FIRRMA: Proposed CFIUS Legislation Would Bring Significant Changes

21 min read

Senator John Cornyn (R-TX) and Representative Robert Pittenger (R-NC) have introduced parallel legislation that, if passed, would implement significant changes to the Committee on Foreign Investment in the United States (CFIUS) review process. Notably, the legislation would extend the CFIUS review timeframes, increase the scope of transactions subject to CFIUS's jurisdiction, make certain notifications mandatory, and establish a process that would allow for expedited review and approval of certain transactions.

Over the past couple of years, many politicians and commentators have publicly questioned whether the CFIUS process can adequately address evolving national security concerns resulting from foreign investments in US companies. On November 8, 2017, Senator John Cornyn, the Senate Majority Whip, introduced the Foreign Investment Risk Review Modernization Act of 2017 (FIRRMA), which would implement significant changes to the CFIUS process. This would be the first update to the CFIUS statute in a decade—since the passage of the Foreign Investment and National Security Act of 2007. US Representative Robert Pittenger introduced a substantively identical bill in the House of Representatives. The bills were introduced with strong bipartisan support—reportedly, the Senate version has five Republican and four Democratic co-sponsors, and the House version has ten Republican and three Democratic co-sponsors. FIRRMA was also reportedly developed in close consultation with Administration officials, including Treasury Secretary Steven Mnuchin, who chairs CFIUS. Given its bipartisan support and expected endorsement from the Trump Administration, FIRRMA appears well positioned to become law.

Senator Cornyn has stated that FIRRMA is not meant to overhaul CFIUS or expand CFIUS's authority beyond conducting national security reviews, but that it is intended to update the CFIUS process to address modern threats while maintaining the United States' long-standing policy of being open to foreign investment. While in many cases FIRRMA would effectively codify current CFIUS practices, it does make some significant changes to several aspects of the review process.

For example, the initial review period would be expanded to 45 days from the current 30-day period, and in "extraordinary circumstances" CFIUS could extend a 45-day investigation by an additional 30 days—resulting in a formal review process that could take up to 120 days—a month and a half longer than the time currently authorized for a single CFIUS review and investigation cycle. FIRRMA would also expand CFIUS's jurisdiction to cover a number of new types of transactions. These include purchases or leases of real estate in close proximity to sensitive U.S. Government facilities, and the contribution of intellectual property and associated support to a foreign person through any arrangement (e.g., a joint venture). Both of these categories would capture transactions beyond the traditional mergers and acquisitions currently subject to CFIUS review, and neither requires that the transaction involve a US business (as is presently needed for CFIUS to have jurisdiction). Additionally, FIRRMA provides CFIUS with broader jurisdiction for transactions involving critical technology or infrastructure companies. FIRRMA also departs from the current CFIUS framework by introducing a new "declaration" process, which would make an abbreviated filing mandatory in certain cases—compared with CFIUS review being ostensibly voluntary for all transactions under the current law. The declaration process would also allow for expedited approvals in certain cases and feedback from CFIUS on whether it wants to conduct a full review in others. This marks a notable change from the current CFIUS approach, in which CFIUS will not provide any formal feedback until parties have submitted a full notice meeting all regulatory requirements.

We highlight FIRRMA's key provisions below and offer our perspective on them.


FIRRMA expands CFIUS's jurisdiction and the scope of the CFIUS review process.

Currently, CFIUS has jurisdiction to review any transaction that could result in control of a US business by a foreign person. FIRRMA expands "covered transactions" (i.e., transactions subject to CFIUS's jurisdiction) to specifically include a number of new transaction types, including:

