FOCI Update: The Evolving US Department Of Defense FOCI Environment, Process & Timing
8 min read
The foreign ownership, control or influence ("FOCI") program administered by the Department of Defense's ("DoD") Defense Counterintelligence and Security Agency ("DCSA"), which is by far the largest US FOCI program, continues to evolve based on threats to US national security. This alert provides an update on DCSA's FOCI adjudication analysis, process, and timing for companies seeking to obtain a DoD facility security clearance ("FCL") or that have come under FOCI and need to establish a FOCI-mitigation instrument to maintain their FCLs and classified business.
The DoD is one of five Cognizant Security Agencies charged with establishing general industrial security programs. Within the DoD, DCSA administers and oversees the National Industrial Security Program ("NISP") on behalf of DoD government contracting activities and the (currently) 35 federal agencies that have industrial security agreements with DCSA (e.g., the Departments of Justice, State, Homeland Security, and Treasury). DCSA also serves as the Cognizant Security Office providing security oversight of the NISP—including the FOCI mission—on behalf of the Military Departments, the Combatant Commands, the Defense Agencies, the DoD Field Activities, and all other organizational entities within the DoD. As a result, DCSA manages the vast majority of FOCI matters for the US government.
DCSA evaluates a legal entity's FOCI factors in relation to an FCL application, as well as with respect to any changes affecting a cleared company's FCL (e.g., acquisition by a foreign-owned entity). It then determines appropriate FOCI mitigation arrangements for companies under its jurisdiction pursuant to a risk-based approach.
One Size Does Not Fit All
Since 2015, DCSA (at that time called the Defense Security Service) has transitioned away from its previously long-standing approach to FOCI adjudication and mitigation decisions. Specifically, rather than focusing on degree of foreign ownership, DCSA has shifted to a more holistic risk-based approach, which continues to evolve. This has changed the nature of DCSA's risk and threat evaluations for companies with new FOCI adjudications (a "FOCI Company") and DCSA's flexibility in addressing identified risks. Based on the risk and threat profile developed by DCSA for each FOCI Company in process for an FCL or FOCI mitigation agreement, DCSA may alter the traditional FOCI arrangement that would apply. For example, if DCSA were to determine that a Special Security Agreement ("SSA") were required, it could include additional requirements not contained in a standard SSA based on the specific circumstances of the case. DCSA will also consider proposed modifications to FOCI arrangements based on justifications with risk and threat considerations taken into account.
The standard mitigation arrangements are an SSA or a Proxy Agreement for majority ownership cases, a Security Control Agreement ("SCA") for minority foreign investors with board seat rights at the cleared company, a FOCI board resolution for minority foreign investors without such board rights, and the relatively new Special FOCI board resolution, which may include a number FOCI mitigation requirements a cleared entity must satisfy based on the specific risks identified by DCSA. With these baselines, DCSA examines all FOCI cases on their individual merits, including with respect to the sensitivities of the entity's classified (or anticipated classified) activities, and will use its FOCI mitigation toolbox to apply mitigation arrangements that, in some cases, might exceed the standard mitigation measures. Consistent with long-standing DoD policy, DCSA remains the final arbiter of the FOCI mitigation arrangement that applies to a FOCI Company.
FOCI Policies Evolving
While certainly part of the analysis, as indicated above, DCSA is no longer primarily focused on the "ownership" component of FOCI. Rather, it is also keenly interested in the other elements of FOCI, namely the "control" and "influence" aspects that apply to FOCI cases, which are not always clear-cut. As a result of its control and influence focus, the DCSA FOCI mitigation approach will continue to evolve based on risk and threat factors and be addressed on a case-by-case basis. DCSA also expects cleared companies and in-process companies to disclose complete foreign ownership, control or influence details, such as a foreign investor holding a right to a board observer seat at the cleared company level or identification of limited and general partners in relation to private equity or venture capital investments to assess each foreign investor's profile.
FCL and FOCI reviews presently include a careful examination by DCSA to 1) properly account for any risks and threats (including with respect to each company's supply chain), and 2) determine appropriate mitigation measures. DCSA has advised that it is looking at "backdoors", "side doors", and "front doors" as part of its FCL analysis due to concerns about front companies and supply chain vulnerabilities. DCSA expects both companies in process for FCLs and existing cleared companies to identify the use of foreign suppliers in relation to the company's products and services to be delivered to their US government customers. For transparency, cleared companies' and in-process companies' involvement with foreign suppliers should be reported to DCSA upfront in the company's SF 328, Certificate Pertaining to Foreign Interests ("SF 328").
