Podcast – A Comprehensive Overview Of FOCI Mitigation – Corporate Governance

In Episode 15 of “Are We All Clear? Facilitating Security
Clearances,” host Molly O’Casey and
members of Holland & Knight’s International Trade Group
discuss the complexities of Foreign Ownership, Control or Influence
(FOCI) and its implications for security clearances in government
contracting. They explain how foreign entities can influence
cleared companies, impacting classified contracts, and detail the
Defense Counterintelligence and Security Agency’s (DCSA) role
in overseeing FOCI assessments through the SF-328 form. Mitigation
strategies such as proxy agreements and outside directors are
highlighted to ensure compliance and safeguard national
security.
The episode also revisits Section 847 from the 2020 National
Defense Authorization Act (NDAA), which mandates FOCI assessments
for non-classified U.S. Department of Defense (DOD) contracts
valued at $5 million or more and represents a significant expansion
of FOCI regulations. This discussion reinforces the need for
companies to effectively navigate these complexities while
utilizing supplemental documents like Affiliated Operations Plans
and Technology Control Plans to maintain compliance.
Podcast Transcript
Molly O’Casey: Welcome to the 15th episode
of “Are We All Clear?” the podcast on facilitating
security clearances. I’m your host, Molly O’Casey, an
international trade associate with Holland & Knight’s
Washington, D.C., office. Today’s episode will ask, “What
the FOCI?”, as we review our previous episodes on FOCI,
specifically episodes 10 through 14. We’ll discuss the basics
of FOCI: FOCI enforcement; FOCI mitigation strategies, including
mitigation agreements and FOCI supplements; cleared employees and
shared services; and the new Section 847. So, if you have any
questions on those topics, feel free to go back to previous
episodes and they should probably address that. Today’s
speakers are Antonia Tzinova, Andrew McAllister, Robbie Friedman,
Marina O’Brien and Libby Bloxom. Antonia, Andrew and Robbie are
partners in Holland & Knight’s national security and
international trade practice in Washington, D.C. Marina and Libby
are associates in the same practice, so we’ve got a full squad
today, y’all. Welcome back to the podcast.
Robert Friedman: Thanks for having us,
Molly.
Andrew McAllister: Great to be back.
Molly O’Casey: All right, with that,
Marina.
Marina O’Brien: So FOCI stands for foreign
ownership, control or influence. And it refers to the situation in
which a foreign person or entity has ownership, control or
influence over a company that has obtained a security clearance
— a cleared company — but in such a way that it may
adversely affect the performance of the classified contract or
unauthorized access to classified information. Here, the ownership
and control are easier to identify. But influence is a tricky one,
right? So it can simply mean a contractual relationship with a
foreign party. For example, if there’s a 20 or 50 percent of
the company’s revenue that comes from one foreign party, then
that party can exert an undue influence over the cleared
company.
Molly O’Casey: Got it. And what are the
implications of FOCI for cleared companies?
Marina O’Brien: Well, it depends on the
degree and amount of FOCI. As previously discussed on this podcast,
U.S. law and regulations have identified that there is a risk
presented by foreign ownership, control or influence to companies
that hold or are in the process for facility clearance. So
here it is important to know that FOCI issues are not just
considered in relation to the cleared company, right? Foreign
ownership, control and influence is also considered in the context
of parent companies, subsidiaries, foreign contracts, affiliates,
foreign debts, etc. So really it is an expansive assessment that
considers whether a cleared company’s operations could be
compromised by foreign influence.
Molly O’Casey: So companies thinking about
this need to have a pretty broad perspective.
Marina O’Brien: Absolutely.
Molly O’Casey: How much FOCI is too much
FOCI?
Marina O’Brien: Another tricky question.
