Podcast - Uncovering SF 328 and Its Key Takeaways for Foreign Ownership
Tune in for an in-depth exploration of SF-328 and its far-reaching implications for foreign ownership, control and influence (FOCI) within organizations in the fifth episode of "Are We All Clear? Facilitating Security Clearances."
In our latest episode, host Molly O'Casey delves into the intricacies of the SF-328, a critical 10-question survey that serves as a linchpin in the field of FOCI mitigation. With help from Robert Friedman, a partner in Holland & Knight's International Trade Group in Washington, D.C., the conversation uncovers the complexities of this form.
From understanding the multifaceted process of completing the survey to exploring the critical role it plays in the facility clearance process, this episode offers invaluable insights for companies navigating classified government contracting. Gain a comprehensive understanding of this essential document and learn how to avoid common pitfalls that can prolong the facility clearance process.
Listen and subscribe on Amazon.
Listen and subscribe on Apple Podcasts.
Listen and subscribe on SoundCloud.
Listen and subscribe on Spotify.
Watch and subscribe on YouTube.
Molly O'Casey: Welcome to the fifth episode of Are We All Clear? The Podcast on Facilitating Security Clearances. I'm your host, Molly O'Casey, an international trade associate with Holland & Knight's Washington, D.C., office. This episode will unpack the notorious standard form of 328, also known as the SF-328. As my guest today will explain, there's nothing standard about this form. The SF-328 is a 10-question survey designed to help identify the presence of foreign ownership, control and influence, also known as FOCI, in an organization. The survey also provides the structure for organizing the DCSA analysis process. The SF-328 is one of the primary documents that are submitted when initiating the FCL process. Our speaker today is Robert Friedman, a partner in the international trade regulation practice of Holland & Knight in Washington, D.C. Welcome to the podcast, Robbie.
Robert Friedman: It's my pleasure to be here. To spend a minute or two giving you an overview of my practice, which I know you're familiar with, but for our guests to hear, I practice at the intersection of national security, technology and trade. My practice has several components, including working on foreign investment-related clearances for the Committee on Foreign Investment in the United States, unpacking national security regulations for both foreign companies and U.S. companies that are navigating those issues. Export controls and sanctions compliance is another big piece of my practice. And then what we're here to talk about today is the facility clearance process, including helping companies that are first-time government contractors understand the FOCI mitigation landscape, understand how to get a facility clearance, the steps involved and how to demystify some of the more onerous aspects of that process.
Molly O'Casey: That sounds like a pretty broad scope of practice, so I appreciate you taking the time to talk to us today.
Robert Friedman: Sure. Sure. Happy to do it.
Molly O'Casey: We know from our intro that the SF-328 is a government form with yes/no survey questions. That doesn't sound overly complicated or intimidating. Could you tell us why the documents can be both complex and important to the FCL process?