Although most FOCI mitigation arrangements follow template DCSA documents, DCSA has the authority to alter the standard FOCI mitigation arrangements (i.e., the SSA, Proxy Agreement, Voting Trust Agreement, SCA, Special FOCI board resolution, and FOCI board resolution) based on the FOCI factors and risks it identifies. This can include non-standard requirements relating to supplemental FOCI documents like the affiliated operations plan ("AOP"), electronic communications plan ("ECP"), and technology control plan ("TCP"). DCSA can also require additional compliance plans. As DCSA focuses on its more holistic, risk-based analytical approach, we expect it will continue to utilize its flexibility to address risks where appropriate.
Special FOCI board resolutions, which add some SSA/SCA-like requirements to a standard FOCI board resolution, have become increasingly common and may continue to become more prevalent in minority ownership cases, such as where, in addition to the foreign ownership, there are other FOCI factors pertaining to control and/or influence. For example, should an intending cleared entity use foreign suppliers in the products and/or services it intends to provide to US government customers, DCSA might require the company to report this relationship to each applicable US government customer and document it in the Special FOCI board resolution. In other cases, relationships with countries of concern (e.g., China and Russia) could also trigger a Special FOCI board resolution. DCSA holds wide discretion in drafting Special FOCI board resolutions, including requiring a TCP or an electronic communications monitoring plan, which is a hybrid of an ECP and other FOCI mitigation plans.
DCSA instituted an enterprise review system a few years ago, which it applies to all aspects of its industrial security mission, including FCL applications and FOCI adjudications. Many elements within DCSA—at the field office, regional office, and headquarters ("HQ") levels—participate in the review of FCL and FOCI cases. This approach requires companies in process or cleared companies transitioning to a FOCI mitigation arrangement to provide full details of the FOCI factors, including precise ownership and control charts and detailed responses to applicable SF 328 questions.
The enterprise review system includes five review stages that apply to in-process companies; specifically, reviews by the Facility Clearance Branch, the designated DCSA field office, the Business Analysis Unit (HQ), the Mitigation Strategy Unit (HQ), and the applicable DCSA regional office. DCSA performs a deep and deliberate review of each FCL-FOCI application. Timelines to adjudicate FCLs with FOCI or existing FCLs coming under new FOCI generally exceed a year based on our recent experience with DCSA and generally have gotten slower in recent years. We have, however, recently seen efforts from DCSA to work through its backlog of FOCI adjudications and get more FOCI-mitigation agreements finalized.
Cases may extend longer for many reasons, including 1) the DCSA enterprise review process itself, which is an extensive process, 2) missing information in the company's initial FCL information package, 3) failure to timely respond to DCSA questions and information requests, 4) requests for deviations to existing or standard FOCI mitigation arrangements, 5) multiple rounds of DCSA review pertaining to developing an acceptable AOP, ECP and/or TCP, and 6) changed conditions during the DCSA adjudication process that necessitate additional DCSA review.
In an effort to streamline the FCL adjudication process and improve DCSA processing timelines, DCSA published guidance effective March 1, 2023, regarding the FCL application process. Notably, DCSA will now only allow FCL applicants one opportunity to make corrections to insufficient initial FCL application packages. If issues remain after the first correction, the application will be denied, meaning the company will need to restart the FCL application process. A similar process applies with respect to sponsorship packages. This emphasizes the importance of preparing complete FCL application packages at the outset and fully addressing DCSA requirements.
Establishing a FOCI-mitigation agreement, either for a company under FOCI newly seeking an FCL or an existing cleared company that comes under FOCI due to an investment or acquisition, is a complex and often lengthy process. It is important to understand how DCSA is conducting its analysis and internal processes to best manage the process and expectations, avoid delays, and maximize the chances of successful operations under a FOCI-mitigation arrangement.
White & Case means the international legal practice comprising White & Case LLP, a New York State registered limited liability partnership, White & Case LLP, a limited liability partnership incorporated under English law and all other affiliated partnerships, companies and entities.
This article is prepared for the general information of interested persons. It is not, and does not attempt to be, comprehensive in nature. Due to the general nature of its content, it should not be regarded as legal advice.
© 2023 White & Case LLP