Generally, foreign ownership of 5 percent or more as well as
foreign control must be reported on the SF-328 form. That’s the
certificate pertaining to foreign interest. However, you should
keep in mind that it is not just percentages of ownership control,
right? There are also situations where the foreign ownership
interest for influence is more attenuated, such as where we have a
foreign person that holds only a minority ownership interest but is
entitled to representations on the company’s board of
directors, for example. It’s also a little bit tricky question
because one might have 100 percent foreign ownership, but if it
comes from Canada, for example, or the United Kingdom, it will
still likely be approved with a mitigation. But if we have a very
small foreign nationality or ownership in the FOCI from a place
like China, for example, it’s a different story. So locations,
geography, politics, it all matters. It’s not always all in the
percentage.
Molly O’Casey: Interesting. And I would
imagine if you’re looking to mitigation strategies or if
you’re trying to start your FOCI review the SF-328 is a good
starting point.
Marina O’Brien: That’s right.
Molly O’Casey: Antonia, could you talk to
us about who the cops are in this area? How are issues around FOCI
monitored and enforced?
Antonia Tzinova: Thank you, Molly. So as
we’ve learned over the course of the series, DCSA, the Defense
Counterintelligence and Security Agency, is the agency that has
jurisdiction over monitoring and enforcing the FOCI program under
the system. And the way they learn about it is a cleared contractor
must submit an SF-328 certificate pertaining to foreign interests
at the time of their application for a facility clearance. And this
is where they would mark any foreign element in their operation, be
it ownership, be it contractual relationships with a foreign
person, or it may be one of their board members serving on a
foreign board. And anytime there is a material change to the
SF-328, the contractor must notify DCSA of that. This is how DCSA
will learn of the FOCI element and this is how it will come to
their attention. While they receive it, they assess the threat from
the foreign element, and it’s important to emphasize the FOCI
and it’s important to emphasize a recent trend in this area.
They have been focusing on the “I” consistently.
“I” stands for influence. Ownership and control are kind
of no brainers, it’s easy. It’s, in the M&A context,
when a foreign person acquires a certain equity stake. The
influence is quite dispersed and can come in many forms. And this
is why we are seeing new mitigations being developed by DCSA. And
so this is how they will hear about it. This is how they will
design their strategies based on the risks stemming from the
specific risk.
Molly O’Casey: And what should companies
watch out for? How do they tend to run into issues with FOCI?
Antonia Tzinova: As I said, I mean, the
immediate one is a cleared contractor may be bought by a foreign
person. So that should be part of due diligence in any M&A
transaction to determine if the investor has any foreign ownership
in it. And it stems all the way up to the ultimate foreign parent
or majority shareholders. So that’s kind of easy. Some other
aspects, the SF-328 is indicative of what DCSA is interested in. So
they need to be mindful of loans that they take that may be
underwritten by a foreign bank or like a foreign loan agent. They
need to be mindful of their senior management officials having some
foreign extra business, extracurricular arrangements. I mean maybe
somebody has an equity interest in a foreign company or they serve
on a board. They need to be mindful of foreign customers that they
have, obviously of foreign suppliers, if the products or services
will end up with the U.S. government customer. So these are some of
the ways that FOCI will pop up, and this is what contractors need
to be aware of.
Molly O’Casey: Thanks, Antonia. Andrew,
could you give us a brief overview of the mitigation strategies for
addressing some of the issues that Antonia highlighted?
Andrew McAllister: Great. Thanks, Molly. So
there are different mitigation instruments that are implemented by
DCSA depending on the nature and extent of the foreign interest.
And so, again, they’re sort of gradations. And so the most
restrictive FOCI mitigation instrument is a proxy agreement. And
then one step down from that is a special security agreement. Both
of those instruments tend to be implemented when the foreign person
either has majority or entire ownership of the cleared contractor.
And so in the case of a proxy agreement, there really is a complete
separation in a way between the foreign parent company and the U.S.
contractor. In the case of a special security agreement, again,
there is a significant separation. But as an example, the foreign
parent is eligible to appoint a director to the cleared contractor.
