Podcast - Change Condition Packages: Tips for Cleared Contractors

Molly O'Casey: Welcome to the sixth episode of Are We All Clear? The podcast on Facilitating Security Clearances. I'm your host, Molly O'Casey, an international trade associate with Holland & Knight's Washington, D.C., office. This episode delves into change condition packages, or CCPs. As the name would suggest, CCPs are essentially a notice to the government that the cleared facility has undergone certain changes. CCPs must be submitted to the Defense Counterintelligence and Security Agency, or DCSA, or to any other Cognizant Security Agency, aka a CSA. Our speaker today is Marina O'Brien, an associate in the national security and international trade regulation practice of Holland & Knight's D.C. office. Marina will discuss the process of preparing and submitting a change condition package and responding to any follow-up questions. We will also outline key documents and information [that] needs to be included, as well as some important considerations and nuances in the process. Welcome to the podcast, Marina. 

Marina O'Brien: Thank you for having me, Molly. I'm delighted to be here. 

Molly O'Casey: So what is a change condition package and why do we need one? 

Marina O'Brien: Well, a change condition package is essentially a notice requirement for cleared companies, those with a facility security clearance. And this can be found in Section 117.8(c) of the NISPOM — here you go, another acronym, the National Industrial Security Program Operating Manual, which is quite a mouthful. Essentially, cleared companies are required to report changes in ownership. Name change, for example, when they add a "doing business as" or a DBA. Any changes in legal structure, and here we are talking about perhaps reorganizing from an inc. or a corporation to an LLC, which stands for a limited liability company. Any changes in addresses, key management personnel — the KMP acronym — business termination or bankruptcy, as well as any changes to foreign ownership, control or influence, also known as FOCI. As you can imagine, the government, as the regulator, should be kept abreast of any such changes, as this may impact the company's eligibility for clearance. So this is very important when it comes to FOCI because, in this case, we might have a transaction that will result in an effective ownership or control by a foreign interest, and in which case the company will need to, in addition to submitting a change condition package, let DCSA know prior to closing. So it's important to just think about all the type of changes, in addition to this being listed in the regulations, just think about essentially the information is submitted with the package when you applied for your facility clearance. If there is any key change, the government should know. 

Molly O'Casey: Interesting. So that seems like a pretty broad set of circumstances that would trigger a CCP. I mean, I don't know if everyone would necessarily think about the implications on facility security clearances whenever they're changing their personnel. 

Marina O'Brien: That's right. It can be varied. Some packages will be more complicated than others. So in case there is just a change of address, you move your office, that should be very straightforward and easy. But most of our cases that we work on at Holland & Knight typically involves mergers and acquisitions or divestitures, and so these are a little bit more complicated and include a variety of changes that have to be reported, including the list of KMPs, the address, the name, new ownership and so forth. So there is a varying degree. 

Molly O'Casey: That makes sense. Before we talk about what should be included in a CCP, let's discuss what we all fear the most: deadlines. When should the package be submitted? 

Marina O'Brien: Well, interestingly enough, there is no regulatory deadline, but typically this is done within two to four weeks after the change occurs. So in cases such as mergers and acquisitions or a new round of fundraising, for example, for a lot of startups this translates to about a month after signing the deal. However, if we're just reporting a name change and nothing further, as it would be expected, you know, it will be reasonable to submit sooner than a month. That said, it's very important to note that if a cleared company has an industrial security representative, or an ISR, it is a good practice to let your contact at DCSA or the cognizant security agency know that there is this impending change coming up. So this is essentially a courtesy heads up. And the ISR would typically then give the company, or the facility security officer in the company, to be more exact, typically a deadline for when they expect this package to be submitted. In most cases, the ISR will be OK with a one-month deadline for the change condition package. And of course, this can be extended for good cause. 

Molly O'Casey: Right. So you do have a bit of breathing room with the two to four weeks. But in the case of an M&A transaction, it's probably something you should be thinking about in advance. 

Marina O'Brien: Absolutely. That's a great point. We always advise our clients to start thinking ahead of time. I know when you're in the midst of a transaction, that's the last thing you want to do. You're trying to get through the diligence process and everything else, and this is an important step, and it will make things easier to start organizing and gathering information. It could be a bit complicated sometimes because the FSO, the facility security officer, is not always reading into the transaction until a week or two, or the last month, before closing. 

Molly O'Casey: And what should the CCP package actually consist of? Given the broad scope, is there anything that does not need to be included? 

Marina O'Brien: Sure. So depending on the type of change, different types of documents will be submitted. However, most often we see the following five or six items. First, as you roadmap, it will be the new organizational chart of the company post-closing, or the org chart. And unlike other org charts submitted to other government entities, for example, the Department of State (inaudible) relations to any ITAR post-closing notice, for example, when submitting an org chart to DCSA, it has to be submitted in a specific format. Typically this is a lot more involved and detailed. It would include information from the cleared entity all the way up to the change of command. All the parent entities, as well as for the cleared company, you will have to report the level of clearance, the FCL, how it's being managed — for example, whether it's through a board of directors or member manage, if it's an LLC and so forth — their CAGE code, etc. Also, the org chart would include information related to ownership versus management because you might have somebody up the chain that is a passive owner but has no management over the company, and all of this is important. 

Another nuance that I would like to mention here is that when you go up the chart all the way to the final beneficial owners, DCSA would like to see additional information related to anybody who owns more than 5 percent of, let's say, an intermediate parent or an ultimate parent. So even if that is not disclosed with the change condition package initially, they might send a follow-up question to that. So always think about that. So for example, let's say we have a cleared company that's being bought by a holding company that's ultimately owned by a company that's listed on the stock exchange. DCSA would like to know about any owners in the top parent that have more than 5 percent, etc. So this is the magic number with DCSA, 5 percent or more. And when it comes to foreign ownership in this chart, the important part is noting any foreign ownership above 5 percent, not only individually, but also in the aggregate. 

