(a) General. Foreign investment can play an important role in maintaining the vitality of the U.S. industrial base. Therefore, it is the intent of the USG to allow foreign investment consistent with the national security interests of the United States. The following FOCI procedures for cleared U.S. entities are intended to mitigate the risks associated with FOCI by ensuring that foreign firms cannot undermine U.S. security to gain unauthorized access to classified information.
(1) The CSA will consider a U.S. entity to be under FOCI when:
(i) A foreign interest has the power to direct or decide issues affecting the entity's management or operations in a manner that could either:
(A) Result in unauthorized access to classified information; or
(B) Adversely affect performance of a classified contract or agreement.
(ii) The foreign government is currently exercising, or could prospectively exercise, that power, whether directly or indirectly, such as:
(A) Through ownership of the U.S. entity's securities, by contractual arrangements, or other means, or;
(B) By the ability to control or influence the election or appointment of one or more members to the entity's governing board.
(2) When the CSA has determined that an entity is under FOCI, the primary consideration will be the protection of classified information. The CSA will take whatever action is necessary to protect classified information, in coordination with other affected agencies as appropriate.
(3) A U.S. entity that is in process for an entity eligibility determination for access to classified information and subsequently determined to be under FOCI is ineligible for access to classified information unless and until effective security measures have been put in place to negate or mitigate FOCI to the satisfaction of the CSA.
(4) When a contractor determined to be under FOCI is negotiating an acceptable FOCI mitigation or negation measure in good faith, an existing entity eligibility determination may continue in effect so long as there is no indication that classified information is at risk of compromise in consultation with the applicable GCA. The applicable CSA may decide that circumstances involving the FOCI are such that the entity eligibility determination will be invalidated until implementation of an acceptable FOCI mitigation plan.
(5) An existing entity eligibility determination will be invalidated if the contractor is unable or unwilling to negotiate and implement an acceptable FOCI mitigation or negation measure. An existing entity eligibility determination will be revoked if security measures cannot be taken to remove the possibility of unauthorized access to classified information or adverse effect on performance of classified contracts.
(6) Changed conditions, such as a change in ownership, indebtedness, or a foreign intelligence threat, may justify certain adjustments to the security terms under which an entity is operating or, alternatively, that a different FOCI mitigation or negation method be employed. If a changed condition is of sufficient significance, it might also result in a determination that a contractor is no longer considered to be under FOCI, or, conversely, that a contractor is no longer eligible for access to classified information.
(7) The USG reserves the right, and has the obligation, to impose any security method, safeguard, or restriction (including denial, termination or revocation of an entity eligibility determination) it believes necessary to ensure that unauthorized access to classified information is effectively precluded and performance of classified contracts is not adversely affected.
(8) Nothing contained in this section affects the authority of a Federal agency head to limit, deny, or revoke access to classified information under its statutory, regulatory, or contract jurisdiction.
(b) Factors. Factors relating to the entity, relevant foreign interests, and the government of such foreign interests, as appropriate, will be considered in the aggregate to determine whether an applicant entity is under FOCI, its eligibility for access to classified information, and the protective measures required. These factors include:
(1) Record of espionage against U.S. targets, either economic or government.
(2) Record of enforcement actions against the entity for transferring technology without authorization.
(3) Record of compliance with pertinent U.S. laws, regulations, and contracts or agreements.
(4) Type and sensitivity of the information the entity would access.
(5) Source, nature, and extent of FOCI, including whether foreign interests hold a majority or minority position in the entity, taking into consideration the immediate, intermediate, and ultimate parent entities.
(6) Nature of any relevant bilateral and multilateral security and information exchange agreements.
(7) Ownership or control, directly or indirectly, in whole or in part, by a foreign government.
(8) Any other factor that indicates or demonstrates capability of foreign interests to control or influence the entity's operations or management.
(c) Procedures. An entity is required to complete an SF 328 during the process for an entity eligibility determination or when significant changes occur to information previously submitted. In the case of a corporate family, the form may be a consolidated response rather than separate submissions from individual members of the corporate family based on CSA guidance.
(1) If an entity provides any affirmative answers on the SF 328, or the CSA receives other information which indicates that the applicant entity may be under FOCI, the CSA will make a risk-based determination regarding the relative significance of the information in regard to:
(i) Whether the applicant is under FOCI.
(ii) The extent and manner to which the FOCI represents a risk to the national security or may adversely impact classified contract performance.
(iii) The type of actions, if any, that would be necessary to mitigate or negate the effects of FOCI to a level deemed acceptable to the USG. The CSA will advise entities on the CSA's appeal channels for disputing CSA FOCI determinations.