  • The purchase or lease by a foreign person of private or public real estate in the United States that is located in close proximity to a US military installation or to another facility or property of the US Government that is sensitive for reasons relating to national security. A number of transactions have been rejected in the past because the US business had facilities or assets in close proximity to sensitive government installations. This provision codifies that consideration and notably expands it to include leases of real estate, meaning that CFIUS would potentially have jurisdiction to review the national security impact of commercial leases even if there is no foreign investment transaction.
  • Any investment (other than "passive investment")—even if it does not meet the control threshold of the CFIUS regulations—by a foreign person in any US "critical technology company" or "critical infrastructure company" (as each of these terms is defined in FIRRMA and explained below).
  • Any change in the rights that a foreign person has with respect to a US business in which the foreign person has an investment, if that change could result in foreign control of the US business or a non-passive investment in a critical technology company or critical infrastructure company.
  • The contribution (other than through an ordinary customer relationship) by a US critical technology company of both intellectual property and associated support to a foreign person through any type of arrangement, such as a joint venture. Notably, this provision does not have a geographic limitation, meaning that CFIUS would potentially have jurisdiction to review US critical technology companies entering into joint ventures or other qualifying arrangements with foreign parties even if they are located solely in and focused on non-US locations and markets. Moreover, this would also potentially capture licensing arrangements, meaning that a licensing of technology (outside of an ordinary customer relationship) to a foreign company or joint venture could be subject to CFIUS review even if there is no transfer of interests in or contribution of an actual US business.
  • Any such covered transaction arising from bankruptcy proceedings or other forms of default on debt.
  • Any other transaction, transfer, agreement, or arrangement designed to evade or circumvent the CFIUS process. This concept is part of the current CFIUS regulations, but it is not as explicitly characterized as a covered transaction as it is under FIRRMA.

FIRRMA authorizes CFIUS to exempt from its jurisdiction transactions in the new categories involving real estate, critical technology and infrastructure companies, and contributions of intellectual property where such transactions involve investors from countries to be identified by CFIUS. CFIUS would select the countries eligible for this exemption based on criteria such as whether the United States has a mutual defense treaty in effect with that country, whether the United States has in effect with that country a mutual arrangement to safeguard national security as it pertains to foreign investment, and that country's national security review process for foreign investment. This potential exemption appears designed to allow CFIUS to use these new covered-transaction categories to focus its reviews on investments from countries likely to raise particular concerns in these areas.

FIRRMA introduces several new key terms designed to enable the expansion of CFIUS's scope and jurisdiction. It sets forth criteria for certain of these new terms, which will be clarified in regulations promulgated by CFIUS if the legislation is passed. Notable terms addressed in FIRRMA include:

  • "Critical Technologies," which are technology, components, or technology items that are essential or could be essential to national security. This includes all defense articles or defense services included on the US Munitions List under the International Traffic in Arms Regulations; items controlled for certain reasons on the Commerce Control List under the Export Administration Regulations; certain nuclear-related equipment, technology, software, and facilities; select agents and toxins; and other emerging technologies that could be essential for maintaining or increasing the technological advantage of the United States over countries of special concern (discussed below).
  • A "United States critical infrastructure company" is a US business that owns, operates, or primarily provides services to, an entity or entities that operate within a critical infrastructure sector or subsector. The addition of this term and CFIUS's broader jurisdiction with respect to acquisitions of US critical infrastructure companies reflect an expansion of the current CFIUS statute's focus on protecting US critical infrastructure.
  • A "passive investment" is the only type of foreign investment in a US critical technology or infrastructure company that is not subject to CFIUS's jurisdiction. A passive investment is an investment that, among other criteria, does not fall within the enumerated categories of covered transactions and that does not afford the foreign investor:
    • access to any "nonpublic technical information" (i.e., information without which critical technologies cannot be designed, developed, tested, produced, or manufactured; and in a quantity sufficient to permit the design, development, testing, production, or manufacturing of such technologies) in the possession of the US business;
    • access to any "nontechnical information" (to be defined by CFIUS in FIRRMA's implementing regulations) in the possession of the US business that is not available to all investors;
    • membership or observer rights on the board of directors or equivalent governing body of the US business or the right to nominate an individual to such a position; or
    • any involvement, other than through voting of shares, in substantive decision-making pertaining to any matter involving the US business.

