Biden Issues First-Ever Presidential Directive Defining National Security Factors for CFIUS to Consider in Evaluating Transactions

12 min read

On September 15, President Biden signed an Executive Order (the "EO") identifying national security risks that the Committee on Foreign Investment in the United States ("CFIUS" or the "Committee") must consider when reviewing covered transactions. The EO focuses on five areas: supply chain resilience, impact on US technological leadership, assessment of aggregate investment trends in industries, cybersecurity risks, and sensitive data. Although the EO provides specific guidance on national security factors that the Committee must consider in its review of foreign investment in the United States, it does not affect CFIUS's processes, authority, or legal jurisdiction. The EO signals the US Government's continued emphasis on assessing national security considerations in CFIUS reviews—including highlighting specific priority areas—while balancing the long-standing US policy of encouraging foreign direct investment. 


As we discussed previously, the Foreign Investment Risk Review Modernization Act of 2018 ("FIRRMA") expanded CFIUS's authority to review covered transactions for any risk to the national security of the United States that arises as a result of such transactions.1 Although, consistent with long-standing practice, neither FIRRMA nor its implementing regulations define "national security", the CFIUS statute provides the following non-exhaustive list of factors for CFIUS to consider in reviewing covered 

  1. domestic production needed for projected national defense requirements;
  2. the capability and capacity of domestic industries to meet national defense requirements, including the availability of human resources, products, technology, materials, and other supplies and services;
  3. the control of domestic industries and commercial activity by foreign citizens as it affects the capability and capacity of the United States to meet the requirements of national security;
  4. the potential effects of the proposed or pending transaction on sales of military goods, equipment, or technology to any country identified by the Secretary of State as a country that supports terrorism or as a country of concern regarding specific considerations; 
  5. the potential effects of the proposed or pending transaction on US international technological leadership in areas affecting US national security;
  6. the potential national security-related effects on US critical infrastructure, including major energy assets;
  7. the potential national security-related effects on US critical technologies;
  8. whether the covered transaction is a foreign government-controlled transaction;
  9. the subject country's record of adhering to nonproliferation control regimes; cooperating in counter-terrorism efforts; and the potential for transshipment or diversion of technologies with military applications, including an analysis of national export control laws and regulations;
  10. the long-term projection of US requirements for sources of energy and other critical resources and material; and
  11. such other factors as the President or the Committee may determine to be appropriate, generally or in connection with a specific review or investigation.2

This list of factors was not new or changed under FIRRMA—it was last updated 15 years ago by the prior overhaul of the CFIUS statute pursuant to the Foreign Investment and National Security Act of 2007 (FINSA). As described below, the EO expands on two of the above factors and directs CFIUS to consider three additional factors in its reviews. Of note, nothing precluded CFIUS from considering such issues prior to the EO—indeed, most of the points covered in the EO track with areas of CFIUS focus in recent years—but it does direct CFIUS formally to consider these new factors in reviews. Accordingly, the EO reflects a clear policy priority by the Biden Administration as the USG continues to try to adapt CFIUS to the ever-evolving national-security risk landscape. 

The Executive Order

For the first time in CFIUS's nearly 50-year history, the President has expressly directed CFIUS to consider certain specific sets of factors in its review of national-security risks arising from covered transactions, underscoring the Biden Administration's view of their importance to the national security of the United States. Each of the factors addressed in the EO is discussed below.

(1) A given transaction's effect on the resilience of critical US supply chains that may have national security implications, including those outside of the defense industrial base.

Following more than two years of supply chains disruptions in the United States and globally, the EO's directive begins by emphasizing the United States' need to ensure supply chain resiliency. In expanding on the issues to be considered under the third statutory factor noted above, the EO states that supply chain disruptions are a vulnerability to US national security if they occur in certain manufacturing capabilities, services, critical mineral resources, or technologies fundamental to US national security. Notably, the EO emphasizes that supply chain resilience considerations are not limited to the defense industrial base. The EO specifically references microelectronics, artificial intelligence, biotechnology and biomanufacturing, quantum computing, advanced clean energy (such as battery storage and hydrogen), climate adaptation technologies, critical materials (such as lithium and rare earth elements), and elements of the agriculture base that have implications for food security as examples of such areas fundamental to national security. In assessing supply chain considerations, the EO directs that the Committee must consider, as appropriate (i) the United States' domestic capacity to meet national security requirements of supply chains; (ii) the degree of involvement in the supply chain by a foreign person party to the transaction that might take actions to threaten or impair national security or has relevant third-party ties that might cause the transaction to pose such a threat; (iii) the degree of diversification through alternative suppliers, including those located in allied or partnered economies; (iv) whether the US business party to the transaction supplies, directly or indirectly, the USG, the energy sector industrial base, or the defense industrial base; and (v) the concentration of ownership or control by the foreign person in the given supply chain. 

