Podcast - A Comprehensive Overview of FOCI Mitigation
In Episode 15 of "Are We All Clear? Facilitating Security Clearances," host Molly O'Casey and members of Holland & Knight's International Trade Group discuss the complexities of Foreign Ownership, Control or Influence (FOCI) and its implications for security clearances in government contracting. They explain how foreign entities can influence cleared companies, impacting classified contracts, and detail the Defense Counterintelligence and Security Agency's (DCSA) role in overseeing FOCI assessments through the SF-328 form. Mitigation strategies such as proxy agreements and outside directors are highlighted to ensure compliance and safeguard national security.
The episode also revisits Section 847 from the 2020 National Defense Authorization Act (NDAA), which mandates FOCI assessments for non-classified U.S. Department of Defense (DOD) contracts valued at $5 million or more and represents a significant expansion of FOCI regulations. This discussion reinforces the need for companies to effectively navigate these complexities while utilizing supplemental documents like Affiliated Operations Plans and Technology Control Plans to maintain compliance.
Molly O'Casey: Welcome to the 15th episode of "Are We All Clear?" the podcast on facilitating security clearances. I'm your host, Molly O'Casey, an international trade associate with Holland & Knight's Washington, D.C., office. Today's episode will ask, "What the FOCI?", as we review our previous episodes on FOCI, specifically episodes 10 through 14. We'll discuss the basics of FOCI: FOCI enforcement; FOCI mitigation strategies, including mitigation agreements and FOCI supplements; cleared employees and shared services; and the new Section 847. So, if you have any questions on those topics, feel free to go back to previous episodes and they should probably address that. Today's speakers are Antonia Tzinova, Andrew McAllister, Robbie Friedman, Marina O'Brien and Libby Bloxom. Antonia, Andrew and Robbie are partners in Holland & Knight's national security and international trade practice in Washington, D.C. Marina and Libby are associates in the same practice, so we've got a full squad today y'all. Welcome back to the podcast.
Robert Friedman: Thanks for having us, Molly.
Andrew McAllister: Great to be back.
Molly O'Casey: All right, with that, Marina.
Marina O'Brien: So FOCI stands for foreign ownership, control or influence. And it refers to the situation in which a foreign person or entity has ownership, control or influence over a company that has obtained a security clearance — a cleared company — but in such a way that it may adversely affect the performance of the classified contract or unauthorized access to classified information. Here, the ownership and control are easier to identify. But influence is a tricky one, right? So it can simply mean a contractual relationship with a foreign party. For example, if there's a 20 or 50 percent of the company's revenue that comes from one foreign party, then that party can exert an undue influence over the cleared company.
Molly O'Casey: Got it. And what are the implications of FOCI for cleared companies?
Marina O'Brien: Well, it depends on the degree and amount of FOCI. As previously discussed on this podcast, U.S. law and regulations have identified that there is a risk presented by foreign ownership, control or influence to companies that hold or are being in the process for facility clearance. So here it is important to know that FOCI issues are not just considered in relation to the cleared company, right? Foreign ownership, control and influence is also considered in the context of parent companies, subsidiaries, foreign contracts, affiliates, foreign debts, etc. So really it is an expansive assessment that considers whether a cleared company's operations could be compromised by foreign influence.
Molly O'Casey: So companies thinking about this need to have a pretty broad perspective.
Marina O'Brien: Absolutely.
Molly O'Casey: How much FOCI is too much FOCI?
Marina O'Brien: Another tricky question. Generally, foreign ownership of 5 percent or more as well as foreign control must be reported on the SF-328 form. That's the certificate pertaining to foreign interest. However, you should keep in mind that it is not just percentages of ownership control, right? There are also situations where the foreign ownership interest for influence is more attenuated, such as where we have a foreign person that holds only a minority ownership interest but is entitled to representations on the company's board of directors, for example. It's also a little bit tricky question because one might have 100 percent foreign ownership, but if it comes from Canada, for example, or the United Kingdom, it will still likely be approved with a mitigation. But if we have a very small foreign nationality or ownership in the FOCI from a place like China, for example, it's a different story. So locations, geography, politics, it all matters. It's not always all in the percentage.
Molly O'Casey: Interesting. And I would imagine if you're looking to mitigation strategies or if you're trying to start your FOCI review the SF-328 is a good starting point.
Marina O'Brien: That's right.
Molly O'Casey: Antonia, could you talk to us about who the cops are in this area? How are issues around FOCI monitored and enforced?