Robert Friedman: Sure, it's a good question because I often am asked to send this, this standard form to clients to review, you know, in advance of having preliminary discussions or, you know, beginning the process of preparing a facility clearance package. And they take a look at it and they say, well, this is pretty straightforward. And I'll do, yes/no, check the box and I can do it on my own. I don't need to hire counsel to help me navigate the process. And even worse, we've seen situations where companies have submitted the form and then, you know, got nasty grams back from the government where things are unclear. And then they've come to us after the fact. It's all to say that, you know, getting the submission right is critically important to the facility clearance process, and understanding the form and understanding how it should be completed can expedite the facility clearance process and, in fact, lower the barrier for entry to the classified government contracting program. So the way that we typically work at Holland & Knight is to begin the process far in advance of when you actually submit your materials to the government to get your facility clearance. We believe that almost all of the information for the SF-328 can be gleaned, you know, weeks, if not months before you're actually submitting the materials. And so preparing a due diligence questionnaire that walks through the core questions, but then explains context for those questions and sort of what, based on our experience, we know the government will be interested in is a really good way for companies to understand precisely what is asked and precisely how they should be answered. So we use this due diligence questionnaire to collect the detailed information that will ultimately go onto the form. So the form is a yes/no sort of bifurcated answer. But if you answer yes to any of the questions on the form, it sort of triggers an additional requirement to explain why you've checked the "yes" box. And there's a section called the remarks section where you can offer explanatory statements about, you know, why the boxes checked yes. And it's that opportunity where you can really walk the government through the process of understanding, OK, here's a bit more about the company. You know, here's why we checked the "yes" box. And it enables the government to get comfortable with the with the 328 more expeditiously through that explanation process. And the reason that it's important is because really, the SF-328 is the linchpin for FOCI mitigation, and FOCI, just for your listeners, is the foreign ownership, control or influence. That is the essential question that is being evaluated at the time that a facility clearance application is submitted, where the government is looking to see where are their foreign touch points with regard to this applicant, and the SF-328 is designed to glean that information from the company. So completing the form, you know, comprehensively and accurately will begin the process of the government peering into the company’s operations and understanding where there might be folks that need to be mitigated. And as we'll learn, you know, as we go forward, that document is really going to be a roadmap for, you know, the entirety of the facility clearance process. And it helps the government determine and decide the appropriate form of mitigation for that FOCI.
Molly O'Casey: Gotcha. So the focus of SF-328 is foreign ownership, control or influence, also known as FOCI. And depending on how you answer that, that sort of has a big role in determining how your FCL proceeds.
Robert Friedman: That's right. Yep. And just as one example to kind of demonstrate, you know, what that could mean. Let's say a company, you know, checked, you know, "no" for every category, it's a completely U.S.-owned company. There's no foreign investors there. You know, they're wholly domestic, but they happen to have a board seat that is held by a foreign individual, right,. foreign national that sits on the board, the likelihood of a really onerous form of mitigation is highly unlikely. You'll learn more throughout our series of this podcast about different mitigation instruments. So it's unlikely that what I just described would require something like a proxy board, which is a, a wholly separate or outside board of directors. But what is likely is that there'd be some kind of board-level resolution or, you know, exclusionary resolution that would be that that individual, that is not a U.S. person and that does not have security clearance, would be excluded from access to classified information. So that's the kind of thing where the explanation on the SF-328 will give the government the information it needs to recommend a form of mitigation.
Molly O'Casey: Gotcha. So even though it seems like a yes/no questionnaire, if you reply yes, you really should provide additional detail to the government because that helps you to contextualize it, which smooths the process going forward, lest you receive a nasty gram from the government.
Robert Friedman: Exactly. That's right.
Molly O'Casey: All righty. Who must submit the SF-328? And who in the company is involved in completing the preparatory due diligence questionnaire that the HK team provides?
Robert Friedman: Both are very good questions. So I think that the one thing to keep in mind when it's, the SF-328 is, it's sort of being prepared, is that we often recommend that clients submit two different SF-328s. The current guidance from the Defense Counterintelligence and Security Agency, or DCSA, is that both the company that is applying to be the cleared company, as well as the highest tier uncleared U.S. entity, must submit separate SF-328s. So just to kind of hammer home that point, let's say there's a U.S. subsidiary and that U.S. subsidiary has a U.S. parent company, and then that U.S. parent company has an ultimate, you know, parent company that's based in the UK, for example. So there's essentially three tiers. The government likes applicants to submit one SF-328 that is completed by the entity that's applying for the facility clearance. So that's the cleared company. And then a separate one for that highest tier U.S. entity, which would be the U.S. parent company. And the reason for that is because the answer to the SF-328 might be different depending on, you know, who's on the board of the different entities and other considerations as well. And so that kind of provides an additional level of insight for the government into the way the company is structured at different tiers, which will also kind of influence the FOCI mitigation analysis and ultimately the recommended approach, going forward, in terms of the individuals and the companies that are typically involved in preparing answers to our due diligence questionnaire. I like to think of it as kind of a kitchen cabinet approach to preparing that document. It's not just, you know, the outside counsel sitting with the general counsel or with somebody else in the company. The key is to ensure that you have the right personnel in the company who are going to know the answers to that due diligence questionnaire and get them all comfortable with the FCL process. So that typically involves, you know, somebody from the legal department, whether that's the general counsel or the chief compliance officer, somebody from the human resources department, usually, you know, the head of HR or somebody who has a good sense of the workforce, you know, where they're located, what their jobs are. And it has a kind of an operational, you know, insight, somebody who is either the liaison to the board or has insight into the board or, at a minimum, is comfortable asking the board personnel questions, because those are going to be central to filling out that due diligence questionnaire. So you want somebody who can easily liaise with the board of directors. You know, at larger companies, there might be a specific individual. In smaller companies that might just be the, you know, the president or the CEO. And then finally somebody who's responsible for security, whether that's cybersecurity or information security or, you know, in the case of security classification, someone who's got some background in national security. Those are all kind of important people to have at the table when completing the form to make sure that, again, you've got all the relevant information presented in a comprehensive fashion. And moreover, those people are going to also be involved as you go through the FCL process. So again, getting them invested early on can pay dividends down the road.
