Podcast - Everyone Come to Play: Exploring FOCI Mitigation Instruments
In the 12th episode of "Are We All Clear? Facilitating Security Clearances," host Molly O'Casey and International Trade attorney Andrew McAllister provide insights on foreign influence, ownership or control (FOCI) mitigation instruments. The attorneys elaborate on the following key topics regarding FOCI mitigation:
- why FOCI mitigation is necessary
- proxy agreements, special security agreements and security control agreements
- correlation between FOCI supplements and FOCI mitigation agreements
- affiliated operations plan (AOP)
- technology control plan (TCP)
- electronic communications plan (ECP)
- visitor access plan (VAP)
- facilities location plan (FLP)
- quality management plan (QMP)
- controlled unclassified information (CUI)
Tune in as they explore these topics and more!
Molly O'Casey: Welcome to the 12th episode of "Are We All Clear," the podcast on facilitating security clearances. I'm your host Molly O'Casey, an international trade associate with Holland & Knight’s Washington, D.C., office. Today's episode will discuss FOCI instruments. FOCI stands for foreign influence, ownership or control, and FOCI instruments include affiliated operations plans, technology control plans, electronic communications plans, visitor access plans and facilities location plans. Today's speaker is Andrew McAllister. Andrew's a partner in the International Trade Group based out of Washington, D.C. Welcome back to the podcast, Andrew.
Andrew McAllister: Hey Molly. It's good to be back. I will say we're on episode 12 and I feel like I've already done a few, so I'm happy and honored to be a frequent guest.
Molly O'Casey: I really appreciate you being such a good sport about it. Thanks, Andrew. We've covered FOCI on previous episodes. But for those listening to this episode as a one-off, could you tell us a little bit about FOCI generally? To set the scene.
Andrew McAllister: Yeah, absolutely. And so FOCI — F-O-C-I — stands for foreign ownership, control or influence. And it really refers to a situation in which the degree of ownership, control or influence over a company that has a clearance by a foreign interest is such that it may adversely affect the performance of classified contracts or raises a risk for unauthorized access for classified information.
Molly O'Casey: Right. And what's the context around mitigation instruments? Why do we need mitigation where there's FOCI?
Andrew McAllister: Yeah. So great question. And so let's start with the premise that a company with a facility security clearance could be 100 percent owned by a foreign company. Let's say a French parent company. And so the fact that the U.S. government is still willing to provide that company in the U.S. with a clearance is actually pretty surprising in some ways. And so we need to build around the mitigation. I almost refer to it as a bubble, right? We create a bubble around that U.S. company such that it's not unduly influenced by the foreign parent.
Molly O'Casey: And how do we maintain this bubble? What are the mitigation strategies? I mean, I know we discussed this on an earlier episode, but again, for those listening to this as a one-off, could you briefly go through proxy agreements, special security agreements and security control agreements?
Andrew McAllister: Yeah, absolutely. So the three agreements that you've mentioned, those I would say are on the more onerous side. In particular, the proxy agreement and special security agreement. Those are utilized when a U.S. company is typically either majority owned or wholly owned by a foreign interest. And so then you move down the rung to a security control agreement. That might be something where you have a significant minority foreign owner, let's say 40 percent, and the other owner is a 60 percent U.S. company. And so when we're looking at those three instruments, right, the proxy really creates sort of a stone wall between a foreign parent and the U.S. company. And then as we move down towards a special security agreement and security control agreement, there is some, I would say, added transparency. The foreign parent is more involved, has more knowledge and understanding of what's happening within the U.S. company. In those instruments, we also have something referred to as a government security committee that is comprised of really outside directors. Those are impartial individuals that have been appointed by DCSA, usually at the recommendation of the parties. And so they sit as sort of that outside influence to make sure and protect the secrets of the classified contractor.
Molly O'Casey: Thanks for that, Andrew. With that context, could you provide a high-level overview of the relationship between FOCI supplements, which we referenced at the outset of the episode, and FOCI mitigation agreements?
Andrew McAllister: Yeah, exactly. Now we're starting to get into the nuts and bolts. This is, I'm sure, what everyone has been waiting for. And so I like to think of the agreements or sort of the overall structuring, right? How is DCSA, how is the Department of Defense allowing the structure to continue in order for that cleared contractor to continue to hold the clearance? Right? When we talk about supplements, those are typically referenced in the mitigation instruments themselves. And so they are just that — they're supplements to the agreements — and again, I would view those as more operational documents. Right? How does a company holding a clearance with foreign outside influence, how does it operate on a day-to-day basis in order to ensure that appropriate mitigation is in place?
Molly O'Casey: Got it. And my understanding is the main supplements include the affiliated operations plan or AOP, the technology control plan or TCP and the electronic communications plan, ECP.
Andrew McAllister: Yeah, exactly. So those are core supplements. There's also a visitor access plan. There's a facilities location plan. And then there's one, as I'll mention, more towards the end. There's also a quality management plan. And so again, not all of those are required for each situation of the particular contractor. It depends on the FOCI mitigation agreement in place, as well as the circumstances surrounding, you know, who's the owner, what type of influence are we protecting against?
