The National Industrial Security Program

The US National Industrial Security Program (NISP), largely administered by the Defense Counterintelligence and Security Agency (DCSA) at the US Department of Defense (DOD), mandates requirements, restrictions and other safeguards to prevent unauthorized disclosure of classified US information, which include clearances, special security agreements and secured facilities. Any foreign acquisition of a US entity that performs on classified contracts or has access to classified US information will likely be subject to a CFIUS review, as well as a separate review by DCSA to assess the impact of the “foreign ownership, control or influence” (FOCI) on the US entity. The goal of the FOCI review is to ensure foreign buyers do not undermine US security or export controls to gain access to US critical technology or classified information. 

In making its determination, DCSA considers the following factors with respect to the company, the foreign interest and the government of the foreign interest in the aggregate:

  • The type and sensitivity of the information that shall be accessed;

  • The source, nature and extent of FOCI;

  • Record of compliance with pertinent U.S. laws, regulations and contracts;

  • Record of economic and government espionage against US targets;

  • Record of enforcement and/or engagement in unauthorized technology transfer;

  • The nature of any bilateral and multilateral security and information exchange agreements that may pertain; and,

  • Ownership or control, in whole or in part, by a foreign government.

In determining the extent of the FOCI, DCSA considers whether foreign interests hold a majority or substantial minority position in the company, taking into consideration the immediate, intermediate and ultimate parent companies. A minority position is deemed substantial if it consists of greater than five percent of the ownership interests or greater than ten percent of the voting interest.

If FOCI is found to be present, DCSA will require some kind of agreement or arrangement to mitigate foreign influence and potential access by foreign persons to classified information. Similar to CFIUS, such mitigation can range from putting in place security measures to ensure there will be no foreign access to classified information to, under a proxy agreement, requiring a fully independent board to oversee the US entity, depending on the extent of FOCI. 

How the National Security Regimes Interact

DCSA FOCI review and adjudication is separate and distinct from a CFIUS review, and often conducted in parallel.  NISP provides that if the contracting agency “becomes aware of a proposed transaction that should be reviewed by CFIUS, and the parties thereto do not file a joint voluntary notice with CFIUS to initiate review within a reasonable time, the [contracting agency] shall initiate action to have CFIUS notified.”

What You Need To Know

  • US businesses handling classified contracts must be careful not to expose classified information to foreign persons during the negotiating, due diligence or transition processes.

  • It is generally advisable to commence the FOCI process before formally filing with CFIUS.

  • Foreign buyers in some cases will have to assess whether they are willing to accept mitigation in which they will have very diminished governance rights over a company they will own.

  • Parties should factor the timing of any DCSA review into the anticipated closing timelines of any transaction.