(a) FOCI determination. A U.S. entity is under foreign ownership, control, or influence (FOCI) when:
(1) A foreign interest has the power to direct or decide matters affecting the entity's management or operations in a manner that could:
(i) Result in unauthorized access to classified information; or
(ii) Adversely affect performance of a contract or agreement requiring access to classified information; and
(2) The foreign interest exercises that power:
(i) Directly or indirectly;
(ii) Through ownership of the U.S. entity's securities, by contractual arrangements, or other similar means;
(iii) By the ability to control or influence the election or appointment of one or more members to the entity's governing board (e.g., board of directors, board of managers, board of trustees) or its equivalent; or
(iv) Prospectively (i.e., is not currently exercising the power, but could).
(b) CSA guidance. The CSA establishes guidance for entities on filling out and submitting a Standard Form (SF) 328, Certificate Pertaining to Foreign Interests (OMB Control No. 0704-0194), and on reporting changes in circumstances that might result in a determination that the entity is under FOCI or is no longer under FOCI. The CSA also advises entities on the Government appeal channels for disputing CSA FOCI determinations.
(c) FOCI factors. To determine whether an entity is under FOCI, the CSA analyzes available information to determine the existence, nature, and source of FOCI. The CSA:
(1) Considers information the entity or its parent provides on the SF 328/CF 328 (OMB Control No. 0704-0194), and any other relevant information; and
(2) Considers in the aggregate the following factors about the entity:
(i) Record of espionage against U.S. targets, either economic or Government;
(ii) Record of enforcement actions against the entity for transferring technology without authorization;
(iii) Record of compliance with pertinent U.S. laws, regulations, and contracts or agreements;
(iv) Type and sensitivity of the information the entity would access;
(v) Source, nature, and extent of FOCI, including whether foreign interests hold a majority or minority position in the entity, taking into consideration the immediate, intermediate, and ultimate parent entities;
(vi) Nature of any relevant bilateral and multilateral security and information exchange agreements;
(vii) Ownership or control, in whole or in part, by a foreign government; and
(viii) Any other factor that indicates or demonstrates foreign interest capability to control or influence the entity's operations or management.
(d) Entity access while under FOCI.
(1) If the CSA is determining whether an entity is eligible to access classified information and finds that the entity is under FOCI, the CSA must consider the entity ineligible for access to classified information. The CSA and the entity may then attempt to negotiate FOCI mitigation or negation measures sufficient to permit a favorable eligibility determination.
(2) The CSA may not determine that the entity is eligible to access classified information until the entity has put into place appropriate security measures to negate or mitigate FOCI or is otherwise no longer under FOCI. If the degree of FOCI is such that no mitigation or negation efforts will be sufficient, or access to classified information would be inconsistent with national security interests, then the CSA will determine the entity ineligible for access to classified information.
(3) If an entity comes under FOCI, the CSA may allow the existing eligibility status to continue while the CSA and the entity negotiate acceptable FOCI mitigation or negation measures, as long as there is no indication that classified information is at risk. If the entity does not actively negotiate mitigation or negation measures in good faith, or there are no appropriate measures that will remove the possibility of unauthorized access to classified information or adverse effect on the entity's performance of contracts or agreements involving classified information, the CSA will take steps, in coordination with the GCA, to terminate eligibility.
(e) FOCI and entities under the CCIPP. DHS may sponsor, as part of the CCIPP, a U.S. entity that is under FOCI, under the following circumstances:
(1) The Secretary of DHS proposes appropriate FOCI risk mitigation or negation measures (see paragraph (f) of this section) to the other CSAs and ensures the anticipated release of classified information:
(i) Is authorized for release to the country involved;
(ii) Does not include information classified under the Atomic Energy Act; and
(iii) Does not impede or interfere with the entity's ability to manage and comply with regulatory requirements imposed by other Federal agencies, such as the State Department's International Traffic in Arms Regulation.
(2) If the CSAs agree the mitigation or negation measures are sufficient, DHS may proceed to enter a CCIPP information sharing agreement with the entity. If one or more CSAs disagree, the Secretary of DHS may seek a decision from the Assistant to the President for National Security Affairs before entering a CCIPP information sharing agreement with the entity.
(f) Mitigation or negation measures to address FOCI.
(1) The CSA-approved mitigation or negation measures must assure that the entity can offset FOCI by effectively denying unauthorized people or entities access to classified information and preventing the foreign interest from adversely impacting the entity's performance on contracts or agreements requiring access to classified information.
(2) Any mitigation or negation measures the CSA approves for an entity must not impede or interfere with the entity's ability to manage and comply with regulatory requirements imposed by other Federal agencies (such as Department of State's International Traffic in Arms Regulation).