Molly O'Casey: It seems to be kind of a common theme in this area that whenever you're applying for an FCL, it doesn't just involve your company. It tends to involve your parent company or companies that you're connected to.
Robert Friedman: Yeah. That's right. You know, the government wants to get a complete picture of all aspects of the corporate family so that it can understand, you know, where there's potential vulnerabilities from a U.S. national security perspective.
Molly O'Casey: Let's walk through some of the key questions, and if you could please explain some common pitfalls that you've seen in your practice.
Robert Friedman: Yeah, sure. So there's 10 questions. I'm not going to go through them all. We'll do a handful on the podcast. The first question, which, believe it or not, it seems straightforward, but it is a little bit complicated, asks about ownership. And two subpart questions. The first one, A: do any foreign persons directly or indirectly own, or have beneficial ownership of, 5 percent or more of the outstanding shares of any class of your organization's equity securities? So this is for companies that have equity securities that are issued by then. The subpart B is has any foreign person directly or indirectly subscribed 5 percent or more of your organization's total capital commitment? So this is just another sort of form of a company, rather than a company, that issue shares, companies that have no capital commitments that are issued to individuals that are invested in the company. But the basic question is the same, right. Are there foreign persons that have a 5 percent or more direct or indirect interest in declared company? So it seems pretty straightforward, right? You know, we can just look at our ownership structure. If it's an early stage company, maybe look at the capitalization table and you figure out, OK, other people that we need to disclose. Well, the reason that that gets very complicated very quickly is twofold. One, it's not always clear that an investor is a foreign person, because the way that foreign person is defined is it requires an analysis of the chain of ownership of your investor. So it's not enough just to say, well, I've got an investor that holds an 8 percent interest, but they're incorporated in Delaware, so we're fine. They're a U.S. investor, they're not going to trigger this reporting requirement. Well, that Delaware company might be owned by a Chinese, you know, private equity firm. And that would make that Delaware company a foreign person for purposes of the form. So what this requires is companies to go out to their investors who have a 5 percent or greater stake and ask the basic questions around where they're organized, where their principal place of business is and, importantly, whether they have got any ownership or control that is outside of the United States. And again, the reason we start this process very, very early, far in advance of when we submit the forms, is because that often takes a lot of time to go out to investors and get this information. So that's one of the things here that we, we believe is it's critically important to start early in the process. One of the ways in which this can get again, complicated very quickly is a lot of companies have very diverse, you know, ownership interests among many different investors. And some of those investors are funds that could be venture capital funds that could be private equity funds. And within those funds, there are a range of individual investors, right. And a typical general partner or limited partner structure that most funds have, you could have, you know, 15 or 20 different limited partners, each of whom have, you know, small stakes in the fund structure. And the question then becomes, who do you need to disclose if those limited partners, for example, are our foreign persons? And, you know, I can't go too far into the weeds given the time that we have today, but it's very important to kind of understand the nuances of what the disclosure requirements are for limited partners within those funds to make sure you can, to the extent possible, you know, insulate some of those disclosure requirements while at the same time, you know, complying with the requirements of the SF-328. So question one, you know, already out of the gate get pretty complicated pretty quickly.