Antonia Tzinova: Thank you, Molly. So as we've learned over the course of the series, DCSA, the Defense Counterintelligence and Security Agency, is the agency that has jurisdiction over monitoring and enforcing the FOCI program under the system. And the way they learn about it is a cleared contractor must submit an SF-328 certificate pertaining to foreign interests at the time of their application for a facility clearance. And this is where they would mark any foreign element in their operation, be it ownership, be it contractual relationships with a foreign person, or it may be one of their board members serving on a foreign board. And anytime there is a material change to the SF-328, the contractor must notify DCSA of that. This is how DCSA will learn of the FOCI element and this is how it will come to their attention. While they receive it, they assess the threat from the foreign element, and it's important to emphasize the FOCI and it's important to emphasize a recent trend in this area. They have been focusing on the "I" consistently. "I" stands for influence. Ownership and control are kind of no brainers, it's easy. It's, in the M&A context, when a foreign person acquires a certain equity stake. The influence is quite dispersed and can come in many forms. And this is why we are seeing new mitigations being developed by DCSA. And so this is how they will hear about it. This is how they will design their strategies based on the risks stemming from the specific risk.
Molly O'Casey: And what should companies watch out for? How do they tend to run into issues with FOCI?
Antonia Tzinova: As I said, I mean, the immediate one is a cleared contractor may be bought by a foreign person. So that should be part of due diligence in any M&A transaction to determine if the investor has any foreign ownership in it. And it stems all the way up to the ultimate foreign parent or majority shareholders. So that's kind of easy. Some other aspects, the SF-328 is indicative of what DCSA is interested in. So they need to be mindful of loans that they take that may be underwritten by a foreign bank or like a foreign loan agent. They need to be mindful of their senior management officials having some foreign extra business, extracurricular arrangements. I mean maybe somebody has an equity interest in a foreign company or they serve on a board. They need to be mindful of foreign customers that they have, obviously of foreign suppliers, if the products or services will end up with the U.S. government customer. So these are some of the ways that FOCI will pop up, and this is what contractors need to be aware of.
Molly O'Casey: Thanks, Antonia. Andrew, could you give us a brief overview of the mitigation strategies for addressing some of the issues that Antonia highlighted?
Andrew McAllister: Great. Thanks, Molly. So there are different mitigation instruments that are implemented by DCSA depending on the nature and extent of the foreign interest. And so, again, they're sort of gradations. And so the most restrictive FOCI mitigation instrument is a proxy agreement. And then one step down from that is a special security agreement. Both of those instruments tend to be implemented when the foreign person either has majority or entire ownership of the cleared contractor. And so in the case of a proxy agreement, there really is a complete separation in a way between the foreign parent company and the U.S. contractor. In the case of a special security agreement, again, there is a significant separation. But as an example, the foreign parent is eligible to appoint a director to the cleared contractor. So the foreign parent in the special security agreement arrangement still has representation. So they have a bit more visibility into the workings of the cleared contractor. And so you may ask yourself, "Well, why would anyone ever want a proxy agreement if they're essentially turning over full operations to the U.S. subsidiary?" And the answer typically is that certain information that's classified is referred to as proscribed information. And so with a special security agreement, there's a requirement to get national interest determinations from the particular contracting offices. In the case of a proxy agreement, a company does not need to go through that national interest determination. So that's one reason why a company may opt for a proxy agreement.
As we go down the list we turn to a security control agreement. That is typically when the foreign interest has, I would say, significant ownership, significant control, representation on the board. So maybe they own 25 percent of the U.S. company of a cleared contractor and they're eligible for one board seat. Again, the security control agreement is almost like a special security agreement light. So there are still this notion of outside directors, which Robbie will hit on a little bit later, but those outside directors are put in to sort of protect the interest of both the U.S. government, as well as ensuring that classified information remains at that cleared contractor.
And then as we go down even lower, we have something called board resolutions. And so those are typically in instances where you may have foreign passive investment. So private equity fund owns 100 percent of a cleared contractor. And much of that money, for example, may come from foreign sources. So the private equity fund is ultimately controlled by U.S. persons, but there's that foreign passive investment. And so in that case, you may have exclusionary board resolutions from both the foreign parent as well as the U.S. company, recognizing the FOCI concerns and stating that there's no need for the foreign parent to have access to classified information and that the U.S. subsidiary recognizes that. So that gives you a sort of broad brush strokes of the four main mitigation instruments.
Molly O'Casey: Great. Thank you for that really detailed overview. Robbie, what are the differences between outside directors, proxy holders and other members of the board, as Andrew mentioned?