(2) A given transaction's effect on US technological leadership in areas affecting US national security, including microelectronics, artificial intelligence, biotechnology and biomanufacturing, quantum computing, advanced clean energy, and climate adaptation technologies.

The EO acknowledges that foreign investment can foster domestic innovation, but emphasizes that it is important to protect US technological leadership via CFIUS reviews. Accordingly, in expanding on the fifth statutory factor noted above, the EO requires CFIUS to consider, as appropriate, whether a covered transaction involves certain manufacturing capabilities, services, critical mineral resources, or technologies fundamental to US technological leadership, which it notes include microelectronics, artificial intelligence, biotechnology and biomanufacturing, quantum computing, advanced clean energy, and climate adaptation technologies. In addition to considering whether the foreign person party to the transaction or its relevant third-party ties create risks to national security, the EO directs CFIUS to consider whether a covered transaction could reasonably result in future advancements and applications in such technologies that could undermine national security. Maintaining technological leadership has long been a factor that CFIUS is specifically instructed under the statute to consider in reviews, but the EO identifies specific industries in which CFIUS must analyze this consideration. The EO also directs the Office of Science and Technology Policy to "periodically" publish a list of technology sectors, in addition to those identified in the EO, that are fundamental to US technological leadership in areas relevant to national security. Accordingly, as part of ongoing efforts to make CFIUS more nimble and adaptable, the EO intends for the list of industries CFIUS considers with respect to technology leadership issues to evolve over time. 

(3) Industry investment trends that may have consequences for a given transaction's impact on US national security when considered in the aggregate.

Although CFIUS reviews each covered transaction on a case-by-case basis, the EO directs CFIUS to look beyond the specific transaction before it in assessing its impact on US national security and consider the aggregate impact of foreign investments in the same or related industries. This approach is not necessarily new, but it arguably denotes a subtle shift in CFIUS's long-held public stance that it reviews each case based on the facts of the particular transaction before it. While FIRRMA and its implementing regulations generally direct the Committee and the President to review the risk arising from the particular transaction before it in assessing the national security risks arising from the transaction,3 the EO makes clear that such reviews should not occur in isolation, and should instead consider industry investment trends. The White House Fact Sheet released with the EO notes that "there may be a comparatively low threat associated with a foreign company or country acquiring a single firm in a sector, but a much higher threat associated with a foreign company or country acquiring multiple firms within the sector."4

This emphasis on considering incremental investments over time in the same or related industries will likely add a layer of uncertainty when parties assess the potential risks arising from their transactions. This is because it may be difficult to assess both general investment trends within an industry and whether a particular transaction will be the tipping point within an industry trend that the Committee finds problematic. Of note, not all incremental investments need qualify as covered transactions in order for CFIUS to consider their collective impact pursuant to this provision of the EO. To assess whether this risk might affect CFIUS's review of a transaction, investors and their counsel will need to monitor closely activities in target industries—as well as bear in mind a given investor's history of investments and overall market presence in relevant industries. 

(4) Cybersecurity risks that threaten to impair national security.

The EO provides that CFIUS shall consider whether a covered transaction might provide a foreign person, or third-parties to which it has ties, with direct or indirect access to capabilities or information databases and systems through which they could conduct cyber intrusions or other malicious cyber-enabled activity. The EO highlights as relevant national security considerations cyber activities that can impact (i) the outcome of elections; (ii) the operation of US critical infrastructure, including critical energy infrastructure and smart grids; (iii) the confidentiality, integrity, or availability of US communications; and (iv) the protection or integrity of data in storage or databases or systems housing sensitive data. The EO also instructs CFIUS to consider the cybersecurity posture, practices, capabilities, and access of both the foreign person and the US business involved in the transaction that could enable malicious cyber activities. The EO's emphasis on cyber security is neither new nor surprising given ongoing concerns about cyber vulnerabilities. We have seen CFIUS address concerns relating to cyber security issues in covered transactions, including potential third-party vulnerabilities, and the EO confirms our expectation that this will continue to be a focus area for CFIUS. 