(2) When an entity with a favorable eligibility determination enters into negotiations for the proposed merger, acquisition, or takeover by a foreign interest, the entity will submit notification to the CSA of the commencement of such negotiations.
(i) The submission will include the type of transaction under negotiation (e.g., stock purchase, asset purchase), the identity of the potential foreign interest investor, and a plan to negate or mitigate the FOCI by a method outlined in paragraph (d) of this section.
(ii) The entity will submit copies of loan, purchase, and shareholder agreements, annual reports, bylaws, articles of incorporation, partnership agreements, other organizational documents, and reports filed with other Federal agencies to the CSA.
(d) FOCI action plans.
(1) When FOCI factors not related to ownership are present, the CSA will determine if positive measures will assure the CSA that the foreign interest can be effectively mitigated and cannot otherwise adversely affect performance on classified contracts. Examples of such measures include:
(i) Modification or termination of loan agreements, contracts, and other understandings with foreign interests.
(ii) Diversification or reduction of foreign-source income.
(iii) Demonstration of financial viability independent of foreign interests.
(iv) Elimination or resolution of problem debt.
(v) Assignment of specific oversight duties and responsibilities to board members.
(vi) Formulation of special executive-level security committees to consider and oversee issues that affect the performance of classified contracts.
(vii) Physical or organizational separation of the contractor component performing on classified contracts.
(viii) Adoption of special board resolutions.
(ix) Other actions that negate or mitigate foreign control or influence.
(x) A combination of these methods, as determined by the CSA.
(2) When FOCI factors related to ownership are present, methods the CSA may apply to negate or mitigate the risk of foreign ownership include, but are not limited to:
(i) Board resolution.
(A) When a foreign interest does not possess voting interests sufficient to elect, or otherwise is not entitled to representation on the entity's governing board, a resolution(s) by the governing board may be adequate. In the resolution, the governing board will:
(1) Identify the foreign shareholder.
(2) Describe the type and number of foreign-owned shares.
(3) Acknowledge the entity's obligation to comply with all industrial security program requirements.
(4) Certify that the foreign owner does not require, will not have, and can be effectively precluded from unauthorized access to all classified information entrusted to or held by the entity.
(B) The governing board will provide for annual certifications to the CSA acknowledging the continued effectiveness of the resolution.
(C) The entity will distribute to members of its governing board and to its KMP copies of such resolutions, and report in the entity's corporate records the completion of such distribution.
(ii) Security control agreement (SCA). When a foreign interest does not effectively own or control an entity (i.e., the entity is under U.S. control), but the foreign interest is entitled to representation on the entity's governing board, an SCA may be adequate. At least one cleared U.S. citizen must serve as an outside director on the entity's governing board. There are no access limitations under an SCA.
(iii) SSA. When a foreign interest effectively owns or controls an entity, an SSA may be adequate. An SSA is an arrangement that, based upon an assessment of the source and nature of FOCI and FOCI factors, imposes various industrial security measures within an institutionalized set of entity practices and procedures. The SSA preserves the foreign owner's right to be represented on the entity's board or governing body with a direct voice in the entity's business management, while denying the foreign owner majority representation and unauthorized access to classified information.
(A) Requirement for a National Interest Determination (NID). Unless otherwise prohibited by law or regulation (e.g., Section 842 of Pub. L. 115-232), the applicable CSA must determine whether allowing an entity access to proscribed information under an SSA is consistent with national security interests of the U.S. with concurrence from controlling agencies, as applicable. Such NIDs will be made as part of an entity eligibility determination or because of a changed condition when a GCA requires an entity to have access to proscribed information and the CSA proposes an SSA as the mitigation measure. The NID can be program, project, or contract specific.
(B) NID process:
(1) The CSA makes a NID for TOP SECRET or SAP information to which the entity requires access. Contractors should be aware that DOE Order 470.4B provides additional information and requirements for processing NID requests for access to RD.
(2) In cases in which any category of the proscribed information is controlled by another agency (ODNI for SCI, DOE for RD, the National Security Agency (NSA) for COMSEC), the CSA asks that controlling agency to concur or non-concur on the NID for that category of information.
(3) The CSA informs the GCA and the entity when the NID is complete. In cases involving SCI, RD, or COMSEC, the CSA also informs the GCA and the entity when a controlling agency concurs or non-concurs on that agency's category of proscribed information. The entity may begin accessing a category of proscribed information once the CSA informs the GCA and the entity that the controlling agency concurs, even if other categories of proscribed information are pending concurrence.