Molly O'Casey: Yeah, that sounds like a lot of detail, again, for a yes or no questionnaire.
Robert Friedman: Yeah definitely. So the next one, question three, just to kind of go skip around a little bit, question three asks do any non-U.S. citizens serve as members of your organization's board of directors or similar governing body officers, executive personnel, general partners, regents trustees, or senior management officials? So two things to keep in mind about that. One is the choice of the of the phrase non-U.S. citizens is, of course, very deliberate. And it's also different than what we see in other regulation. So some of your listeners might be, for example, export control lawyers, where the requirement under the export control laws is that your, you know, U.S. person, in order to receive export controlled information without, you know, raising any concerns for U.S. persons can include, green card holders, for example, question number three, non-U.S. citizens is a different standard. But you've got to be a naturalized citizen. You've got to have citizenship rather than a green card or legal permanent resident. So it narrows sort of the universe of applicable people for purposes of disclosure. The second question is, derives from the range or that subset of people that need to be disclosed. It's a pretty, it's a pretty diverse group of, you know, board members, officers, executive personnel, regents, trustees, general partners. So we get questions all the time from clients about, you know, who do I need to include? And unfortunately, there's not kind of a standard group. Because different companies call different personnel by different names. So this is why having, you know, experienced outside counsel can be useful to try to understand who kind of is inbounds and out of bounds for purposes of question number three. The next question that I'll just tick through relatively quickly is number five. Because again, this isn't one of those questions where clients have trouble figuring out how to answer it. It's a very broadly worded question. Does your organization have any contracts, agreements, understandings or arrangements with a foreign person? So that again, is very broad. If you're a company, whether you're, you know, a U.S. company that has no international sales or you're a multinational company that has a huge number of international engagements, trying to understand, you know, both how to answer the question and then what needs to be provided to the government can be, you know, a tricky, tricky proposition. So contracts, agreements, understandings or arrangements, typically these are either vendor agreements or customer agreements, other kinds of arrangements that, that the cleared company has either with a foreign vendor or foreign supplier, foreign customer. So it's very important, again, to involve personnel in this process that might be in charge of sales or that might, you know, have some ability or some oversight over where the company is doing business so that you can get insight into where there might be these foreign touchpoints. And then the question becomes, what do I need to tell the government? Let's say I've got 500, you know, customers. Do I need to disclose every name of every customer to the government? Seems onerous and it seems like it's overkill. And the reality is that there's a way we can kind of frame the response that is workable for our client, but still answer the mail for the government. And the shorthand answer is that if it's a large number of arrangements and contracts and understandings, typically we can summarize by country the number for each. So let's just use that 500 number. For example, let's say 200 of them are in the UK, 200 of them are in France and 100 of them are in Spain. Instead of having to list out 500, we could just list out by country how many fall within each of those countries. Usually that's sufficient for the government's purposes. We may get additional questions after that, but that's one way to sort of narrow the scope of what is being furnished. And then if it's a small number of contracts, often the government wants to actually see the copies of those contracts. So if there's only a handful, for example, of foreign vendors that might have supplies for your company, that might require furnishing the actual contract itself. And then the last one I'll go through this again very briefly, is question number nine. On the on the form it says, do any members of your organization's board of directors or similar governing body officers, executive personnel, general partners, regents, trustees or senior management officials hold any positions with or serve as consultants for any foreign person? So the subset of people is similar to the one I just read to you a couple minutes ago, but it’s a different question. And that is instead of asking about, you know, individuals who might be non-U.S. citizens, it’s asking about the people that are listed in question number nine. Do they have any foreign involvements or foreign touch points that might be relevant? So, you know, this could be, for example, you might have a board member that also sits on the board of a foreign university that is serving as a consultant for a UK nonprofit. They might have a role, a voluntary role, an advisory role for a company that’s based outside of the United States. These are all questions or these are all issues that would need to be disclosed. But it’s often that, not always obvious to a company that they really need to dig deep in each of these areas when it comes to identifying involvement with foreign persons. So that's just a kind of a high-level overview of a subset of those 10 questions and kind of things that we've seen, and some of the major pitfalls.
