Staying Compliant When Sharing Employees or Services
In this episode of "Are We All Clear? Facilitating Security Clearances," host Molly O'Casey discusses how cleared companies follow guidelines and compliance when sharing employees or services with International Trade attorney Marina O'Brien. This episode also covers how the Defense Counterintelligence and Security Agency (DCSA) monitors cleared companies for potential foreign ownership, control or influence (FOCI) issues, what Affiliate Operations Plans (AOPs) entail and how beneficial it might be for a company to comply with DCSA regulations.
Molly O'Casey: Welcome to the 13th episode of "Are We All Clear," the podcast on facilitating security clearances. I'm your host, Molly O'Casey, an international trade associate with Holland & Knight's Washington, D.C., office. Today's episode will discuss the implications of shared services and employees and cleared companies. We'll discuss when these issues come up, what companies should be thinking about and mitigation strategies. Today's speaker is Marina O'Brien. Marina is an associate in the national security and international trade regulation practice of Holland & Knight in Washington, D.C. Welcome back to the podcast, Marina.
Marina O'Brien: Thanks, Molly. It's good to be back. And by the way, number 13 is my favorite number, so this is a good omen.
Molly O'Casey: Well, good to hear that. It's good to have you back. Before we get started into shared services and employees and cleared companies, I wanted to provide some general context from our previous podcast episodes. As a reminder, a cleared company is one that has obtained a facility security clearance, or FCL, from the Defense Counterintelligence and Security Agency, also known as DCSA, which is housed within the Department of Defense. U.S. laws and regulations have identified that there is a risk presented by foreign ownership, control or influence, also known as FOCI, to cleared companies. Accordingly, DCSA monitors cleared companies for potential FOCI issues, including reviewing FOCI mitigation instruments for companies that have come under FOCI. FOCI issues are considered to have implications for cleared companies, parent companies, subsidiaries and affiliates. So, it's not just limited to the cleared company itself. With all that context, Marina, could you tell us a bit about how shared services impact cleared companies?
Marina O'Brien: Absolutely, happy to. So shared services in the context of national security, and here we're talking about facility clearances, it simply means that a cleared company that has been mitigated is sharing services with its affiliate. Well, typically this is done to take advantage of economies of scale or create business efficiencies through streamlined processes. And I believe Andrew McAllister, my colleague, touched upon this in the previous episode, 12th. So hear that one as well, a little plug in. But for example, it's a very broad notion of what affiliates mean in this context. It could be an arrangement between sister companies, or it can be a parent-subsidiary relationship, and it could be for the purpose of handling human resources. It can be marketing, IT services or services provided by third parties, for example, insurance. But again, in each case we have at least one company that is cleared and one that is not, with a cleared company being required to abide by the rules, which in this case are the National Industrial Security Program Operation Manual, a mouthful, also known as NISPOM, as well as abide by any FOCI mitigation agreement. So I guess the key here is to then think about, OK, where are shared services allowed, under what circumstances? What are the risks and how can we, as a cleared company, navigate the system so that we abide by the regulations?
Molly O'Casey: Right. And wanting to share these services across companies is a pretty common business strategy. So I imagine this comes up a lot for cleared companies.
Marina O'Brien: Absolutely. And you know, this is a balancing act, right? They are trying on one hand to keep the industry going and keep the companies in the USA competitive on one hand. They don't want to crush business. But on the other hand, they have to balance that with national security. So they don't want any inadvertent dissemination of classified or any sensitive information because these companies shared services. So it's definitely a balancing act.
Molly O'Casey: What are the type of affiliated operations that DCSA would evaluate and potentially approve for sharing?
Marina O'Brien: Sure. So the most common ones are HR-related services as a human resources or talent acquisition. IT is definitely on the list. Marketing. It could be insurance. But honestly, affiliated operations would include any internal policy or process or procedure. So they always think in terms of risk, like what if you share some process, if you share some personnel, if you share some commonality, even the same software, is there any way that this could give advantage to the non-cleared company or any way to pose a national security risk by leaking some unclassified information in the process?
Molly O'Casey: That sounds like it has the potential to include a lot of different activities. It's a pretty broad scope, not just your core operations.
Marina O'Brien: Yeah, absolutely.
Molly O'Casey: Considering that scope, what are some initial actions cleared companies can take when looking to share services?
Marina O'Brien: Well, in situations where we have a cleared company that wishes to share services with its affiliate, whether it be a parent, a subsidiary or a sister company, they should always start with figuring out what are the administrative and operational functions that are overlapping, right. IDing what could potentially be viewed by DCSA as a shared service or affiliated operation. So it's very important that companies bring a broad scope of folks on the board table, right, to discuss this. Then, once you identify what are the shared operations or affiliate operations, the next thing is to figure out risks that are presented by these operations. And then you work with relevant employees to figure out risk mitigation measures. With that collected, the next step would then be to draft and fill out an affiliate operation plan and present it to DCSA. And once finalized with DCSA, the last step would be, of course, to ensure compliance.
Molly O'Casey: And components of that seem like they reflect a classic risk assessment and due diligence exercise. So companies may be able to weave the process into their current policies and practices.