(4) An entity's access to SCI, RD, or COMSEC remains in effect so long as the entity remains eligible for access to classified information and the contract or agreement (or program or project) which imposes the requirement for access to those categories of proscribed information remains in effect, except under any of the following circumstances:
(i) The CSA, GCA, or controlling agency becomes aware of adverse information that impacts the entity eligibility determination.
(ii) The CSA's threat assessment pertaining to the entity indicates a risk to one of the categories of proscribed information.
(iii) The CSA becomes aware of any material change regarding the source, nature, and extent of FOCI.
(iv) The entity's record of NISP compliance, based on CSA reviews, becomes less than satisfactory. Consult DOE Order 470.4B for additional information and requirements for processing NID requests for access to RD.
(5) Under any of the circumstances in paragraphs (d)(2)(iii)(B)(4)(i) through (d)(2)(iii)(B)(4)(iv) in this section, the CSA determines whether the entity remains eligible for access to classified information, it must change the FOCI mitigation measure in order to remain eligible for access to classified information, or the CSA must terminate or revoke the access to classified information.
(6) When an entity is eligible for access to classified information that includes a favorable NID for SCI, RD, or COMSEC, the CSA does not have to request a new NID concurrence for the same entity if the access to classified information requirements for the relevant category of proscribed information and terms remain unchanged for:
(i) Renewing the contract or agreement.
(ii) New task orders issued under the contract or agreement.
(iii) A new contract or agreement that contains the same provisions as the previous one (this usually applies when the contract or agreement is for a program or project.)
(iv) Renewing the SSA.
(7) Under certain conditions, entities under an SSA may not require a NID for one or more categories of proscribed information in accordance with CSA-provided guidance. Categories of proscribed information for entities under SSAs not requiring a NID will be recorded in the CSA's system of record for entity eligibility determinations.
(iv) Voting Trust (VT) or Proxy Agreement (PA). The VT and the PA are arrangements that vest the voting rights of the foreign-owned stock in cleared U.S. citizens approved by the USG. Under a VT, the foreign owner transfers legal title its ownership interests in the entity to the trustees. Under a PA, the foreign owner's voting rights are conveyed to the proxy holders. Neither arrangement imposes any restrictions on the entity's eligibility to have access to classified information or to compete for classified contracts.
(A) Establishment of a VT or PA involves the selection of trustees or proxy holders, all of whom must become members of the entity's governing board. Both arrangements must provide for the exercise of all prerogatives of ownership by the trustees or proxy holders with complete freedom to act independently from the foreign owners, except as provided in the VT or PA. The arrangements may limit the authority of the trustees or proxy holders by requiring approval be obtained from the foreign owner with respect to issues such as:
(1) The sale or disposal of the entity's assets or a substantial part thereof.
(2) Pledges, mortgages, or other encumbrances on the entity's assets, capital stock, or ownership interests.
(3) Mergers, consolidations, or reorganizations.
(4) Dissolution.
(5) Filing of a bankruptcy petition.
(B) The trustees or proxy holders may consult with the foreign owner, or vice versa, where otherwise consistent with U.S. laws, regulations, and the terms of the VT or PA.
(C) The trustees or proxy holders assume full responsibility for the foreign owner's voting interests and for exercising all governance and management prerogatives relating thereto to ensure the foreign owner will be insulated from the entity, thereby solely retaining the status of a beneficiary. The entity must be organized, structured, and financed to be capable of operating as a viable business entity and independent from the foreign owners' interests that required FOCI mitigation or negation.
(v) Combination measures. The CSA may apply combinations of the measures in paragraphs (d)(2)(i) through (d)(2)(iv) in this section or other similar measures that effectively mitigate or negate the risks involved with foreign ownership.
(e) Limited entity eligibility determination due to FOCI. In accordance with the provisions of this section and CSA-provided guidance, a limited entity eligibility determination may be an option for a single, narrowly defined contract, agreement, or circumstance for entities under FOCI without mitigation or negation. Limitations on access to classified information are inherent with the granting of limited entity eligibility determinations and are imposed upon all of the entity's employees regardless of citizenship.
(1) In exceptional circumstances, when an entity is under FOCI, the CSA may decide that a limited entity eligibility determination is appropriate when the entity is unable or unwilling to implement FOCI mitigation or negation measures, and the conditions in paragraphs (e)(1)(i) through (iii) of this section are met. This is not the same as a limited entity eligibility determination for purposes not related to FOCI. Information on limited entity eligibility determinations for purposes other than FOCI can be found in § 117.9(m). A CSA may decide that a limited entity eligibility is appropriate for an entity under FOCI if:
(i) The limited entity eligibility determination is in accordance with national security interests and a GCA has informed the CSA that access to classified information by the contractor is essential to contract or agreement performance.