Molly O'Casey: Understood. So it seems like we have a lot of these documents that we've been discussing on other episodes. The KMP list, the SF-328, the DD 441. So those documents remain important throughout the process. 

Marina O'Brien: That's right. So the second thing that we typically submit in a change condition package is the KMP list. Here, think about OK, what has changed. In an M&A transaction, oftentimes we see some KMPs leave, some are added. And just as a refresher, the KMPs include officers, directors, partners, LLC members, trustees, managers and so forth of a cleared company. It also includes the facility security officer. So this will have to be updated. In addition to this, we have the third main thing that is typically included. And that is that SF-328. This is essentially the certificate pertaining to foreign interests, which was discussed in length in the last episode, I believe, episode five. And here I would just note that it's important that there will be two different SF-328s submitted, one for the cleared company and one for the highest functioning parent. Essentially, DCSA would like to know whether there has been any changes as a result of the transaction when it comes to any foreign interests. In addition, if there is, for example, a name in the change of the company or address or legal reorganization, a new DD 441 document will be submitted as part of the change condition package. And since we're throwing a lot of jargons there and acronyms that we're talking about, the DOD security agreement. And as one would expect, when these kind of changes occur, the government would also like to get a copy of any corporate documents. So, for example, if there has been any changes in the bylaws, the limited liability agreement. If there is an LLC or any type of consent or approving resolutions for any new officers or directors — that means appointing new KMPs — this should also be shared with the government. Any new documents coming up from the corporate registry, that should also be shared. We typically submit this for and as it relates to the cleared entity. DCSA may ask for some additional documents from some of the parent entities as well. Last thing that I would mention in terms of what we typically submit, what a change condition package typically contains, and before saying what not to include, is that the company will need to submit any FOCI mitigation instruments as necessary, right? It depends on the level of foreign control, if there is any. But even if there is no foreign interest in the chain of command, exclusionary resolutions are still submitted in order to, number one, exclude the parent entities that are not cleared, in case there is a corporate structure where the immediate, intermediate and final parents don't have any facility clearance, so we want to prevent them from having access to classified information, and number two, to exclude any KMPs of the cleared company itself. Typically this sometimes would be the CFO, doesn't always have to have clearance, and if they don't, they will be as well excluded from access to classified information in the possession of the company. So with that, which can be a quite a long list and takes some time to prepare, the question is, well, what do we not include? And to this I will just say, it is important to provide the government everything that is required and to be very thorough. But at the same token, you know, in the same hand, you don't want to give them more than is required. Most often, people can be sensitive when it comes to certain ownership information going up the chain. And unless they are foreign or unless the government wants to know and there is no need to disclose, that should not be voluntarily given. 

Molly O'Casey: So there's still some room for a bit of privacy in this area. 

Marina O'Brien: Absolutely. 

Molly O'Casey: Who's on the hot seat for CCPs? Who has to submit them, and are there any rules on how it must be submitted? 

Marina O'Brien: Yes. So the company's facility security officer, or the FSO, is responsible for submission. Of course, we would be happy to help with preparing the package. But ultimately this person will have to do it, and it cannot be emailed. It has to be submitted via the company's National Industrial Security System or NISS account. And this can be accessed via DCSA's website. So it has to be secure, and therefore, that is the portal that's being used. 

Molly O'Casey: Excellent. Do you have any tips to share for submitting a CCP? Any parting thoughts that you'd like to share? 

Marina O'Brien: Sure. So in addition to being thorough but don't volunteer things you don't have to say, I would say don't forget to update other government-related databases. So for example, if there is a name change or change in ownership, you should update the company's records in your local state where registered, right? That's a given. But also don't forget the System for Award Management, or SAM.gov, and also any account you might have with the Defense Logistics Agency. You might need to update that as well. And finally, if the company is no longer working on any classified information in connection with the U.S. government contract or even a foreign government, you should tell the government because you no longer have a need to hold a facility clearance. So that's another type of change, right? It would be no longer having the need. You’ve ceased working on classified contracts. 

Molly O'Casey: Gotcha. So if it interests one government agency it potentially interests multiple. 

Marina O'Brien: Correct. Especially when this is important for all the government contractors. And so they work with several regulatory schemes at the same time. And they have to be cognizant of all of those requirements. And all these requirements, of course, run in parallel. So it's not necessarily one after another. 

Molly O'Casey: Brilliant. Thank you so much for your thoughts, Marina. 

Marina O'Brien: Absolutely, happy to help. 

Molly O'Casey: This area is full of acronyms. Just this week we had quite a few. So I'm going to beg your patience as I go through them. There's the change conditions packages or CCPs, Defense Counterintelligence and Security Agency or DCSA, Cognizant Security Agency, CSA, National Industrial Security Program Operating Manual or NISPOM, key management personnel or KMPs, foreign ownership, control or influence, FOCI, industrial security representative or ISR, facility security officer or FSO, the National Industrial Security System or NISS, pronounced NISS, Standard Form 328, SF-328, DD 441 or the DOD Security Agreement, Commercial and Government Entity code or CAGE code, System for Award Management Account, SAM.gov, and Defense Logistics Agency, DLA databases. Marina, you and I are also acronym buddies in that my full name is MOC and your full name acronym is MOB. So that's a bit of fun trivia and easy way to get confused whenever we both review documents. 

Marina O'Brien: That's right. Thanks, Molly. 

Molly O'Casey: On our next episode, we'll be discussing the facility security officer: What is it? How do you select one? And, what does it entail? I hope everyone has a great week.