Podcast - Mitigating FOCI Under Section 847

Molly O'Casey: Welcome to the 14th episode of Are We All Clear? The podcast on facilitating security clearances. I'm your host, Molly O'Casey, an International Trade associate with Holland and Knight's Washington, D.C. office. Today's episode will discuss section 847, which is a relatively new term in the defense space. We'll discuss the scope of Section 847, what companies should be thinking about and mitigation strategies. Today's speaker is Antonia Tzinova. Antonia leads Holland and Knight's Committee on Foreign Investment and Industrial Security Team. Welcome back to the podcast, Antonia.

Antonia Tzinova: Hi Molly. Thank you. Good to be back.

Molly O'Casey: Good to have you back. Before we get into the episode, I want to provide some general context on Section 847. Section 847 refers to section 847 of the National Defense Authorization Act, or NDAA, specifically for fiscal year 2020. So what is the NDAA? Congress oversees the defense budget through the NDAA and defense appropriation bills. In fiscal year 2020, Congress passed Section 847 of the NDAA, which requires the Department of Defense to establish rules for mitigating Foreign Ownership Control or Influence, also known as FOCI, in companies working on nonclassified defense contracts, subcontracts, or defense research assistant awards where these contracts are valued at over $5 million. In response, on May 13th, 2024, the Department of Defense released DOD, which is the acronym for the Department of Defense, Instruction 5205.87, which is the first step in introducing Section 847 requirements and aims aimed at protecting the Department of Defense's supply chains and Defense Industrial base against adversary FOCI, which could jeopardize critical data systems or procedures. The Defense Counterintelligence and Security Agency, or DCSA, which is the agency entrusted with conducting FOCI reviews, have been busy hiring new staff that will be involved in these reviews. So we know that process is ramping up. With all that, Antonia, would you mind going into more detail about what the impetus was for Congress passing Section 847 of the NDAA in 2020?

Antonia Tzinova: Sure. Thank you, Molly, for the introduction. And as everybody heard, I mean, this is focused on defense and what drove Section 847 into existence. I think that we have been seeing a consistency among the last few administrations when it comes to defining the national security risks from a U.S. perspective. And there is bipartisan, I think, agreement in this area, which is rare in the last 10, 15 years, but in any event, everybody on Capitol Hill is in agreement that China is a consistent threat to U.S. national security. And so, not surprisingly, this is in the base of all of this. During the pandemic, what was revealed was that there are certain risks to our supply chains. I mean, and it started small with medical supplies, food supplies, toilet paper on some occasions, if you remember. But then there was a concern that, you know, a lot of things are kind of way too dependent on certain products that are coming out of China. Microchips, this is one particular example, specifically the elements that go into the building of microchips like rare earths, rare minerals, etc., but some minor components that are used in general production as well.

And so, as soon we got Biden into office. I mean, one of his first actions in the White House was to issue a directive, an executive order that was focused on America's supply chains. And this has been a consistent motive in his administration; there have been a lot of actions passed by this administration, this current administration, focusing on different aspects of supply chain. We can see, you know, how this plays out with foreign investment in the U.S., outbound investment of U.S. companies, export controls of particular technologies, you know, specifically microchips and quantum technologies, AI, but the focus has been like, okay, what is the weak point?

And just to quote from a recent executive action, "More resilient supply chains are secure and diverse. Characteristics of resilient supply chains include: greater domestic production; a diverse and agile supply base; built in redundancies; a reliable transportation system; secure critical infrastructure; adequate stockpiles; safe and secure data networks; reliable food systems; and a world-class, globally competitive American manufacturing base and workforce. Close cooperation on building global supply chain resilience with allies and partners who share our values will foster collective economic and national security, encourage innovation, and strengthen the capacity to respond to and recover from international disasters and emergencies."

