIUS—as early as possible—why it is impractical to apply FOCI mitigation, and the management separation that inheres in it, to non-classified business.
D. Evaluate Risks Associated with Eliminating the Classified Portion of a US Business
Completing the DSS/FOCI process often can require substantial resources—equaling or exceeding those required for the CFIUS process. If the classified portion of the acquired US business is small, it may seem tempting to shut down that business and close the deal without FOCI mitigation in place.
While this may be possible in some instances, the foreign acquirer should be aware of potential consequences. Losing an FCL may put the company in breach of contract obligations, potentially subjecting it to contractual remedies or, in extreme cases, suspension or debarment proceedings. Even where a contract is expired or subject to termination, there may be ongoing warranty obligations that require a valid FCL to perform. These risks should be properly vetted and analyzed as part of the due diligence process, which may require engaging counsel with a valid personnel security clearance to review any classified contracts.
It is also possible that, irrespective of contract obligations, a USG customer will react negatively to being told that certain classified products or services will no longer be available. That could harm future relations with that customer, and, depending on the product, negatively affect CFIUS’s national security analysis. The US company should leverage its contacts with the USG customer to get a sense of whether it is amenable to shuttering the classified contracts before any decision is made.
Ideally, a foreign acquirer should decide during deal negotiations whether acquiring the classified piece of a US company is worth the anticipated costs, including FOCI mitigation. If not, the foreign acquirer should address that at the outset, limiting the deal to the non-classified piece of the US company.
E. Tailor Mitigation Discussions to Each Agency
CFIUS and DSS have very different approaches to drafting mitigation terms. Although much of the CFIUS process is fairly predictable, negotiating mitigation agreements often follows a much less foreseeable course.
CFIUS proposes mitigation terms based on the input of participating agencies, with the designated lead agencies driving the national security analysis and substantive mitigation discussions. Different factions within CFIUS may have different concerns about a transaction, resulting in diverse solutions for addressing multiple concerns. Although Treasury does its best to moderate the process, the number of individuals participating in drafting mitigation terms can result in a medley of security provisions being included in a draft term sheet. After a first draft is prepared, Treasury provides a copy of the term sheet to the parties and negotiations commence, typically around the 55-65 day mark.
As noted, however, the best strategy is to engage CFIUS before it has put pen to paper, and well before it issues the term sheet. Although CFIUS expects the term sheet will be subject to heavy negotiation with the parties and their counsel, the first draft nonetheless provides an important baseline. And while it is possible through negotiation to soften certain proposed mitigation terms, it is much more difficult to substantially alter the initial draft’s overall framework.
We accordingly recommend taking proactive measures to discuss potential mitigation terms with CFIUS. This often involves making a presentation to CFIUS representatives.
In contrast to the highly negotiated terms of CFIUS mitigation, the substantive provisions of FOCI mitigation are established almost entirely by DSS-issued templates. Each of the five FOCI mitigation mechanisms has a template explaining in detail what DSS expects.[14] While this template-driven approach makes some aspects of FOCI mitigation more predictable, it also restricts DSS latitude. Indeed, DSS’s authorization to alter the templates is limited to “non-substantive provisions.”[15]
Consequently, while there may be substantial discussions with DSS regarding surrounding issues such as the level of FOCI mitigation required and the timeframe for implementing it, there is little opportunity to negotiate the FOCI mitigation terms themselves. Parties should presume DSS will require FOCI mitigation measures substantially similar to those in the templates, subject to minor modifications as may be required in particular circumstances.
III. Conclusion
For any deal involving a cleared US entity, counsel to both parties should be familiar with the relationship between the CFIUS and DSS/FOCI processes so as to minimize surprises and reduce the likelihood of delays in closing. While the FOCI Rule has clarified aspects of parallel CFIUS and DSS review, navigating these processes concurrently requires careful planning and strategic engagement with both agencies.
[1] See 79 Fed. Reg. 19467 (Apr. 9, 2014). The interim rule is codified at 32 C.F.R. Part 117 Subpart C.
[2] CFIUS also includes representatives from the Departments of Commerce, Defense, Energy, Homeland Security, Justice, and State, among other Executive Branch agencies.
[3] See 31 C.F.R. § 800.207 (2008).
[4] The more recent instance is currently in court. In 2012, CFIUS recommended the President order divestiture of Chinese company Ralls Corporation’s acquisition of wind farms in Oregon, which had closed earlier in the year. After the President issued an order blocking the transaction and requiring divestiture within 90 days, Ralls filed suit challenging the CFIUS and Presidential orders. The US Court of Appeals for the DC Circuit ultimately held that Ralls had a constitutionally protected property interest in the transaction and had not been afforded due process. Ralls Corp. v. CFIUS, 758 F.3d 296 (DC Cir. 2014). Our recent alert provides more information on the Ralls case: Ralls May Give Foreign Investors More Leverage with CFIUS.
[5] See National Industrial Security Program – Operating Manual (NISPOM), DoD 5220.22-M (2-300).
[6] 32 C.F.R. § 117.56(b)(4)(iii)(A) (2014). The FOCI Rule clarifies that DSS can require more Outside Directors at its discretion.
[7] Id. § 117.56(b)(5).
[8] DSS has made a template Commitment Letter available on its website. See Commitment Letter, US Department of Defense, Defense Security Service, available at http://www.dss.mil/documents/foci/OGC-Standard-Commitment-Letter.doc (last visited March 2, 2015).
[9] 32 C.F.R.§ 117.56(b)(14).
[10] Id. § 117.56(b)(14)(iv).
[11] Id. § 117.56(b)(14)(iv)(B).
[12] Id. § 117.56(b)(14)(vi).
[13] See id. § 117.56(b)(14)(iii).
[14] These templates are available on DSS’s website. FOCI Mitigation Instruments, US Department of Defense, Defense Security Service, available at http://www.dss.mil/isp/foci/foci_mitigation.html (last visited March 2, 2015). There are also templates associated with the different compliance policies DSS generally requires, such as an Electronic Communications Plan, Technology Control Plan, and Affiliated Operations Plan. See Implementation Procedures, US Department of Defense, Defense Security Service, available at https://www.dss.mil/isp/foci/implementation-procedures.html (last visited March 2, 2015).
[15] See 32 C.F.R.§ 117.56(b)(4)(vi).