So the foreign parent in the special security agreement arrangement
still has representation. So they have a bit more visibility into
the workings of the cleared contractor. And so you may ask
yourself, “Well, why would anyone ever want a proxy agreement
if they’re essentially turning over full operations to the U.S.
subsidiary?” And the answer typically is that certain
information that’s classified is referred to as proscribed
information. And so with a special security agreement, there’s
a requirement to get national interest determinations from the
particular contracting offices. In the case of a proxy agreement, a
company does not need to go through that national interest
determination. So that’s one reason why a company may opt for a
proxy agreement.
As we go down the list we turn to a security control agreement.
That is typically when the foreign interest has, I would say,
significant ownership, significant control, representation on the
board. So maybe they own 25 percent of the U.S. company of a
cleared contractor and they’re eligible for one board seat.
Again, the security control agreement is almost like a special
security agreement light. So there are still this notion of outside
directors, which Robbie will hit on a little bit later, but those
outside directors are put in to sort of protect the interest of
both the U.S. government, as well as ensuring that classified
information remains at that cleared contractor.
And then as we go down even lower, we have something called
board resolutions. And so those are typically in instances where
you may have foreign passive investment. So private equity fund
owns 100 percent of a cleared contractor. And much of that money,
for example, may come from foreign sources. So the private equity
fund is ultimately controlled by U.S. persons, but there’s that
foreign passive investment. And so in that case, you may have
exclusionary board resolutions from both the foreign parent as well
as the U.S. company, recognizing the FOCI concerns and stating that
there’s no need for the foreign parent to have access to
classified information and that the U.S. subsidiary recognizes
that. So that gives you a sort of broad brush strokes of the four
main mitigation instruments.
Molly O’Casey: Great. Thank you for that
really detailed overview. Robbie, what are the differences between
outside directors, proxy holders and other members of the board, as
Andrew mentioned?
Robert Friedman: Sure. Thanks, Molly. So first
of all, I’ll take one step back and talk about the role of the
outside director and proxy holders within these mitigation
instruments that Andrew mentioned. And then we can drill down and
talk about some of the fundamental differences with regard to these
individuals. So at a higher level, you know, we’ve got the
forms of mitigation that Andrew went over. And one of the core
features of the more stringent forms of mitigation — the SCA,
the SSA and the proxy agreement — are the roles and the
functions of proxy holders and outside directors. So fundamentally,
these are the requirements for either an outside director or a
proxy holder, is that they be a U.S. national, that their
credentials and their qualification to be reviewed and approved by
DCSA in advance and, importantly, that they be disinterested. And
the idea of disinterestedness is one that has evolved over time
within the DCSA context. But it essentially means that there’s
no prior relationship with the individuals that are nominated to
serve for in the role of a proxy holder or not for a director in
the cleared company or the foreign owner, and that is to ensure that
there’s, you know, complete independence from those interests.
And that’s both a financial interest as well as, you know,
professional or other relationship. So we often get questions, for
example, you know, “Can we hire or can we nominate an outside
director who was a consultant for us previously, or that was a
board member for us previously?” And those are all areas that
will muddy the waters of disinterestedness. And so those are
typically areas of concern for DCSA. So those are the fundamental
requirements of those roles.
And, you know, we often get questions from clients about
who’s an optimal outside director or proxy or who should we
target. And I always say that there are three key criteria. You
know, they’re not, I would say, mutually exclusive, and
everyone is not going to satisfy each of them. But you’re going
to want somebody to serve in that role who has some experience with
security regulations, who’s generally understanding the NISPOM
and what it requires to serve in that role. That could either be
somebody who’s been a previous independent or outside director
or proxy holder. Somebody that has business acumen is a second
category, right. You don’t want an individual serving on the
board of a company that doesn’t know basic corporate governance
principles and has never, you know, has really had no exposure to
that because it can limit their utility on the board. And then
finally, it’s helpful to have some level of domain expertise.
Right? We work with clients that work in a variety of
subspecialties, whether that is microelectronics or, you know,
security services or cybersecurity or software. And it’s
helpful to have somebody that at least understands the general
parameters of the business so that they can have value in that
role. So those are the general criteria that we look to.