Robert Friedman: Sure. Thanks, Molly. So first of all, I'll take one step back and talk about the role of the outside director and proxy holders within these mitigation instruments that Andrew mentioned. And then we can drill down and talk about some of the fundamental differences with regard to these individuals. So at a higher level, you know, we've got the forms of mitigation that Andrew went over. And one of the core features of the more stringent forms of mitigation — the SCA, the SSA and the proxy agreement — are the roles and the functions of proxy holders and outside directors. So fundamentally, these are the requirements for either an outside director or a proxy holder, is that they be a U.S. national, that their credentials and their qualification to be reviewed and approved by DCSA in advance and, importantly, that they be disinterested. And the idea of disinterestedness is one that has evolved over time within the DCSA context. But it essentially means that there's no prior relationship with the individuals that are nominated to serve for in the role of a proxy holder or not for a director in the clear company or the foreign owner, and that is to ensure that there's, you know, complete independence from those interests. And that's both a financial interest as well as, you know, professional or other relationship. So we often get questions, for example, you know, "Can we hire or can we nominate an outside director who was a consultant for us previously, or that was a board member for us previously?" And those are all areas that will muddy the waters of disinterestedness. And so those are typically areas of concern for DCSA. So those are the fundamental requirements of those roles.
And, you know, we often get questions from clients about who's an optimal outside director or proxy or who should we target. And I always say that there are three key criteria. You know, they're not, I would say, mutually exclusive, and everyone is not going to satisfy each of them. But you're going to want somebody to serve in that role who has some experience with security regulations, who's generally understanding the NISPOM and what it requires to serve in that role. That could either be somebody who's been a previous independent or outside director or proxy holder. Somebody that has business acumen is a second category, right. You don't want an individual serving on the board of a company that doesn't know basic corporate governance principles and has never, you know, has really had no exposure to that because it can limit their utility on the board. And then finally, it's helpful to have some level of domain expertise. Right? We work with clients that work in a variety of subspecialties, whether that is microelectronics or, you know, security services or cybersecurity or software. And it's helpful to have somebody that at least understands the general parameters of the business so that they can have value in that role. So those are the general criteria that we look to.
Last point at a high level is that the outside directors and proxy holders, they wear several hats in their function. They're fiduciaries and board members to the company, but they're also stewards of national security, and it's their principal role to ensure the protection of classified information as a consequence of their role within the companies.
So, Molly, I think the next question up, just to circle back to your question that you raised, is some of the differences between outside directors, proxy holders and other members of the board, because while the qualifications are often uniform across, the function within the mitigation structures can be slightly different depending on the instrument at issue. So we talked about SCAs and SSAs, which call for outside directors, and that title is intentional. Outside directors are distinguishable from inside directors. And as we've talked about in previous episodes, you know, inside directors are essentially nominated by the foreign owner to serve on the board. And DCSA has no role in the selection of the inside directors. But of course they do, as we talked about, have a gating role in approving and vetting the outside directors. So with an SSA and with an SCA, there's going to be a mix of inside directors and outside directors. The outside directors will outnumber the inside directors, which is the requirement there. It's typically, you know, three to two. But, you know, in some instances we've seen two to one, depends on the size of the company, the number of classified contracts and other factors, but those are the basic requirements. And then with regard to a proxy agreement, it's a different construct. And as a reminder, the proxy agreement is the most stringent form of FOCI mitigation. It requires the foreign shareholder of the foreign owner to effectively grant prerogatives for running the company to the proxy holders for purposes of both voting at the current company level, but also managing and the mechanics of day-to-day oversight and running of the company. So in those contexts, the proxy holders have a more involved role and are, you know, effectively serving as the board members of declared company without any involvement from inside directors.
Molly O'Casey: Got it. Thanks for that, Robbie. Libby, could you provide a high-level overview of the relationship between FOCI supplements and FOCI line mitigation agreements?
Libby Bloxom: Sure, Molly. Much to everyone's nonsurprise, if you've been following along these past few months, mitigation agreements often are not enough. Typically, a FOCI mitigated company may be required to develop additional procedures to ensure their FOCI is actually being mitigated on a day-to-day basis. This is where supplemental documents come in. The main supplemental documents include the Affiliated Operations Plan or AOP, Technology Control Plan or TCP, and Electronic Communications Plan or ECP. Sometimes there are additional instruments that are required, and these could include a visitor access plan or a facility location plan, particularly if any facilities or office space of the cleared company is co-located or in close proximity with its parent company.