Marina O'Brien: Yeah, absolutely. Everything is risk-based and proportional to it, and that's how DCSA is approaching it, too. So it's not one-fit-all. Although DCSA has a template that can be used as an affiliate operational plan, this will be highly edited and then adapted to the specific situation of the company.
Molly O'Casey: We love a template.
Marina O'Brien: That's right.
Molly O'Casey: How can companies approach identifying operations that could be captured as a shared service?
Marina O'Brien: Well, there are some questions the company should ask to better identify, as I just mentioned earlier, which operation might be considered by DCSA because some might not be even coming to our mind. So, for example, think about "does sharing the service give the cleared company an economic benefit that it would not otherwise enjoy?" So let's look at an example. We have an affiliated company that decides to give a cleared company specific software, but at a discounted price. So this might give the non-cleared company leverage over the cleared company. And that's because in the future, the affiliate company may decide to, in the worst case scenario, discontinue the software or put pressure by increasing the price or whatnot. And with that, then you put the cleared company in a material disadvantage. And the last thing that DCSA wants to do is to have a cleared company in financial reliance, especially if the software becomes an integral part of the business. Some other things to ask are, does the internal process or procedure that's being shared with either affiliated company give the affiliates some operational leverage over the company? It's all about the cleared company maintaining its independence. And in the reverse, ask yourself, is there something that the cleared company is providing to the affiliate? And this also could potentially create risk, mostly in terms of inadvertent leakage of cleared and confidential information. And even if the company is not safeguarding information, it's still a potential risk there. So, last thing that I would mention to think about, is the company using the same third party or service provider as the affiliate? Again, these processes don't have to be internal only. It could be provided by third parties. So for example, think of insurance and medical benefits. And how could that potentially present risks?
Molly O'Casey: Really interesting stuff to think about. What issues tend to come up the most with clients in this area?
Marina O'Brien: So I think the one that we get the most questions centers around shared personnel. And certainly this would fall under the purview of the affiliate operations plan, or AOP, as we've been throwing it around. And it is often allowed, so long as the personnel that's working for the cleared company, if they are shared from the affiliate, they of course, number one, they have to be cleared. But also any hiring and firing decisions really have to stay with a cleared company. Because here's where the undue influence comes. So they are OK with sharing personnel as long as we have these precautions put into place.
Molly O'Casey: As we learned in a previous podcast episode, a personnel security clearance, or PCL, is granted following a pretty involved investigation by DCSA to establish whether the personnel meets national security standards so that they can receive access to classified information. To me, that suggests that it's challenging for cleared companies to share personnel without some kind of mitigation strategy, which segues into my question on supplements to FOCI mitigation agreements. You mentioned the AOP or the affiliated operations plans. Could you explain what AOPs entail? What does an AOP consist of?
Marina O'Brien: Sure, Molly. So as Andrew mentioned in the previous episode, the FOCI mitigation agreements are what should be done in order to mitigate any potential foreign ownership or influence and any foreign risk that can come into the operation. So we're a cleared company. But this affiliate operation plan or other supplement, such as the ECP or electronic communication plan, or the technology control plan, is how, it's the very detailed one, details of how you're going to do it. And in fact, the AOP is probably the most detailed document of all agreements, and in terms of its table of contents and what's really in it, it essentially identifies all of the potential shared agreement or operational services between the two companies. It then discusses each one by identifying what are the risks presented by such sharing and then provides specific steps. Company A is going to do this — X, Y and Z — in order to retain power and possession and independent control of whatever they're trying to do. So an AOP, it identifies all of the shared services between the companies that are being proposed, right? Because first, the companies will send a draft AOP to DCSA for review before it gets finalized. And then it describes the potential risk associated with each one of those proposed shared services and how they can be mitigated, providing very specific steps. So even if certain things have already been mitigated in a cleared company, they still have to be identified. So in essence, the AOP is both a security plan and a governance plan.
Molly O'Casey: So the AOP is the core document in managing shared services between a cleared company and its affiliates.
Marina O'Brien: That's right.
Molly O'Casey: With that in mind, what are some good mitigation strategies?
Marina O'Brien: Well, in terms of proposing mitigating measures, let's take an example. That's the easiest way to learn. If we have finance and accounting type of services that you want to share. So this could mean that either an affiliate would like to receive information about the cleared company's financial situation. Most often this is a parent company who would like to know, well, how is my subsidiary doing? Or you have some sister companies or other relationship between the corporate group where companies like to share bank accounts for cash flow purposes. Well, in this kind of situation, DCSA would like to ensure that the Government Security Committee of a cleared entity is able to review the procedures used to report information to the affiliates. So again, you want to make sure that the mitigated company or the cleared company maintains control and oversight over its books. So maintaining control, it's very key. On the other hand, you also want to make sure that the shared information does not lead to security risk. And in a situation where we have shared bank accounts or you are providing certain financial data, the risk is that you could adversely affect the short-term cash flow of the cleared company. You could unduly influence the long-term project and budget situation, so you could inadvertently provide ops specs details. So any cleared information — and by looking in certain finances, maybe you can identify which cleared contracts they're working on, and that might be not allowed. So there are certain things that are allowed within limits.