Molly O'Casey: Right. And it sounds like maybe these can be grouped in terms of the affiliated operations plan, which is more externally focused on affiliates, the technology control plan and the electronic communications plan, which is more internally focused on information and technology security, and then the visitor access plans and facilities location plans, which is again focused internally, but more on physical security.
Andrew McAllister: Yeah. No, I think that's a good way of characterizing it because, again, we've got all these different supplements that sometimes [it's] hard to keep track of what exactly each one is doing. So thinking about it in the context of external factors, internal factors, etc., I think helps sort of think about the whole operation holistically.
Molly O'Casey: To start, could you tell us a bit about affiliated operations plans or AOPs? When is an AOP necessary?
Andrew McAllister: So this is a requirement for FOCI-mitigated companies when they enter into operational relationships with their affiliates. And so, again, an affiliate would be a foreign parent. It could also be a sister company in the U.S. that's owned by that foreign parent but is not under a mitigation agreement. So affiliate has a pretty broad definition. So any relationships, again, operational relationships with those affiliates could include affiliated services, shared third-party services, shared persons and cooperative commercial arrangements. So maybe I'll explain each of those a little bit in detail. Right. Affiliated services. That might be, oh OK, well yeah, we're a small U.S. company. We need our foreign parent to provide human resource-related services, or they need to provide finance and tax services. OK, that's one. Shared third-party services. Well hey, we're companies. We need outside auditors. Well, why are we going to get two completely separate auditors for the foreign parent and the U.S. company? It's all one business operation. OK, well, that could be a shared third-party service. Shared person. Another example, we've got a subject matter expert who happens to work in an affiliate, but we need him to come to our facility on a regular basis. Maybe he's seconded to our company for a period of time because he's really knowledgeable on how to manufacture things. OK. Well, that's a shared person. And then cooperative commercial arrangements. That would be really sort of contracts or arrangements between the two companies. Right. Buying and selling things.
Molly O'Casey: Interesting. Next, could you tell us a bit about technology control plans or TCPs and electronic communications plans or ECPs? When is a TCP necessary?
Andrew McAllister: Yeah. So I would say a TCP I view as sort of an overall, you know, in some ways, an overall sort of business hygiene when it comes to security. Right? And so it outlines, you know, things like physical protection to classified and also export controlled information. Again, that's not classified information. It's generally referred to as CUI or controlled unclassified information. But you may need a TCP again to sort of structure those security measures to protect against some unauthorized access. It might have components of physical security. And so that is a normal document that you see, frankly, in FOCI-mitigated arrangements. But you also see it in lots of other areas related to dealing with sensitive technologies.
Molly O'Casey: I think you might have covered this already, but are there any specifics of what's involved in a TCP? Particular to security measures, I guess.
Andrew McAllister: Yeah. And so, again, it's going to have things about, you know, going to have that access, you know, how is one able to access the particular company? It may have things about visitors. It's going to have lots of provisions about U.S. citizens versus non-U.S. citizens. So, again, it's going to, in some ways go above and beyond just classified information. It's going to provide measures to make sure things are controlled appropriately.
Molly O'Casey: So that's technology control plans. What about electronic communications plans? In what context are they required?
Andrew McAllister: Yeah. So those are generally in a FOCI arrangement where you have either that proxy agreement, special security agreement or security control agreement, and those are very robust and detailed in nature, which in some ways draws a bit of a contrast to a technology control plan. But the electronic communications plan, you're going to want to have your IT department heavily involved. Those plans go on for pages upon pages and talk about things like your IT infrastructure. It's looking at emails coming in and out. It's looking at how people are given, you know, access to certain folders, files, project documents, and then often in that electronic communications plan there are auditing-type processes. So for example, electronic communication. OK, well are we the U.S. company emailing with our foreign parent company? Well, yeah, of course we are. Right? They're our owner. So yes, we are emailing with them. Well, we need to be making sure that we have a log of when that's happening. We need to keep records of that to audit and review to ensure there's no undue influence or other pressure being provided by the foreign parent.
Molly O'Casey: Finally, could you tell us a bit about visitor access plans, VAPs, and facilities location plans or FLPs? Firstly, what's involved in a visitor access plan?
Andrew McAllister: Yeah, so that one in some ways I would say is easy to sort of get your arms around, which is, OK, we need to have a system in place to understand, evaluate and assess everybody coming in and out of our building, right? When they show up at the front door, we likely are checking their badge, checking an ID, we may be walking with them to go to certain parts of our office. We want to make sure that they stay out of anything classified. But then also, there may be areas where export controlled information resides. There may be a factory floor. And so the visitor access plan is really the procedures and protocols related to ensuring that we have knowledge of who's coming in and where they're going within our building.
Molly O'Casey: Always good to know. When is a facilities location plan necessary?