Molly O'Casey: Thanks for adding to our acronym bank, Libby.
Libby Bloxom: No problem.
Molly O'Casey: What is an AOP? Could you provide us a bit more detail about that?
Libby Bloxom: Yeah, an AOP is a requirement for FOCI mitigated companies when they enter into operational relationships with their affiliate. So yeah, I think of like affiliated services like HR, shared third-party services like accounting or tax professionals who prepare your tax forms, shared persons and cooperative commercial arrangements. Generally, these kind of business functions and arrangements with affiliates are not authorized. So when a company wants to have these shared services or arrangements with its affiliates, the services must be approved by DCSA in the AOP in advance of the deployment of the service.
Molly O'Casey: Got it. And could you tell us a bit more detail about the Technology Control Plan and the Electronic Communications Plan?
Libby Bloxom: Of course. TCP is a facility-specific requirement. It outlines how the cleared company will provide physical protection to classified and export controlled information. The ECP, on the other hand, is designed to maintain oversight of electronic communications and networks between a cleared company and its affiliates. The Government Security Committee, or GSC, it's a permanent board community that is comprised of typically one outside director and two clear directors or officers and effectuates this oversight function. TCP and ECP are required for cleared companies operating under a proxy agreement, special security agreement, security control agreement or in other situations at DCSA's discretion.
Molly O'Casey: Thanks, Libby. Robbie, back to you. Could you tell us a bit about how cleared employees and shared services impact cleared companies?
Robert Friedman: I'd be happy to, Molly, thanks for the question. So, you know, shared services in the context of national security and facility clearance is a notion or an idea that means that there's certain services or functions that are shared across the cleared company that has gone through FOCI mitigation and one of its affiliates. And that could be the parent subsidiary, it could be two sister companies, for example. There's a couple of reasons that there's a role for shared services within the NISPOM and within the broader facility clearance context. It can be quite expensive to both go through the facility clearance process and then set up and operate a cleared company. And the U.S. government is not insensitive to the cost associated with the process. And so there's a role to play for these shared services where whether it's because of a need to develop economies of scale, to streamline business processes or just to save money, you'll have certain core functions — we call them kind of back office support functions — that can be shared among the cleared company and one of its affiliates. These typically take the form of things like human resources, marketing, accounting, legal services, IT services — those are the typical bucket, can be others as well — and importantly, in each case where there is a shared service or a shared employee, it needs to be specifically disclosed to the U.S. government in the Affiliated Operations Plan and addressed and approved by DCSA.
So the principle there is one of transparency and pre-approval. So it's not an encumbrance to having a shared service, that just requires engagement with the DCSA and a comfort level that a risk has been identified because whenever there is a shared service or shared employee, there will be some level of risk that there's going to be seepage of national security, sensitive information or otherwise. And the AOP will highlight that risk in developing a mitigation or a way in which the company has addressed that risk and that the U.S. government is comfortable that the system will work. One concrete example might be, if a cleared company and a power company are using the same outsourced HR provider, you know, perhaps there's one account professional that's handling the cleared company's HR services and one that's handling the power company's HR services. Or perhaps there's just, you know, different electronic folders or permissions that would keep those functions separate. So there's a variety of ways to implement a mitigation strategy. But the fundamental principle here is that DCSA will approve shared services and shared employees among a corporate family for certain purposes.
Molly O'Casey: Thanks, Robbie. Antonia, could you talk to us about Section 847?
Antonia Tzinova: Sure. Thank you, Molly. So, Section 847 is a new thing in this world. This is a kind of a shorthand for a provision introduced in the 2020 National Defense [Authorization] Act. And the reason for the introduction was the U.S. government was concerned with the security and resilience of our defense supply chain kind of in the wake of the pandemic and issues generally identified in supply chains. So in 2020 NDAA, Congress mandated that there is an assessment performed for FOCI in all non-classified Department of Defense contracts that are valued at $5 million or above. And earlier this year, in May 2024, the Department of Defense issued an instruction that outlines the framework for implementing this mandate, and in big strokes, how this would work, any contract award that DOD issues for a non-classified work that is valued at $5 million or above would need to also include a FOCI assessment, meaning that contractors bidding on such contracts would need to provide information about foreign ownership, control or influence similar to what cleared contractors have to do when they apply for facility clearance. And Congress and the instruction kind of outlined the way of assessment of FOCI and mitigating it. So, good news, DCSA, the agency that currently handles FOCI, will be in charge of assessing the risk and reviewing the information provided, assessing the risk and outlining, you know, possible threats. But then it will be the contracting officer at DOD on each specific contract that will have to decide whether to implement mitigation, and mitigation tools that will be available are the same tools that we currently know from the FOCI world. So from the less restrictive board resolutions excluding certain officers and directors, parent companies to the most restrictive in the form of the proxy agreement.