Last point at a high level is that the outside directors and
proxy holders, they wear several hats in their function.
They’re fiduciaries and board members to the company, but
they’re also stewards of national security, and it’s their
principal role to ensure the protection of classified information
as a consequence of their role within the companies.
So, Molly, I think the next question up, just to circle back to
your question that you raised, is some of the differences between
outside directors, proxy holders and other members of the board,
because while the qualifications are often uniform across, the
function within the mitigation structures can be slightly different
depending on the instrument at issue. So we talked about SCAs and
SSAs, which call for outside directors, and that title is
intentional. Outside directors are distinguishable from inside
directors. And as we’ve talked about in previous episodes, you
know, inside directors are essentially nominated by the foreign
owner to serve on the board. And DCSA has no role in the selection
of the inside directors. But of course they do, as we talked about,
have a gating role in approving and vetting the outside directors.
So with an SSA and with an SCA, there’s going to be a mix of
inside directors and outside directors. The outside directors will
outnumber the inside directors, which is the requirement there.
It’s typically, you know, three to two. But, you know, in some
instances we’ve seen two to one, depends on the size of the
company, the number of classified contracts and other factors, but
those are the basic requirements. And then with regard to a proxy
agreement, it’s a different construct. And as a reminder, the
proxy agreement is the most stringent form of FOCI mitigation. It
requires the foreign shareholder of the foreign owner to
effectively grant prerogatives for running the company to the proxy
holders for purposes of both voting at the current company level,
but also managing and the mechanics of day-to-day oversight and
running of the company. So in those contexts, the proxy holders
have a more involved role and are, you know, effectively serving as
the board members of the cleared company without any involvement from
inside directors.
Molly O’Casey: Got it. Thanks for that,
Robbie. Libby, could you provide a high-level overview of the
relationship between FOCI supplements and FOCI line mitigation
agreements?
Libby Bloxom: Sure, Molly. Much to
everyone’s nonsurprise, if you’ve been following along
these past few months, mitigation agreements often are not enough.
Typically, a FOCI mitigated company may be required to develop
additional procedures to ensure their FOCI is actually being
mitigated on a day-to-day basis. This is where supplemental
documents come in. The main supplemental documents include the
Affiliated Operations Plan or AOP, Technology Control Plan or TCP,
and Electronic Communications Plan or ECP. Sometimes there are
additional instruments that are required, and these could include a
visitor access plan or a facility location plan, particularly if
any facilities or office space of the cleared company is co-located
or in close proximity with its parent company.
Molly O’Casey: Thanks for adding to our
acronym bank, Libby.
Libby Bloxom: No problem.
Molly O’Casey: What is an AOP? Could you
provide us a bit more detail about that?
Libby Bloxom: Yeah, an AOP is a requirement for
FOCI mitigated companies when they enter into operational
relationships with their affiliate. So yeah, I think of like
affiliated services like HR, shared third-party services like
accounting or tax professionals who prepare your tax forms, shared
persons and cooperative commercial arrangements. Generally, these
kind of business functions and arrangements with affiliates are not
authorized. So when a company wants to have these shared services
or arrangements with its affiliates, the services must be approved
by DCSA in the AOP in advance of the deployment of the service.
Molly O’Casey: Got it. And could you tell
us a bit more detail about the Technology Control Plan and the
Electronic Communications Plan?
Libby Bloxom: Of course. TCP is a
facility-specific requirement. It outlines how the cleared company
will provide physical protection to classified and export
controlled information. The ECP, on the other hand, is designed to
maintain oversight of electronic communications and networks
between a cleared company and its affiliates. The Government
Security Committee, or GSC, it’s a permanent board committee
that is comprised of typically one outside director and two cleared
directors or officers and effectuates this oversight function. TCP
and ECP are required for cleared companies operating under a proxy
agreement, special security agreement, security control agreement
or in other situations at DCSA’s discretion.
Molly O’Casey: Thanks, Libby. Robbie, back
to you. Could you tell us a bit about how cleared employees and
shared services impact cleared companies?