Andrew McAllister: So that's more of a FOCI creature in some ways. And so that has to do with the cleared contractor being located in close proximity to an affiliate. And so take, for example, there's a French parent company and there are two U.S. subsidiaries. One of them has a clearance and operates under a FOCI mitigation agreement. The other one doesn't. The other one is all about commercial sales. OK. Well, turns out they're both pretty small. And so they may share office space. They may both be on the 10th floor of Building X. And so that can be OK, but we need to have DCSA authorization through a facilities location plan. DCSA is going to want to look at the floor plan. They're going to want to look at the building diagram to understand what are sort of the opportunities in which the unmitigated company could influence the cleared company in some way, right? Well, do they share a breakroom and a kitchen? Well, of course they do. It's a small office. Well, what might happen in the break room? And so they just want to understand how the building is set up and make sure that we're appropriately protecting against sort of that both undue influence, but also somehow leaking classified information.
Molly O'Casey: And I imagine this comes up whenever companies are planning on relocating to areas within close proximity to one of their affiliates as well.
Andrew McAllister: Yeah, exactly. Sometimes there's an efficiency perspective in terms of, well, yeah, we've purchased Company A, but we already had Company B with office space here. And because there's certain economies of scale, certain business efficiencies, we want those two companies to be located next to each other. And so sometimes, as you alluded to, that's when the issue arises.
Molly O'Casey: You also mentioned quality assurance plans. I believe the acronym for that is just QA plan. Could you outline what's involved with those?
Andrew McAllister: Yes. So a quality management plan is implemented to further secure the company's supply chain and manufacturing activities. So the so-called QMP may require certain quality assurance, prevention, quality control standards, including generally accepted manufacturing inspection and quality standards for the particular industry sector. There may also be measures related to receiving products and services from the foreign parent or a foreign supplier. And so that one, as opposed to, I would say, most of these plans, there are templates, albeit quite dated, on the DCSA website. This is an example of a plan that really hasn't quite made it to the DCSA website yet.
Molly O'Casey: Well, at least there's some kind of starting point, right?
Andrew McAllister: Yes, exactly. And so I think that, you know, again, going back to the — unfortunately, in this area with some of the supplements, there is a need to bring in people with some level of experience in dealing with these sorts of issues in the past. Because although there are templates and instructional guides, they often only get you part of the way there.
Molly O'Casey: Have there been any interesting recent developments in this area?
Andrew McAllister: I think one, you know, again, as the audience is probably aware, I mean, certainly over the past couple of years, the U.S. government has been fairly focused on supply chain security. There have been, you know, actions such as earlier this year Department of Commerce prohibiting certain Russian-backed software for use by U.S. customers. And so I reference that to say DCSA is no exception here. And so the quality management plan is gaining more and more momentum in terms of a required supplement for particular contractors, but also the provisions within the quality management plan becoming more detailed and in certain cases more restrictive. So that's one area. I guess the other one I would sort of point to is, again, DCSA is — they're flexible in some of these mitigation arrangements because it's not a one-size-fits-all model. And so as we've referenced, I believe in prior podcasts, in certain instances, DCSA will allow for special board resolution. So those are less onerous than the other plans we've been talking about. But sometimes you will see a light version of an electronic communications plan. So you'll see something called an electronic communications management plan. And so again, it's a little less comprehensive to sort of tie to the special board resolutions being a little lighter.
Molly O'Casey: Got it. So it sounds like the quality management plans, the electronic communications management plans and the board resolutions are becoming more important in this space.
Andrew McAllister: Exactly. We're just seeing trends. And so, I mean that's the thing where the target or the potential risk is ever changing.
Molly O'Casey: And remind me, the quality management plans are the plans that are not available on DCSA's website, right?
Andrew McAllister: That's correct.
Molly O'Casey: That's always handy.
Andrew McAllister: Yes, you find that to some degree in this area, right? Because, again, they're addressing sort of the need of the day. And so the need of the day is supply chain security. And so they continue to work with companies in implementing these plans and they're very tailored to specific companies or threats. And so I think that's another reason why you don't see a generic template.
Molly O'Casey: Got it. Thank you for coming on and sharing your thoughts, Andrew.
Andrew McAllister: Yeah, absolutely. Great to be back again.
Molly O'Casey: This area is full of acronyms. This week we had a few new ones with affiliated operations plan or AOP, technology control plan or TCP, electronic communications plan or ECP, visitor access plan, VAP, facilities location plan or FLP, controlled unclassified information or CUI and quality management plan or QMP. Each episode, we ask our speaker to explain an acronym that featured in the episode with wrong answers only. Andrew, would you like to choose an acronym?
Andrew McAllister: Absolutely. I've been waiting for this question. So I would choose ECP. And the reason I would choose ECP is I would use it as an acronym for "everyone come to play." I know I've got an extra word in there but it's a minor one.
Molly O'Casey: I'll allow it.
Andrew McAllister: I appreciate that 'cause I don't want to have to go to my second one. So the reason I would say that is as we talk about these different supplements, you really need an organizational holistic approach, right? We need the IT department, we need the finance and accounting. We need the law department. We need the supply chain department. This isn't just, oh, well, we got our facility security officer, he or she will handle all these supplements. No, we got to have everyone come to play so that it makes for effective documents and we don't find ourselves on the wrong side of complying with DCSA requirements.
Molly O'Casey: Well, we'll see how it plays out. On that terrible pun, I hope everyone has a great week.