I know it's kind of a long quote, but it's in the context of supply chains that underpins certain themes that we have seen over the last few years and that have been the focus of at least two administrations in the last few years. I mean, that's regardless of who sits in the White House. And this focus is on creating some distance from China and rebalancing the relationship with China. I mean, depending on rhetoric used, you may hear decoupling, rebalancing. But in all cases, the idea is that, you know, we have a geopolitical realignment, if you will, and we want to rely more on domestic production. And we've seen some of the policies with respect to buy American and closer ties with our allies. And so, not surprisingly, this Section 847 comes to this background in the context of all this, you know, concern with China kind of being a risk to U.S. national security, the stated goal of both the NDAA 2020 and the DOD instruction is to protect the Department of Defense supply chains and the defense industrial base of the U.S. against adversary FOCI, Foreign Ownership Control or Influence, which has been the topic of your show.

Molly O'Casey: Right. And with the upcoming Trump presidency, I'm sure industry will be happy to hear that it's a bipartisan issue that's likely to be consistently implemented over the next few years.

Antonia Tzinova: I think so. I mean, you mentioned that this initially was passed in NDAA 2020, which is actually the fall of 2019, and the instruction was published earlier this year in May. So you see that this has kind of overlapped two different administrations. So I don't expect, we don't expect, that the Trump administration will reverse course. I mean, the two consecutive administrations have been very consistent, at least on the face of it.

Molly O'Casey: Right. You mentioned that Section 847 is intended to address risks in the supply chain and defense concerns. So how does Section 847 function to address these concerns? What's the scope?

Antonia Tzinova: So I just want to emphasize that this is still kind of in the preliminary stage. So we don't have a rule that has been published or introduced or implemented. So this is all speculative, a little bit just based on the NDAA 2020 and the instruction that was issued this spring. But the basic framework is intended to work as a mechanism to mitigate FOCI in companies that will be working on DOD contracts, and I want to emphasize nonclassified contracts, right, because we already have a mechanism to address foreign ownership of control or influence in the classified world. So Section 847 will address DOD nonclassified contracts include subcontracts or defense research assistance awards that are valued at or over $5 million, and a couple of key characteristics of the process as currently outlined in the instruction. DCSA, the agency that currently reviews FOCI in the classified world, will be the agency that will conduct the initial FOCI review and produce an assessment of the risk based on the existing process, all right, and it's going to follow its standard procedures.

We expect that companies would likely have to complete an asset 328, which is a certificate pertaining to foreign interests, similar to what we know from the classified world. The key here is that there is a requirement for detailed assessment of the beneficial ownership or any contractual or other arrangements of the contractor to detect FOCI issues very early in the contracting process. This is due diligence as part of the award process, so it's not at some point down in the future. And then the key difference with the FOCI mitigation of cleared contractors is that DCSA will conduct the review and issue the assessment, but it is the contracting authority that will decide on whether to implement any mitigation measures or what type of mitigation measures to implement. In other words, there is a split process in decision making, right? DCSA assesses the risk, the contracting officer makes a determination whether to introduce mitigation measures and the most important thing here is that mitigation is optional and not mandatory, as is the case in the classified world.

Molly O'Casey: Right. So even though Section 847 is separate from FOCI there seems like there's going to be a decent amount of overlap between the two regimes. So companies that have experience in FOCI are likely pretty well placed to address section 847 requirements.

Antonia Tzinova: That's right. I mean, the risk factors and the assessment are pretty much the same as we know them from DCSA practice. The mitigation measures to select from, if the contracting officer decides to implement mitigation, are the same mitigation measures. It's just that we have a split process and decision-making, and that now this will be in the context of non-classified work. So, yes, I mean, contractors may be familiar already if they have classified contracts that they perform on, but for many contractors that are not cleared, that will be a new process.

Molly O'Casey: Got it, so it sounds like, I mean, is this an unusual power for a contracting officer or is this kind of in line with their previous involvement in the decision-making process.

Antonia Tzinova: Well, I mean, the contracting officer ultimately has the upper hand on who they select, and they do follow certain processes, right, I mean, it's a well-established process. So I don't necessarily think that they have outsized power here. I mean, they will be acting on the basis of the independent assessment by DCSA on what is the mitigation, sorry, what is the risk factors. And they will be, you know, faced with mitigation measures, but ultimately, they have better visibility into what the parameter of a given contract is, whether critical technologies will be involved, whether the products or services provided will go into a critical platform of the U.S. government. So they will have some discretion on whether to implement or not. It's not like an outright mandate to include mitigation. So, yes, they will have some discretion.