(3) If the CSA approves a FOCI mitigation or negation measure for an entity, it may agree that the measure, or particular portions of it, may apply to all of the present and future sub-entities within the entity's organization.
(4) Mitigation or negation measures are different for ownership versus control or influence.
(5) Methods to mitigate foreign control or influence (unrelated to ownership) may include:
(i) Assigning specific oversight duties and responsibilities to independent board members;
(ii) Formulating special executive-level security committees to consider and oversee matters that affect entity performance on contracts or agreements requiring access to classified information;
(iii) Modifying or terminating loan agreements, contracts, agreements, and other understandings with foreign interests;
(iv) Diversifying or reducing foreign-source income;
(v) Demonstrating financial viability independent of foreign interests;
(vi) Eliminating or resolving problem debt;
(vii) Separating, physically or organizationally, the entity component performing on contracts or agreements requiring access to classified information;
(viii) Adopting special board resolutions;
(ix) A combination of these methods, as determined by the CSA; or
(x) Other actions that effectively negate or mitigate foreign control or influence.
(6) Methods to mitigate or negate foreign ownership include:
(i) Board resolutions. The CSA and the entity may agree to a board resolution when a foreign interest does not own voting interests sufficient to elect, or is otherwise not entitled to representation on, the entity's governing board. The resolution must identify the foreign shareholders and their representatives (if any), note the extent of foreign ownership, certify that the foreign shareholders and their representatives will not require, will not have, and can be effectively excluded from, access to all classified information, and certify that the entity will not permit the foreign shareholders and their representatives to occupy positions that might enable them to influence the entity's policies and practices, affecting its performance on contracts or agreements requiring access to classified information.
(ii) Security control agreements (SCAs). The CSA and the entity may agree to use an SCA when a foreign interest does not effectively own or control an entity (i.e., the entity is under U.S. control), but the foreign interest is entitled to representation on the entity's governing board. At least one cleared U.S. citizen must serve as an outside director on the entity's governing board.
(iii) Special security agreements (SSAs). The CSA and the entity may agree to use an SSA when a foreign interest effectively owns or controls an entity. The SSA preserves the foreign owner's right to be represented on the entity's board or governing body with a direct voice in the entity's business management, while denying the foreign owner majority representation and unauthorized access to classified information. When a GCA requires an entity to have access to proscribed information, and the CSA proposes an SSA as the mitigation measure, the CSA makes a national interest determination (NID) as part of determining an entity's eligibility for access. See paragraph (h) of this section for more information on NIDs.
(iv) Voting trust agreements (VTAs) or proxy agreements (PAs). The CSA and the entity may agree to use one of these measures when a foreign interest effectively owns or controls an entity. The VTA and PA are arrangements that vest the voting rights of the foreign-owned stock in cleared U.S. citizens approved by the CSA. Under the VTA, the foreign owner transfers legal title in the entity to the trustees approved by the CSA. Under the PA, the foreign owner conveys their voting rights to proxy holders approved by the CSA. The entity must be organized, structured, and financed to be capable of operating as a viable business entity independently from the foreign owner. Both VTAs and PAs can effectively negate foreign ownership and control; therefore, neither imposes any restrictions on the entity's eligibility to have access to classified information or to compete for contracts or agreements requiring access to classified information, including those involving proscribed information. Both VTAs and PAs can also effectively negate foreign government control.
(v) Combinations of the measures in paragraphs (f)(6)(i) through (iv) of this section or other similar measures that effectively mitigate or negate the risks involved with foreign ownership. CSAs must identify combination agreements in a way that distinguishes them from other agreements (e.g., a combination SSA-proxy agreement cannot be identified as either an SSA or a proxy agreement beause those names would not distinguish the combination agreement from either of the other types). CSAs must also coordinate terms in combination agreements with the controlling agency prior to releasing proscribed information.