(ii) There is an industrial security agreement with the foreign government of the country from which the FOCI is derived.
(iii) The contractor meets all other entity eligibility requirements outlined in § 117.9(c) except that KMP, other than the FSO, may be citizens of the country from which the FOCI derives and the United States has obtained security assurances at the appropriate level from that country.
(2) A U.S. subsidiary of a foreign entity may be sponsored for a limited entity eligibility determination by a foreign government when the foreign government desires to award a contract or agreement to the U.S. subsidiary that involves access to only that classified information for which the foreign government is the OCA.
(3) Limited entity eligibility determinations are specific to the classified information for the requesting GCA or foreign government and the single narrowly defined contract, agreement, or circumstance the request was based on. The limited entity eligibility determination will only be verified to that GCA or foreign government for the authorized level of access to classified information and any limitations to that access to classified information.
(4) A limited entity eligibility determination is not an option for contractors that require access to proscribed information when a foreign government has ownership or control over the entity.
(5) Release of classified information must be in conformity with the U.S. National Disclosure Policy-1 (provided to designated disclosure authorities on a need-to-know basis from the Office of the Under Secretary of Defense for Policy, Defense Technology Security Administration).
(6) A limited entity eligibility determination will be administratively terminated when there is no longer a need for the contractor to access the classified information for which it was sponsored. Administrative termination of one limited entity eligibility determination does not impact a contractor's other limited entity eligibility determinations.
(7) If there is no industrial security agreement with the foreign government of the country from which the FOCI is derived, in extraordinary circumstances, a limited entity eligibility determination may also be granted if there is a compelling need to do so consistent with U.S. national security interests and the GCA has informed the applicable CSA that access to classified information by the contractor is essential to contract or agreement performance. Under this circumstance, the entity must follow all provisions of this rule.
(f) Qualifications of trustees, proxy holders, and outside directors. Individuals who serve as trustees, proxy holders, or outside directors must meet the following criteria:
(1) Trustees and proxy holders must be resident U.S. citizens who can exercise governance and management prerogatives relating to their position in a way that ensures that the foreign owner can be effectively insulated from the entity.
(2) Outside directors must be resident U.S. citizens who can exercise governance and management prerogatives relating to their position in a way that ensures that the foreign owner can be effectively separated from the entity's classified work.
(3) New trustees, proxy holders, and outside directors must be completely disinterested individuals with no prior involvement with the entity, the entities with which it is affiliated, or the foreign owner.
(4) The CSA may consider other circumstances that may affect an individual's eligibility to serve effectively including the number of boards on which the individual serves, the length of time serving on any other governance boards, and other factors in accordance with CSA-provided guidance.
(5) Trustees, proxy holders, and outside directors must be determined eligible for access to classified information at the level of the entity eligibility determination for access to classified information. Individuals who are serving as trustees, proxy holders, or outside directors as part of a mitigation measure for the entity are not considered to have prior involvement solely by performing that role for purposes of paragraph (f)(3) of this section.
(g) Government security committee (GSC). Under a VT, PA, SSA, or SCA, the contractor is required to establish a permanent committee of its board of directors, known as the GSC.
(1) Unless otherwise approved by the CSA, the GSC consists of trustees, proxy holders, or outside directors and those officer directors who have been determined to be eligible for access to classified information.
(2) The members of the GSC are required to ensure that the contractor adheres to laws and regulations and maintains internal entity policies and procedures to safeguard classified information entrusted to it. The GSC ensures that violations of those policies and procedures are promptly investigated and reported to the appropriate authority when it has been determined that a violation has occurred.
(3) The contractor's FSO will be the principal advisor to the GSC and attend GSC meetings. The chairman of the GSC must concur with the appointment and replacement of FSOs selected by management. The FSO functions will be carried out under the authority of the GSC.
(h) Additional procedures for FOCI mitigation or negation measures. In addition to the basic requirements of the FOCI mitigation or negation agreement, the entity may be required to document and implement additional procedures based upon the circumstances of an entity's operations. Those additional procedures will be established in supplements to the FOCI mitigation agreement to allow for flexibility as circumstances change without having to renegotiate the entire agreement. When making use of supplements, the CSA does not consider the FOCI mitigation measure final until the CSA has approved the required supplements. These supplements may include:
(1) Technology control plan (TCP). A TCP approved by the CSA will be developed and implemented by those entities cleared under a VT, PA, SSA and SCA and when otherwise deemed appropriate by the CSA. The TCP will prescribe all security measures determined necessary to reasonably prevent the possibility of access by non-U.S. citizen employees and visitors to information for which they are not authorized. The TCP will also prescribe measures designed to assure that access by non-U.S. citizens is strictly limited to only that specific information for which appropriate USG disclosure authorization has been obtained, e.g., an approved export license or technical assistance agreement. Unique badging, escort, segregated work area, security indoctrination schemes, and other measures will be included, as appropriate.