(5) Risks to US persons' sensitive data.

Consistent with ongoing heightened national security interest in data security, the EO instructs CFIUS to consider a number of factors relating to sensitive data of individuals. As we have previously reported, CFIUS has repeatedly underscored data's significance as a national security consideration in recent years, including by designating companies that collect or maintain "sensitive personal data" as a category of "TID US business" under FIRRMA, thereby affording CFIUS expanded authorities over covered transactions involving such US businesses. Additionally, "data" was the only substantive issue area to get a dedicated panel at the Treasury Department's inaugural CFIUS conference earlier this year. CFIUS has also taken action in a number of deals in recent years—including closed transactions via its non-notified authorities—for transactions involving US businesses that collect and maintain large amounts of personal data, including the two most recent presidential blocks. 

The EO instructs CFIUS to consider the risks to national security of foreign investments in US businesses that have access to or that store personal data of US persons. Notably, whereas the TID US business standard in the CFIUS regulations refers to US businesses that collect or maintain sensitive personal data, the EO directs CFIUS to consider US business that have access to sensitive data, which is a broader standard. The EO also goes well beyond data considerations under the TID US business standard by using the term "sensitive data," which is distinct from—and more expansive than—the defined term "sensitive personal data" under the CFIUS regulations. Significantly, the EO notes that sensitive data includes US persons' "health, digital identity, or other biological data and any data that could be identifiable or de-anonymized, that could be exploited to distinguish or trace an individual's identity in a manner that threatens national security." (Emphasis added.) This is consistent with our experience of CFIUS sometimes having significant data-related concerns even where the relevant US business has no involvement with the types of data enumerated under the "sensitive personal data" definition in the CFIUS regulations. 

The EO also notes that "advances in technology, combined with access to large data sets, increasingly enable the re-identification or de-anonymization of what was once identifiable data." We have repeatedly seen CFIUS be reluctant to exempt anonymized or aggregated data from requirements in mitigation agreements relating to data concerns, and the EO confirms the Biden Administration's concerns in this area. Given the breadth of the EO provisions on data, our experience with CFIUS reviews of data cases in recent years, and the increasing role of data collection in businesses in a wide array of industries, we expect CFIUS to maintain and expand its focus on data-related transactions.

Although the EO does not change the CFIUS process or authorities—and as indicated, the factors it sets forth are likely already being considered by CFIUS in reviews—it does emphasize this administration's focus on CFIUS's role in using its foreign investment review authorities to protect US national security, and the EO highlights areas of particular national security concern. Accordingly, the EO provides a useful—but not definitive—guide for considering whether contemplated transactions have a potential nexus to national security and could have CFIUS implications. 

Brittany Henderson (White & Case, Associate, Washington, DC) contributed to the development of this publication.

1 50 USC. § 4565(a)(4), (l). 
2 50 USC. § 4565(f)(1)-(11).
3 For example, FIRRMA provides that the President may suspend or prohibit any covered transaction if he or she finds, inter alia, that there is credible evidence that leads the President to believe "that a foreign person that would acquire an interest in [the US business] as a result of the covered transaction might take action that threatens to impair US national security." 50 USC. § 4565(d)(4) (emphasis added).
4 FACT SHEET: President Biden Signs Executive Order to Ensure Robust Reviews of Evolving National Security Risks by the Committee on Foreign Investment in the United States (Sept. 15, 2022)

White & Case means the international legal practice comprising White & Case LLP, a New York State registered limited liability partnership, White & Case LLP, a limited liability partnership incorporated under English law and all other affiliated partnerships, companies and entities.

This article is prepared for the general information of interested persons. It is not, and does not attempt to be, comprehensive in nature. Due to the general nature of its content, it should not be regarded as legal advice.

© 2022 White & Case LLP