(g) Standards for FOCI mitigation or negation measures. The CSA must include the following requirements as part of any FOCI mitigation or negation measures, to ensure that entities implement necessary security and governing controls:
(1) Annual certification and annual compliance reports by the entity's governing board and the KMOs;
(2) The U.S. Government remedies in case the entity is not adequately protecting classified information or not adhering to the provisions of the mitigation or negation measure;
(3) Supplements to FOCI mitigation or negation measures as the CSA deems necessary. In addition to the standard FOCI mitigation or negation measure's requirements, the CSA may require more procedures via a supplement, based upon the circumstances of an entity's operations. The CSA may place these requirements in supplements to the FOCI mitigation or negation measure to allow flexibility as circumstances change without having to renegotiate the entire measure. When making use of supplements, the CSA does not consider the FOCI mitigation measure final until it approves the required supplements (e.g., technology control plan, electronic communication plan); and
(4) For agreements to mitigate or negate ownership (PAs, VTAs, SSAs, and SCAs), the following additional requirements apply:
(i) FOCI oversight. The CSA verifies that the entity establishes an oversight body consisting of trustees, proxy holders or outside directors, as applicable, and those officers or directors whom the CSA determines are eligible for access to classified information (see § 2004.36). The entity's security officer is the principal advisor to the oversight body and attends their meetings. The oversight body:
(A) Maintains policies and procedures to safeguard classified information in the entity's possession with no adverse impact on performance of contracts or agreements requiring access to classified information; and
(B) Verifies the entity is complying with the FOCI mitigation or negation measure and related documents, contract security requirements or equivalent, and the NISP;
(ii) Qualifications of trustees, proxy holders, and outside directors. The CSA determines eligibility for access to classified information for trustees, proxy holders, and outside directors at the classification level of the entity's eligibility determination. Trustees, proxy holders, and outside directors must meet the following criteria:
(A) Be a U.S. citizen residing in the United States who can exercise management prerogatives relating to their position in a way that ensures that the foreign owner can be effectively insulated from the entity or effectively separated from the entity's classified work;
(B) Be completely disinterested individuals with no prior involvement with the entity, the entities with which it is affiliated, or the foreign owner and its affiliates. Individuals who are serving as trustees, proxy holders, or outside directors as part of a mitigation measure for the entity are not considered to have prior involvement solely by performing that role; and
(C) Be involved in no other circumstances that may affect an individual's ability to serve effectively, such as the number of boards on which the individual serves or the length of time serving on any other boards;
(iii) Annual meeting. The CSA meets at least annually with the oversight body to review the purpose and effectiveness of the FOCI mitigation or negation agreement; establish a common understanding of the operating requirements and their implementation; and provide guidance on matters related to FOCI mitigation and industrial security. These meetings include a CSA review of:
(A) Compliance with the approved FOCI mitigation or negation measure;
(B) Problems regarding practical implementation of the mitigation or negation measure; and
(C) Security controls, practices, or procedures and whether they warrant adjustment; and
(iv) Annual certification. The CSA reviews the entity's annual report; addresses, and resolves issues identified in the report; and documents the results of this review and any follow-up actions.
(h) National interest determination (NID) -
(1) Requirement for a NID.
(i) The CSA must determine whether allowing an entity access to proscribed information under an SSA is consistent with national security interests of the United States as part of making an entity eligibility determination in cases in which:
(A) The GCA requires an entity to have access to proscribed information;
(B) The entity is under FOCI; and
(C) The CSA proposes an SSA to mitigate the FOCI.
(ii) This determination is called a national interest determination (NID). A favorable NID confirms that an entity's access to the proscribed information under an SSA is consistent with national security interests. If the CSA is unable to render a favorable NID, it must consider other FOCI mitigation measures instead of an SSA or reassess the entity's eligibility for access to classified information.
(2) NID process.
(i) The CSA makes the NID for any categories of proscribed information for which the entity requires access.
(ii) In cases in which any category of the proscribed information is controlled by another agency (ODNI for SCI, DOE for RD, NSA for COMSEC), the CSA asks that controlling agency to concur on the NID for that category of information.
(iii) The CSA informs the GCA and the entity when the NID is complete. In cases involving SCI, RD, or COMSEC, the CSA also informs the GCA and the entity when a controlling agency concurs or non-concurs on that agency's category of proscribed information. The entity may begin accessing a category of proscribed information once the CSA informs the GCA and the entity that the controlling agency concurs, even if other categories of proscribed information are pending concurrence.
(iv) An entity's access to SCI, RD, or COMSEC remains in effect so long as the entity remains eligible for access to classified information and the contract or agreement (or program or project) which imposes the requirement for access to those categories of proscribed information remains in effect, except under the following circumstances:
(A) The CSA, GCA, or controlling agency becomes aware of adverse information that impacts the entity eligibility determination;
(B) The CSA's threat assessment pertaining to the entity indicates a risk to one of the categories of proscribed information;
(C) The CSA becomes aware of any material change regarding the source, nature, and extent of FOCI; or
(D) The entity's record of NISP compliance, based on CSA reviews in accordance with § 2004.26, becomes less than satisfactory.
(v) Under any of these circumstances, the CSA determines whether an entity may continue being eligible for access to classified information, it must change the FOCI mitigation measure in order to remain eligible, or the CSA must terminate or revoke access.
(3) Process for concurring or non-concurring on a NID.