Robert Friedman: I’d be happy to, Molly,
thanks for the question. So, you know, shared services in the
context of national security and facility clearance is a notion or
an idea that means that there’s certain services or functions
that are shared across the cleared company that has gone through
FOCI mitigation and one of its affiliates. And that could be the
parent subsidiary, it could be two sister companies, for example.
There’s a couple of reasons that there’s a role for shared
services within the NISPOM and within the broader facility
clearance context. It can be quite expensive to both go through the
facility clearance process and then set up and operate a cleared
company. And the U.S. government is not insensitive to the cost
associated with the process. And so there’s a role to play for
these shared services where whether it’s because of a need to
develop economies of scale, to streamline business processes or
just to save money, you’ll have certain core functions —
we call them kind of back office support functions — that can
be shared among the cleared company and one of its affiliates.
These typically take the form of things like human resources,
marketing, accounting, legal services, IT services — those
are the typical bucket, can be others as well — and
importantly, in each case where there is a shared service or a
shared employee, it needs to be specifically disclosed to the U.S.
government in the Affiliated Operations Plan and addressed and
approved by DCSA.
So the principle there is one of transparency and pre-approval.
So it’s not an encumbrance to having a shared service, that
just requires engagement with the DCSA and a comfort level that a
risk has been identified because whenever there is a shared service
or shared employee, there will be some level of risk that
there’s going to be seepage of national security, sensitive
information or otherwise. And the AOP will highlight that risk in
developing a mitigation or a way in which the company has addressed
that risk and that the U.S. government is comfortable that the
system will work. One concrete example might be, if a cleared
company and a power company are using the same outsourced HR
provider, you know, perhaps there’s one account professional
that’s handling the cleared company’s HR services and one
that’s handling the power company’s HR services. Or perhaps
there’s just, you know, different electronic folders or
permissions that would keep those functions separate. So
there’s a variety of ways to implement a mitigation strategy.
But the fundamental principle here is that DCSA will approve shared
services and shared employees among a corporate family for certain
purposes.
Molly O’Casey: Thanks, Robbie. Antonia,
could you talk to us about Section 847?
Antonia Tzinova: Sure. Thank you, Molly. So,
Section 847 is a new thing in this world. This is a kind of a
shorthand for a provision introduced in the 2020 National Defense
[Authorization] Act. And the reason for the introduction was the
U.S. government was concerned with the security and resilience of
our defense supply chain kind of in the wake of the pandemic and
issues generally identified in supply chains. So in 2020 NDAA,
Congress mandated that there is an assessment performed for FOCI in
all non-classified Department of Defense contracts that are valued
at $5 million or above. And earlier this year, in May 2024, the
Department of Defense issued an instruction that outlines the
framework for implementing this mandate, and in big strokes, how
this would work, any contract award that DOD issues for a
non-classified work that is valued at $5 million or above would
need to also include a FOCI assessment, meaning that contractors
bidding on such contracts would need to provide information about
foreign ownership, control or influence similar to what cleared
contractors have to do when they apply for facility clearance. And
Congress and the instruction kind of outlined the way of assessment
of FOCI and mitigating it. So, good news, DCSA, the agency that
currently handles FOCI, will be in charge of assessing the risk and
reviewing the information provided, assessing the risk and
outlining, you know, possible threats. But then it will be the
contracting officer at DOD on each specific contract that will have
to decide whether to implement mitigation, and mitigation tools
that will be available are the same tools that we currently know
from the FOCI world. So from the less restrictive board resolutions
excluding certain officers and directors, parent companies to the
most restrictive in the form of the proxy agreement.
Molly O’Casey: Got it. So it sounds like
Section 847 is a close cousin of FOCI mitigation. Could you outline
the key differences between DCSA, FOCI mitigation and Section
847?
Antonia Tzinova: Absolutely. So absolutely a
close cousin, one key difference is that we’re now talking
about non-classified DOD contracts. So a much larger community out
there, government contractors, will be affected by this process.