Molly O'Casey: Got it. I know this is a new area in defense contracts. And you mentioned that a lot of our remarks today are a bit speculative, but are there any specific timelines for implementation or do we have an idea of how this process will go.

Antonia Tzinova: Right. In terms of implementation? I mean, based on what we've been hearing from DCSA officials specifically, they expect 12 to 18 months for the process to go through all the phases of publishing a proposed rule, comment from the industry and the public, review assessment of comments and then publishing the final rule going into implementation. DCSA is currently actively hiring new case officers because if this is to be implemented on the scale, they would need to more than double in size and train new people to be able to perform these assessments. So their own assessment is that this is not going to go into effect before 12 to 18 months. Roughly speaking, in terms of what timelines will be imposed on contractors as spelled out right now in the instruction. This information will have to be submitted as part of the award and early due diligence by the contracting officer. And that information will be passed on to DCSA. So DCSA will have 25 working days to review the information and provide an assessment. It is why during their September annual DCSA conference they were pretty confident that they have mastered the process and were not concerned that there will be delays on these initial assessments. And then once the assessment is out, it's the contracting officer that evaluates, determines whether to award the contract based on risks identified there, whether to implement some mitigation.

They may choose not to award the contract if there is no viable way to mitigate the risk. Right. And once they issue the award and they request litigation, the contractor will have 90 days from awarding the contract to implement the proposed or the required mitigation. So these are kind of some high level, I would say, parameters right now we know from the FOCI-cleared world, that classified world that typically when there is a new foreign element, the contractor and foreign parent, for example, will sign a commitment letter so that the foreign investment is approved. And then, you know, the cleared company is allowed some time to implement various mitigation measures and it can span over a few months as long as they are working with DCSA, you know, there is some flexibility there. So we assume that something similar will happen in the context of the non-classified DOD work.

Molly O'Casey: Right. And it sounds like industry has about 12 to 18 months to prepare for this process and companies will have a chance to participate during the public comment periods in its development.

Antonia Tzinova: Absolutely. And it's strongly encouraged that companies who will be affected by this rule participate in the public comment process because there's so many unknowns with this rule. And, you know, there are always unintended consequences of some process or some new rule. Industry is instrumental in developing and helping, you know, the regulator to develop a rule that addresses the concerns but at the same time does not cripple industry. And sometimes industry will identify things that the government hasn't thought of. And so it's a collaborative process. And yes, industry will have time to prepare. It will have an opportunity to be actively engaged in the implementation. They just need to be on the lookout for the proposed rule so that they can gear up to do this.

Molly O'Casey: Got it. In terms of scope, we had discussed how this is inclusive of contracts that are worth 5 million and that are unclassified. Go into a bit more detail about what the implications are of that scope.

Antonia Tzinova: Right. So I mean, just the parameters as outlined currently in the rule, we're talking about DOD contracts, right? For the moment, this is the only agency and we're talking of a value of 5 million or above. So a couple of points to consider here. I mean, and again, this is based on what we hear from DOD at this point, that it would be, on the face of it, the contract at 5 million or above. But it's interpreted to capture contracts that may be at the lower value. For example, 1 million; if there are options to extend and renew for four additional years, you're going to add those up and this is how you're going to calculate value. And when you take this into consideration, that really expands the scope, quite because read this way, it will capture a lot of contracts out there. On the other hand, there are certain exceptions to what is captured and specifically contractors for commercial products or services are excluded unless the contracting officer determines that the contract involves a risk or a potential risk to national security, or a potential compromise of sensitive data systems or processes that might affect personally identifiable information, cybersecurity in National Security systems.