Molly O'Casey: Yeah, thanks for that. It seems that given the large scope of these questions, it's really helpful to know the shortcuts to narrow the information provided, as well as some of the nuances and the definitions that can trip companies up when answering these questions. What does the outcome of this process mean for a parent company?
Robert Friedman: Right? So as I mentioned at the outset, the submission of the SF-328 is really critical. Because, you know, doing it incorrectly can prolong the facility clearance process, you know, by months at a time. We've seen SF-328s that need to be submitted, you know, a second or third time with revisions, if it's not clear, for example, where things are incorrect. So getting it right will not only truncate the entirety of the facility clearance process, but it's also critical because it will, as I mentioned before, dictate in part the form of mitigation that the government will require if there is some form of FOCI. And so again, getting that right and making sure that it is accurate is going to help the business both in the short term and then the long term.
Molly O'Casey: Given the complexity and importance of the SF-328, how frequently do you have to file it? Do you do it once and then you're done forever?
Robert Friedman: That's a great question. And often, you know, clients will ask, well, once I get my facility clearance approved, I never have to talk to you guys again as our lawyers. And the reason why we like to stay, you know, closely connected to our client over time is because there's a number of conditions which could be triggered that would require updates to this SF-328 form. These filings are called changed conditioned packages, which I'm sure we'll talk about in a later podcast. But essentially, if anything in your SF-328 changes in a material way, you need to make an update to the U.S. government with a new SF-328. An additional explanation to explain away you know, or explain how those things might be different. And it's not necessarily like if you have a single new contract — for example, let's say you've disclosed that you have 500 foreign customers — you don't have to file an update when you have your 501st foreign customer. It's not that level of disclosure that is needed. And there's guidance from the government kind of on those issues, but more so if you've got, for example, a new 5 percent or greater interest holder who might be a foreign person, that would definitely require an update if you've got a new board member, for example, who is a, a foreign person. That would be another reason that you need to make an update to the government. So once you've got your at your facility clearance and once you're off to the races, we prepare a checklist that helps our clients figure out what within the company, what would trigger a need to make an updated filing with the U.S. government.
Molly O'Casey: So the fun never stops? Actually, change condition packages is our next episode, so we can build on that pretty shortly. This area is full of acronyms. Just this week we had standard form 328 or SF-328. Foreign ownership, control and influence or FOCI. And one we've seen before, Defense Counterintelligence and Security Agency or DCSA. Accordingly, each episode, we ask our speaker to explain an acronym that featured in the episode with wrong answers only. Would you like to pick an acronym?
Robert Friedman: Sure, I'm going to take a short one, but one that's a little bit fun for me. And that is the SF in SF-328. I like to think about it as a sleeping ferret. And you might ask, well, why sleeping ferret? And that is because from afar they look very, you know, cute and nice and, you know, relatively, easy to handle. But once you awaken the sleeping ferret and you pick it up and start, you know, looking at it, it can be quite aggressive and difficult to handle. So that is the SF-328 in a nutshell. It seems easy to deal with, but it is actually quite complex, complicated.
Molly O'Casey: Well, I've got a lot of admiration for anything that's cute but secretly aggressive. Thank you again to Robbie for taking the time to meet with us today and talk about your experience.
Robert Friedman: Thanks Molly for having me. It's been a lot of fun. Take care.
Molly O'Casey: I said on our next episode we will be discussing change conditions packages, and I hope everyone has a great week in the meantime.