And so it’s very important for contractors to understand the
mechanics of this process early on so that they’re ready once
this rule goes into effect. And I just want to mention that, at
this point, this is just in the development process. The final rule
is not out. This is not mandatory yet. We expect this to, you know,
go into effect in the next 12 to 18 months.
But some of the key differences here are the first one, and I
already alluded to it, there is a split decision making process.
So, the contractors will submit the information that will be
reviewed by the DCSA. I mean, this is the agency we’re familiar
with. They will perform their standard FOCI review and assessment
and issue their report. But then, you know, the decision of whether
to implement mitigation and what type of mitigation will rest with
the contracting officer. So we have like a, you know, a beast with
two heads.
And then we have a difference in whether or not mitigation will
be implemented. So in the classified world, if there is any form of
FOCI, it must be mitigated so that the contractor can perform
unclassified contracts. In the non-classified world, under Section
847, the contracting officer may decide to implement mitigation,
but they may also decide to waive it. Where this may happen, maybe
we’re dealing with a U.S. subsidiary of a French company
that’s going to sell products of the French parent to DOD and
maybe DOD will deem that the risk is not large enough to impose
mitigation here. The other difference is that with classified
contracts, it’s like once and done. I mean, the moment you have
a classified contract, you do need to submit to review and you need
to accept mitigation. Obviously, if your FOCI changes, mitigation
may change as well. But once you’re mitigated, you’re
mitigated. In the non-classified world, this will be happening on a
case-by-case basis. So every time a contractor submits a bid for a
contract that meets the criteria, the FOCI will be assessed and the
contracting officer will determine whether or not to impose
mitigation. And if these are different offices within DOD, you may
end up with incremental mitigation measures being imposed on the
same contractor, depending on the program they’re working
on.
Another difference is that in the classified world, it
doesn’t matter what the value of the contract is. If you need
access to classified information, you would need to be mitigated if
there is any FOCI. In the non-classified world, the starting point
is contract data at $5 million or above, and then there’s
certain exclusions for commercial products and services. So there
are a few differences between the two processes, but the
similarities, I think we should emphasize those as well, is that we
will have DCSA involved, again, in the assessment of the risk and
we’re dealing with the same set of mitigation measures that
contractors are familiar with already.
Molly O’Casey: Well, we have all that to
look forward to.
Antonia Tzinova: Right. It’s going to be a
lot of work.
Molly O’Casey: Looking forward to it. Thank
you, everyone, for coming on and discussing FOCI with us.
Libby Bloxom: Thanks for having us, Molly.
Antonia Tzinova: Thank you, Molly.
Molly O’Casey: So this area is full of
acronyms. This week’s episode, I think, had pretty much all of
them. For all our sakes, I’ll refrain from listing everything
that we mentioned and I’ll stick to just highlighting the main
ones. So we have the National Industrial Security Program Operating
Manual, or NISPOM; Security Control Agreement, or SCA; Special
Security Agreement, SSA; Government Security Committee, GSC;
Technology Control Plans, TCP; Electronic Communication Plans, ECP;
and Affiliated Operations Plan, AOP. Each episode we ask our
speakers to explain an acronym that featured in the episode with
wrong answers only. In the interest of time, not everyone has to
participate in this segment, but whoever wants to can feel free.
But please, somebody participate.
Antonia Tzinova: Well, maybe I take one, and
mine is lame, I was thinking, how do we come up with something
interesting? So I picked FOCI. So I’m thinking forever owned
classified information.
Molly O’Casey: Amazing. Lame is great. I
love lame.
Libby Bloxom: I have one. Actually, I have two.
So I talked about the supplemental documents that may be required.
And so I’m going to take TCP, you know, Technology Control
Plan, a time-consuming process. So often the supplemental documents
can take a lot of time. So when you’re thinking about an ECP or
an Electronic Communications Plan, it’s best early consults,
please.
Molly O’Casey: Early consults indeed. Amen.
All right. Thanks so much, y’all. I hope everyone enjoys their
week.