So, at least on the face of it, commercial products and services are excluded. I mean, what is a commercial product? It's an item that is typically used by the general public or non-governmental entities. And it may include general public use products: products typically used by the general public for nongovernmental purposes. It may include products that have evolved or have been modified from such general public use products to the extent that, again, they're available on the marketplace. Commercial services are also excluded, and these are support services that include installation, maintenance, repair or other services for the supporting of commercial products or marketplace services. That these are services that are offered and sold competitively in large quantities in the commercial marketplace and based on established catalog or market prices for the specific task. So again, on the standard commercial terms and widely available to the general public for commercial products. So at this point, these are the two exclusions. We'll see how this plays out when they are proposed through as published.

Molly O'Casey: You mentioned how our experience with the pandemic and supply chain risk was a motivator for passing Section 847. So does that mean that we should kind of interpret the definition of a commercial product, and the potential risk national security, as kind of any commercial product that's considered a necessity in terms of how we conceptualize national security here?

Antonia Tzinova: Well, I mean, we need to remember that it's DOD is the contracting agency here. And then the contracting officer has discretion in both ways, both to determine whether or not to impose mitigation, but also whether or not to exclude commercial products. So depending on the contract, on the context, the contracting officer may decide to add into the mix standard commercial products that we don't necessarily think as part of the defense system.

Molly O'Casey: Right. You mentioned that there was a lot of overlap between the FOCI mitigation program and the likely Section 847 program. But given the different scopes, that FOCI focuses more on classified contracts whereas Section 847 focuses more on non-classified, are there any key differences you predict between the two?

Antonia Tzinova: Yes. I mean, again, at the very high level and just based on what's been published so far, but the scope of this new rule of Section 847 is DOD non-classified contracts at 5 million or more. So we're going to have an assessment here on a contract by contract basis versus, like in the classified world, we're just looking as to whether the company has any classified contract, it could be a very small volume, right. And if there is one classified contract, the mitigation is imposed on the on the company as a whole, regardless of other non-classified work that they have. So that's kind of a key distinction here. Another one is in terms of process. So under the DOD instruction of the FOCI review process is split from the decision on whether to impose mitigation. So DCSA, that is currently conducting FOCI mitigation reviews in the classified world will continue performing the assessment based on the established processes. But it will be the DOD contracting officer that decides whether to impose mitigation or not. And so that is a kind of a split-decision-making power, split process.

Here we have the review assessment with one agency of duty, and then we have the determination to impose mitigation with the contracting agency within DOD and then in terms of mitigation measures, we are looking at the same set of mitigations or the same tools that currently are known to the industry. But one key difference is that in the classified world, mitigation is mandatory; in the non-classified world, mitigation is an option, right? There is discretion whether to impose mitigation or not. So these are some of the key differences between the two programs. The other one is that at the moment, we're talking only about DOD non-classified work. When it comes to classified information, this spreads out beyond DOD it covers Department of Energy. It covers the Intel community. So the scope of FOCI mitigation in classified work is larger, both in terms of agencies involved, but also on smaller contracts. And it's imposed on the entire company for all types of work, right? Not only for classified work here with Section 847, we're talking DOD only for the moment, contracts above certain value, 5 million, as it currently stands and discretionary mitigation.

Molly O'Casey: Right. So if we had to break it down to bullet points because Antonia you know, I love a bullet point.

Antonia Tzinova: Okay.

Molly O'Casey: It's really that there is:

• More limited scope.

• There's a split-the-decision-making process between DCSA and contracting officers.

• And there's optional mitigation.

Antonia Tzinova: That's right. Very good.

Molly O'Casey: Thank you.

Antonia Tzinova: I love it. I love it.

Molly O'Casey: So with that, that limited scope of non-classified contracts where they're valued at over 5 million, although this could also capture contracts that are 1 million with options to extend for an additional four years. What are the implications for Department of Defense contractors, do we predict that a lot of contracts are going to be captured by these regulations?

