Shawn Rogers, Kentucky APEX Accelerator Procurement Consultant
This article was originally published in our monthly Kentucky APEX Accelerator Newsletter. If you have any questions about this topic, your regional procurement consultant is here to help! Not a client? Sign up here.
With globalization, foreign investment is playing an increasing role in the U.S. industrial base. The U.S. federal government is aware of this trend and allows foreign investment consistent with the national security interests of the United States. It is when foreign entities gain a significant stake in U.S. based companies in sensitive industries—especially those that require access to classified information—that it raises concerns about Foreign Ownership, Control, or Influence (FOCI). This article explores key principles of FOCI, its potential impact on obtaining facility security clearance (FCL) and when an action plan is needed to mitigate risk.
Key Principles of FOCI
U.S. federal regulations requires the Defense Counterintelligence and Security Agency (DCSA) to consider a U.S. entity to be under FOCI when a foreign interest has the power to direct or decide issues affecting the entity's management or operations. That power could result in unauthorized access to classified information, or it could adversely affect the performance of a classified contract or agreement.
FOCI also exists when the foreign government is currently exercising, or could prospectively exercise, the power described above, whether directly or indirectly. Some examples of what this influence looks like include majority ownership of the entity’s shares, the ability to appoint board members or other mechanisms that allow control over the entity's decisions. The concern is that this influence, whether covert or overt, may lead to the compromise of sensitive information, technologies or capabilities that are vital to U.S. national security.
FOCI is a relevant concern for all companies that want to do business with the federal government, but it is especially important if they need to obtain FCL, which is necessary for companies to gain access to classified information. The presence of FOCI could jeopardize the granting or continuation of this clearance. DCSA is charged with processing, issuing and monitoring the eligibility of clearances processed through entity vetting, facility clearances and checking for FOCI.
An entity's FOCI factors are reviewed as part of the facility security clearance process and throughout the life of the FCL. The entity's FOCI factors are documented on the Certificate Pertaining to Foreign Interests (Standard Form 328). This procedure is followed to collect information for an entity eligibility determination to be made, and it is also required when significant changes occur to information previously submitted.
DCSA uses the following factors relating to an entity, the foreign interest and the government of the foreign interest that are reviewed in the aggregate when determining whether an entity is under FOCI:
Record of economic and government espionage against U.S. targets.
Record of enforcement and/or engagement in unauthorized technology transfer.
Record of compliance with pertinent U.S. laws, regulations and contracts.
The type and sensitivity of the information that will be accessed.
The source, nature and extent of FOCI, including, but not limited to, whether a foreign interest holds a majority or substantial minority position in the entity, taking into consideration the immediate, intermediate and ultimate parent companies of the entity or prior relationships between the U.S. entity and the foreign interest.
The nature of any relevant bilateral and multilateral security and information exchange agreements (e.g. the political and military relationship between the USG and the government of the foreign interest).
Ownership or control, in whole or in part, by a foreign government.
Any other factor that indicates or demonstrates a capability on the part of foreign interests to control or influence the operations or management of the business organization concerned.
When Is an Action Plan Needed?
An action plan is necessary to mitigate risk whenever FOCI is identified within an entity that holds or is applying for FCL. The specific type of action plan required depends on the extent of foreign control or influence.
The primary types of mitigation agreements include:
Board Resolution: This is the least restrictive form of mitigation and is appropriate when foreign ownership or influence is limited. The U.S. entity’s board of directors passes a resolution affirming that foreign owners will not exert influence over the entity's decisions regarding classified information.
Security Control Agreement (SCA): An SCA is required when a foreign entity owns a substantial portion of the entity but U.S. citizens still control the board. This agreement ensures that the foreign owner cannot access classified information or influence the entity's management.
Special Security Agreement (SSA): An SSA is necessary when foreign ownership is more significant and foreign nationals may serve on the board. Under this agreement, the entity implements stringent measures to limit the foreign owner’s influence, and independent U.S. citizens are appointed to the board to oversee compliance.
Voting Trust or Proxy Agreement: In cases where the foreign entity has substantial ownership and control, a voting trust or proxy agreement may be required. This involves transferring the foreign entity's voting rights to independent U.S. citizens who act as trustees or proxies.
FOCI is a significant concern for all U.S. entities involved in sensitive industries, particularly those that require access to classified information. When FOCI is determined to exist, developing and implementing an appropriate action plan is crucial to mitigate the associated risks and ensure compliance with U.S. national security regulations.
If you would like additional information on this topic, the Kentucky APEX Accelerator team stands ready to assist. You can email us at kyapex@kstc.com or visit our website at www.kyapex.com to request support.