(i) Each controlling agency tells the CSAs what information the controlling agency requires to consider a NID. ODNI identifies the information it requires to assess a NID for access to SCI, DOE identifies the information it requires to assess a NID for access to RD, and NSA identifies the information it requires to assess a NID for access to COMSEC.
(ii) The CSA requests from the GCA justification for access, a description of the proscribed information involved, and other information the controlling agency requires to concur or non-concur on the NID.
(iii) The CSA requests concurrence on the NID from the controlling agency for the relevant category of proscribed information (ODNI for SCI, DOE for RD, NSA for COMSEC), and provides the information that controlling agency identified.
(iv) The relevant controlling agency (ODNI for SCI, DOE for RD, NSA for COMSEC) responds in writing to the CSA's request for concurrence.
(A) The controlling agency may concur with the NID for access under a particular contract or agreement, access under a program or project, or for all future access to the same category of proscribed information.
(B) If the relevant controlling agency does not concur with the NID, the controlling agency informs the CSA in writing, citing the reasons why it does not concur. The CSA notifies the applicable GCA and, in coordination with the GCA, then notifies the entity. The entity cannot have access to the category of proscribed information under the control of that agency (i.e., if ODNI does not concur, the entity may not have access to SCI; if DOE does not concur, the entity may not have access to RD; and if NSA does not concur, the entity may not have access to COMSEC). The CSA, in consultation with the applicable GCA, must decide whether the reason the controlling agency did not concur otherwise affects the entity's eligibility for access to classified information (see § 2004.32(g)), or requires changing the FOCI mitigation measure (see paragraph (f) of this section).
(v) When an entity is eligible for access to classified information that includes a favorable NID for SCI, RD, or COMSEC, the CSA does not have to request a new NID concurrence for the same entity if the access requirements for the relevant category of proscribed information and terms remain unchanged for:
(A) Renewing the contract or agreement;
(B) New task orders issued under the contract or agreement;
(C) A new contract or agreement that contains the same provisions as the previous one (this usually applies when the contract or agreement is for a program or project); or
(D) Renewing the SSA.
(vi) When making the decision whether or not to concur with a NID for proscribed information under its control, the controlling agency will not duplicate work already performed by the GCA during the contract award process or by the CSA when determining entity eligibility for access to classified information.
(4) Timing for concurrence process.
(i) The CSA requests NID concurrence from the controlling agency as soon as the CSA has made a NID, if the entity needs access to SCI, RD, or COMSEC.
(ii) The controlling agency provides a final, written concurrence or non-concurrence to the CSA within 30 days after receiving the request for concurrence from the CSA.
(iii) In cases when a controlling agency requires clarification or additional information from the CSA, the controlling agency responds to the CSA within 30 days to request clarification or additional information as needed, and to coordinate a plan and timeline for concurring or non-concurring. The controlling agency must provide written updates to the CSA every 30 days until it concurs or non-concurs. In turn, the CSA provides the GCA and the entity with updates every 30 days.
(i) Limited eligibility determinations (for entities under FOCI without mitigation or negation).
(1) In exceptional circumstances when an entity is under FOCI, the CSA may decide that limited eligibility for access to classified information is appropriate when the entity is unable or unwilling to implement FOCI mitigation or negation measures (this is not the same as limited eligibility in other circumstances; for more information on limited eligibility in other cases, see § 2004.32(f)).
(2) The GCA first decides whether to request a limited eligibility determination for the entity and must articulate a compelling need for it to the CSA that is in accordance with U.S. national security interests. The GCA must verify to the CSA that access to classified information is essential to contract or agreement performance, and accept the risk inherent in not mitigating or negating the FOCI. See § 2004.32(b)(3).
(3) The CSA may grant a limited eligibility determination if the GCA requests and the entity meets all other eligibility criteria in § 2004.32(e).
(4) A foreign government may sponsor a U.S. sub-entity of a foreign entity for limited eligibility when the foreign government desires to award a contract or agreement to the U.S. sub-entity that involves access to classified information for which the foreign government is the original classification authority (i.e., foreign government information), and there is no other need for the U.S. sub-entity to have access to classified information.
(5) Limited eligibility determinations are specific to the classified information of the requesting GCA or foreign government, and specific to a single, narrowly defined contract, agreement, or circumstance of that GCA or foreign government.
(6) The access limitations of a favorable limited eligibility determination apply to all of the entity's employees, regardless of citizenship.
(7) A limited eligibility determination is not an option for entities that require access to proscribed information when a foreign government has ownership or control over the entity. See § 2004.32(e)(9).
(8) The CSA administratively terminates the entity's limited eligibility when there is no longer a need for access to the classified information for which the CSA made the favorable limited eligibility determination. Terminating one limited eligibility status does not impact other ones the entity may have.