Molly O'Casey: Got it. So it sounds like Section 847 is a close cousin of FOCI mitigation. Could you outline the key differences between DCSA, FOCI mitigation and Section 847?
Antonia Tzinova: Absolutely. So absolutely a close cousin, one key difference is that we're now talking about non-classified DOD contracts. So a much larger community out there, government contractors, will be affected by this process. And so it's very important for contractors to understand the mechanics of this process early on so that they're ready once this rule goes into effect. And I just want to mention that, at this point, this is just in the development process. The final rule is not out. This is not mandatory yet. We expect this to, you know, go into effect in the next 12 to 18 months.
But some of the key differences here are the first one, and I already alluded to it, there is a split decision making process. So, the contractors will submit the information that will be reviewed by the DCSA. I mean, this is the agency we're familiar with. They will perform their standard FOCI review and assessment and issue their report. But then, you know, the decision of whether to implement mitigation and what type of mitigation will rest with the contracting officer. So we have like a, you know, a beast with two heads.
And then we have a difference in whether or not mitigation will be implemented. So in the classified world, if there is any form of FOCI, it must be mitigated so that the contractor can perform unclassified contracts. In the non-classified world, under Section 847, the contracting officer may decide to implement mitigation, but they may also decide to waive it. Where this may happen, maybe we're dealing with a U.S. subsidiary of a French company that's going to sell products of the French parent to DOD and maybe DOD will deem that the risk is not large enough to impose mitigation here. The other difference is that with classified contracts, it's like once and done. I mean, the moment you have a classified contract, you do need to submit to review and you need to accept mitigation. Obviously, if your FOCI changes, mitigation may change as well. But once you're mitigated, you're mitigated. In the non-classified world, this will be happening on a case-by-case basis. So every time a contractor submits a bid for a contract that meets the criteria, the FOCI will be assessed and the contracting officer will determine whether or not to impose mitigation. And if these are different offices within DOD, you may end up with incremental mitigation measures being imposed on the same contractor, depending on the program they're working on.
Another difference is that in the classified world, it doesn't matter what the value of the contract is. If you need access to classified information, you would need to be mitigated if there is any FOCI. In the non-classified world, the starting point is contract data at $5 million or above, and then there's certain exclusions for commercial products and services. So there are a few differences between the two processes, but the similarities, I think we should emphasize those as well, is that we will have DCSA involved, again, in the assessment of the risk and we're dealing with the same set of mitigation measures that contractors are familiar with already.
Molly O'Casey: Well, we have all that to look forward to.
Antonia Tzinova: Right. It's going to be a lot of work.
Molly O'Casey: Looking forward to it. Thank you, everyone, for coming on and discussing FOCI with us.
Libby Bloxom: Thanks for having us, Molly.
Antonia Tzinova: Thank you, Molly.
Molly O'Casey: So this area is full of acronyms. This week's episode, I think, had pretty much all of them. For all our sakes, I'll refrain from listing everything that we mentioned and I'll stick to just highlighting the main ones. So we have the National Industrial Security Program Operating Manual, or NISPOM; Security Control Agreement, or SCA; Special Security Agreement, SSA; Government Security Committee, GSC; Technology Control Plans, TCP; Electronic Communication Plans, ECP; and Affiliated Operations Plan, AOP. Each episode we ask our speakers to explain an acronym that featured in the episode with wrong answers only. In the interest of time, not everyone has to participate in this segment, but whoever wants to can feel free. But please, somebody participate.
Antonia Tzinova: Well, maybe I take one, and mine is lame, I was thinking, how do we come up with something interesting? So I picked FOCI. So I'm thinking forever owned classified information.
Molly O'Casey: Amazing. Lame is great. I love lame.
Libby Bloxom: I have one. Actually, I have two. So I talked about the supplemental documents that may be required. And so I'm going to take TCP, you know, Technology Control Plan, a time-consuming process. So often the supplemental documents can take a lot of time. So when you're thinking about an ECP or an Electronic Communications Plan, it's best early consults, please.
Molly O'Casey: Early consults indeed. Amen. All right. Thanks so much, y'all. I hope everyone enjoys their week.