FIRRMA also states that a determination of whether an investment is passive shall be made irrespective of how low the level of the investor's ownership is, though CFIUS can prescribe a threshold over which an investment is deemed not to be passive. Thus, while CFIUS can set an equity floor above which a transaction cannot be considered passive, FIRRMA makes clear that there is no level of investment so low that CFIUS could not find jurisdiction. The current CFIUS regulations provide for a safe harbor that excludes from CFIUS's jurisdiction transactions for 10% or less of the voting interest in a US business if the transaction is solely for the purpose of passive investment. FIRRMA moves away from any notion of a specific passive investment amount being a safe harbor from CFIUS's jurisdiction and provides additional criteria to determine whether an investment is passive.

  • A "country of special concern" is a country that poses a significant threat to the national security interests of the United States. While CFIUS is not required to maintain a list of specific countries of special concern (and FIRRMA is silent on whether any such list would be made public), the term is relevant to determining whether an emerging technology is a "critical technology" (discussed above) and it also plays a role in several factors that CFIUS must consider in reviewing transactions (discussed below).
  • Under the current CFIUS regulations, a "US business" is defined as an entity engaged in interstate commerce in the United States, but only to the extent of its activities in interstate commerce. FIRRMA now defines "United States Business" as any person engaged in interstate commerce in the United States. This change indicates that CFIUS would likely have broader jurisdiction with respect to what constitutes a US business.


FIRRMA introduces a new "declaration" process that makes notification of certain transactions mandatory and offers a potential path for some transactions to receive approval on an expedited basis following a shortened notification.

Whereas parties have always had to submit a full joint voluntary notice to receive formal feedback from CFIUS, FIRRMA introduces a streamlined process for shorter notifications, called "declarations," that may enable some transactions to effectively receive CFIUS approval based upon an abbreviated notification and in a condensed timeframe. This also offers an avenue for parties unsure of whether to file to gain clarity without necessarily having to go through a full notice and review. Whereas parties are permitted to start with a declaration (rather than a full notice) in any case, in certain circumstances declarations are required—meaning that the CFIUS process would no longer be voluntary for such transactions. The following are the key elements of the declaration process:

  • The parties to a covered transaction may submit a declaration for CFIUS's consideration at the parties' discretion in lieu of a full notice.
  • The regulations implementing FIRRMA will specify the information to be contained in declarations, but FIRRMA specifies that declarations should be abbreviated notifications that generally would not be longer than five pages.
  • Declarations will be mandatory in two circumstances:
    • Transactions where the foreign investor is acquiring at least a 25% interest in a US business and at least 25% of the foreign investor's voting interest is directly or indirectly owned by a foreign government; and
    • Certain transactions requiring mandatory declarations that CFIUS will specify in the regulations implementing FIRRMA. FIRRMA notes that appropriate factors CFIUS should consider in determining which categories of transactions require declarations include the technology, industry, or economic sector involved in the transaction; the difficulty of remedying the harm to national security that may result from completion of the transaction; and the difficulty of obtaining information on the type of covered transaction through other means.
  • A mandatory declaration must be submitted at least 45 days before the completion of the transaction. Any party that is required to submit a declaration may opt to submit a full notice instead. If so, the notice must be submitted at least 90 days before the completion of the transaction.
  • Upon receiving a declaration (either voluntary or mandatory), CFIUS can take one of four actions: it may (1) request that the parties file a full written notice, (2) advise the parties that it cannot complete action based on the declaration and inform parties that they may submit a notice in order for CFIUS to complete action, (3) initiate a unilateral review of the transaction, or (4) notify the parties in writing that CFIUS has completed all action with respect to the transaction. FIRRMA states that CFIUS shall "endeavor" to take one of these actions within 30 days of receiving the declaration but does not make the 30-day time period mandatory, so the declaration process could take longer. CFIUS's use of this provision in practice will affect parties' CFIUS strategy, as parties may ultimately determine that it is more efficient to file a full notice from the outset.
  • CFIUS can impose penalties if parties fail to comply with declaration requirements.


FIRRMA lengthens the time period of the CFIUS process.