Antonia Tzinova: Right. As you said, I mean, it's it appears so because of how they interpret the value of 5 million to apply across multiple years and options to extend the contract. So, I would say at the very high-level, many DOD contractors will find themselves in new territory. I mean, to quote a high-level DOD official, "They will be evaluated as trustworthy for participation in the DOD supply chain." Which is kind of a new twist. Right up until this point, this was reserved only for cleared companies. So we can expect that there may be a spill over into other US government departments with defense and national security functions. I mean, currently the instruction is focused on DOD contracts only, but I mean, we have the Department of Energy, the Department of Homeland Security, maybe some others there. Who knows, maybe they follow suit? Separately, if we just do a comparison within the DOD world, I guess, currently there are close to 13,000 cleared contractors. 12,759 to be precise as of September of this year, maybe, maybe more by this point. Of those close to 13,000. Approximately 413 companies are under FOCI mitigation imposed by DOD so that's kind of minuscule, comparatively speaking. So that tells you that a very small number of government contractors and DOD contractors understand the FOCI mitigation world and are affected by it.

So with the implementation of these new rules, Section 847, this is going to spread to a large number of contractors. I mean, just the cleared ones close to 13,000. I don't have statistics on non-cleared DOD contractors, but I would imagine that it's larger than the 13,000 by a huge margin. So there will be a huge effect for a large section of the DOD community, that contracting community. There is time to get ready because we were told that there is a 12 to 18 month implementation period, but it's best to start getting ready now and start educating themselves on some of these concepts so that they're able to identify the issues early on. And another key point here is, I mean, we're talking about frequent due diligence in DOD contracting. So, I mean, just imagine this is done on every DOD contract that hits the parameters. And they may already have FOCI mitigation because of their classified work or some other preexisting unclassified program mitigation that's imposed because of 847. But they would still need to submit the paperwork for every contractor that meet the parameters to be reviewed and assessed by DCSA, by the contracting officer. So the due diligence is done on a contract-by-contract basis, and that's huge. That is that is a key point to keep in mind. And the other thing, and even if they already have some FOCI mitigation in place based on the new contract that's added to their portfolio, they may end up with a different FOCI mitigation because again, it's not all one and done. It's like on a continuous basis for every new contract.

And the last thing, and I've said this a few times already, DCSA is conducting the review and providing a risk assessment, but it is not making the decision. The decision will be with the contracting officer. And there is some discretion there on whether or not to impose mitigation. And so, I would suggest that contractors just get educated on FOCI, what factors are being currently considered, consider maybe if they are interested in continuing bidding on this type of work, restructuring their own supply chains early on, if that's possible, and get familiar with that terminology so that they can better describe those things in the paperwork that they will be submitting together with the bid for the contract. So there is time to get ready, but the time to start educating themselves is now.

Molly O'Casey: Right. And hopefully more information and statistics on how many non-cleared contractors and what types of products are captured with us become more available when the proposed rule is released and companies can kind of use that to help organize their comments.

Antonia Tzinova: That's right. I agree with that completely.

Molly O'Casey: Well, I appreciate trustworthy as a new standard. I'm sure that's a useful life standard that that we can all rely on.

Antonia Tzinova: We're only talking about classified and DOD contracts, right, so why should we bother with that? Yes.

Molly O'Casey: Well, thank you so much for coming on, Antonia.

Antonia Tzinova: Absolutely. It's always a pleasure, Molly. Thank you.

Molly O'Casey: This area is full of acronyms. I'm not going to necessarily go too much into the acronyms we've already covered, which is DCSA, FOCI, DOD, but as a new acronym this week, we had the National Defense Authorization Act or NDAA. Each episode, we ask our speaker to explain an acronym that featured in the episode with wrong answers only. Antonia, would you like to choose an acronym?

Antonia Tzinova: Sure. I think it was kind of inevitable that it should be the NDAA, right? We haven't discussed this one so far, so I was thinking, and given the context, I like new defenses against adversaries. I think that's very appropriate for section 847.

Molly O'Casey: Very, very accurate.

Antonia Tzinova: Thank you.

Molly O'Casey: Thanks, Antonia.

Antonia Tzinova: Absolutely, Molly.

Molly O'Casey: I hope everyone has a great week.