(2) Electronic communications plan (ECP). The contractor will develop and implement an ECP, subject to CSA approval, tailored to the contractor's operations to verify that electronic controls are in place for clear technical and logical separation of electronic communications and networks between the contractor, the foreign interest, and its affiliates. The purpose is to prevent the unauthorized disclosure of classified information to the foreign parent or its affiliates. The contractor will include in the ECP a detailed network description and configuration diagram that clearly delineates which networks will be shared and which will be protected from access by the foreign parent or its affiliates. The network description will address firewalls, remote administration, monitoring, maintenance, and separate email servers, as appropriate.
(3) Affiliated operations plan. There may be circumstances when the parties to a transaction propose in the FOCI action plan that the U.S. contractor provides certain services for the foreign interest or enters into arrangements with the foreign interest, or the foreign interest provides services for or enters into arrangements with the U.S. contractor. In such circumstances, the contractor will document a plan, subject to CSA approval, outlining the entity's consolidated policies and procedures regarding the control of affiliated operations, regardless of whether such endeavors are administrative, operational, or commercial, performed directly or through third-party service providers, within the entity, or among any of the entity's controlled entities, or the foreign interest and its affiliates.
(4) Facilities location plan. When a contractor is potentially collocated with or in close proximity to its foreign parent or an affiliate, the contractor will prepare a facilities location plan to assist the CSA in determining if the contractor is collocated or if the close proximity can be allowed under the FOCI mitigation plan. A U.S. entity generally cannot be collocated with the foreign parent or affiliate, i.e., at the same address or in the same location.
(i) Annual review and certification -
(1) Annual review. The CSA will meet at least annually, and otherwise as required by circumstances, with the GSCs of contractors operating under a VT, PA, SSA, or SCA to review the purpose and effectiveness of the clearance arrangement and to establish a common understanding of the operating requirements and their implementation. These reviews will include an examination of:
(i) Acts of compliance or noncompliance with the approved security arrangement, standard rules, and applicable laws and regulations.
(ii) Problems or impediments associated with the practical application or utility of the security arrangement.
(iii) Whether security controls, practices, or procedures warrant adjustment.
(2) Annual certification. For contractors operating under a VT, PA, SSA, or SCA, the chairman of the GSC will submit to the CSA one year from the effective date of the agreement and annually thereafter, an implementation and compliance report. Such reports will include:
(i) A detailed description of the manner in which the contractor is carrying out its obligations under the agreement.
(ii) Changes to security procedures, implemented or proposed, and the reasons for those changes.
(iii) A detailed description of any acts of noncompliance, whether inadvertent or intentional, with a discussion of remedial measures, including steps taken to prevent such acts from recurring.
(iv) Any changes, or impending changes, of KMP or key board members, including the reasons therefore.
(v) Any changes or impending changes in the organizational structure or ownership, including any reorganizations, acquisitions, mergers, or divestitures.
(vi) Any other issues that could have a bearing on the effectiveness of the applicable agreement.
(j) Transactions involving foreign persons, and the Committee on Foreign Investment in the United States (CFIUS).
(1) The CFIUS is a USG interagency committee chaired by the Treasury Department that conducts assessments, reviews and investigations of transactions that could result in foreign control of a U.S. business, and certain non-controlling investments and certain real estate transactions involving foreign persons under 50 U.S.C. 4565.
(2) In CFIUS cases where the acquired U.S. business requires access to classified information, the CFIUS assessment, review or investigation, as applicable, and the CSA industrial security FOCI review are carried out in parallel, but are separate processes with different time constraints and considerations.
(3) The CSA will promptly advise the parties in a transaction under CFIUS review that would require FOCI negation or mitigation measures if consummated, to submit to the CSA a plan to negate or mitigate FOCI. If it appears that an agreement cannot be reached on material terms of a FOCI action plan, or if the U.S. person that is a party, or in applicable cases, a subject of the proposed transaction fails to comply with the FOCI reporting requirements of this rule, the CSA may recommend a full investigation of the transaction by the CFIUS to determine the effects on national security.