  • The period for the initial review would extend from 30 calendar days to 45 calendar days. This would provide additional time for the Director of National Intelligence to prepare the National Security Threat Assessment for each transaction, which is currently due on Day 20 but would be due on Day 30 under FIRRMA.
  • In "extraordinary circumstances," at the request of the head of the lead agency, CFIUS could extend an investigation for one 30-day period. In total, this would result in a 120-day formal CFIUS cycle, comprising a 45-day review, a 45-day investigation, and a 30-day extension.
  • FIRRMA does not issue any requirements for how quickly CFIUS must process draft "prefilings" or accept notices once submitted, both of which add time to the process.

Although the timing for the CFIUS process would increase under FIRRMA, allocating more time in the process may enable more cases to be resolved within the initial review period or within one full CFIUS review and investigation cycle. The declaration process may also serve as a way to effectively receive expedited CFIUS approval for less sensitive transactions.


FIRRMA expands the factors CFIUS must consider as part of its national security analysis.

The current CFIUS statute prescribes various factors that CFIUS must consider when conducting its national security analysis. FIRRMA modifies some of the current factors and adds a number of new factors, including:

  • whether the transaction is likely to result in the increased reliance by the United States on foreign suppliers to meet national defense requirements;
  • whether the transaction is likely to reduce the technological and industrial advantage of the United States relative to any country of special concern;
  • whether the transaction is likely to contribute to the loss of or other adverse effects on technologies that provide a strategic national security advantage to the United States;
  • the degree to which the transaction is likely to increase the cost to the US Government of acquiring or maintaining the equipment and systems that are necessary for defense, intelligence, or other national security functions;
  • the potential national security-related effects of the cumulative market share of any one type of infrastructure, energy asset, critical material, or critical technology by foreign persons;
  • whether any foreign person that would acquire an interest in a US business or its assets as a result of the covered transaction has a history of complying with US laws and regulations, including laws and regulations pertaining to exports, the protection of intellectual property, and immigration; and adhering to contracts or other agreements with entities of the US Government;
  • the extent to which the covered transaction is likely to expose, either directly or indirectly, personally identifiable information, genetic information, or other sensitive data of US citizens to access by a foreign government or foreign person that may exploit that information in a manner that threatens national security;
  • whether the transaction is likely to create any new cybersecurity vulnerabilities in the United States or exacerbate existing cybersecurity vulnerabilities;
  • whether the transaction is likely to result in a foreign government gaining a significant new capability to engage in malicious cyber-enabled activities against the United States, including such activities designed to affect the outcome of any election for federal office;
  • whether the transaction involves a country of special concern that has a demonstrated or declared strategic goal of acquiring a type of critical technology that a US business that is a party to the transaction possesses;
  • whether the transaction is likely to facilitate criminal or fraudulent activity affecting the national security of the United States; and
  • whether the transaction is likely to expose any information regarding sensitive national security matters or sensitive procedures or operations of a federal law enforcement agency.

These new factors focus on a number of key themes that have been of increasing importance to CFIUS in recent years, such as securing sensitive technology; protecting the US defense supply chain; ensuring US technical advantages, particularly in the defense space; and emphasizing the importance of cyber security.


FIRRMA provides broad authority for CFIUS and the President to take action when a transaction presents national security concerns.

FIRRMA updates provisions for actions to be taken where there are national security concerns, including imposing and administering mitigation measures. In many cases, these provisions formally reflect what has been long-standing CFIUS practice.