Molly O'Casey: And as we learned on earlier episodes, the mitigation agreements involve a special committee of the company's board of directors called the GSC, or the Government Security Committee, that includes outside directors or proxy holders. And the committee handles these matters really to safeguard classified information. What is the process for AOP submission and approval?
Marina O'Brien: Well, DCSA luckily provides formatted templates on their website for companies to use. So that's a good start. But as I mentioned earlier, it should really reflect the situation at hand so that one can be adjusted to fit the company's specific situations. So once the AOP is drafted with the input of everybody in the cleared company and its affiliate, then it has to be approved before the mitigating company can start leveraging any affiliated operations. So no matter what you do, if the FOCI risk cannot be sufficiently mitigated, it will be a no-go. So, for example, the individuals performing the services or operations, if they have unauthorized access to classified or sensitive information in the performance of their jobs, that's a big red flag. Another example is where a mitigated company cannot demonstrate its ability to comply with the mitigation agreement. Maybe they don't have the appropriate stuff or they are not putting enough efforts in it as would typically be required. Or simply, it looks like the cleared company cannot be functioning independently financially from the other company. So they're very immature, didn't have enough staff or financial backing, they don't have enough contracts to sustain them and therefore will be very vulnerable to the affiliates.
Molly O'Casey: Right. So overall, DCSA will work with you, but there are limits to what you can manage through a mitigation agreement or strategy.
Marina O'Brien: Yeah, absolutely. I mean, it is a conversation. You should be prepared and present your plan. But at the same time, DCSA might push back, provide different alternatives, and it's an ongoing dialogue.
Molly O'Casey: What are some important considerations in AOP compliance?
Marina O'Brien: All right. So when we are already at the compliance stage, it is important that the affiliated operations that have been approved are being put into motion, right? So don't overstep the scope of the AOP. And, if there has been any circumvention of the requirements as they're outlined in the AOP, the company will have to notify the government if there are unapproved affiliated operations that have been identified, whether or not there is an AOP put into place. This might affect the facility security clearance. Unapproved affiliated operations might be identified during the security vulnerability assessment by DCSA, and this can have a significant impact on the final security rating, as most of our, or some of our listeners are familiar. There's also a yearly compliance certification: annually, a mitigated company must certify that it's effectively monitoring the affiliate operations. So people should know their AOP plan and everything that's entailed, and pretty closely follow it. Do internal audits, prepare for any audit by DCSA and for any yearly compliance meetings. And if there are issues that are identified, try to work with DCSA to fix it.
Molly O'Casey: Right. So as you might expect, the compliance is ongoing, and there's some pretty significant responsibilities.
Marina O'Brien: Absolutely.
Molly O'Casey: And finally, what are some of the biggest challenges with AOP?
Marina O'Brien: I think initially it's really understanding the scope of affiliated operations and properly identifying all the potential issues. But perhaps the largest challenge is when you have a company that is very well integrated and then they're trying to spin off a new company that will solely focus on cleared business. And it's very labor intensive and very expensive, when what you want to do is establish a standalone entity because the degree of separation that will be needed to get this company started and pull it out of the cleared company, it's not just putting one office within the suite that will be cleared. You have to separate HR to a large extent. You have to separate IT, only cleared IT personnel may have access to certain things, you have to separate servers. You have to separate so many things, and soon enough it might not be worthwhile for some companies once they look at the time, the talent and the costs that are associated with such an endeavor. But if a company already exists and then files for a facility security clearance, that's a little bit of a different story. And ultimately, really it might pay off to go through that exercise because you might have some really good business consideration. You may have a good amount of potential cleared work down the pipeline and so forth. So definitely worthwhile. But it comes with headaches.
Molly O'Casey: Right. The timing of doing this analysis is really important.
Marina O'Brien: Yes. Taking the time to do it and do it properly, it's key.
Molly O'Casey: Thank you so much for coming on, Marina.
Marina O'Brien: Thank you for having me, Molly.
Molly O'Casey: This area is full of acronyms. This week we had Security Vulnerability Assessment, or SVA. Facility Security Clearance, or FCL. Personnel Security Clearance, or PCL. Government Security Committee, or GSC. Affiliated Operations Plan, or AOP. Technology Control Plan, or TCP. And Electronic Communications Plan, or ECP. So each episode we ask our speaker to explain an acronym that featured in the episode with wrong answers only. Marina, would you like to choose an acronym?
Marina O'Brien: Sure, staying on point with AOP. Except in this instance, it stands for adverse outcome if no plan. So I did add two little fillers there, similar to Andrew.
Molly O'Casey: I'll allow it.
Marina O'Brien: But in this context, just a reminder that if a mitigated company does not have an AOP where there are shared operations or shared services, there will be adverse consequences.
Molly O'Casey: Well, nobody likes adverse consequences.
Marina O'Brien: No.
Molly O'Casey: With that, I hope everyone has a great week.
Marina O'Brien: Thanks Molly, thanks for having me again.