  • If a party to a covered transaction has voluntarily chosen to abandon the transaction, CFIUS may impose mitigation conditions on the party to effectuate the abandonment.
  • If CFIUS reviews a completed transaction, it may impose "any" interim mitigation measures to address a national security risk pending completion of the review and/or investigation. This would potentially provide a legislative solution to an issue raised in the Ralls litigation in 2012, wherein the parties claimed that CFIUS's extensive interim mitigation measures were tantamount to ordering divestment—a power reserved for the President of the United States. The courts never resolved this claim on the merits, but this provision would directly grant CFIUS broad authority to impose interim mitigation measures in transactions that have already been completed, including measures that can effectively unwind the operational aspects of the transaction. Although parties could still claim that certain mitigation measures effectively require divestment, this provision may provide CFIUS with stronger protection against such legal challenges.
  • CFIUS may suspend a proposed or pending covered transaction that may pose a risk to the national security of the United States while the CFIUS review is ongoing. As CFIUS review is currently an ostensibly voluntary process, parties are generally entitled to close a transaction prior to receiving CFIUS approval. In practice, however, where CFIUS has had concerns, it has issued instructions or even mitigation measures having this effect. FIRRMA would explicitly authorize such interim prohibition.
  • When a CFIUS member recommends to CFIUS that the transaction be suspended or mitigation imposed, or refers the case to the President, and if the CFIUS members fail to reach a consensus regarding the particular recommendation, the members who support an "alternative recommendation" must provide a written statement justifying the alternative recommendation supported by a risk-based analysis.
  • FIRRMA provides various mechanisms to address mitigation oversight and the substance of mitigation agreements. In particular, FIRRMA sets minimum criteria for mitigation agreements regarding effectiveness, compliance verifiability, and monitoring that must be present before CFIUS can require mitigation. It also prescribes required elements of mitigation compliance plans. Where parties engage an independent third party to monitor compliance with mitigation requirements, FIRRMA requires CFIUS to ensure that the third party has no fiduciary obligation to any of the parties to avoid conflicts of interest.
  • Beyond issuing penalties, FIRRMA sets forth actions that can be taken in cases where parties do not comply with mitigation requirements: negotiating a plan of action to remediate the lack of compliance, requiring that parties notify all of their covered transactions to CFIUS for a five-year period, and seeking injunctive relief.
  • FIRRMA clarifies that the President can require divestment (in addition to the power to suspend or prohibit a transaction) and may take any additional action the President considers appropriate to address the risk to the national security of the United States identified during the CFIUS review. The "additional action" language could be interpreted to authorize the President to take actions unrelated to the reviewed transaction based upon national security risks identified during the CFIUS process.
  • CFIUS will establish a formal mechanism to monitor non-notified and non-declared transactions. CFIUS currently actively searches for non-notified transactions of interest and "invites" parties to file when it wants to review a transaction. This provision formalizes this function.


FIRRMA establishes an appeals process, but makes clear any recourse for parties is limited.

Likely in response to the Ralls litigation, FIRRMA introduces a limited appeals process for constitutional claims, but carves out broad authority for the President and CFIUS that is not subject to judicial review. Although FIRRMA states that in general CFIUS actions and findings, including the use of its enforcement authorities, are not subject to judicial review, parties may file a petition alleging that the action of CFIUS is in violation of a constitutional right, power, privilege, or immunity. The petition process is, however, limited. It only applies in cases where parties voluntarily notified CFIUS of the transaction (i.e., not in cases where CFIUS initiated a unilateral review), and the petition must be filed within 60 days following action by the President or CFIUS. The United States Court of Appeals for the District of Columbia Circuit would have exclusive jurisdiction to hear the petition and would either affirm the action or remand the case to CFIUS for further consideration. A party with claims outside of the scope of this process (e.g., a party that was subject to a unilateral review) might have to challenge the constitutionality of this provision as well as asserting its substantive claims.


FIRRMA authorizes CFIUS to impose filing fees.

FIRRMA authorizes CFIUS to levy a filing fee for CFIUS reviews. CFIUS would determine the fee amount, but it would be capped at the lesser of one percent of the value of the transaction or $300,000 (subject to annual adjustment for inflation). Currently, CFIUS does not levy any fees on parties undergoing review.


FIRRMA allows wider dissemination of CFIUS notification information among governmental entities.

Under current law, information contained in a CFIUS notice may be disclosed only to Congress or in an administrative or judicial action proceeding. Under FIRRMA, however, the information would be permitted to be disclosed to any domestic or foreign governmental entity "to the extent necessary for national security purposes."

We will continue to closely monitor the progress of FIRRMA. If it is passed, a key function of industry and CFIUS lawyers will be providing input on the proposed implementing regulations, which will determine many of the details of how the law is implemented, during the comment period.


Click here to download PDF.


This publication is provided for your convenience and does not constitute legal advice. This publication is protected by copyright.
© 2017 White & Case LLP